Project Administration - Setting and revising priorities in the wake of the "Final 404 Rules" - PowerPoint PPT Presentation


1
Project Administration - Setting and revising
priorities in the wake of the "Final 404 Rules"
  • The Institute of Internal Auditors
  • Webcast Series on Sarbanes-Oxley
  • Session 4 August 12, 2003

2
The IIA Webcast Moderator
  • Jim Key, CIA
  • Managing Partner
  • Shenandoah Group, L.L.P

3
Disclaimer
  • The views expressed in this webcast are solely
    those of the panelists and moderators and do not
    necessarily reflect the views or policies of the
    Institute of Internal Auditors or its directors,
    officers, employees and members.

4
Emerging Trends and Best Practices in
Implementing the Sarbanes-Oxley Act
  • May 21 - Section 404 Readiness Review How to
    document your system of internal control
  • June 10 - Helping your audit committee implement
    complaint handling
  • July 8 - Leveraging the COSO framework to meet
    Section 404 requirements
  • August 12 - Project Administration - Setting and
    revising priorities in the wake of the "Final 404
    Rules"
  • September 9 - Internal Audit support of Audit
    Committees - What works best
  • September 30 - The Road Ahead - Meeting the
    challenges in complying with The Sarbanes-Oxley
    Act

Archive available online for one year and on CD
5
Agenda
1:00 - 1:05 Introduction and Overview - Jim Key
1:05 - 1:25 Management's Report on Internal Control Over Financial Reporting - Sean Harrison
1:25 - 1:45 Preparing the 404 Work Plan - Kiko Harvey & David Richards (Combined Presentation)
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers Panel
2:25 - 2:30 Concluding Remarks - Jim Key
6
Management's Report on Internal Control Over
Financial Reporting
Sean Harrison, Esquire
Special Counsel, Office of Rule Making
Division of Corporate Finance
U.S. Securities and Exchange Commission
7
Disclaimer
  • As a matter of policy, the Securities and
    Exchange Commission disclaims responsibility for
    any private publication or statement of any of
    its employees. The views expressed in this
    presentation reflect the views of the author and
    do not necessarily reflect those of the
    Commission, the Commissioners, or other members
    of the staff.

8
What is Internal Control Over Financial Reporting?
  • The final rules define this term as:
  • A process designed by, or under the supervision
    of, the registrant's principal executive and
    principal financial officers, or persons
    performing similar functions, and effected by the
    registrant's board of directors, management and
    other personnel, to provide reasonable assurance
    regarding the reliability of financial reporting
    and the preparation of financial statements for
    external purposes in accordance with generally
    accepted accounting principles, and includes those
    policies and procedures that:

9
What is Internal Control Over Financial Reporting?
  • Pertain to the maintenance of records that in
    reasonable detail accurately and fairly reflect
    the transactions and dispositions of the assets
    of the registrant

10
What is Internal Control Over Financial Reporting?
  • Provide reasonable assurance that transactions
    are recorded as necessary to permit preparation
    of financial statements in accordance with
    generally accepted accounting principles, and
    that receipts and expenditures of the registrant
    are being made only in accordance with
    authorizations of management and directors of the
    registrant; and

11
What is Internal Control Over Financial Reporting?
  • Provide reasonable assurance regarding prevention
    or timely detection of unauthorized acquisition,
    use or disposition of the registrant's assets
    that could have a material effect on the
    financial statements

12
Management Report Requirements
  • A statement of management's responsibility for
    establishing and maintaining adequate internal
    control over financial reporting for the company
  • A statement identifying the framework used by
    management to evaluate the effectiveness of the
    company's internal control over financial
    reporting

13
Management Report Requirements
  • Management's assessment of the effectiveness of
    internal control over financial reporting as of
    the end of the company's most recent fiscal year
    and disclosure of any material weaknesses in such
    control identified by management. If there is a
    material weakness in the internal controls,
    management cannot conclude that the controls are
    effective; and
  • A statement that the company's auditor has issued
    an attestation report on management's assessment.

