Petra Learning LLC
SOX Nimbleness
“How Responsive is Your SOX Program?”
September 10, 2012
7/17/2013 Proprietary and Confidential Page 1
Purpose and Objectives
Purpose: Inform and Equip
Objectives:
• Explore the attributes of a responsive SOX Program
• Provide an assessment tool that can be used to evaluate current SOX programs
Agenda
Discussion Topic
• SOX Current State: 5 minutes
• Attributes of a Responsive SOX Program: 40 minutes
  1) Polling Questions (3)
  2) Self-Assessment Tool (Summary Slide)
• Call to Action: 5 minutes
SOX Current State
We’ve Enjoyed a Relatively Static Environment
◦ Changes mainly related to SOX optimization.
◦ Limited impact on personnel, operations, and technology from accounting
standards.
◦ Limited publicity or press related to SOX failures. Limited impact of disclosing
deficiencies, material weaknesses, or having restatements.
SOX redesign is not a palatable undertaking for most
◦ Programs aren’t overly flexible
◦ Heavy on documentation, numerous very specific and detailed controls
“SEC Sanctions Direct Edge Electronic Exchanges and Orders
Remedial Measures to Strengthen Systems and Controls”
Responsive SOX Program Attributes
Overall characteristics you should strive for in your
SOX program
• Dynamic – ability to evolve; to reinvent their business model to achieve or maintain an advantage
• Integrated – to make into a whole by bringing all parts together; unify; combining or coordinating separate elements so as to provide a harmonious, interrelated whole
• Comprehensive – covering completely or broadly; dealing with all or many of the relevant details
• Well Understood – widely or sufficiently understood or comprehended
Question # 1 and 2: Dynamic
1. How frequently is the design of controls (not the
effectiveness) evaluated?
2. What triggers reevaluation of your design of controls?
Why this matters
• Numerous accounting changes are upcoming, some of which allow for early adoption; most of which will require significant operational changes.
• Potential overlapping implementation dates mean multiple projects may occur simultaneously.
What could you do to get ahead of this?
Polling Question # 1
To what extent would you agree that
process and control owners within your
company have a sufficient understanding
of the difference between design
effectiveness and control effectiveness?
a) Strongly agree
b) Somewhat agree
c) Somewhat disagree
d) Strongly disagree
Question 3: Dynamic
3. How well do you understand and how easily can you
identify the interdependencies between controls?
Why this matters
• As sub-processes and their related controls are changed you need to be able to quickly assess the impact on the rest of your control environment.
• Some areas are not as obvious, for example automated controls such as edit checks or comparisons / thresholds.
What could you do to get ahead of this?
Question 4: Integration
4. Do you have a good linkage between accounting information
and supporting IT systems (in the broadest sense)?
Why this matters
• Ability to identify information that may come from a system that is not currently in-scope or subject to the same IT environment.
• Ability to flag information that comes from spreadsheets that will need to be revised so that you become more sensitive and focused on spreadsheet errors during the change period.
• Ability to trace info to key databases and flags that will go through significant change.
What could you do to get ahead of this?
Question 5: Integration
5. How do you assess other components of the
control environment during this change period?
Why this matters
• Qualifications of accounting personnel
• Financial expertise of Audit Committee and especially Audit Committee Chair
• Information and communication processes around changing accounting policies and processes
• Disclosure committee and risk committee
What could you do to get ahead of this?
COSO Framework
Current framework prior to revision expected to be issued final 1Q2013.
COSO Releases Thought Paper on Enhancing Board Oversight by Avoiding and Challenging Traps and Biases in Professional Judgment
Polling Question # 2
Evaluating the control environment and allowing this evaluation
to influence the design and testing of transactional level controls
has been a challenge in many SOX programs. What level of
linkage do you believe that you’ve been able to obtain
between the control environment and transactional level
controls?
a. Strong linkage – our control environment assessment
directly influences our control effectiveness assessment
b. Partial linkage – our control environment assessment may
impact our level of testing but does not impact our
assessment of control effectiveness
c. No linkage – assessments are completely independent of
each other; identified issues are addressed separately.
Question 6: Comprehensive
6. Do you have a systematic process for analyzing specific
scoping and materiality nuances?
Why this matters
• Impact of adoption could be a material amount though the account itself is not material. Is reliance upon an entity-level control sufficient to catch these material items?
• Some processes may feed into significant new disclosures though they are more operational in nature. Will those get added into scope and who would be responsible for assessing (ICOFR, IA)?
• Some locations may not have been significant in the past but may contribute heavily to leases that will suddenly be on the balance sheet or to other new accounts.
What could you do to get ahead of this?
Question 7: Comprehensive
7. Is your SOX process sensitive enough to detect:
a. material changes in assumptions even if the balances
themselves do not fluctuate significantly?
b. Changes in assumptions that should’ve occurred but
did not?
Why this matters
• Underlying assumptions of material estimates are still an area of concern that continues to cause restatement. This risk will increase as new accounting standards are issued.
What could you do to get ahead of this?
Question 8: Understood
8. How well do you understand and how easily can
you identify the interdependencies between
controls?
Why this matters
• As sub-processes and their related controls are changed, you need to quickly assess the impact on the rest of your control environment.
• Areas where interdependencies may not be as obvious include automated controls like edit checks or comparisons / thresholds.
What could you do to get ahead of this?
Polling Question # 3
Have you previously evaluated your
SOX program from a responsiveness
view?
a. Yes
b. No
Self-Assessment Checklist
Criteria (answer columns: Yes, No, Ref)
1. How frequently is the design of controls (not the effectiveness) evaluated?
2. What triggers reevaluation of your design of controls?
3. How well do you understand and how easily can you identify the interdependencies between controls?
4. Do you have a good linkage between accounting information and supporting IT systems (in the broadest sense)?
5. How do you assess other components of the control environment during this change period?
6. Do you have a systematic process for analyzing specific scoping and materiality nuances?
7. Is your SOX process sensitive enough to detect:
a. material changes in assumptions even if the balances themselves do not fluctuate significantly?
b. Changes in assumptions that should’ve occurred but did not?
8. How well do you understand and how easily can you identify the interdependencies between controls?
Call to Action
• Evaluate your SOX program flexibility as you wrap-up your 2012 testing and plan for 2013.
• Consider querying your employees on their understanding of the design of controls
• Consider your approach for keeping employees engaged and informed on accounting changes.

Oscpa webinar sox change readiness


Editor's Notes

  • #14 Example protocols: Primary new accounts established as part of implementing new accounting standards will be assessed in their initial year without regard to materiality.
  • #15 Example 1
  • #16 Example 1