Leveraging the COSO Framework to Meet Section 404 Requirements

About This Presentation
Title:

Leveraging the COSO Framework to Meet Section 404 Requirements

Description:

Orlando, December 10. New York, December 17. Other Resources. IIA Web Page ... of the balancing procedures performed by the data center over nightly batch jobs. ...

Slides: 45
Provided by: lorion

Transcript and Presenter's Notes

1
Leveraging the COSO Framework to Meet Section
404 Requirements
  • The Institute of Internal Auditors
  • Webcast Series on Sarbanes-Oxley Act
  • July 8, 2003
  • 1:00 - 2:30 pm Eastern Time

2
The IIA Webcast Moderator
  • Jim Key, CIA
  • Managing Partner
  • Shenandoah Group, L.L.P.

3
Disclaimer
  • The views expressed in this web cast are
    solely those of the panelists and moderators and
    do not necessarily reflect the views or policies
    of the Institute of Internal Auditors or its
    directors, officers, employees, and members.

4
The Webcast Series on the Sarbanes-Oxley Act
  • Series 1: Fostering Compliance with SOA
  • Internal Auditor's Role
  • Four sessions archived on website and available
    on CD
  • To purchase contact Alex at Agoodman_at_theiia.org

5
Series 2: Emerging Trends and Best Practices in
Implementing SOA
  • May 21 - Section 404 Readiness Review: How to
    document your system of internal control.
    (Archived)
  • June 10 - Helping your audit committee implement
    complaint handling. (Archived)
  • July 8 - Leveraging the COSO framework to meet
    Section 404 requirements
  • August 12 - Project Administration: Setting and
    revising priorities in the wake of the Final 404
    Rules
  • September 9 - Internal Audit support of Audit
    Committees: What works best
  • September 30 - The Road Ahead: Meeting the
    challenges in complying with The Sarbanes-Oxley
    Act

6
Sarbanes-Oxley Implications and Impact for
Internal Audit
  • Seminar Offering: 2.5 Days
  • Chicago, July 30
  • Seattle, August 4
  • West Palm Beach, August 25
  • Phoenix, September 10
  • San Francisco, September 24
  • Orlando, December 10
  • New York, December 17

7
Other Resources
  • IIA Web Page: www.theiia.org
  • Click on Guidance
  • Click on Tools and Resources for Corporate
    Governance
  • IIA Position Papers
  • Responses to exposure drafts
  • IIA Research Foundation Master Key Series
  • The Sarbanes-Oxley legislation
  • Stock listing exchanges key requirements

8
Management Assessment of Internal Controls (404)
  • Requires the SEC to prescribe rules to:
  • State the responsibility of management for
    establishing and maintaining adequate internal
    control structure and procedures for financial
    reporting, and
  • Contain an assessment of effectiveness of the
    internal control structure and procedures for
    financial reporting

9
SEC Final Rules
  • Management's Reports on Internal Control Over
    Financial Reporting and Certification of
    Disclosure in Exchange Act Periodic Reports
  • Release Date: June 5, 2003 (33-8238)
  • Effective Date: August 14, 2003
  • Evaluation of Internal Control over Financial
    Reporting within the context of COSO framework

10
Agenda
  • 1:00 Welcome and Overview
  • 1:10 Soft Controls - Bruce Adamec
  • 1:20 Control Activities - Ray Lukas
  • 1:30 Monitoring - Andrew Bellenkes
  • 1:40 Break
  • 1:45 Questions and Answers Panel
  • 2:25 Wrap up - Jim Key

11
Soft Controls
  • Bruce Adamec, CPA, CIA
  • Vice President and General Auditor
  • United Stationers Inc.

12
Soft Controls
  • Control Environment
  • Risk Assessment
  • Information and Communication

13
The Goal is Reliable Financial Results and
Safeguarding Assets: Are Soft Components
Important?
  • Commissioner Paul S. Atkins, SEC,
  • Rocky Mountain Securities Conference, Denver,
    Colorado, May 30, 2003
  • "A long-standing risk management principle is
    the importance of corporate culture and tone
    from the top. A CEO's tolerance, or lack of
    tolerance, of ethical misdeeds and a CEO's
    philosophy of business conveys a great deal
    throughout the organization. The role of
    directors is to monitor and oversee that
    situation on behalf of stockholders."

14
The Goal is Reliable Financial Results and
Safeguarding Assets: Are Soft Components
Important?
  • Commissioner Cynthia Glassman, SEC,
  • Federal Reserve Bank of Chicago, May 9, 2003: "I
    can't walk away from any discussion of corporate
    governance without stressing that the most
    important aspect of reform comes from market
    participants working proactively to foster an
    ethical culture in business."

15
Why We Should Care About Soft Controls Even
Without Sarbanes-Oxley!
  • Howard Schilit, Smart Money, July 2003,
  • "Bad people, in a business model with a nice
    story, will somehow find a way to destroy the
    business... But with honest people running the
    company... they'll be able to navigate through the
    tough times and the company won't blow it."