14
Framework for Management's Evaluation
  • The new rules implicitly require management to
    use a framework to evaluate the company's
    internal control and to identify the framework in
    the report.
  • The rules do not prescribe the use of a
    particular framework; however, the rules state
    that the framework used must be a suitable,
    recognized control framework established by a
    body or group that has followed due-process
    procedures, including broad distribution of the
    framework for public comment.

15
Framework for Management's Evaluation
  • The release states a suitable framework must:
  • Be free from bias
  • Permit reasonably consistent qualitative and
    quantitative measurements of a company's internal
    control
  • Be sufficiently complete so that those relevant
    factors that would alter a conclusion about the
    effectiveness of a company's internal controls
    are not omitted; and
  • Be relevant to an evaluation of internal control
    over financial reporting

16
Method of Evaluation
  • The new rules do not specify a method or
    procedures to be followed. However, the rules do
    state that a company must maintain evidential
    matter, including documentation, that provides
    reasonable support for management's assessment of
    effectiveness.
  • This is an inherent element of effective internal
    control and consistent with the internal
    accounting control requirements under section
    13(b)(2) of the Exchange Act.

17
Method of Evaluation
  • Evidential matter includes documentation
    regarding both the design of internal control and
    the testing processes.
  • This evidential matter should provide reasonable
    support (1) for the evaluation of whether the
    control is designed to prevent or detect material
    misstatements or omissions; (2) for the
    conclusion that the tests were appropriately
    planned and performed; and (3) that the results
    of the tests were appropriately considered.

18
Material Weaknesses in Internal Control Over
Financial Reporting
  • Management cannot conclude that the company's
    internal control over financial reporting is
    effective if there is a material weakness in
    such control. Any such material weakness must
    also be specifically disclosed.
  • The term "material weakness" has the meaning
    under generally accepted auditing standards (or
    GAAS), including the AICPA's Codification of
    Statements on Auditing Standards Section 325.

19
Material Weaknesses in Internal Control Over
Financial Reporting
  • It is possible that the PCAOB will modify the
    definition of material weakness and significant
    deficiency.
  • It is also worth noting that on June 20, 2003 the
    Auditing Standards Board (ASB) of the AICPA
    submitted for the consideration of the PCAOB
    recommendations for Professional Auditing
    Standards, that among other things, recommended
    changes to the definitions of significant
    deficiency and material weakness.

20
Quarterly Evaluations
  • Under the new rules, management will be required
    to perform quarterly evaluations of changes that
    have materially affected, or are reasonably
    likely to have a material effect on, the
    company's internal control over financial
    reporting. If such a change occurred during a
    company's fiscal quarter, the company will have
    to disclose the change in its quarterly report.

21
Quarterly Evaluations
  • This disclosure requirement replaces paragraph
    (b) in existing Item 307 of Regulations S-K and
    S-B regarding quarterly disclosure of changes in
    internal controls and corrective actions and is
    incorporated in new Item 308 of Regulations S-K
    and S-B.

22
Quarterly Evaluations
  • The new rules do not explicitly require
    disclosure about the reasons for the change;
    however, companies will have to determine, on a
    facts and circumstances basis, whether the
    reasons for the change, or other information
    about the circumstances surrounding the change,
    constitute material information necessary to make
    the disclosures in the report not misleading.

23
Auditor Independence Issues
  • Management and the company's outside auditor will
    need to coordinate their processes of documenting
    and testing internal control over financial
    reporting.
  • The adopting release reminded companies and their
    auditors that the Commission's rules on auditor
    independence prohibit an auditor from providing
    certain nonaudit services to an audit client.

24
Auditor Independence Issues
  • When the auditor is engaged to assist management
    in documenting internal controls or preparing
    evaluative tools, management must be actively
    involved in the process. Management cannot
    delegate its responsibility to assess its
    internal control over financial reporting to the
    auditor.

25
Compliance Dates
  • A company must begin to comply with the
    management report on internal control over
    financial reporting disclosure requirements for
    fiscal years ending on or after June 15, 2004, if
    it is an accelerated filer, as defined in
    Exchange Act Rule 12b-2, as of the end of its
    first fiscal year ending on or after June 15,
    2004.

