Title: Project Administration - Setting and revising priorities in the wake of the "Final 404 Rules"
1. Project Administration - Setting and revising
priorities in the wake of the "Final 404 Rules"
- The Institute of Internal Auditors
- Webcast Series on Sarbanes-Oxley
- Session 4, August 12, 2003
2. The IIA Webcast Moderator
- Jim Key, CIA
- Managing Partner
- Shenandoah Group, L.L.P
3. Disclaimer
- The views expressed in this webcast are solely
those of the panelists and moderators and do not
necessarily reflect the views or policies of the
Institute of Internal Auditors or its directors,
officers, employees and members.
4. Emerging Trends and Best Practices in
Implementing the Sarbanes-Oxley Act
- May 21 - Section 404 Readiness Review: How to
document your system of internal control
- June 10 - Helping your audit committee implement
complaint handling
- July 8 - Leveraging the COSO framework to meet
Section 404 requirements
- August 12 - Project Administration - Setting and
revising priorities in the wake of the "Final 404
Rules"
- September 9 - Internal Audit support of Audit
Committees - What works best
- September 30 - The Road Ahead - Meeting the
challenges in complying with The Sarbanes-Oxley
Act
Archive available online for one year and on CD
5. Agenda
1:00 - 1:05 Introduction and Overview - Jim Key
1:05 - 1:25 Management's Report on Internal
Control Over Financial Reporting - Sean Harrison
1:25 - 1:45 Preparing the 404 Work Plan - Kiko Harvey
and David Richards, Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions and Answers Panel
2:25 - 2:30 Concluding Remarks - Jim Key
6. Management's Report on Internal Control Over
Financial Reporting
Sean Harrison, Esquire, Special Counsel, Office
of Rule Making, Division of Corporate Finance, U.S.
Securities and Exchange Commission
7. Disclaimer
- As a matter of policy, the Securities and
Exchange Commission disclaims responsibility for
any private publication or statement of any of
its employees. The views expressed in this
presentation reflect the views of the author and
do not necessarily reflect those of the
Commission, the Commissioners, or other members
of the staff.
8. What is Internal Control Over Financial Reporting?
- The final rules define this term as:
- A process designed by, or under the supervision
of, the registrant's principal executive and
principal financial officers, or persons
performing similar functions, and effected by the
registrant's board of directors, management and
other personnel, to provide reasonable assurance
regarding the reliability of financial reporting
and the preparation of financial statements for
external purposes in accordance with generally
accepted accounting principles and includes those
policies and procedures that:
9. What is Internal Control Over Financial Reporting?
- Pertain to the maintenance of records that in
reasonable detail accurately and fairly reflect
the transactions and dispositions of the assets
of the registrant
10. What is Internal Control Over Financial Reporting?
- Provide reasonable assurance that transactions
are recorded as necessary to permit preparation
of financial statements in accordance with
generally accepted accounting principles, and
that receipts and expenditures of the registrant
are being made only in accordance with
authorizations of management and directors of the
registrant; and
11. What is Internal Control Over Financial Reporting?
- Provide reasonable assurance regarding prevention
or timely detection of unauthorized acquisition,
use or disposition of the registrant's assets
that could have a material effect on the
financial statements
12. Management Report Requirements
- A statement of management's responsibility for
establishing and maintaining adequate internal
control over financial reporting for the company
- A statement identifying the framework used by
management to evaluate the effectiveness of the
company's internal control over financial
reporting
13. Management Report Requirements
- Management's assessment of the effectiveness of
internal control over financial reporting as of
the end of the company's most recent fiscal year
and disclosure of any material weaknesses in such
control identified by management; if there is a
material weakness in the internal controls,
management cannot conclude that the controls are
effective; and
- A statement that the company's auditor has issued
an attestation report on management's assessment.
14. Framework for Management's Evaluation
- The new rules implicitly require management to
use a framework to evaluate the company's
internal control and to identify the framework in
the report.
- The rules do not prescribe the use of a
particular framework; however, the rules state
that the framework used must be a suitable,
recognized control framework established by a
body or group that has followed due-process
procedures, including broad distribution of the
framework for public comment.
15. Framework for Management's Evaluation
- The release states a suitable framework must:
- Be free from bias;
- Permit reasonably consistent qualitative and
quantitative measurements of a company's internal
control;
- Be sufficiently complete so that those relevant
factors that would alter a conclusion about the
effectiveness of a company's internal controls
are not omitted; and
- Be relevant to an evaluation of internal control
over financial reporting
16. Method of Evaluation
- The new rules do not specify a method or
procedures to be followed. However, the rules do
state that a company must maintain evidential
matter, including documentation, that provides
reasonable support for management's assessment of
effectiveness.
- This is an inherent element of effective internal
control and consistent with the internal
accounting control requirements under section
13(b)(2) of the Exchange Act.
17. Method of Evaluation
- Evidential matter includes documentation
regarding both the design of internal control and
the testing processes.
- This evidential matter should provide reasonable
support (1) for the evaluation of whether the
control is designed to prevent or detect material
misstatements or omissions; (2) for the
conclusion that the tests were appropriately
planned and performed; and (3) that the results
of the tests were appropriately considered.