16
404 Evaluation
  • Clear Understanding of Soft Components
  • Infrastructure Evaluation: Hard Activities for
    Soft Components
  • Evaluation of How Well the Soft Components Are
    Working to Ensure Financial Statement
    Reliability and Safeguarding of Assets

17
What Do COSO Components Mean?
  • Control Environment: Organization's Ethics, Tone
    at the Top, Management Philosophy and Style,
    Commitment to Competence = Management Culture
  • Risk Assessment: How the Organization Routinely
    Identifies and Manages Risks = Goals and Obstacles
  • Information and Communication: Identifying,
    Capturing, and Communicating Relevant Data in a
    Form and Time Frame to Meet Associates',
    Investors', and Board of Directors' (Governance)
    Needs

18
Infrastructure Evaluation: Hard Activities for
Soft Components
  • Management Culture: Code of Ethics, Human
    Resources Practices
  • Goals and Obstacles: Objectives, Financial
    Planning and Analysis, Hard-Coded Response
    Systems (Law, Finance, HR Department)
  • Communication and Information: Clear
    Authority/Responsibility Lines, Standard
    Financial Close/Reporting Practices, Disclosure
    Controls, Whistleblower Process, Open Door
    Policies

19
What Do COSO Components Mean?
  • Control Environment: Organization's Ethics, Tone
    at the Top, Management Philosophy and Style,
    Commitment to Competence = Management Culture
  • Risk Assessment: How the Organization Routinely
    Identifies and Manages Risks = Goals and Obstacles
  • Information and Communication: Identifying,
    Capturing, and Communicating Relevant Data in a
    Form and Time Frame to Meet Associates' Needs

20
Infrastructure Evaluation: Hard Activities for
Soft Components
  • Management Culture: Code of Ethics, Human
    Resources Practices
  • Goals and Obstacles: Objectives, Financial
    Planning and Analysis, Hard-Coded Response
    Systems (Law, Finance, HR Department)
  • Communication and Information: Clear
    Authority/Responsibility Lines, Standard
    Financial Close/Reporting Practices, Disclosure
    Controls, Whistleblower Process, Open Door
    Policies

21
Evaluation of How Well the Soft Components Are
Working
  • Possible Methods:
  • Internal Control Questionnaires
  • Control Self Assessments
  • Survey Employees; Management Assesses Survey
    Results

22
Company-wide Framework (diagram; only the labels survive):
Awareness, Identification, Surveys, Control Self
Assessments, Interviews, Knowledgeable Fact-based
Assertions, Complete Continuous Monitoring, Action
Plans, 404 Certifications
23
More Information on Survey Method
  • "Internal Reflections," The Internal Auditor,
    December 2002, pp. 56-63
  • Internal Audit's Role in Corporate Governance:
    Sarbanes-Oxley Compliance, IIA Website (IIARF
    Master Key)
  • ALLTel Control and Risk Assessment
  • El Paso Internal Control Assessment Survey

24
Control Activities
  • Ray Lukas, CPA
  • Director, Global Risk Management Solutions
  • PricewaterhouseCoopers

25
Control Activities
  • Control Activities:
  • Policies and procedures that ensure management
    directives are carried out.
  • A range of activities including approvals,
    authorizations, verifications, recommendations,
    performance reviews, asset security and
    segregation of duties.

26
Integration With Risk Assessment
  • Along with assessing risks, management should
    identify the actions needed to address identified
    risks.
  • These actions serve to focus attention on the
    control activities needed to ensure that the
    actions are carried out appropriately and in a
    timely manner.

27
Integration With Risk Assessment
  • Control activities are the means by which an
    enterprise strives to achieve its stated business
    objectives,
  • Control activities serve as the primary mechanism
    used by management to monitor performance to
    achieve business objectives, and
  • Control activities are more effective when built
    directly into the management process.

28
Types of Control Activities
  • Numerous types of control activities, including:
  • Preventive controls
  • Detective controls
  • Manual controls
  • Computer controls, and
  • Management controls
  • Control activities usually involve two distinct
    elements:
  • Policy that establishes what should be done,
    and
  • Procedures that entail specific actions to be
    taken to comply with the policy
  • An essential element of the control
    activities/procedures performed is that issues
    identified as a result of such procedures are
    investigated and appropriate corrective actions
    taken
29
Types of Control Activities
  • Control Activities are performed by personnel at
    various levels in the organization:
  • Top Level Review: Actual performance to budget
    and forecast
  • Direct Functional or Activity Management: daily,
    weekly and/or monthly review of performance by
    direct reports (supervisors/managers)
  • Information Processing: controls designed to
    check accuracy, completeness and authorization of
    transactions

30
Types of Control Activities
  • Control Activities are performed by personnel at
    various levels in the organization (continued):
  • Physical Controls: Physical security and
    periodic counting of hard assets (cash,
    inventory, equipment, etc.)
  • Performance Indicators: Analytical reviews,
    where differences are investigated and corrective
    actions taken, and
  • Segregation of Duties: Incompatible duties are
    separated among different people to reduce the risk
    of error or inappropriate actions

