Need For Corporate Governance

Why do corporations continue to fail, regardless of the increase (or decrease) in regulatory efforts? Until management adopts a "risk-centric" stance, we will continue to repeat the sins of the past...

1. The Importance of Governance In a Regulatory World
   Dwayne Jorgensen, CIA, CFE, Consultant, Governance Services, Spirit Consulting Services

2. Agenda
   - Introduction/Sarbanes-Oxley
   - Brief history
   - Human nature and the need for governance
   - COSO overview
   - Your role
   - Spirit or Letter of the Law?
   - A risk-based approach…
   - Q&A

3. The Cost of Poor Governance: Sarbanes-Oxley in a Nutshell
   - The Act was signed into law on July 30, 2002 and includes eleven titled sections:
     - Title I: Public Company Accounting Oversight Board
     - Title II: Auditor Independence
     - Title III: Corporate Responsibility
     - Title IV: Enhanced Financial Disclosures
     - Title V: Analyst Conflicts of Interest
     - Title VI: Commission Resources and Authority
     - Title VII: Studies and Reports
     - Title VIII: Corporate and Criminal Fraud Accountability
     - Title IX: White Collar Crime Penalty Enhancements
     - Title X: Corporate Tax Returns
     - Title XI: Corporate Fraud and Accountability

4. Brief History
   - Thanks to Enron and the “.com implosion,” governance became an issue
   - COSO’s Framework of Internal Control was published in 1992, but did not prevent the need for the Sarbanes-Oxley Act… Why?
   - COSO was left “voluntary,” and therefore was essentially ignored for ten years by the business world, until made mandatory by the Sarbanes-Oxley Act.

5. Human Nature: The Need For Governance
   - Maslow’s Hierarchy of Needs
     - “Self-awareness” is a desired, not required, state.
   - Behavior styles and business management
     - Governance tends to be viewed as “overhead,” and has historically been minimized on a “cost/benefit” basis.
   - Why is governance important?
     - Curiosity, greed, self-rationalization and pride: the key elements of control breakdowns in historical business cases.

6. Human Nature: The Need For Governance
   - The Competency Square (diagram of four quadrants): Unconsciously incompetent; Consciously incompetent; Consciously competent; Unconsciously competent

7. Human Nature: The Need For Governance (Competency Square diagram, continued)

8. Human Nature: The Need For Governance (Competency Square diagram, continued)
9. COSO Overview
   - COSO definition of internal control
     - Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
       - Effectiveness and efficiency of operations
       - Reliability of financial reporting
       - Compliance with applicable laws and regulations
   - Key concepts
     - Internal control is a process. It is a means to an end, not an end in itself.
     - Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
     - Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
     - Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

10. COSO Overview
    - Risks
    - Evaluated by:
      - Severity
      - Likelihood
    - Types of risks:
      - Inherent risks
      - Managed risks
      - Residual risks

11. COSO Overview
    - Dwayne’s “Hierarchy of Internal Control Needs” (first published 1990), a pyramid diagram with the layers Reactive, Proactive, Compliance, Operational, Consulting and Control Self-Assessment

12. COSO Overview
    - Hierarchy of internal control needs, revised (2004)
      - New foundational layers: Objectivity and Independence (beneath Reactive, Proactive, Compliance, Operational, Consulting and CSA)

13. Your Role as “Teacher”
    - Who is responsible for implementing the Internal Control Framework?
      - Management
    - Who should be responsible for overall governance?
      - Not your external auditors
    - What is the preferred solution?
      - Senior management and internal auditors as teachers of internal control

14. Your Role as “Teacher”
    - Internal control expertise can provide assistance in every layer of the cube (diagram layers: Reactive, Proactive, Compliance, Operational, Consulting, CSA)

15. Your Role as “Counselor”
    - Why should management, internal and external auditors communicate?
      - Ensures company assessments, documentation, testing and reporting are correct
      - Lightens attestation load for external auditor (SAS 65)

16. Governance: Spirit or Letter of the Law?
    - Sarbanes-Oxley: the “end” or the “means”?
      - Act originally thought limited in life, now basis for many global governance initiatives
    - Positive/negative effects of the intent for creating the ideal control environment
      - Too much focus on “letter of the law” (reporting requirements) rather than “spirit” (corporate governance)
    - Ongoing debate over role of external auditor
      - Act was direct result of audit firms acting as consultants, yet lines are still blurred on using external auditors for consulting needs.
      - “4 – 3 – 2”

17. Spirit or Letter of the Law? (4 – 3 – 2)
    - Section 404
      - Can external auditors “independently” test and opine on management’s report on internal controls if they played any role in preparing the document?

18. Spirit or Letter of the Law? (4 – 3 – 2)
    - Section 302
      - Is management comfortable with this decision in light of pending guidance on disclosure protocols, and the subsequent potential harm if something was deemed “inappropriate” about the external auditor’s role at a later date?

19. Spirit or Letter of the Law? (4 – 3 – 2)
    - Section 201
      - Since this assistance of operating management in preparing their assertion falls outside the scope of actual external audit work, does it require audit committee approval, and is management therefore comfortable asking for it?

20. In the true “spirit” of the Act…
    - Independent Internal Audit (IA) function
    - Board-approved charters
    - Risk assessments: management & IA
      - Key controls determined by management assessments
      - Audit plans developed based on output of assessments
    - Testing and reports of effectiveness by IA
      - Correction of deficiencies by management
    - Management/IA as “teachers of internal control”
    - Management/IA as part of continuous improvement process

21. In the true “spirit” of the Act…
    - Thought-leading organizations were doing most, if not all, of the previous prior to the Act, and were not even necessarily publicly traded!
22. COSO ERM Framework: Have You Started Yet?

23. Enterprise Risk Framework (cube diagram)
    - Four objective categories: strive to achieve
    - Eight components: needed to achieve
    - Entity and organizational units

24. Enterprise Risk Framework
    - Is a process: a means to an end, not an end in itself.
    - Is effected by people: not merely policies, surveys and forms, but involves people at every level of an organization.
    - Is applied in strategy setting.
    - Is applied across an enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks.
    - (Cube diagram repeated: four objective categories, eight components, entity and organizational units)

25. Enterprise Risk Framework
    - Is designed to identify events potentially affecting the entity and manage risk within its risk appetite.
    - Provides reasonable assurance to an entity’s management and board.
    - Is geared to the achievement of objectives in one or more separate but overlapping categories.
    - (Cube diagram repeated: four objective categories, eight components, entity and organizational units)

26. The Compliance Iceberg (diagram): industry compliance standards

27. Who’s Watching the Store? (table of responsibility, role, and frequency under COSO, SOX 302 and SOX 404)
    - External auditors (validators independent of company): COSO annually; SOX 302 quarterly; SOX 404 annually
    - Internal auditors (validators independent of management, but part of company): COSO periodically; SOX 302 quarterly; SOX 404 annually
    - Management (owner of internal controls and ongoing monitoring): COSO ongoing; SOX 302 quarterly; SOX 404 annually

28. Cost of SOX Implementation: 2005
    - 2005 SOX expenditure by US firms: $6 billion
      - Internal expenses: $2 billion
      - Hardware/software: $2 billion
      - Consulting: $2 billion
    Source: Gartner

29. Cost of SOX Implementation: Ongoing?
    - A study from Foley & Lardner LLP shows that while the total cost of SOX compliance dipped in 2006, spending on so-called out-of-pocket costs rose by double-digit percentages.
    - According to the Chicago-based law firm’s study, public companies with more than $1 billion in annual revenue spent an average $10 million on costs such as board compensation and audit and legal fees in 2006. That’s a 12% increase over spending in 2005. At public companies with revenue under $1 billion, the increase was 13%.
    - External audit fees claimed the biggest chunk of money, accounting for more than 47% of the out-of-pocket spending on compliance by the smaller public companies. At companies with more than $1 billion in revenue, a whopping 60% of the money goes to external audit fees.
    - “Some experts predicted that external audit fees would decrease after the initial implementation of Section 404 audits, as external auditors became more familiar with their clients’ accounting controls and, therefore, more efficient in conducting their audits,” said Thomas E. Hartman, a partner at Foley & Lardner and director of the report. “Our study results do not support this prediction. Indeed, external audit fees have been the only cost our study has shown to increase every year since the Sarbanes-Oxley Act was passed.”
    - Meanwhile, all the manpower and money that companies have invested internally on SOX compliance is beginning to pay off. According to the Foley study, most of that dip in total SOX spending in 2006 was due to efficiency improvements in internal financial reporting -- and thus a gain in productivity.
    - IT departments shouldered a big part of the internal work done in preparation for SOX -- cleaning up and documenting processes. Can CIOs give themselves a pat on the back?
    - “CIOs will be able to pat themselves on the back when they sit down and help the rest of the business automate the internal controls as much as they can, and help get down the external audit fees, which are out of control,” said analyst French Caldwell, who covers compliance at consultancy Gartner Inc. in Stamford, Conn. “It’s not over yet. Don’t even stop to catch your breath.”
    - Caldwell said the Foley findings are consistent with other research. During the last three years, companies have seen about a 35% reduction in overall SOX compliance costs, almost all of which have come from savings on internal labor and on fees paid to consultants.
    - But a reduction in internal labor costs or one-time consultants doesn’t equate with “any great efficiencies,” he said, precisely because the external auditing fees have hardly budged -- indeed they’re “out of control.”
    - “That indicates to me that there is just as much to audit. That indicates to me that many companies haven’t really rationalized the controls. They haven’t automated a lot of the controls,” Caldwell said. Nor have companies yet heeded the advice this spring from the Securities and Exchange Commission (SEC) to take a more risk-based approach to SOX compliance.
    Source: Linda Tucci, 16 Aug 2007, SearchCIO.com
30. So What’s a Corporation to Do?
    - Continuous monitoring (CM) offers the only practical, cost-effective solution.
      - Build a system that provides a perpetual inventory of governance
      - Leverage IT to maximize automation and reduce staffing loads

31. Proposed CM Solution Pyramid (diagram; components as labelled)
    - Hardware/data integrity component: EMC Centera®, Proofspace encryption, record management automation
    - Software component: various vendor process automation products, e.g. Documentum®, Movaris OneClose®, ACL CCM®
    - Co-sourcing component?: independent IT test services
    - Planning component: SOX methodology: assess, document, test, report
    - Oversight component: “Tone at the top”: executive buy-in, “spirit” vs. “letter”

32. Sarbanes-Oxley’s Impact on the COSO Cube (diagram: IT components mapped to the COSO components, with Sections 302, 409 and 404 across the top)
    - Control Environment: “Tone at the top”, IT governance, regulatory compliance
    - Risk Assessment: IT risk management, IT risk assessments, business impact analysis
    - Control Activities: firewalls, security, DRP, business continuity, SDLC, change control, operations, IT policies, standards & procedures
    - Information & Communication: email, scorecards, dashboards, project control, help desk
    - Monitoring: server logs, database logs, firewall logs, intrusion detection, incident response, awareness training

33. CM Solution Requirements (matrix; tools and processes are examples only)
    - Rows: the COSO components Risk Assessment, Control Environment, Monitoring, Information & Communication, Control Activities
    - Resources needed: technology (HW/SW); people (staff, management)
    - Tool or process needed, row by row: OneClose®; organizational consulting; ACL CCM®/OneClose®; Documentum®; OneClose®

34. Key Recommendation
    - Validate methodology through execution on a pilot process (assess, document, and test)
    - Remediate consistently and constantly
    - Work with external auditor to ensure approach is satisfactory via a full trial on a key process before rollout

35. Internal Control Maturity Model
    - Initial: Control structure is not defined. Control occurs incidentally.
    - Repeatable: Control structure is not defined, but control processes may occur based on past success and management oversight.
    - Defined: Control structure is documented, standardized and integrated into control processes for the organization.
    - Managed: The control process is regularly assessed and tested. Detailed measures of the control process are collected and reported.
    - Optimizing: Continuous process improvement is enabled by quantitative feedback from the control process.
    - Predictability, effectiveness and efficiency of an organization’s internal controls improve as the organization moves through these five stages.
36. COSO-Driven Methodology: Assess (flow diagram: Assess → Document → Test → Report, with remediation and ongoing coordination between management, external auditor, and consultant)
    - Form team: define overall SOX requirements; identify and form team; partner with external audit firm
    - Perform risk assessment: confirm audit universe; define risk weighting; conduct assessment
    - Confirm results: analyze assessment results; confirm risk rankings; map to knowledge base of mitigating practices
    - Develop work plan: present findings to management; develop plan for documentation phase; review plan with external auditor and management
    - Process outcomes: management support; internal champion; trained team; consensus on objectives; risk-ranked universe; the plan

37. COSO-Driven Methodology: Document (same flow diagram)
    - COSO alignment: define target maturity level by process; assess COSO maturity by process; identify where improvements are needed
    - Document control activities: define control objectives; determine tool approach; map assessment to objectives and identify gaps
    - Improve controls: develop plan to address gaps with control changes; assess and implement changes in controls; test new processes and train users
    - Define monitoring process: confirm the role of the internal audit department; assess current monitoring environment; implement monitoring process
    - Process outcomes: COSO maturity ranking; consensus on end state; improved controls environment; ongoing monitoring; documented controls

38. COSO-Driven Methodology: Test (same flow diagram)
    - Management controls monitoring: educate management on controls; develop framework for management monitoring; facilitate management monitoring of controls
    - Material weakness plan: identify weaknesses from management test; develop action plan for weaknesses; reiterate if necessary
    - Ongoing report process: implement process for ongoing quarterly reports; define process for development of IC report; partner with external auditor on report requirements
    - Independent internal audit testing: develop framework for independent monitoring; facilitate independent monitoring of controls
    - Process outcomes: management control monitoring; independent monitoring; management reporting process; ongoing reporting

39. COSO-Driven Methodology: Report (same flow diagram)
    - Phases: management report; external audit; external control testing; external auditor assertion
    - Steps: management reports on role in controls; management reports on testing process; management delivers final controls report; external audit commences; external auditor tests controls per requirements; external auditor reviews management report; external auditor issues final report; external auditor issues final assertion
    - Process outcomes: management report; external audit report; external assertion

40. Benefits/ROI
    - ROIs are easily calculated, by the determination of FTE reduction due to PCAOB’s Standard II regarding the testing of automated controls once, versus the repeated testing necessary for manual controls.
    - Secondary benefit, especially in the ability to store the results of continuous monitoring in an authenticated, digital format, should have a significant impact on future third-party litigation revolving around alleged misconduct by management, in proving the validity of the effectiveness of key control activities.

41. Illustrative Assessment Work Plan (diagram only)

42. Control Assessment Structure (diagram only)
  43. 43. Framework for Risk Assessment <ul><li>Identify </li></ul><ul><ul><li>What are the risks? </li></ul></ul><ul><li>Measure </li></ul><ul><ul><li>What is the relative degree of risk? (Determined by Severity and Likelihood .) </li></ul></ul><ul><li>Prioritize </li></ul><ul><ul><li>Which risks are most important? </li></ul></ul>
  44. 44. Risk Assessment: The Big Picture <ul><li>Internal and external risks faced by all organizations. </li></ul><ul><li>Requires linked and consistent management objectives. </li></ul><ul><li>Identified/analyzed to manage and achieve objectives. </li></ul><ul><li>A system to address organization impact of external and internal condition changes. </li></ul>IIA Definition - “… a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. …organize and integrate professional judgments for development of the audit work schedule.”
  45. 45. Enterprise Risk Assessment <ul><li>Driven by enterprise strategies and overall goals. </li></ul><ul><li>Risk rank audit universe, applying the same risk factors to all audit entities. </li></ul><ul><li>Top-down focus begins at the enterprise level. </li></ul><ul><li>Bottoms-up begins at the entity level. </li></ul><ul><ul><li>Approach dependent on management’s objectives and other initiatives in place. </li></ul></ul>
  46. 46. Enterprise Risk Assessment Defined <ul><li>Enterprise Risk – Potential exposures which could significantly impact or impede an enterprise’s ability to succeed in accomplishing its overall financial and operational goals and objectives. </li></ul><ul><li>Risks can be categorized as follows: </li></ul><ul><ul><li>Strategic – relating to high-level goals, aligned with and supporting the entity’s mission/vision. </li></ul></ul><ul><ul><li>Operations – relating to effectiveness and efficiency of the entity’s operations, including performance and profitability goals. </li></ul></ul><ul><ul><li>Reporting – relating to the effectiveness of the entity’s reporting. </li></ul></ul><ul><ul><li>Compliance – relating to the entity’s compliance with applicable laws and regulations. </li></ul></ul>
  47. 47. Ways To Look At Risk <ul><li>Quantitative </li></ul><ul><ul><li>Assign a value to each control risk times a probability of the threat of the risk </li></ul></ul><ul><ul><li>Higher value/greater risk </li></ul></ul><ul><li>Qualitative </li></ul><ul><ul><li>High, medium, low or adequate/inadequate </li></ul></ul>
  48. 48. Approaching Risk Assessment <ul><li>Solicit executive management’s enterprise strategies, goals, objectives and concerns. </li></ul><ul><li>If applicable, obtain external auditor’s perspective of the company. </li></ul><ul><li>Also consider insurers, outside counsel, other third-party service providers. </li></ul><ul><li>Capture organization, products, processes, functions, locations, systems, support areas, etc. relevant to auditable entities. </li></ul><ul><li>Develop a model using risk factors, weightings and scoring criteria. </li></ul><ul><li>Objective is a risk-ranked audit universe. </li></ul>
  49. 49. An Enterprise Risk Assessment Tool <ul><li>Provide analyses regarding risk exposures at an audit universe (enterprise) level. </li></ul><ul><li>No pre-defined database of standard questionnaires, risk factors and set risk weightings. </li></ul><ul><li>Information compiled by experienced professionals. </li></ul><ul><li>Information/analyses as good as the information compiled. </li></ul>
  50. 50. Types of Risk Factors <ul><li>Assets at risk </li></ul><ul><ul><li>Cash </li></ul></ul><ul><ul><li>Inventory </li></ul></ul><ul><ul><li>Intellectual property </li></ul></ul><ul><li>Operational </li></ul><ul><ul><li>Procurement </li></ul></ul><ul><ul><li>Production </li></ul></ul><ul><ul><li>Material Handling </li></ul></ul><ul><ul><li>Sales </li></ul></ul><ul><ul><li>Service </li></ul></ul><ul><ul><li>Human Resources </li></ul></ul><ul><ul><li>Planning </li></ul></ul><ul><ul><li>Legal </li></ul></ul><ul><ul><li>Environmental </li></ul></ul><ul><li>Systems </li></ul><ul><ul><li>Information quality </li></ul></ul><ul><ul><li>Security </li></ul></ul><ul><ul><li>Disaster planning </li></ul></ul><ul><ul><li>Equipment/software </li></ul></ul><ul><li>Financial </li></ul><ul><ul><li>Data accuracy </li></ul></ul><ul><ul><li>Available information </li></ul></ul><ul><ul><li>Completeness of data </li></ul></ul><ul><ul><li>A/R, A/P, Cash flow, etc. </li></ul></ul>
  51. 51. Risk Weighting and Scoring <ul><li>Weigh risks based on customized criteria. </li></ul><ul><ul><li>Relative importance of individual risk factor. </li></ul></ul><ul><ul><li>Risk factor impact on business units based on likelihood of occurrence and severity of impact. </li></ul></ul><ul><ul><li>Facilitate with management and process owners. </li></ul></ul><ul><li>Risk weighting results reviewed by management and the process owners. </li></ul><ul><ul><li>Risk score is assessed for each risk factor. </li></ul></ul><ul><ul><li>Scores summed for a total risk score. </li></ul></ul><ul><ul><li>Supports risk ranked audit universe. </li></ul></ul>
  52. 52. Risk-based Approach: Examples Business Processes Alignment Business Continuity Compliance Contracting Empowerment Environmental Fraud Health and Safety Illegal Activities Management Information Obsolescence/Shrinkage Product/Service Quality Relevance Unauthorized Use Technology Availability Access Functionality Integrity Usability Functional Risk Finance Collateral Counterparty Credit Currency Derivatives Interest Rate Liquidity Reinvestment Settlement Financial Reporting Financial Assessment Evaluation Financial Statement Falsification Regulatory Reporting Taxation Strategic Risk Capital Availability Competition Financial Markets Flexibility Industry Leadership Legal Regulatory Product Life Cycle Product Development Reputation Trademark Erosion Sovereign Strategic Assumptions Valuation Authority Bench Strength Budgeting & Planning Capacity Commodity Communication Cycle Time Efficiency Human Resources Organization Structures Performance Metrics Pricing Resource Allocation Supplier Technology Selection Technology Deployment Conversion Risk
  53. 53. Risk-based Approach: Process Company Strategies Executive Management Input Risk Factor Model Development <ul><li>Executive Management Input and Buy-in </li></ul><ul><li>Extract Risk Factors from Strategies </li></ul><ul><li>Identify & Define Risk Factors to be Used </li></ul><ul><li>Define Related Scoring Criteria for Each Risk Factor </li></ul><ul><li>Weight the Risk Factors </li></ul>Audit Universe Development <ul><li>Input Obtained from Many Sources </li></ul><ul><li>Organizational Charts, Internal Management Reports, Company Directory, Annual Report, General Ledger, Location Listings, Major Projects or Contracts, Information Systems, etc. </li></ul><ul><li>Cost Centers, Profit Centers, Investment Centers, Locations, Functions, Processes, etc. </li></ul>Risk Exposure Scoring <ul><li>Scoring Occurs from Interviews with Senior Management Responsible for the Auditable Entities </li></ul><ul><li>One Person may be Responsible for Scoring Multiple Entities </li></ul><ul><li>Many Persons may be Responsible for Scoring One Entity </li></ul>Audit Plan Development <ul><li>Compute Risk-Ranked Audit Universe from Completion of the ERA model </li></ul><ul><li>Develop Audit Plan Based on Risk-Ranking and Available Resources </li></ul><ul><li>Obtain Executive Management Approval </li></ul><ul><li>Execute Audit Plan </li></ul><ul><li>Reassess Risk Exposures </li></ul>
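As an added example that is not part of the slides, a small Python model of the scoring steps on slides 47, 51 and 53: weighted risk factors, likelihood times severity scores gathered from several raters per auditable entity, averaged and summed into a risk-ranked audit universe. All factor names, weights, entities and scores below are constructed.

```python
"""Added example (not from the slides): a minimal enterprise risk
assessment (ERA) model of the kind slides 47, 51 and 53 describe.
Risk factors, weights, entities, raters and scores are constructed."""
from collections import defaultdict

# Constructed risk factors with relative-importance weights (slide 51).
WEIGHTS = {"security": 3.0, "disaster_planning": 2.0,
           "cash": 2.5, "data_accuracy": 1.5}

# Constructed interview scores: (entity, rater, factor, likelihood, severity)
# on a 1..5 scale (quantitative view, slide 47). Several raters may score one
# entity and one rater may score several entities (slide 53).
SCORES = [
    ("Treasury", "CFO", "cash", 4, 5),
    ("Treasury", "Controller", "cash", 3, 5),
    ("Treasury", "CFO", "security", 2, 4),
    ("Treasury", "CFO", "disaster_planning", 2, 3),
    ("Treasury", "CFO", "data_accuracy", 3, 3),
    ("Payroll", "HR Director", "cash", 2, 3),
    ("Payroll", "HR Director", "security", 4, 4),
    ("Payroll", "CIO", "security", 5, 4),
    ("Payroll", "HR Director", "disaster_planning", 3, 2),
    ("Payroll", "HR Director", "data_accuracy", 4, 4),
]

def factor_exposure(scores, weights):
    """Average likelihood*severity per (entity, factor) across raters,
    then apply the factor weight (value times probability, slide 47)."""
    raw = defaultdict(list)
    for entity, _rater, factor, likelihood, severity in scores:
        if factor not in weights:
            raise KeyError(f"unknown risk factor {factor!r}")
        raw[(entity, factor)].append(likelihood * severity)
    return {(e, f): weights[f] * sum(v) / len(v) for (e, f), v in raw.items()}

def rank_audit_universe(scores, weights):
    """Sum weighted factor exposures per entity; return [(entity, total), ...]
    with the highest-risk entity first (the risk-ranked audit universe)."""
    totals = defaultdict(float)
    for (entity, _factor), value in factor_exposure(scores, weights).items():
        totals[entity] += value
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for entity, total in rank_audit_universe(SCORES, WEIGHTS):
        print(f"{entity:10s} {total:6.2f}")
```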
  54. 54. Risk-based Approach Re-cap <ul><li>Risk-based approach </li></ul><ul><li>Defined model of enterprise risk factors </li></ul><ul><li>Customized to fit our client’s needs </li></ul><ul><li>Efficient direction of audit resources </li></ul><ul><li>Supported by an electronic tool that provides for data analysis </li></ul><ul><li>Provides sufficient information to build an audit plan </li></ul><ul><li>Performed by experienced professionals </li></ul><ul><li>Cost effective solution to improve enterprise risk management initiatives </li></ul>
  55. 55. Questions?
  56. 56. Dwayne Jorgensen, CIA, CFE Consultant, Governance Spirit Consulting Services <ul><li>Dwayne Jorgensen, CIA, CFE, is a recognized expert in governance, risk and controls. Mr. Jorgensen created the Sarbanes-Oxley Services & IT Governance global practice for CTG, a 39-year-old IT staffing solutions firm. He is respected for his ability to assess a client’s current state of compliance with Sarbanes-Oxley (SOX) and then guide them in meeting their compliance goals, especially those related to Sections 302, 404, and 409 of the act. In addition, Mr. Jorgensen has developed a “continuous monitoring” solution for corporate governance and speaks on the role of IT in that endeavor. Mr. Jorgensen is an expert in COSO, risks and controls, specifically as these areas pertain to the impact of SOX on corporate governance. He has over 20 years’ experience in internal audit, system controls, practice development, capital acquisitions, and risk management. </li></ul><ul><li>Before CTG, Mr. Jorgensen was North American Practice Director of internal audit services for Jefferson Wells International. He oversaw the growth and development of the firm’s internal audit service line in the United States and Canada post-Sarbanes-Oxley, especially in the areas of 301, 302, and 404 compliance. He also directed the business process outsourcing practice for the Atlanta office of Arthur Andersen, LLP, and was elected a principal of the firm. He was a senior manager for Coopers & Lybrand, LLP, and director of internal audit and secretary of the audit committee for Flagler System, Inc. Mr. Jorgensen is a member of the Institute of Internal Auditors and the Association of Certified Fraud Examiners, and has a Bachelor of Arts degree in pre-law with a major in accounting and finance from the University of Illinois-Urbana. </li></ul>
  57. 57. Dwayne Jorgensen, CIA, CFE Consultant, Governance Spirit Consulting Services – Referrals <ul><li>“I had the opportunity to work with Dwayne during an extremely critical period as our company attempted to address Sarbanes Oxley concerns. Dwayne and his team were simply the best of the best. I highly recommend Dwayne and would welcome the opportunity to work with him again.” April 1, 2008 Top qualities: Great Results, Expert, High Integrity Mike Pulaski - hired Dwayne as a Business Consultant in 2004, and hired Dwayne more than once </li></ul><ul><li>“Dwayne was directly responsible for developing Jefferson Wells’ approach to provision of Sarbanes Oxley services just after the act was passed by congress. He was on the leading edge of the service. His leadership was instrumental in subsequent success the company enjoyed.” January 7, 2008 Bob McDonald, Director Construction Services, Jefferson Wells International - worked indirectly for Dwayne at Jefferson Wells International </li></ul><ul><li>“Dwayne took a leading role in developing the regulatory compliance practice in the UK operation. I found Dwayne to be very commercially focused and felt his strengths were in developing a lasting relationship with the client.” January 8, 2008 Martyn Smith, Senior Consultant, CTG (UK) Ltd - worked with Dwayne at CTG </li></ul><ul><li>“Dwayne was the key provider in the delivery of an excellent Sarbanes-Oxley assessment audit of our business processes and provided specific and creative recommendations for implementation of corrective actions.” January 4, 2008 Top qualities: Personable, Good Value, On Time John Ponzo - hired Dwayne as an IT Consultant in 2004 </li></ul><ul><li>“I encountered few people in the three years I was selling SOX and GRC applications that truly understood the intertwined nature of a control environment and technology. Dwayne understood the pros, the cons and the yet to be challenged status quo. Dwayne knew early that complex control issues could be tackled efficiently using technology and at a reduced overall cost. Simply put, Dwayne "gets it"!” January 28, 2008 Brian Tietje, Senior Sales Consultant, Movaris - was with another company when working with Dwayne at CTG </li></ul>
  58. 58. Contact Information <ul><li>Dwayne E. Jorgensen, CIA, CFE </li></ul><ul><ul><ul><li>Consultant </li></ul></ul></ul><ul><ul><ul><li>Spirit Consulting Services </li></ul></ul></ul><ul><ul><ul><li>1851 Baltusrol Trail </li></ul></ul></ul><ul><ul><ul><li>Duluth, GA 30097 </li></ul></ul></ul><ul><ul><ul><li>Office: 678/957-0838 </li></ul></ul></ul><ul><ul><ul><li>Mobile: 770/789-7581 </li></ul></ul></ul><ul><ul><ul><li>E-mail: dej@spiritconsultingservices.com </li></ul></ul></ul>
  59. 59. Thank You!