18. Material Weaknesses in Internal Control Over
Financial Reporting
- Management cannot conclude that the company's
internal control over financial reporting is
effective if there is a material weakness in
such control. Any such material weakness must
also be specifically disclosed.
- The term "material weakness" has the meaning
under generally accepted auditing standards (or
GAAS), including the AICPA's Codification of
Statements on Auditing Standards Section 325.
19. Material Weaknesses in Internal Control Over
Financial Reporting
- It is possible that the PCAOB will modify the
definition of material weakness and significant
deficiency.
- It is also worth noting that on June 20, 2003 the
Auditing Standards Board (ASB) of the AICPA
submitted for the consideration of the PCAOB
recommendations for Professional Auditing
Standards that, among other things, recommended
changes to the definitions of significant
deficiency and material weakness.
20. Quarterly Evaluations
- Under the new rules, management will be required
to perform quarterly evaluations of changes that
have materially affected, or are reasonably
likely to have a material effect on, the
company's internal control over financial
reporting. If such a change occurred during a
company's fiscal quarter, the company will have
to disclose the change in its quarterly report.
21. Quarterly Evaluations
- This disclosure requirement replaces paragraph
(b) in existing Item 307 of Regulations S-K and
S-B regarding quarterly disclosure of changes in
internal controls and corrective actions and is
incorporated in new Item 308 of Regulations S-K
and S-B.
22. Quarterly Evaluations
- The new rules do not explicitly require
disclosure about the reasons for the change;
however, companies will have to determine, on a
facts and circumstances basis, whether the
reasons for the change, or other information
about the circumstances surrounding the change,
constitute material information necessary to make
the disclosures in the report not misleading.
23. Auditor Independence Issues
- Management and the company's outside auditor will
need to coordinate their processes of documenting
and testing internal control over financial
reporting.
- The adopting release reminded companies and their
auditors that the Commission's rules on auditor
independence prohibit an auditor from providing
certain nonaudit services to an audit client.
24. Auditor Independence Issues
- When the auditor is engaged to assist management
in documenting internal controls or preparing
evaluative tools, management must be actively
involved in the process. Management cannot
delegate its responsibility to assess its
internal control over financial reporting to the
auditor.
25. Compliance Dates
- A company must begin to comply with the
management report on internal control over
financial reporting disclosure requirements for
fiscal years ending on or after June 15, 2004, if
it is an accelerated filer, as defined in
Exchange Act Rule 12b-2, as of the end of its
first fiscal year ending on or after June 15,
2004.
26. Compliance Dates
- Companies that are non-accelerated filers,
including small business issuers and foreign
private issuers, must begin to comply with the
disclosure requirements in annual reports for
their first fiscal year ending on or after April
15, 2005.
27. Compliance Dates
- All companies must begin to comply with the
quarterly evaluation of changes to internal
control over financial reporting requirements for
their first periodic report due after the first
annual report that must include management's
report on internal control over financial
reporting.
28. Agenda
1:00 - 1:10 Introduction and Overview - Jim Key
1:10 - 1:20 Management's Report on Internal
Control Over Financial Reporting - Sean Harrison
1:20 - 1:40 Preparing the 404 Work Plan - Kiko Harvey
and David Richards, Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions and Answers Panel
2:25 - 2:30 Concluding Remarks - Jim Key
29. Dave Richards, CIA, CPA, Director, Internal
Auditing, FirstEnergy Corp.
30. Kiko Harvey, CPA, Director, Internal
Audit, Starbucks Corporation
31. Preparing the 404 Work Plan
32. Overview
- Step 1: Organize the Project Team /
Communicate
- Step 2: Set the Project Scope
- Step 3: Develop Tools
- Step 4: Documentation
- Step 5: Test and Evaluate Controls
- Step 6: Reporting
33. Step 1: Organize the Project Team / Communicate
34. FirstEnergy 404 Project Team Organization Chart
[Organization chart; box labels as extracted:]
- Disclosure Committee
- VP - Controller, CRO, CIO, VP - ED, General
Counsel, BU Controller
- Steering Committee
- Project Manager
- Director, IA
- Internal Auditing, Controller's, Business Unit
- 5 people, 1 person, 5 people
35. TRAINING
- Core Team
- 404 Requirements
- Co. Approach (process to be followed)
- Guidelines
- Documentation tool
- Process Owner
- Process members (extended team)
- Steering Committee
- Audit Committee
- Disclosure Committee
36. SOA 404 Annual Control Assessment Process
High level overview
Financial Statements
Processes
Risk Control Matrix (draft)
Process Assessment Team
Materiality Guidelines
Risk Guidelines
37. SOA 404 Annual Control Assessment Process
ICW
GAPS
Corrective action
No Gaps
Design Assessment
Workshop(s) to confirm Matrix
Workshop Guidelines
38. SOA 404 Annual Control Assessment Process
ICW
GAPS
Corrective action
Testing to confirm controls
No Gaps
Testing Results Assessment
Overall assessments statements
Testing Guidelines
Test Plan
