Controls & Compliance: Rounding the Turn - PowerPoint PPT Presentation

Slides: 47
Provided by: JCM
Transcript and Presenter's Notes

1
Controls & Compliance: Rounding the Turn
The Institute of Internal Auditors, September 14, 2004
  • Ed Dudley, CIA, CPA
  • Retired Vice-President & General Auditor, ABB
    Americas

2
Agenda
  • Introduction & Key Issues For Today: Ed Dudley
  • SOX Lessons Learned: Dan Langer
  • Integration of SOX 302 and 404: Brian Appleton
  • SAS 70 Considerations for SOX 404: Nathan Prather
  • Break
  • Q & A
  • Summary of Main Points: Ed Dudley

3
Key Controls Compliance Issues for Today
  • Approach to convergent regulatory challenges
  • Process Improvements
  • Technology Infrastructure Enhancements
  • Improvements in Leadership
  • Inventorying in 302/404

4
Key Controls Compliance Issues for Today
  • Role Clarifications in SOX 302/404
  • Software Utilization in SOX 302/404
  • Resource Issues in SOX 302/404
  • Inventorying Service Organizations/Specialists in
    SAS 70

5
Key Controls Compliance Issues for Today
  • Understanding/Evaluating Significance in SAS 70
  • Evaluating Evidence in SAS 70

6
Controls & Compliance: Rounding the Turn
SOX Lessons Learned
  • Daniel B. Langer, CPA, CIA, CCSA
  • Solutions Director, Internal Audit and Controls
  • Jefferson Wells International

7
10-Step Program for Clarity and Sustainability
  • Four Main Categories
      • Efficient and better organized approach to
        convergent regulatory challenges
      • Process improvements
      • Technology infrastructure enhancements
      • Leadership improvements
  • Helpful reference resources

8
10-Step Program for Clarity and Sustainability
  • 1) Established Post-404 Compliance Infrastructure
      • Improved/strengthened internal audit department
      • Full-time/dedicated ongoing compliance team,
        Steering Committee, and external resources where
        appropriate
      • Formally trained process owners
      • Instituted ongoing risk-assessment strategy
      • Established desk-top procedures and sub-process
        certifications

9
10-Step Program for Clarity and Sustainability
  • 2) Beware of too many internal controls
      • Excessive detail when documenting internal
        controls
      • Try to replace multiple ineffective controls with
        one effective control
  • 3) Excessive detail when documenting internal
    controls
      • Use external auditor formulas as a guide
      • Evaluate as the attestation process progresses

10
10-Step Program for Clarity and Sustainability
  • 4) Strive for the right Tone at the Top
      • Focus
      • Direction
      • Top management commitment to good
        governance-related control compliance
      • Proactive education and awareness
  • 5) Side-step confusion related to IT and internal
    controls
      • Assess system access controls as users are
        promoted, transferred, or leave the company
      • Properly define and document SOX-related controls
        (not all IT controls)

11
10-Step Program for Clarity and Sustainability
  • 6) Make the right compliance software investment
      • To date quality has been spotty, has not met
        organization needs, and/or implementation
        resources have been inadequate
      • Revisit as sustaining organization needs are
        defined

12
10-Step Program for Clarity and Sustainability
  • 7) Manage external auditor demands
      • Avoid time-consuming attestation reviews
      • Ensure they provide proper resources on your
        reviews
      • Manage expectations/establish position on:
          • Materiality levels
          • Key accounts
          • Number of controls

13
10-Step Program for Clarity and Sustainability
  • 8) Address external service provider key controls
      • Focus:
          • Strength of service provider
          • Adequacy of documentation
          • Pooled review with other customers
  • 9) Consider compliance in the context of
    governance and risk management
      • Ongoing process of enterprise-level risk
        assessment

14
10-Step Program for Clarity and Sustainability
  • 10) Properly staff the Internal Audit function
      • Proper mix of industry, financial, operational,
        and technology practice experience and expertise

15
  • So, how best can Internal Audit effectively
    participate in improving the reporting process
    towards better governance and sustainable control
    compliance?