31
Application to Sarbanes 404
Control activity maturity levels (diagram, reconstructed
from the slide text):
  Unreliable   - Unpredictable environment where control
                 activities are not designed or in place
  Informal     - Control activities are designed and in
                 place but are not adequately documented
  Standardized - Control activities are designed, in
                 place and are adequately documented
  Monitored    - Standardized controls with periodic
                 testing for effective design and
                 operation with reporting to management
  Optimized    - Integrated internal controls with real
                 time monitoring by management and
                 continuous improvement
  • Level 1: Unreliable
  • Unpredictable environment where control
    activities are not designed or in place
  • Level 2: Informal
  • Disclosure Activities and Controls are designed
    and in place but are not adequately documented
  • Controls mostly dependent on people
  • No formal training or communication of control
    activities
  • Level 3: Standardized
  • Control activities are designed and in place
  • Control activities have been documented and
    communicated to employees
  • Deviations from control activities will likely
    not be detected
  • Level 4: Monitored
  • Standardized controls with periodic testing for
    effective design and operation with reporting to
    management
  • Automation and tools may be used in a limited way
    to support control activities
  • Level 5: Optimized
  • An integrated internal control framework with
    real time monitoring by management and
    continuous improvement (Enterprise Wide Risk
    Management)
  • Automation and tools are used to support control
    activities and allow the organization to make
    rapid changes to the control activities if needed

Management 404 Internal Control Assertion
32
Application to Sarbanes 404
33
Monitoring
  • Andrew Bellenkes, CPA
  • Senior Auditor
  • VF Corporation
34
COSO Model - Monitoring Component
  • Ongoing Monitoring - Management, supervisory, and
    other monitoring activities in the ordinary
    course of operations that assess the quality of
    internal controls
  • Separate Monitoring - Evaluation focusing directly
    on system effectiveness with a scope and frequency
    dependent on the assessment of risks and ongoing
    monitoring
  • Reporting Deficiencies - Upstream reporting of
    internal control deficiencies, with certain
    matters reported to top management and the board

35
SEC Final Ruling - Monitoring
Points of Focus...
  • Recognized control framework must be used as the
    basis of evaluation
  • Sufficient procedures to evaluate the design of,
    and to test, internal controls over financial
    reporting
  • Evidentiary matter must be maintained
  • Quarterly evaluation of changes to internal
    controls over financial reporting
  • Certifications mandated by Sections 302 and 906
    of the Sarbanes-Oxley Act as exhibits to annual,
    semi-annual and quarterly reports must be filed

36
Monitoring Component
  • VF Hybrid Model:
  • Goals and Objective Setting
  • Monitoring and Assessment
  • COSO Model:
  • Risk Assessment
  • Monitoring

37
Essential Elements of Effective Monitoring
  • Scope Changes
  • Evidentiary Support
    - SEC Rules
    - Archiving, Record Retention,
      Rollover to the Next Period
  • Training
  • Internal Audit's Role
  • Extent/Vigor of Quarterly Assessments

38
Roles in Monitoring Controls (diagram; only the
labels survive): Project Office, Internal Audit,
Asian Business Units, Domestic/Americas Business
Units, European Business Units, Corporate
Controller's Office
39
Roles in Monitoring Controls
Project Office/Internal Audit/Corporate
Controller's Office
  • Project Office
  • Corporate Communication
  • Training
  • Systems Administration (for internal controls
    documentation database used)
  • Internal Audit
  • Review of Self-Testing by the Business Units
  • Coordination and Performance of Testing (for
    external audit reliance, except for exempt areas)

40
Roles in Monitoring Controls
Project Office/Internal Audit/Corporate
Controller's Office
  • Corporate Controller's Office
  • Policies and Procedures Statements
  • Internal Control Design and Implementation
  • Technical Guidance

41
Roles in Monitoring Controls: the Organization
(org chart, reconstructed from the slide labels)
  • VF Risk Committee: Corporate CFO - Chair
  • Project Office: General Auditor, Corporate
    Controller, Internal Audit, Finance; issue
    resolution; ownership of final accounting
    determinations
  • External Advisory
  • Business Units, each with a BU Owner and a BU
    Coordinator: VF Intimates, VF Corporate, VF
    Jeanswear, VF Outdoor, VF Europe, VF Asia/GSO,
    VF Services FI/HR, VF Imagewear
  • VF IS/IT: BU Owner
  • Acquisition(s)?
42
Roles in Monitoring Controls: VF Europe
(org chart, reconstructed from the slide labels)
  • VF Risk Committee: Corporate CFO - Chair
  • Project Office: General Auditor, Corporate
    Controller, Internal Audit, Finance
  • VF Europe: BU Owner, BU Coordinator
  • Location Coordinators: UK, Italy, Belgium,
    Malta, Germany, Poland
43
Ongoing Monitoring
VF Methodology
  • Ongoing Business Unit testing
  • Integrated internal audit approach to test
    Business Unit compliance with Section 404 vs.
    stand-alone audits of Accounting and Financial
    Reporting internal controls
  • Quarterly certifications from Business Unit CFOs
    and CIOs

44
Summary
  • Analysis and assessment of soft controls is as
    critical as analysis and assessment of hard
    controls.
  • Need for evaluation of controls that span all five
    components of COSO.
  • Business unit management owns the monitoring
    function.