  • Controls Presenter: Briefly go through the 5 components. Emphasize that all 5 components must be in place for a control to be effective. State that PwC actually devised this framework as part of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
    1. Leveraging the COSO Framework to Meet Section 404 Requirements
       The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act
       July 8, 2003, 1:00 – 2:30 pm Eastern Time
    2. The IIA Webcast Moderator
       Jim Key, CIA, Managing Partner, Shenandoah Group, L.L.P
    3. Disclaimer
       • The views expressed in this web cast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees, and members.
    4. The Webcast Series on the Sarbanes-Oxley Act
       • Series 1: Fostering Compliance with SOA: Internal Auditor’s Role
         • Four sessions archived on website and available on CD
         • To purchase contact Alex at Agoodman@theiia.org
    5. Series 2: Emerging Trends and Best Practices in Implementing SOA
       • May 21 - Section 404 Readiness Review: How to document your system of internal control. (Archived)
       • June 10 - Helping your audit committee implement complaint handling. (Archived)
       • July 8 - Leveraging the COSO framework to meet Section 404 requirements
       • August 12 - Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules”
       • September 9 - Internal Audit support of Audit Committees – What works best
       • September 30 - The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act
    6. Sarbanes-Oxley: Implications and Impact for Internal Audit
       • Seminar Offering: 2.5 Days
         • Chicago, July 30
         • Seattle, August 4
         • West Palm Beach, August 25
         • Phoenix, September 10
         • San Francisco, September 24
         • Orlando, December 10
         • New York, December 17
    7. Other Resources
       • IIA Web Page www.theiia.org
         • Click on Guidance
         • Click on Tools and Resources for Corporate Governance
           • IIA Position Papers
           • Responses to exposure drafts
           • IIA Research Foundation Master Key Series
           • The Sarbanes-Oxley legislation
           • Stock listing exchanges key requirements
    8. Management Assessment of Internal Controls (404)
       • Requires the SEC to prescribe rules to:
         • State the responsibility of management for establishing and maintaining adequate internal control structure and procedures for financial reporting, and
         • Contain an assessment of effectiveness of the internal control structure and procedures for financial reporting
    9. SEC Final Rules
       • Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
       • Release Date: June 5, 2003 (33-8238)
       • Effective Date: August 14, 2003
       • Evaluation of Internal Control over Financial Reporting within the context of the COSO framework
    10. Agenda
       • 1:00 Welcome and Overview
       • 1:10 Soft Controls – Bruce Adamec
       • 1:20 Control Activities – Ray Lukas
       • 1:30 Monitoring – Andrew Bellenkes
       • 1:40 Break
       • 1:45 Questions and Answers – Panel
       • 2:25 Wrap up – Jim Key
    11. Soft Controls
       Bruce Adamec, CPA, CIA, Vice President and General Auditor, United Stationers Inc.
    12. Soft Controls
       • Control Environment
       • Risk Assessment
       • Information & Communication
    13. The Goal is Reliable Financial Results and Safeguarding Assets – Are “Soft” Components Important?
       • Commissioner Paul S. Atkins, SEC, Rocky Mountain Securities Conference: Denver, Colorado, May 30, 2003
       • “A long standing risk management principle is the importance of corporate culture and “tone from the top”. A CEO’s tolerance, or lack of tolerance of ethical misdeeds and a CEO’s philosophy of business conveys a great deal throughout the organization. The role of directors is to monitor and oversee that situation on behalf of stockholders.”
    14. The Goal is Reliable Financial Results and Safeguarding Assets – Are “Soft” Components Important?
       • Commissioner Cynthia Glassman, SEC, Federal Reserve Bank of Chicago, May 9, 2003
       • “I can’t walk away from any discussion of corporate governance without stressing that the most important aspect of reform comes from market participants working proactively to foster an ethical culture in business.”
    15. Why We Should Care About Soft Controls – Even Without Sarbanes-Oxley!
       • Howard Schilit, Smart Money, July 2003
       • “Bad people, in business model with a nice story, will somehow find a way to destroy the business…But with honest people running the company…they’ll be able to navigate through the tough times and the company won’t blow it.”
    16. 404 Evaluation
       • Clear Understanding of Soft Components
       • Infrastructure Evaluation – “Hard” Activities for “Soft” Components
       • Evaluation of How Well the Soft Components Are Working to Ensure Financial Statement Reliability and Safeguarding of Assets
    17. What Do COSO Components Mean?
       • Control Environment – Organization’s Ethics, Tone at Top, Management Philosophy and Style, Commitment to Competence – Management Culture
       • Risk Assessment – How the Organization Routinely Identifies and Manages Risks – Goals and Obstacles
       • Information and Communication – Identifying, Capturing, and Communicating Relevant Data in a Form and Time Frame to Meet Associates’, Investors’, and Board of Directors’ (Governance) Needs
    18. Infrastructure Evaluation: “Hard Activities for Soft Components”
       • Management Culture – Code of Ethics, Human Resources Practices
       • Goals and Obstacles – Objectives, Financial Planning and Analysis, Hard-Coded Response Systems (Law, Finance, HR Department)
       • Communication & Information – Clear Authority/Responsibility Lines, Standard Financial Close/Reporting Practices, Disclosure Controls, Whistleblower Process, “Open Door” Policies
    21. Evaluation of How Well the “Soft” Components Are Working
       • Possible Methods:
         • Internal Control Questionnaires
         • Control Self Assessments
         • Survey Employees; Management Assesses Survey Results
    22. [Diagram: company-wide internal control system framework. Elements shown: surveys, interviews, control self assessments, continuous monitoring, 404 certifications, awareness, identification, knowledgeable and fact-based assertions, complete action plans, Board of Directors]
    23. More Information on Survey Method
       • “Internal Reflections”, The Internal Auditor, December 2002, pp. 56-63
       • “Internal Audit’s Role in Corporate Governance: Sarbanes Oxley Compliance”, IIA Website (IIARF Master Key)
         • ALLTel Control and Risk Assessment
         • El Paso Internal Control Assessment Survey
    24. Control Activities
       Ray Lukas, CPA, Director, Global Risk Management Solutions, PricewaterhouseCoopers
    25. Control Activities
       • Policies and procedures that ensure management directives are carried out.
       • Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
    26. Integration With Risk Assessment
       • Along with assessing risks, management should identify the actions needed to address identified risks.
       • These actions serve to focus attention on the control activities needed to ensure that such actions are appropriately carried out in a timely manner.
    27. Integration With Risk Assessment
       • Control activities are the means by which an enterprise strives to achieve its stated business objectives
         • Control activities serve as the primary mechanism used by management to monitor performance to achieve business objectives, and
         • Control activities are more effective when built directly into the management process
    28. Types of Control Activities
       • Numerous types of control activities, including:
         • Preventive controls
         • Detective controls
         • Manual controls
         • Computer controls, and
         • Management controls
       • Control activities usually involve two distinct elements:
         • Policy that establishes “what should be done”, and
         • Procedures that entail specific actions to be taken to comply with the policy
       An essential element of the control activities/procedures performed is that issues identified as a result of such procedures are investigated and appropriate corrective actions taken.
    29. Types of Control Activities
       • Control activities are performed by personnel at various levels in the organization
         • Top Level Review – Actual performance to budget and forecast
         • Direct Functional or Activity Management – Daily, weekly and/or monthly review of performance by direct reports (supervisors & managers)
         • Information Processing – Controls designed to check accuracy, completeness and authorization of transactions
    30. Types of Control Activities
       • Control activities are performed by personnel at various levels in the organization (continued)
         • Physical Controls – Physical security and periodic counting of hard assets (cash, inventory, equipment, etc.)
         • Performance Indicators – Analytical reviews, where differences are investigated and corrective actions taken, and
         • Segregation of Duties – Incompatible duties are separated among different people to reduce risk of error or inappropriate actions
    31. Application to Sarbanes 404
       • Level 1 – Unreliable
         • Unpredictable environment where control activities are not designed or in place
       • Level 2 – Informal
         • Disclosure activities and controls are designed and in place but are not adequately documented
         • Controls mostly dependent on people
         • No formal training or communication of control activities
       • Level 3 – Standardized
         • Control activities are designed and in place
         • Control activities have been documented and communicated to employees
         • Deviations from control activities will likely not be detected
       • Level 4 – Monitored
         • Standardized controls with periodic testing for effective design and operation, with reporting to management
         • Automation and tools may be used in a limited way to support control activities
       • Level 5 – Optimized
         • An integrated internal control framework with real-time monitoring by management and continuous improvement (Enterprise Wide Risk Management)
         • Automation and tools are used to support control activities and allow the organization to make rapid changes to the control activities if needed
       [Diagram: the five levels, Unreliable through Optimized, leading to the Management 404 Internal Control Assertion]
    32. Application to Sarbanes 404
       Business process focus area: Invoicing
       Control objective: Accuracy of Input – All errors in data are detected when recorded, accepted by the system, or converted to system-readable format.
         • What ensures that the fee and amount of the services provided are correct?
         • What ensures that the invoice represents the actual services provided?
         Control activities/procedures noted (Control? Y/N):
         • Y – There is a programmed procedure that will only allow invoicing a customer for the services described on the bill. An invoice will not be generated for that appointment until the services on the bill agree to the services on the schedule logging system.
         • N – Through a programmed procedure, invoices are priced using the contract assigned to that customer or the default price assigned to that customer in the customer contract pricing database. However, anyone who can manually enter a service provider can manually enter a different fee, thus overriding the contracted fee arrangement.
         • N – There is a programmed procedure that will only allow invoicing a customer for the services on the bill. However, there is no control to ensure that all services provided were logged on to the service invoice.
       Control objective: Completeness of Input – All appropriate data are entered into the system and accepted for processing. Data rejected by the system are reported, investigated, corrected and re-entered.
         • What ensures that a service invoice is generated for service provided?
         • What ensures that services provided cannot be invoiced twice?
         Control activities/procedures noted (Control? Y/N):
         • Y – Every night there is a manual reconciliation of the number of Service Appointments that day to the number of appointments invoiced. This is part of the balancing procedures performed by the data center over nightly batch jobs. Approximately 70% of these invoices are transmitted to the customers electronically via EDI. A manual reconciliation is done to check that all invoices sent to EDI were received by EDI. EDI customers must acknowledge that they have received invoices. If customer acknowledgements are not received, the analysts follow up with the customers. The remaining 30% of the invoices are sent through regular mail.
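The nightly count reconciliation on slide 32 compares the number of appointments to the number of invoices. As an added illustration (not from the webcast; records, customers, service codes and contract prices are constructed), the script below implements that count check and a record-level reconciliation covering the two objectives where the slide marks the control "N": fee overrides against contract pricing and completeness per appointment. It also shows why the count alone can pass when a duplicate invoice and a missing invoice offset each other.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Appointment:          # one entry from the schedule logging system
    appt_id: str
    customer: str
    service: str            # service code actually provided


@dataclass(frozen=True)
class Invoice:              # one entry from the invoicing system
    invoice_id: str
    appt_id: str
    customer: str
    service: str
    fee: float


# Constructed contract pricing: (customer, service) -> fee; "*" is the default price.
CONTRACT_PRICING = {("acme", "SVC-100"): 120.00, ("*", "SVC-100"): 150.00, ("*", "SVC-200"): 80.00}


def contracted_fee(customer: str, service: str):
    """Contract price for this customer, else the default price, else None."""
    return CONTRACT_PRICING.get((customer, service), CONTRACT_PRICING.get(("*", service)))


def counts_balance(appointments, invoices) -> bool:
    """The slide's nightly control as stated: appointment count == invoice count."""
    return len(appointments) == len(invoices)


def reconcile(appointments, invoices, tolerance: float = 0.005) -> dict:
    """Record-level detective control. Returns exceptions for investigation:
    missing      - appointments with no invoice            (completeness)
    duplicate    - appointment ids invoiced more than once (completeness: invoiced twice)
    unmatched    - invoices not agreeing to the schedule   (accuracy: invoice reflects actual service)
    fee_override - invoice fee differs from contract price (accuracy: manual fee override)
    """
    appts = {a.appt_id: a for a in appointments}
    counts = Counter(i.appt_id for i in invoices)
    result = {"missing": sorted(set(appts) - set(counts)),
              "duplicate": sorted(k for k, n in counts.items() if n > 1),
              "unmatched": [], "fee_override": []}
    for inv in invoices:
        appt = appts.get(inv.appt_id)
        if appt is None or appt.service != inv.service or appt.customer != inv.customer:
            result["unmatched"].append(inv.invoice_id)
            continue
        expected = contracted_fee(inv.customer, inv.service)
        if expected is None or abs(inv.fee - expected) > tolerance:
            result["fee_override"].append((inv.invoice_id, inv.fee, expected))
    return result


# Constructed sample day: four appointments, four invoices.
APPOINTMENTS = [Appointment("A1", "acme", "SVC-100"), Appointment("A2", "beta", "SVC-200"),
                Appointment("A3", "beta", "SVC-100"), Appointment("A4", "acme", "SVC-200")]
INVOICES = [Invoice("I1", "A1", "acme", "SVC-100", 120.00),
            Invoice("I2", "A2", "beta", "SVC-200", 80.00),
            Invoice("I3", "A2", "beta", "SVC-200", 80.00),   # A2 invoiced twice
            Invoice("I4", "A3", "beta", "SVC-100", 99.00)]   # manual fee override; default is 150.00
# A4 is never invoiced, so the count check (4 == 4) passes while two exceptions exist.

if __name__ == "__main__":
    print("counts balance:", counts_balance(APPOINTMENTS, INVOICES))
    print(reconcile(APPOINTMENTS, INVOICES))
```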
    33. Monitoring
       Andrew Bellenkes, CPA, Senior Auditor, VF Corporation
    34. COSO Model - Monitoring Component
       • Ongoing Monitoring - Management, supervisory, and other monitoring activities in the ordinary course of operations that assess the quality of internal controls
       • Separate Monitoring - Evaluation focusing directly on system effectiveness, with a scope and frequency dependent on the assessment of risks and ongoing monitoring
       • Reporting Deficiencies - Upstream reporting of internal control deficiencies, with certain matters reported to top management and the board
    35. SEC Final Ruling - Monitoring: Points of Focus...
       • Recognized control framework must be used as the basis of evaluation
       • Sufficient procedures to evaluate the design and the test of internal controls over financial reporting
       • Evidentiary matter must be maintained
       • Quarterly evaluation of changes to internal controls over financial reporting
       • Certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act as exhibits to annual, semi-annual and quarterly reports must be filed
    36. Monitoring Component
       • COSO Model
         • Risk Assessment
         • Monitoring
       • VF Hybrid Model
         • Goals & Objective Setting
         • Monitoring & Assessment
    37. Essential Elements of Effective Monitoring
       • Scope Changes
       • Evidentiary Support
         • SEC Rules
         • Archiving, Record Retention, Rollover to the Next Period
       • Training
       • Internal Audit’s Role
       • Extent/Vigor of Quarterly Assessments
    38. Roles in Monitoring Controls
       • Internal Audit
       • Project Office
       • Corporate Controller’s Office
       • European Business Units
       • Asian Business Units
       • Domestic & Americas Business Units
    39. Roles in Monitoring Controls … Project Office/Internal Audit/Corporate Controller’s Office
       • Project Office
         • Corporate Communication
         • Training
         • Systems Administration (for internal controls documentation database used)
       • Internal Audit
         • Review of Self-Testing by the Business Units
         • Coordination and Performance of Testing (for external audit reliance, except for exempt areas)
    40. Roles in Monitoring Controls … Project Office/Internal Audit/Corporate Controller’s Office
       • Corporate Controller’s Office
         • Policies and Procedures Statements
         • Internal Control Design and Implementation
         • Technical Guidance
    41. Roles in Monitoring Controls … the Organization
       [Organization chart]
       • VF Risk Committee – Corporate CFO (Chair)
       • Project Office – General Auditor, Corporate Controller, Internal Audit, Finance
       • External Advisory
       • Business units, each with a BU Owner and a BU Coordinator: VF Jeanswear, VF Imagewear, VF Intimates, VF Outdoor, VF Europe, VF Corporate, VF Services FI/HR, VF ASIA/GSO, VF IS/IT, Acquisition(s)?
       *Issue resolution: Ownership of final accounting determinations
    42. Roles in Monitoring Controls … VF Europe
       [Organization chart]
       • VF Risk Committee – Corporate CFO (Chair)
       • Project Office – General Auditor, Corporate Controller, Internal Audit, Finance
       • VF Europe – BU Owner, BU Coordinator
       • Location Coordinators: Malta, UK, Italy, Germany, Belgium, Poland
    43. Ongoing Monitoring … VF Methodology
       • Ongoing Business Unit testing
       • Integrated internal audit approach to test Business Unit compliance with Section 404 vs. stand-alone audits of Accounting and Financial Reporting internal controls
       • Quarterly certifications from Business Unit CFOs and CIOs
    44. Summary
       • Analysis and assessment of soft controls is as critical as analysis and assessment of hard controls.
       • Need for evaluation controls that span all five components of COSO.
       • Business unit management owns the monitoring function.