16
Internal Auditor's Role
  • Educate all levels about controls
  • Ongoing assessment of the Tone at the Top
  • Facilitate Board, key management, and external
    auditor involvement in communication of
    strengthened control expectations
  • Provide objective and independent participation
    in controls documentation, testing and assessment
    process
  • Analyze and evaluate causes of company-wide
    non-compliance issues, whether systemic or isolated
  • Conduct regular KPI monitoring
  • Facilitate cost-beneficial design modifications
    to achieve control
  • Evaluate effectiveness of corrective actions on
    an enterprise-wide basis

17
Internal Auditor's Role
  • Ask yourself good questions:
      • Would you have prepared the financials in the
        same manner?
      • Was there full disclosure had you been an
        investor?
      • Are internal audit procedures the same as if you
        were CEO?
      • Are there any activities to move revenue or
        expenses from period to period?

(Warren Buffett, Berkshire Hathaway)
18
Governance Organizations
  • www.theiia.org - Institute of Internal Auditors
  • www.pcaobus.org - Public Company Accounting
    Oversight Board
  • www.coso.org - Committee of Sponsoring
    Organizations
  • www.nyse.com - New York Stock Exchange
  • www.nacdonline.org - National Association of
    Corporate Directors
  • www.issproxy.com - Institutional Shareholder
    Services
  • www.ecgi.org - European Corporate Governance
    Institute
  • www.icgn.org - International Corporate Governance
    Network
  • www.asx.com.au/ - Australian Stock Exchange
  • www.oecd.org - Organization for Economic
    Co-operation and Development
  • www.ifac.org - International Federation of
    Accountants
  • www.icaew.co.uk - Institute of Chartered
    Accountants in England and Wales
  • www.oceg.org - Open Compliance and Ethics Group

19
Integration of SOX 302 & 404
  • Brian T. Appleton, CIA, MBA, CDP
  • Director of Internal Audit, National Penn Bancshares

20
This is the Time
  • Take an inventory
  • Budget considerations
  • Role clarification
  • Software utilization
  • Human resources
  • Integration

21
Take an Inventory
  • Review SOX 302 & 404 methodology
  • Overlay risk-based work with SOX 302 & 404 work
  • Give full consideration to SOX 302 & 404 in the
    annual risk analysis
  • Minimum: a tentative 2005 audit plan

22
Budget Considerations
  • Schedule resource needs
  • Do not understate resource needs
  • Educate Audit Committee, CEO, and Executives on
    needs
  • Manage your resource network

23
Role Clarification
  • Identify roles for ongoing Sarbanes-Oxley
    compliance. Include other company initiatives,
    such as CSA or ERM, in the matrix.
  • Consider forming a transition team
  • Revisit your resource needs calculation and
    encourage management to do the same.

24
Software Utilization
  • Business need or purpose
  • Tracking
  • Maintenance
  • Infrastructure compatibility
  • Cost benefit
  • Implementation plan

25
Human Resources
  • Leadership
  • Continual improvement
  • Staff development
  • Customer satisfaction
  • Audit results
  • Key performance indicators
  • Standards

26
Integration
  • Range of integration varies
  • What are other companies doing?

27
Summary
  • Inventory and integrate
  • Revisit software support
  • Develop HR, elevate standards

28
Evaluating Third Parties: SAS 70 Considerations
for SOX 404
  • Nathan Prather
  • Manager, Audit and Enterprise Risk Services
  • Deloitte & Touche LLP

29
Agenda
  • Evaluating Third Parties
      • Step 1: Prepare Inventory of Service
        Organizations and Specialists
      • Step 2: Gain Understanding/Evaluate Significance
      • Step 3: Obtain Evidence
      • Step 4: Concluding
  • SAS 70 Issues and Considerations
  • Q & A

30
Step 1: Prepare Inventory of Service
Organizations and Specialists
  • Identify third-party involvement in relevant
    processes that make use of service providers and
    specialists
  • Definitions
      • Service organization: An entity that provides
        services to a user organization that are part of
        the user organization's information system
      • Specialist: A person (or firm) possessing
        special skill or knowledge in a particular field

31
Step 1: Prepare Inventory of Service
Organizations and Specialists (Summary)

                         Evaluate User Controls?   Evaluate Third Party Controls?
  Service organization   Yes                       Yes, if relevant
  Specialist             Yes                       No

