Title: Controls Compliance
Controls Compliance: Rounding the Turn
The Institute of Internal Auditors
September 14, 2004
- Ed Dudley, CIA, CPA
- Retired Vice-President & General Auditor, ABB Americas
Agenda
- Introduction: Key Issues for Today
  - Ed Dudley
- SOX Lessons Learned
  - Dan Langer
- Integration of SOX 302 and 404
  - Brian Appleton
- SAS 70 Considerations for SOX 404
  - Nathan Prather
- Break
- Q & A
- Summary of Main Points
  - Ed Dudley
Key Controls Compliance Issues for Today
- Approach to convergent regulatory challenges
- Process improvements
- Technology infrastructure enhancements
- Improvements in leadership
- Inventorying in 302/404
- Role clarifications in SOX 302/404
- Software utilization in SOX 302/404
- Resource issues in SOX 302/404
- Inventorying service organizations/specialists in SAS 70
- Understanding/evaluating significance in SAS 70
- Evaluating evidence in SAS 70
Controls Compliance: Rounding the Turn
SOX Lessons Learned
- Daniel B. Langer, CPA, CIA, CCSA
- Solutions Director, Internal Audit and Controls
- Jefferson Wells International
10-Step Program for Clarity and Sustainability
- Four main categories:
  - Efficient and better organized approach to convergent regulatory challenges
  - Process improvements
  - Technology infrastructure enhancements
  - Leadership improvements
- Helpful reference resources

- 1) Established post-404 compliance infrastructure
  - Improved/strengthened internal audit department
  - Full-time/dedicated ongoing compliance team, Steering Committee, and external resources where appropriate
  - Formally trained process owners
  - Instituted ongoing risk-assessment strategy
  - Established desk-top procedures and sub-process certifications
- 2) Beware of too many internal controls
  - Excessive detail when documenting internal controls
  - Try to replace multiple ineffective controls with one effective control
- 3) Excessive detail when documenting internal controls
  - Use external auditor formulas as a guide
  - Evaluate as the attestation process progresses
- 4) Strive for the right "Tone at the Top"
  - Focus
  - Direction
  - Top management commitment to good governance-related control compliance
  - Proactive education and awareness
- 5) Side-step confusion related to IT and internal controls
  - Assess system access controls as users are promoted, transferred, or leave the company
  - Properly define and document SOX-related controls (not all IT controls)
- 6) Make the right compliance software investment
  - To date, quality has been spotty, has not met organization needs, and/or implementation resources have been inadequate
  - Revisit as sustaining organization needs are defined
- 7) Manage external auditor demands
  - Avoid time-consuming attestation reviews
  - Ensure they provide proper resources on your reviews
  - Manage expectations/establish position on:
    - Materiality levels
    - Key accounts
    - # of controls
- 8) Address external service provider key controls
  - Focus:
    - Strength of service provider
    - Adequacy of documentation
    - Pooled review with other customers
- 9) Consider compliance in the context of governance and risk management
  - Ongoing process of enterprise-level risk assessment
- 10) Properly staff the Internal Audit function
  - Proper mix of industry, financial, operational, and technology practice experience and expertise
So, how best can Internal Audit effectively participate in improving the reporting process towards better governance and sustainable control compliance?
Internal Auditor's Role
- Educate all levels about controls
- Ongoing assessment of the "Tone at the Top"
- Facilitate Board, key management, and external auditor involvement in communication of strengthened control expectations
- Provide objective and independent participation in the controls documentation, testing and assessment process
- Analyze and evaluate causes of company-wide non-compliance issues, both systemic and isolated
- Conduct regular KPI monitoring
- Facilitate cost-beneficial design modifications to achieve control
- Evaluate effectiveness of corrective actions on an enterprise-wide basis
- Ask yourself good questions:
  - Would you have prepared the financials in the same manner?
  - Was there full disclosure had you been an investor?
  - Are internal audit procedures the same as if you were CEO?
  - Are there any activities to move revenue or expenses from period-to-period?
  (Warren Buffett, Berkshire Hathaway)
Governance Organizations
- www.theiia.org - Institute of Internal Auditors
- www.pcaobus.org - Public Company Accounting Oversight Board
- www.coso.org - Committee of Sponsoring Organizations
- www.nyse.com - New York Stock Exchange
- www.nacdonline.org - National Association of Corporate Directors
- www.issproxy.com - Institutional Shareholder Services
- www.ecgi.org - European Corporate Governance Institute
- www.icgn.org - International Corporate Governance Network
- www.asx.com.au/ - Australian Stock Exchange
- www.oecd.org - Organization for Economic Co-operation and Development
- www.ifac.org - International Federation of Accountants
- www.icaew.co.uk - Institute of Chartered Accountants in England and Wales
- www.oceg.org - Open Compliance and Ethics Group
Integration of SOX 302 & 404
Brian T. Appleton, CIA, MBA, CDP
Director of Internal Audit, National Penn Bancshares
This is the Time
- Take an inventory
- Budget considerations
- Role clarification
- Software utilization
- Human resources
- Integration
Take an Inventory
- Review SOX 302 & 404 methodology
- Overlay risk-based work with SOX 302 & 404 work
- Full consideration to SOX 302 & 404 in annual risk analysis
- Minimum: tentative 2005 audit plan
Budget Considerations
- Schedule resource needs
- Do not understate resource needs
- Educate Audit Committee, CEO, and Executives on needs
- Manage your resource network
Role Clarification
- Identify roles for ongoing compliance with Sarbanes-Oxley. Include other company initiatives in the matrix; these may include CSA or ERM.
- Consider forming a transition team
- Revisit your resource needs calculation and encourage management to do the same.
Software Utilization
- Business need or purpose
- Tracking
- Maintenance
- Infrastructure compatibility
- Cost benefit
- Implementation plan
Human Resources
- Leadership
- Continual improvement
- Staff development
- Customer satisfaction
- Audit results
- Key performance indicators
- Standards
Integration
- Range of integration varies
- What are other companies doing?
Summary
- Inventory and integrate
- Revisit software support
- Develop HR, elevate standards
Evaluating Third Parties: SAS 70 Considerations for SOX 404
- Nathan Prather
- Manager, Audit and Enterprise Risk Services
- Deloitte & Touche LLP
Agenda
- Evaluating Third Parties
  - Step 1: Prepare Inventory of Service Organizations and Specialists
  - Step 2: Gain Understanding/Evaluate Significance
  - Step 3: Obtain Evidence
  - Step 4: Concluding
- SAS 70 Issues and Considerations
- Q & A
Step 1: Prepare Inventory of Service Organizations and Specialists
- Identify third-party involvement in relevant processes which involve the use of service providers and specialists
- Definitions
  - Service organization: An entity that provides services to a user organization that is part of the user organization's information system
  - Specialist: A person (or firm) possessing special skill or knowledge in a particular field