26
Compliance Dates
  • Companies that are non-accelerated filers,
    including small business issuers and foreign
    private issuers, must begin to comply with the
    disclosure requirements in annual reports for
    their first fiscal year ending on or after April
    15, 2005.

27
Compliance Dates
  • All companies must begin to comply with the
    quarterly evaluation of changes to internal
    control over financial reporting requirements for
    their first periodic report due after the first
    annual report that must include management's
    report on internal control over financial
    reporting.

28
Agenda
1:00 - 1:10 Introduction and Overview - Jim Key
1:10 - 1:20 Management's Report on Internal Control Over Financial Reporting - Sean Harrison
1:20 - 1:40 Preparing the 404 Work Plan - Kiko Harvey & David Richards (Combined Presentation)
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers Panel
2:25 - 2:30 Concluding Remarks - Jim Key
29
Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corp.
30
Kiko Harvey, CPA
Director, Internal Audit
Starbucks Corporation
31
Preparing the 404 Work Plan
  • A Step-by-Step Process

32
Overview
  • Step 1: Organize the Project Team /
    Communicate
  • Step 2: Set the Project Scope
  • Step 3: Develop Tools
  • Step 4: Documentation
  • Step 5: Test and Evaluate Controls
  • Step 6: Reporting

33
Step 1: Organize the Project Team / Communicate
34
FirstEnergy 404 Project Team Organization Chart
Disclosure Committee
VP - Controller, CRO, CIO, VP - ED, General Counsel, BU Controller
Steering Committee
Project Manager
Director, IA
Internal Auditing
Controller's
Business Unit
5 people
1 person
5 people
35
TRAINING
  • Core Team
  • 404 Requirements
  • Co. Approach (process to be followed)
  • Guidelines
  • Documentation tool
  • Process Owner
  • Process members (extended team)
  • Steering Committee
  • Audit Committee
  • Disclosure Committee

36
SOA 404 Annual Control Assessment Process
High level overview
Financial Statements
Processes
Risk Control Matrix (draft)
Process Assessment Team
Materiality Guidelines
Risk Guidelines
37
SOA 404 Annual Control Assessment Process
ICW
GAPS
Corrective action
No Gaps
Design Assessment
Workshop(s) to confirm Matrix
Workshop Guidelines
38
SOA 404 Annual Control Assessment Process
ICW
GAPS
Corrective action
Testing to confirm controls
No Gaps
Testing Results Assessment
Overall assessments statements
Testing Guidelines
Test Plan
39
Step 2: Scope the Project
  • Identify cycles that drive financial statement
    information
  • Identify other key processes critical to the
    company's success
  • Map out significant transactions for each cycle
    and business process to form the basis for
    documenting controls

40
Step 2: Scope the Project
Example: Cycles & Transactions
  • Cycle: Revenue
  • Transactions: Authorize Credit; Maintain Customer
    Files; Invoicing; Collecting; Analyzing Bad Debt
Example: Key Processes & Transactions
  • Key Process: Retail Operations
  • Transactions: Hiring, Training & Scheduling
    Employees; Point of Sale Maintenance;
    Merchandising & Promotions; Sales and Cash Audit;
    Inventory & Asset Management
41
Step 2: Scope the Project
  • Map financial statement components to cycles and
    key processes
  • Identify locations having a significant impact on
    the financial reporting environment for testing
  • Set materiality guidelines for balance sheet and
    P&L (i.e. assets, EPS impact)
  • Introduce project to remote accounting locations
    selected for testing

42
Step 3: Develop Tools
  • Determine how you will organize the documentation;
    consider using special purpose software (COSO
    based)
  • Develop checklists
  • Control self-assessment questionnaires
  • Policies and procedures surveys
  • Segregation of duty templates