39. Step 2: Scope the Project
- Identify cycles that drive financial statement
information
- Identify other key processes critical to the
company's success
- Map out significant transactions for each cycle
and business process to form the basis for
documenting controls
40. Step 2: Scope the Project
Example
Cycles / Transactions
Revenue Transactions
- Authorize Credit
- Maintain Customer Files
- Invoicing
- Collecting
- Analyzing Bad Debt
Key Processes
Retail Operations
- Hiring, Training and Scheduling Employees
- Point of Sale Maintenance
- Merchandising Promotions
- Sales and Cash Audit
- Inventory Asset Management
41. Step 2: Scope the Project
- Map financial statement components to cycles and
key processes
- Identify locations having a significant impact on
the financial reporting environment for testing
- Set materiality guidelines for balance sheet and
P&L (i.e. assets, EPS impact)
- Introduce project to remote accounting locations
selected for testing
42. Step 3: Develop Tools
- Determine how you will organize the documentation;
consider using special-purpose software (COSO
based)
- Develop checklists
- Control self-assessment questionnaires
- Policies and procedures surveys
- Segregation of duty templates
43. Step 4: Documentation
- Collect and inventory existing internal control
documentation for cycles and key processes
identified in scoping activity
- Distribute checklists to new locations or where
information requires update
- Using the COSO documentation tool, document
controls for all transaction cycles and key
processes in a controls repository; replicate
for locations selected for testing
44. Step 4: Documentation
Example: Organization of Controls Repository
Transaction
- Identified during scoping phase (by cycle and key
process)
- Map to financial statement accounts,
disclosures, footnotes, etc.
Identify Risk
- Identify risks for each transaction based on
financial statement assertions (existence,
accuracy, completeness, etc.)
Identify Control
- Document key control activities for each risk
identified
- Determine if preventive or detective in nature
- Determine if automated or manual
- Frequency of control activity (daily,
monthly, quarterly)
45. Step 5: Test and Evaluate Controls - Testing
Guidance
- Testing definition
- Objectives for testing
- Methods (options) for testing
- How to determine proper test
- Expectations of results of test
- Which controls to test (ID Key control)
- Documentation
46. Step 5: Test and Evaluate Controls - Testing
Guidance
- Evaluation (expectations vs. results)
- Frequency of testing
- Who performs the test
- Determination of gaps
- Action plans
- Identification of deficiency, significant
deficiency or material weakness
- Retesting
47. Control Activity / Technique
Deficiency
Significant Deficiency
Multiple Control Activities
COSO Financial Control Objective not met
Material Weakness
48. Control Objectives: COSO Financial Statement
Assertions
1. Existence / Occurrence
2. Completeness
3. Measurement / Valuation
4. Rights and Obligations Recorded
5. Proper Classification and Disclosures
6. Safeguarding of Assets
7. Fraud Prevention / Detection
49. Deficiency
- Design gap or Operational gap
- Missing control (design)
- Control objective not met (design)
- Control not present (operational)
- Control not operating as designed (operational)
- Control cannot be confirmed (operational)
- Inconsistent application (person performing
control not qualified) (operational)
50. Payroll Process
51. Significant Deficiency
- Frequency of deficiencies noted
- Errors in multiple controls tied to key risk
- More than one control activity contains testing
errors beyond expectations
- Control objective key risks are mitigated but
only because one control activity has tested ok
vs. all controls tied to the risk
52. Property Accounting
53. Material Weakness
- Key risks (HH) tied to control objective not
mitigated
- Control objective cannot be achieved
- All controls designed to mitigate a risk have
deficiencies
- Significant material transactions flow through
the process (10,000,000)
54. Account Mapping to Material Accounts Processes
Process: Zainet Deal Capture
Control Objective 2: Completeness of transactions
Key Risk 2.1: Transactions may be inaccurately
recorded
Control Activity 2.1.4: Confirmation process
used to ensure deals are captured complete
Test: Select 30 transactions over test period;
compare confirms to Zainet data (9
characteristics)
Expectation: all deals will be confirmed with
all 9 characteristics matching
55. Step 6: 404 Reporting
- Team meeting agendas and minutes
- Assignments
- Monthly report
- Steering Committee meetings
- Disclosure Committee meetings
- Updates to Audit Committee
- Updates to Senior Management (CEO, CFO,
President, Key VPs)
- External Financial Audit Team
56. Agenda
1:00 - 1:10 Introduction and Overview - Jim Key
1:10 - 1:20 Management's Report on Internal
Control Over Financial Reporting - Sean Harrison
1:20 - 1:40 Preparing the 404 Work Plan - Kiko Harvey
and David Richards, Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions and Answers Panel
2:25 - 2:30 Concluding Remarks - Jim Key
57. Summary
- Interpretation of SEC Rules is subjective
- Check SEC website www.sec.gov regularly for
regulatory actions
- Approach 404 management assessment of internal
controls as a major project
- Apply project management disciplines to ensure
compliance
58. The IIA Webcast Moderator
- Jim Key, CIA
- Managing Partner
- Shenandoah Group, L.L.P