Balancing SOX with Risk Based Audit Planning - PowerPoint PPT Presentation

About This Presentation
Title:

Balancing SOX with Risk Based Audit Planning

Description:

Peg Weir, United States Postal Service. Break. Q & A. Balancing. SOX with ... United States Postal Service. 21. Independent government entity. Self-sustaining ... – PowerPoint PPT presentation

Slides: 32
Provided by: lorion

Transcript and Presenter's Notes

Title: Balancing SOX with Risk Based Audit Planning


1
Balancing SOX with Risk Based Audit Planning
  • The Institute of Internal Auditors, March 9, 2004

Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corporation
2
Balancing SOX with Risk Based Audit Planning
  • Introduction & Overview
  • Dave Richards, FirstEnergy
  • Finding the Balance
  • Brian Appleton, National Penn Bancshares
  • Year 2 Audit Planning
  • Carl Balderson, Pinnacle West Capital
  • Balancing Issues for Large Shops
  • Peg Weir, United States Postal Service
  • Break
  • Q & A

3
Key Balancing Issues
  • 1. Involvement in SOX 404 Work
  • 2. Expectations of AC & Sr. Mgt
  • 3. Risk Model Impacts
  • 4. Emphasis on Financial Audits
  • 5. Increased IT General Controls Topics
  • 6. Using 404 Results to Drive Audits
  • 7. Dealing with SOX Issues
  • 8. Impact on External Auditor Relationship &
    Work Support

4
Key Balancing Issues
  • 9. Using 404 Model for Operational &
    Compliance Topics
  • 10. Staff Productivity Enhancements
  • 11. IAD Tools for Control Assessments
  • 12. Rotation of Audit Topics???
  • 13. Building on SOX 404 Work
  • 14. IAD Customer Relationships
  • 15. Impact on Audit Contingency
  • 16. Internal Control Opinions in Audits

5
Finding the Balance
  • Brian T. Appleton, CIA, MBA, CDP
  • Executive Vice President
  • Director of Internal Audit
  • National Penn Bancshares

6
Overview of Company
  • Company Size
  • Audit Division
  • Client Focused Philosophy
  • Process Owner Class

7
Status of 404
  • Tone at the top
  • How 404 is implemented makes a difference
  • High level risk-assessment completed
  • Documentation phase in progress

8
Balance
  • Identify the coordinating scheme
  • Complement, not supplement
  • Be flexible and creative
  • Focus your scope
  • Standardize the documentation
  • Take a closer look at opportunities
  • Management
  • Audit

9
Impact on Internal Clients
  • Creates a more sophisticated clientele
  • Fosters uniformity in structure
  • Increases accountability for results
  • Promotes process ownership by management

10
Impact on Audit Approach
  • Enhance auditor knowledge
  • Career growth opportunity
  • Role of auditors as facilitators
  • Expansion of skill set to educator
  • Springboard effect
  • Operational and compliance audits
  • Control Self Assessment
  • Enterprise Risk Management

11
Benefit to Audit Committee
  • Stronger assurance of controls
  • Create new metrics
  • Published accountability through sign-offs

12
Summary
  • Identify the changes, find a balance
  • Allocate resources early
  • Sell the benefit to the company
  • Find and publish the positives
  • Think of SOX 404 as complementing audit coverage

13
Year 2 Audit Planning
  • Carl Balderson, CIA, CPA, CFE
  • Director of Audit Services
  • Pinnacle West Capital Corporation

14
Driving Change
  • Re-balancing is continued evolution
  • Changed audit committee expectations
  • Changed management expectations

15
Impacts of SOX
  • Increase management awareness of internal
    controls
  • Audit customer responsiveness
  • Greater emphasis on IT auditing
  • Verify quarterly review for IC changes

16
Planning Steps
  • Risk based planning with pre-SOX methodology
  • What we Think is needed for SOX
  • Follow-up open issues
  • Test changed process documentation
  • Test Key controls
  • Integrate to avoid duplication
  • Alternate depth of efforts with future years
  • Allocate available resources

17
Productivity Initiatives
  • Automated Work Papers
  • Productive Time Targets
  • Emphasize Project Budgets
  • In-house and Local Training

18
Contingency Planning
  • Small number of hours unallocated
  • Renewed emphasis on Stop & Go auditing
  • Administrative assistant/secretary vs.
    para-professional auditor
  • Be more selective in what we address

19
Driving Long-Term Value
  • Integrate SOX compliance and risk management
    processes
  • Examine risk management processes for efficiency
  • Documentation of new systems
  • Integrate SOX documentation with business
    resumption plans
  • Utilize documentation for training

20
Balancing Issues for Large Shops
  • Margaret (Peg) Weir
  • Manager, Internal Control Group
  • United States Postal Service

21

United States Postal Service
  • Independent government entity
  • Self-sustaining
  • Annual operating revenue +/- 70B
  • Second largest civilian employer
  • 38,000 Post Offices
  • Office of Inspector General

22
Internal Control Group
  • CFO vision
  • Established ICG organization
  • Complements OIG function
  • End-to-end process
  • Looks for efficiencies and risks of inefficiencies

23
Internal Audit-Internal Control
Policy vs. Process
  • Internal Audit - Financial Statements fairly
    represent operations
  • Monies
  • Expenses
  • Work hours
  • Assets
  • Internal Control - Reasonable Assurance
    achievement of fundamental business goals
  • Reliability
  • Exist, effective, efficient
  • Compliance with laws/regulations

24
Internal Control Group
  • Identify risk through data and process analysis
  • Partner with process owner to mitigate
    prioritized risk
  • Analyze trends and indicators
  • Conduct internal control reviews
  • Develop improved controls to meet goals and
    objectives

25
Sarbanes-Oxley Act
  • Voluntarily adopting parts of Section 404
  • Makes good business sense

26
Internal Control Group
  • Senior management provides direction and
    oversight
  • Focus based on
  • Guidance
  • Risk analysis
  • Risk prioritization
  • Resources support mandate

27
Internal Control Group
  • Enterprise-wide from corporate to local
  • Interdependencies vs. stovepipes
  • Partnership with process owners
  • Data driven
  • Targeted reviews
  • Standardized approach using COSO framework
  • Root causes
  • Meaningful recommendations to improve controls
  • Reasonable assurance goals & objectives will be
    met

28
Internal Control Group Status
  • Implemented preliminary activities of COSO
    framework
  • Adjusted as lessons learned
  • Developing additional training
  • Enhancing the analytical reporting tool

29
Internal Control Group
  • Internal Control Group complements internal audit
    process
  • Internal Control Group supports performance-based
    culture
  • Internal Control Group establishes foundation for
    long-term enterprise-wide improvements and
    efficiencies
  • Internal Control Group is dynamic & evolving

30
Conclusions
  • SOX 404 WILL IMPACT what we do
  • What impact it has must be managed
  • Upfront drivers for impact must be understood
  • Changes in approach, scope, results &
    expectations must be communicated
  • AC, Sr. Mgt. & IAD Customers must recognize the
    impact on identifying & performing work
  • IAD must be more productive to meet this
    challenge
  • External Auditor relationship must be managed

31
Next Webcast
  • April 13, 2004
  • Strategies for Internal & External
    Relationships
  • See you at our next webcast!