  • Specialist Key Considerations
      • Evaluate the competence of the specialist
      • Understand the nature and scope of the work
        performed
      • Key control considerations:
          • Appropriateness of methods and assumptions
          • Accuracy and completeness of data provided
          • Reasonableness and recording of the results

32
Step 2: Gain Understanding/Evaluate Significance
  • Gain an understanding of the service organization's
    process flows and controls
      • Review the SAS 70 or perform a walkthrough of the
        service organization
  • Gain an understanding of the user organization's
    process, controls and monitoring activities
  • Conclude whether service organization activities
    and controls are necessary to achieving a user
    control objective(s)

33
Step 2: Gain Understanding/Evaluate Significance
  • When are user controls alone sufficient?
      • If the control performed by the service
        organization were not outsourced, would the
        control be necessary to achieving a control
        objective(s)?
      • Detective/monitoring controls at the user
        organization should operate at an appropriately
        detailed level to conclude that a control
        objective is met

34
Step 3: Obtain Evidence
  • Determine if the scope of the SAS 70 is
    appropriate
      • Type 1 SAS 70 addresses design of controls
      • Type 2 SAS 70 addresses design and operating
        effectiveness of controls
  • Map controls at the service organization to risks
    and control objectives for the user organization
      • Business process controls
      • Information technology controls

35
Step 3: Obtain Evidence
  • Determine if the nature and extent of testing is
    appropriate
  • Treatment of user controls identified in the SAR
      • Determine relevance
      • Test the relevant controls
  • Determine if the period of coverage is
    appropriate
      • Cover a sufficient period to conclude that the
        controls are operating effectively
      • Depends on the frequency and nature of the
        controls
      • Evaluate the need to update or roll forward

36
Step 4: Concluding
  • Read the conclusions within the SAS 70 for
    qualifying language
      • The service auditor's opinion section
  • If exceptions are noted in the SAS 70:
      • Evaluate the impact of the deficiency on the user
        organization
      • Quantitative and qualitative aspects
      • Consider compensating controls
      • Make inquiries of the service organization

37
SAS 70 Issues & Considerations
  • What if the service organization will not provide
    access to obtain evidence directly or a suitable
    SAS 70?
  • Current thinking
      • The SEC precludes management from qualifying
        their report
      • If management can't get a SAS 70, management will
        need to perform procedures at the service
        organization
      • If management is unable to gain access to the
        service organization, they need to be able to
        demonstrate that user controls alone are
        sufficient
      • If user controls are then insufficient, management
        will need to determine if they have a deficiency
        in their control environment

38
SAS 70 Issues & Considerations
  • What if the service organization will not
    remediate exceptions?
      • Management will need to install mitigating user
        controls

39
Q & A
40
Summary of Main Points
  • Establish a Post 404 Compliance Infrastructure
  • Consider the possibility of too many internal
    controls
  • Beware of excessive documentation detail
  • Side-step confusion related to IT & internal
    controls

41
Summary of Main Points
  • Make Right Compliance Software Decisions
  • Manage External Auditor Demands
  • Compliance should be Considered within the Needs
    of Governance & Risk
  • Inventory & Integrate Work within SOX 302/404

42
Summary of Main Points
  • Revisit Software Support for SOX 302/404
  • Strive for Continual Improvement within SOX
    302/404
  • Identify Third Party Involvement Processes for
    Possible SAS 70
  • Understand Service Organizations' Process Flows &
    Controls

43
Summary of Main Points
  • Understand User Organizations' Process Flows,
    Controls & Monitoring
  • Determine Appropriate Scope of SAS 70 (Type 2 for
    both design & operating effectiveness)
  • Evaluate Impact of Deficiency in Any Exceptions
    from SAS 70 Performed

44
Get Your CPE Certificate
  • If you are a primary Webcast participant:
      • If you viewed the live Webcast, you should be
        receiving your CPE certificate via email today.
      • You can also view the certificate in your
        account. Just log in and hit the CPE button.
      • If you are viewing the archived Webcast, you will
        have to take the corresponding quiz, which you
        will find in your webcast account.
  • If you are not the primary participant but will
    be viewing the Webcast:
      • Additional viewers may obtain CPE for a $15
        administrative fee per additional viewer per
        Webcast. Register online at
        http://www.auditlearning.org.

45
  • October 12, 2004
  • Quality Assurance

46
Webcast Evaluation: Visit the Login Page