Addressing Sarbanes-Oxley in Manufacturing Organizations

Transcript

  • 1. Addressing Sarbanes-Oxley in Manufacturing Organizations. What Does it Mean and How to Become Compliant within the Sarbanes-Oxley Law. Presented By: Andy Vitullo, Principal, Logan Consulting
  • 2. Who is Logan Consulting?
    • Logan Consulting is a professional services firm committed to helping businesses get the most from their information technology investments. Since 1992, we have been helping companies develop and execute business management and information systems strategies...from ERP selections and implementations to e-business planning to strategic IT applications.
  • 3. Who is Logan Consulting?
    • Operating throughout North America, our clients are equally diverse...from global Fortune 100 companies to regional manufacturers...in both process and discrete industries.
  • 4. BIO: Andy Vitullo
    • Former Controller, Accounting Manager, Tax Preparer, Auditor.
    • CPA, State of Ohio
    • BS, Accounting –
    • Financial Accountant with over 15 years of experience.
    • An Implementer of ERP with over 8 Years of Experience.
  • 5. Agenda
    • Sarbanes-Oxley Law
    • 404 Requirements
    • Considerations for Your Company’s Internal Control Environment
    • Becoming Compliant with the Law: A phased project approach
    • Utilizing QAD MFG/PRO’s inherent “Prevent Controls”
  • 6. Why Was Sarbanes-Oxley Passed?
    • A Perception that Public Companies failed to properly exercise appropriate corporate governance which in turn led to fraudulent activities at certain public companies.
      • Enron, WorldCom, Tyco, Adelphia, etc…
    • Most Dramatic Business Legislation in the last 50 years.
  • 7. Who Does it Apply To?
    • Any Public Company required to File financial statements with the Securities and Exchange Commission (SEC)
    • Approximately 17,000 public equity and debt registrants
  • 8. Focus of Law is on Sections 302 and 404
    • Section 302 specifies the CEO and CFO must personally certify they are responsible for internal controls’ and procedures’ design, effectiveness, conclusions, and disclosure
    • They must disclose significant control changes, deficiencies, weaknesses, and fraud to their audit committee and external auditors
    • Section 404 mandates that management evaluate and opine on their internal controls in their annual report
    • The independent auditor must attest to management’s assessment of the effectiveness of financial reporting internal controls and procedures
  • 9. What are Effective Controls
    • “ A process designed to provide reasonable assurance regarding the achievement of business objectives” *
    • A process used by people, not an event
    • Reasonable but not absolute assurance
    • Business objectives include:
      • Effectiveness and efficiency of operations
      • Reliability of financial reporting
      • Compliance with applicable laws and regulations
      • * Committee of Sponsoring Organizations (COSO)
  • 10. Selected Related Events
    • 1985 - Treadway Commission
        • Report on Fraudulent Financial Reporting
        • Focus on control environment, codes of conduct, and competence and participation of audit committee
        • Created Committee of Sponsoring Organizations (COSO)
    • 1992 - COSO Published “Internal Controls - Integrated Framework ”
        • Defined roles and responsibilities of management
        • Established framework for establishing, evaluating, monitoring, and reporting on internal controls
  • 11. Selected Related Events
    • 2002 - Sarbanes-Oxley Act of July 2002
        • Articulates compliance responsibilities for board and management
        • Relevant sections:
          • 301 - Procedures for handling complaints of financial problems and potential fraud
          • 302 - Disclosure certification of quarterly and annual financial reports
          • 401 - Disclosure of periodic off-balance-sheet transactions, pro-forma income statements, etc.
          • 404 - Management assessment of financial reporting internal controls
          • 409 - Real time issuer disclosures
          • 802 - Criminal penalties for altering documents
          • 806 - Protection for those who provide fraud evidence
  • 12. Complying with the Sarbanes-Oxley Law
    • The SEC specifies that a corporation must select an industry recognized controls framework
    • The SEC recognizes COSO’s framework, the most widely used
    • This framework provides structure for an internal controls program
    • It also is helpful in organizing the evaluation reporting
  • 13. Additional Information
    • Audit Requirements Prior to the Act as they relate to Internal Controls
      • Prior to the Act, the focus of an audit of the financial statements has been to provide an opinion on a company’s financial statements, not to report on internal control. Therefore, it is unlikely that companies already possess sufficient, organized documentation to support management’s assessment of the effectiveness of internal control.
  • 14. Additional Information
    • A Sarbox Audit is incremental to the Annual External Audit of the Financial Statements.
    • Incremental Costs are estimated anywhere between 50 to 80 percent of the Standard External Audit. (Source: SEC: Survey of Filing Companies).
  • 15. Overview
    • Requires management evaluation and auditor attestation to the presence and effectiveness of internal controls over financial reporting.
      • Companies must report annually on internal controls in Form 10K and disclose:
        • Management’s responsibility for establishing and maintaining internal controls and procedures for financial reporting
        • Management’s conclusions as to the effectiveness of the internal controls and procedures for financial reporting
        • A statement identifying the framework used by management to evaluate the effectiveness of internal controls
        • A statement that independent auditors have issued a separate report attesting to management’s assertions
  • 16. Impact on your Company
    • Identify financial processes and accounts at Corporate and OpCo levels
    • Document internal controls
      • Enterprise level controls
      • Process/transaction/application level controls
    • Test internal controls and assess effectiveness
    • Obtain independent auditor attestation
    • Implement remediation steps if necessary
    • Establish ongoing monitoring and certification of effectiveness
  • 17. Financial Statement Assertions
    • Existence or Occurrence
    • Completeness
    • Valuation or Measurement
    • Rights and Obligations
    • Presentation and Disclosure
  • 18. Evaluation of Controls
    • Internal Control Deficiency
    • Significant Deficiency: Must be reported to the Audit Committee
      • More than a remote likelihood of misstatement of the financial statements
      • More than inconsequential in amount *
    • Material Weakness: Must be referred to in the Attestation Report (results in an adverse opinion)
      • By itself or in combination with other deficiencies, results in more than a remote likelihood of material misstatement in the financial statements
    • * Determined through judgment – there is not a published guideline for this.
  • 19. Levels of Controls
    • EXAMPLE ENTERPRISE LEVEL CONTROLS
    • Corporate Acquisitions Processes
    • Corporate and Operating Unit Sub-Company Certification Process (SOX 302)
    • Good Audit Committee Processes
    • Corporate Consolidation Process
    • Financial Reporting Process
    • Internal Audit
    • EXAMPLE TRANSACTION/PROCESS/APPLICATION LEVEL CONTROLS
    • Quote to Cash Cycle
    • Record to Report Cycle
    • Purchase to Pay Cycle
    • Inventory Production and Control Cycle
    • Record and Monitor Debt
    • Calculate Income Taxes
    • Asset Management - Capitalization
    • Estimate Self-Insurance Accruals
    • Assess Assets for Impairment
  • 20. Suggested Participants in Compliance Project
    • SPONSOR/STEERING COMMITTEE
      • CEO
      • COO
      • CFO
      • Audit Committee Representative
      • IT Representative
    • PROJECT OFFICE
      • Corporate
      • Operations
      • Strategic Partners (External Auditor and Services Partner)
    • PROJECT TEAM
      • Operating Company Controllers
      • Director of Financial Reporting
      • Director of Internal Audit
      • Director of IT Financial Systems
    • OPERATING COMPANY
      • Functional Managers
        • Financial Systems
        • Operational Systems
      • Individual Contributors
  • 21. Scoping and Planning
    • High-Level Analysis – Identify Significant Accounts and Locations
    • Classify Processes Affecting the Significant Accounts
      • Routine Data Processes
      • Non-Routine Data Processes
      • Estimation Processes
    • Determine Controls To Document and Test
  • 22. Prototype Processes
    • Select distinct processes to prototype
      • Accounts Payable Process
      • Revenue Recognition Process
      • Non-routine process
      • Estimation process
    • Documentation will be the basis and template for the remaining processes
    • Functional managers at the operating company will work together with the project team
  • 23. Training & Education
    • Operating Companies: the majority of the work is to be done by functional managers and individuals at each operating company
    • Project Team will develop training/project materials:
      • Guidelines
      • Templates
      • Reporting requirements
    • Educate operating company participants via road-show training sessions
  • 24. Documentation
    • Documentation of Process and Internal Controls
    • Detailed documentation to be done after the risk assessment and internal control process inventory are complete
    • To be done by the process owner at the operating company
    • Uniform basis using common templates and techniques
  • 25. Evaluation
    • Project team will evaluate controls, documentation and reporting
    • Any control deficiencies will be explored and remedial steps will be taken
    • Communication with External Auditors
  • 26. Independent Auditors
    • Independent Auditor Review and Attestation
      • Ongoing involvement in scoping, planning and training
      • Required to perform their own testing and assessment
      • Project team will facilitate information flow and communication
  • 27. Ongoing Monitoring
    • A comprehensive process will be documented and implemented
    • Primary responsibility at Controller level, reporting up to senior management
    • Examples include:
      • Reconciliation reviews
      • Management reports
      • Internal audit reviews
      • Ad hoc monitoring
  • 28. Considerations for Documenting Controls at the Process, Transaction, or Application Level
    • Identify Significant Accounts
    • Identify the Major Classes of Transactions and Related Processes that influence the Significant Accounts.
    • Ask “What can go Wrong” questions
    • Identify Controls
  • 29. Identify Significant Accounts
    • An Account is significant if it can contain errors of importance in management’s judgment
    • Factors to Consider in Determining if an Account is Significant
      • Size and Composition of the account including its susceptibility to loss or fraud.
      • Volume of activity and the homogeneity of the transactions processed through the account.
      • Subjectivity in determining the account balance.
      • Nature of Account: Suspense accounts generally require greater attention.
      • Accounting and Reporting complexities associated with the account.
      • Existence of Related Party transactions.
  • 30. Significant Accounts Example
    • Allowance for Doubtful Accounts
      • Generally considered a significant account separate from accounts receivable since balances that affect the allowance account are based on management estimation processes rather than on routine transactions (i.e. sales and cash receipts)
  • 31. Significant Accounts
  • 32. Identify the Major Classes of Transactions and Related Processes that influence the Significant Accounts.
    • Correlate Business Processes to Significant Accounts (i.e., Segregate Inventories between purchasing, WIP, distribution of FG, maintenance)
    • Categorize Transaction Types as:
      • Routine – ( Sales, Cash Receipts, Payroll)
      • Non-Routine – (Physical Inventory, Calculating Depreciation, Adjusting Foreign Currencies)
      • Estimation – Involves Management Judgment and has no precise means of measurement ( Allowance for Doubtful Accounts, Warranty Reserves, Assessing Assets for Impairment)
  • 33. Routine Transactions
    • Typically automated in our ERP systems.
    • IT Dependent
    • Management Reliance on programmed controls
      • Routine Transactions will still have inherent risk if the company fails to enforce “segregation of duties”.
  • 34. Non-Routine Transactions
    • Generally are manual operations involving management judgment.
    • Accuracy indirectly dependent upon data elements from the computerized process.
    • Management Still dependent upon IT to understand the flows of transactions.
  • 35. Documentation Considerations for Routine and Non-Routine Transactions.
    • Documentation should consider how transactions are initiated, recorded, processed and reported.
    • Process Models, Flowcharts, Procedure Manuals, Job Descriptions, Documents and Forms should be the foundation documents for these transactions.
  • 36. Concentrate on Documenting:
    • Major Data Input Sources
    • Important Data Files (customer and price master)
    • Processing Procedures
    • Output files, reports, and records.
    • Functional Segregation of Duties.
      • The Primary Purpose of this Documentation is to help identify where errors or fraud can occur.
  • 37. Segregation of Duties
  • 38. Interaction of Significant Accounts and Business Processes
    • ..Interaction of Significant Accounts and Business Processes.xls
  • 39. What Can Go Wrong
    • Use the prism of Financial Statement Assertions in identifying errors. The assertions are:
      • Existence – of an asset or liability
      • Occurrence – an event took place
      • Valuation – of the transaction at the appropriate amount
      • Completeness – all transactions are recorded
      • Rights and Obligations – legal title exists for the assets
      • Presentation and Disclosure – a transaction is properly classified and disclosed in the Financial Statements
  • 40. What Can Go Wrong Questions
  • 41. Identify Controls
    • Control Types:
      • Prevent Controls – Procedures designed to prevent an error or fraud. Prevent controls are normally applied at a single transaction level. Many prevent controls are programmed controls residing in computer applications, if used.
      • Detect Controls – Policies and procedures that are designed to monitor the achievement of the relevant process objectives, including identifying errors or fraud. Detect controls can be applied to groups of transactions.
  • 42. Considerations for Documenting Controls
    • Documentation of Controls is Sufficient when:
      • Specifies “what can go wrong” in the transaction stream and thus where the controls are needed.
      • Describes the relevant prevent and detect controls that are responsive to the what can go wrong question.
      • States who performs the controls.
  • 43. Validate the Control
    • Through Walk through/ Audit of the transaction and control steps.
    • Assure all control steps are followed
    • Document the results.
      • Does process need stronger controls?
  • 44. Outside Resources
    • Most Large Consulting firms are booked supporting the Large and Intermediate size companies for Sarbox Compliance.
  • 45. Internal Control Project Phases
    • Internal Controls Evaluation
    • Internal Controls Enhancement (objective categories – one or all):
      • Operations
      • Financial Reporting
      • Compliance
    • Supporting activities: Manage Project; Assure Quality
  • 46. Becoming Compliant: A Project Approach
    • Plan the Project (2 Phases)
      • Internal Control Evaluation Phase
      • Internal control Enhancement Phase
    • Define the Project Organization
    • Assess the control Environment
    • Prepare Project Results
  • 47. I. Plan Project
    • Establish a shared vision of the project phase
    • Set objectives and deliverables
    • Define scope - select objective categories
    • Confirm work program, timing, and roles
    • Determine project phase risks, mitigation approach, and expectations
    • Complete project phase arrangements
    • Schedule key dates
    • Notify organization
    Internal Controls Evaluation
  • 48. II. Define Project Organization
    • Determine if both Disclosure Committee and Internal Audit are required
    • Determine if CEO and CFO will also be the Project Management team
    • Establish Project Management Team
    • Select leaders and participants
    • Estimate required time and timing
    • Arrange for the participants’ time and timing
    • Train participants in Sarbanes-Oxley Act, COSO Framework, etc.
    Internal Controls Evaluation
  • 49. II. Define Project Organization (organization chart)
    • Board/Audit Committee
    • Disclosure Committee
    • Internal Audit
    • CEO and CFO
    • Project Management Team
    • Project Leader(s)
    • Project Team
  • 50. III. Assess Control Environment
    • Determine project phase scope by looking at the organization’s industry, size, complexity, organization, and locations
    • Define levels of deficiency and weakness
    • Conduct Environment Survey for intangibles:
      • Code of conduct including integrity and ethical values
      • Active compliance program
      • Commitment to competence and training
      • Communicating the importance and awareness of internal controls
      • Management philosophy and operating style
      • Established channels of communication
  • 51. III. Assess Control Environment
    • Conduct review of controls, processes and procedures
    • Review design and operating effectiveness and efficiency
    • Determine extent of documentation
    • Assess knowledge and use of controls, processes and procedures
    • Analyze consistently used monitoring
    Internal Controls Evaluation
  • 52. IV. Prepare Phase 1 Project Results
    • Prepare project report
    • Plan next phase
    • Conduct desired meetings
    • Obtain management approval for next phase
  • 53. Phase 2: Internal Control Enhancement Phase
    • Define scope - select objective categories
    • Confirm work program, timing, and roles
    • Determine project phase risks, mitigation approach, and expectations
    • Schedule key dates
    • Notify organization
    • Select participants
    • Estimate required time and timing
    • Arrange for the participants’ time and timing
    Internal Controls Enhancement
  • 54. Assess Control Risk, Objectives, Processes and Procedures
    • Establish an internal controls data base
    • Interview management to identify risks
    • Follow normal operations to determine that transactions are handled accurately, completely, fairly, and timely
    • Look at one-time and highly judgmental activities for risks
    • Determine where management could over-ride controls
    • Define control objectives for each risk including authorizing, recording, protecting, and reconciling
    • Relate control processes and procedures to control objectives
    Internal Controls Enhancement
  • 55. Improve Control Activities, Processes and Procedures
    • Identify control deficiencies and weaknesses
    • Identify ineffective control activities, processes and procedures
    • Update risks and objectives if there are activities, processes and procedures with no risks or objectives
    • Define missing control processes and procedures
    • Review with management and obtain approval
    Internal Controls Enhancement
  • 56. Enhance Information and Communication Support
    • Determine how computer systems could improve controls
    • Design missing system controls
    • Implement missing system controls
    • Test system controls
    • Review non-system communications from and to management and the organization
    • Identify and define improvements
    Internal Controls Enhancement
  • 57. Test & Monitor Controls
    • Develop an over-all internal control test plan
    • Prepare the information and activities for the test
    • Perform the test using the people with the ongoing responsibility for monitoring
    • Make adjustments as necessary
    • Expand the tests to cover all the areas within scope
    • Develop a plan for on-going monitoring and reporting
    Internal Controls Enhancement
  • 58. Project Management
    • Activities:
    • Management Project Team Meetings
    • Team Meetings
    • Process Tracking
    • Status Reporting
    • Key Deliverables:
    • Project Plan & Budget
    • Action Items
    • Issues Log
    • Status Reports
    • Benefits:
    • Informed Project Management
    • Teamwork
    • Focused Team Members
    • Consistent Team Mindset
    • Financial and Timeline Tracking
    • Executive knowledge and buy-in
  • 59. Using MFG/PRO to Comply with Sarbanes Oxley
    • MFG/PRO assists in supporting the internal control environment.
    • Does not in itself make the company compliant with Sarbanes-Oxley.
    • Utilizing the Software Functionality Can assist in establishing “Prevent” Controls.
  • 60. MFG/PRO Security
    • A proper security profile for your company will assist the internal control environment in establishing “segregation of duties”.
  • 61. MFG/PRO Security Examples in the Purchasing Cycle
    • Assume there are 4 Groups:
        • Purchasing, Receiving, AP, and Cash Disbursement
    • Access to 2.3.1 Supplier Maintenance and 5.7 PO Maintenance – Purchasing Group Only
    • Access to 5.13.1 PO Receipts – Receiving Group Only
    • Access to 28.1 Voucher Maintenance – AP only
    • Access to 28.9.9 Payment Automatic Checks – CD Group Only
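    The four-group split above is only effective if no single user ends up holding menu functions from two groups, whether through direct grants, through a combination of roles, or through a single role that was built too broadly. The following is an added example, not code from the presentation or from QAD, of the detect control an auditor or IT financial systems owner would run over a security export to find such conflicts. The menu numbers and their duty groups are taken from the slide; the role names, user names and the shape of the role/user export are constructed assumptions for the example, not MFG/PRO's actual security tables.

```python
"""Segregation-of-duties (SoD) check over a user/role/menu access export.

Added illustration, not QAD code or a real MFG/PRO export format.
Menu numbers and their duty groups come from the slide; the role, user
and grant data below are constructed for the example.
"""
from collections import defaultdict
from itertools import combinations

# Duty that each sensitive purchase-to-pay menu function belongs to (from the slide).
MENU_DUTY = {
    "2.3.1": "Purchasing",          # Supplier Maintenance
    "5.7": "Purchasing",            # PO Maintenance
    "5.13.1": "Receiving",          # PO Receipts
    "28.1": "AP",                   # Voucher Maintenance
    "28.9.9": "Cash Disbursement",  # Payment Automatic Checks
}

# Each duty is meant to sit with exactly one group, so any pair of
# distinct duties held by the same person is a conflict.
CONFLICTING_DUTIES = {frozenset(p) for p in combinations(set(MENU_DUTY.values()), 2)}

# Constructed export: role -> menus it grants, user -> roles held.
ROLE_MENUS = {
    "BUYER": {"2.3.1", "5.7"},
    "DOCK": {"5.13.1"},
    "AP_CLERK": {"28.1"},
    "TREASURY": {"28.9.9"},
    "AP_SUPER": {"28.1", "28.9.9"},  # the role itself spans two duties
}
USER_ROLES = {
    "alice": {"BUYER"},
    "bob": {"DOCK"},
    "carol": {"AP_CLERK"},
    "dave": {"BUYER", "DOCK"},       # conflict created by combining roles
    "erin": {"AP_SUPER"},            # conflict inside a single role
}


def effective_menus(user, user_roles, role_menus):
    """Flatten role membership into the menus a user can actually reach."""
    menus = set()
    for role in user_roles.get(user, ()):
        menus |= role_menus.get(role, set())
    return menus


def duties_by_menu(menus, menu_duty=MENU_DUTY):
    """Group the sensitive menus in a set by the duty they belong to."""
    duties = defaultdict(set)
    for menu in menus:
        if menu in menu_duty:          # menus outside the control scope are ignored
            duties[menu_duty[menu]].add(menu)
    return duties


def sod_violations(user_roles, role_menus, menu_duty=MENU_DUTY):
    """Return {user: [(duty_a, menus_a, duty_b, menus_b), ...]} for every
    user whose effective access spans two conflicting duties."""
    findings = {}
    for user in sorted(user_roles):
        duties = duties_by_menu(effective_menus(user, user_roles, role_menus), menu_duty)
        hits = []
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in CONFLICTING_DUTIES:
                hits.append((a, sorted(duties[a]), b, sorted(duties[b])))
        if hits:
            findings[user] = hits
    return findings


def toxic_roles(role_menus, menu_duty=MENU_DUTY):
    """Roles that span more than one duty on their own: remediate the role
    definition rather than chasing each user who holds it."""
    return sorted(r for r, m in role_menus.items() if len(duties_by_menu(m, menu_duty)) > 1)


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES, ROLE_MENUS).items():
        for duty_a, menus_a, duty_b, menus_b in hits:
            print(f"{user}: {duty_a} {menus_a} conflicts with {duty_b} {menus_b}")
    print("toxic roles:", toxic_roles(ROLE_MENUS))
```

    Run against a real export, the check is a detect control over the whole user population; the remediation it points to (removing one role from dave, splitting AP_SUPER) restores the prevent control that the security profile was meant to provide. Menus outside the defined duty map are deliberately ignored so the report stays focused on the purchase-to-pay functions named in the control.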
  • 62. MFG/PRO Revenue Cycle
    • Assure Proper cutoff of Shipments at month end. Use Calendar Maintenance to prevent backdating of transactions
    • Assure Proper Pricing of Orders and Invoices – Utilize Price tables.
    • Ensure Credit Decisions are controlled outside of the Selling organization – Use Credit Hold Functionality.
  • 63. MFG/PRO Purchasing Cycle
    • Assure all Purchase Orders are Authorized – Global Requisitions.
    • Assure Accurate Pricing – Review Purchase Price Variance Report (5.13.5).
    • Assure receipts are completed in the proper period (proper Cutoff through Calendar Maintenance).
  • 64. Fixed Assets
    • Assure Proper Accounting for CIP versus Expenses. ( QAD does not have any inherent prevent controls for this condition. However an Audit of CIP Project may discover incorrectly coded transactions to the projects).
    • Physically Control Fixed Assets - Assign Asset Custodians, Tag Numbers and Asset Locations
      • – Fixed Asset Maintenance.
    • Conduct Physical Inventory of Fixed Assets – Complete Asset Disposal and Transfer Transactions.
    • Properly Depreciate Fixed Assets.
  • 65. Inventory Control
    • Eliminate Uncontrolled Transactions – Unplanned Issues and Unplanned Receipts.
    • Accurately State your Standards – Income should not be based on favorable PPV.
    • Record Shipments in the Proper Period (Backdating Shipments may have criminal implications).
    • Use Cycle Counting instead of Physical Inventory.
    • Write Off Excess and Obsolete inventory - Inventory is not a Fixed Asset.
  • 66. Financial Reporting
    • Module integration to General Ledger should be a priority.
    • Eliminate manual feeds to your GL.
    • Use the Native General Ledger Report Writer for Financial Reporting – Eliminate off-line Excel financial reporting. This means you, Controllers.
    • Load Budgets and report against them
    • Load Cost Center Budgets and report against them.
  • 67. What Can You Do ?
    • Complete the Upgrade to the Latest Version of the software to take advantage of New Functionality.
    • Complete Process Re-Engineering in concert with Upgrade consistent with Internal Control Objectives.
    • Document the controls, test the controls. Be Ready!
  • 68. Opportunity
    • Sarbanes-Oxley documentation assists the company in supporting:
      • Compliance & Control
      • Accurate Financials
      • Increase Efficiency