43
Step 4: Documentation
  • Collect and inventory existing internal control
    documentation for cycles and key processes
    identified in scoping activity
  • Distribute checklists to new locations or where
    information requires update
  • Using the COSO documentation tool, document
    controls for all transaction cycles and key
    processes in a controls repository; replicate
    for locations selected for testing

44
Step 4: Documentation
Example: Organization of Controls Repository
  • Transaction: Identified during scoping phase (by
    cycle and key process). Map to financial
    statement accounts, disclosures, footnotes, etc.
  • Identify Risk: Identify risks for each transaction
    based on financial statement assertions
    (existence, accuracy, completeness, etc.)
  • Identify Control: Document key control activities
    for each risk identified. Determine if preventive
    or detective in nature. Determine if automated or
    manual. Frequency of control activity (daily,
    monthly, quarterly).
45
Step 5: Test and Evaluate Controls - Testing
Guidance
  • Testing definition
  • Objectives for testing
  • Methods (options) for testing
  • How to determine proper test
  • Expectations of results of test
  • Which controls to test (ID Key control)
  • Documentation

46
Step 5: Test and Evaluate Controls - Testing
Guidance
  • Evaluation (expectations vs. results)
  • Frequency of testing
  • Who performs the test
  • Determination of gaps
  • Action plans
  • Identification of deficiency, significant
    deficiency or material weakness
  • Retesting

47
Control Activity / Technique
Deficiency
Significant Deficiency
Multiple Control Activities
COSO Financial Control Objective not met
Material Weakness
48
Control Objectives: COSO Financial Statement
Assertions
1. Existence / Occurrence
2. Completeness
3. Measurement / Valuation
4. Rights & Obligations Recorded
5. Proper Classification & Disclosures
6. Safeguarding of Assets
7. Fraud Prevention / Detection
49
Deficiency
  • Design gap or Operational gap
  • Missing control (design)
  • Control objective not met (design)
  • Control not present (operational)
  • Control not operating as designed (operational)
  • Control cannot be confirmed (operational)
  • Inconsistent application (person performing
    control not qualified) (operational)

50
Payroll Process
51
Significant Deficiency
  • Frequency of deficiencies noted
  • Errors in multiple controls tied to key risk
  • More than one control activity contains testing
    errors beyond expectations
  • Control objective key risks are mitigated but
    only because one control activity has tested ok
    vs. all controls tied to the risk

52
Property Accounting
53
Material Weakness
  • Key risks (HH) tied to control objective not
    mitigated
  • Control objective cannot be achieved
  • All controls designed to mitigate a risk have
    deficiencies
  • Significant material transactions flow through
    the process (10,000,000)

54
Account Mapping to Material Accounts & Processes
Process: Zainet Deal Capture
Control Objective 2: Completeness of transactions
Key Risk 2.1: Transactions may be inaccurately recorded
Control Activity 2.1.4: Confirmation process used to ensure deals are captured complete
Test: Select 30 transactions over test period; compare confirms to Zainet data (9 characteristics)
Expectation: all deals will be confirmed with all 9 characteristics matching
55
Step 6: 404 Reporting
  • Team meeting agendas & minutes
  • Assignments
  • Monthly report
  • Steering Committee meetings
  • Disclosure Committee meetings
  • Updates to Audit Committee
  • Updates to Senior Management (CEO, CFO,
    President, Key VPs)
  • External Financial Audit Team

56
Agenda
1:00 - 1:10 Introduction and Overview - Jim Key
1:10 - 1:20 Management's Report on Internal Control Over Financial Reporting - Sean Harrison
1:20 - 1:40 Preparing the 404 Work Plan - Kiko Harvey & David Richards (Combined Presentation)
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers Panel
2:25 - 2:30 Concluding Remarks - Jim Key
57
Summary
  • Interpretation of SEC Rules is subjective
  • Check SEC website www.sec.gov regularly for
    regulatory actions
  • Approach 404 management assessment of internal
    controls as major project
  • Apply project management disciplines to ensure
    compliance

58
The IIA Webcast Moderator
  • Jim Key, CIA
  • Managing Partner
  • Shenandoah Group, L.L.P