Summary

                        Evaluate User Controls?   Evaluate Third Party Controls?
  Service organization  Yes                       Yes, if relevant
  Specialist            Yes                       No

- Specialist key considerations
  - Evaluate the competence of the specialist
  - Understand nature and scope of the work performed
  - Key control considerations:
    - Appropriateness of methods and assumptions
    - Accuracy and completeness of data provided
    - Reasonableness and recording of the results
Step 2: Gain Understanding/Evaluate Significance
- Gain an understanding of the service organization process flows and controls
  - Review SAS 70 or perform walkthrough of service organization
- Gain an understanding of the user organization process, controls and monitoring activities
- Conclude whether service organization activities and controls are necessary to achieving a user control objective(s)
- When are user controls alone sufficient?
  - If the control performed by the service organization were not outsourced, would the control be necessary to achieving a control objective(s)?
  - Detective/monitoring controls at the user organization should operate at an appropriately detailed level to conclude that a control objective is met
Step 3: Obtain Evidence
- Determine if the scope of the SAS 70 is appropriate
  - Type 1 SAS 70 addresses design of controls
  - Type 2 SAS 70 addresses design and operating effectiveness of controls
- Map controls at the service organization to risks and control objectives for the user organization
  - Business process controls
  - Information technology controls
- Determine if the nature and extent of testing is appropriate
  - Treatment of user controls identified in the SAR (service auditor's report)
    - Determine relevance
    - Test relevant controls
- Determine if the period of coverage is appropriate
  - Cover a sufficient period to conclude the controls are operating effectively
  - Depends on the frequency and nature of the controls
  - Evaluate the need to update or roll forward
Step 4: Concluding
- Read the conclusions within the SAS 70 for qualifying language
  - The service auditor's opinion section
- If exceptions are noted in the SAS 70:
  - Evaluate the impact of the deficiency to the user organization
    - Quantitative and qualitative aspects
  - Consider compensating controls
  - Make inquiries of the service organization
SAS 70 Issues & Considerations
- What if the service organization will not provide access to obtain evidence directly or a suitable SAS 70?
  - Current thinking:
    - SEC precludes management from qualifying their report
    - If management can't get a SAS 70, management will need to perform procedures at the service organization
    - If management is unable to access the service organization, they need to be able to demonstrate that user controls alone are sufficient
    - If user controls are then insufficient, management will need to determine if they have a deficiency in their control environment
- What if the service organization will not remediate exceptions?
  - Management will need to install mitigating user controls
Q & A
Summary of Main Points
- Establish a post-404 compliance infrastructure
- Consider the possibility of too many internal controls
- Beware of excessive documentation detail
- Side-step confusion related to IT internal controls
- Make the right compliance software decisions
- Manage external auditor demands
- Compliance should be considered within the needs of governance & risk
- Inventory & integrate work within SOX 302/404
- Revisit software support for SOX 302/404
- Strive for continual improvement within SOX 302/404
- Identify third-party involvement processes for possible SAS 70
- Understand service organization's process flow & controls
- Understand user organization's process flows, controls & monitoring
- Determine appropriate scope of SAS 70 (Type 2 for both design & operating effectiveness)
- Evaluate impact of deficiency in any exceptions from SAS 70 performed
Get Your CPE Certificate
- If you are a primary Webcast participant:
  - If you view the live Webcast, you should be receiving your CPE certificate via email today.
  - You can also view the certificate in your account. Just log in and hit the CPE button.
  - If you are viewing the archived Webcast, you will have to take the corresponding quiz, which you will find in your webcast account.
- If you are not the primary participant but will be viewing the Webcast:
  - Additional viewers may obtain CPE for a $15 administrative fee per additional viewer per Webcast. Register online at http://www.auditlearning.org.
- October 12, 2004
- Quality Assurance
Webcast Evaluation: Visit the Login Page