1. The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley
The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act
The Institute of Internal Auditors
Webcast Series on Sarbanes-Oxley
Session #6 – September 30, 2003

2. The IIA Webcast Moderator
Jim Key, CIA
Managing Partner
Shenandoah Group, L.L.P

3. Disclaimer
The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.

4. Series 2: Emerging Trends and Best Practices in Implementing SOA
May 21 - Section 404 Readiness Review: How to document your system of internal control. (Archived)
June Helping your audit committee implement complaint handling. (Archived)
July 8 - Leveraging the COSO framework to meet Section 404 requirements (Archived)
August 12 - Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules” (Archived)
September 9 - Internal Audit support of Audit Committees – What works best
September 30 - The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

5. Webcast Series on SOA
Fostering Compliance with SOA: Internal Auditor’s Role
Four sessions archived on IIA’s website and available on CD
Originally aired January 28 – April 15, 2003

6. IIA Online Training - New !
Conferences on Demand
IIA’s August’s ERM/CSA Conference 10 best sessions online for $199.
Stay current and earn CPEs
Visit for a list of the segments and additional information.
Or, contact

7. Agenda 1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
Fitting into the Bigger Picture –
Kimberly Parker Gavaletz
COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

8. Internal Control Testing Strategy
Patricia Scipio, CIA, CPA Vice President, Auditing
Wellchoice, Inc.

9. Where is your company at in terms of 404 Readiness?
Choice
Count %
Completed the scoping, planning and mobilization 51
46.4%
Completed controls documentation 18
16.4%
Completed the evaluation of the design effectiveness of controls 8
7.3%
Completed the testing of the operating effectiveness of controls 3
2.7%
Completed remediation of any identified design gaps 1
0.9%
Completed remediation of any identified operating controls ineffectiveness 2
1.8%
Other, please explain: 27
24.5%

10. When is your company planning to test the operating effectiveness of key controls?
Choice
Count %
2003 and 2004 63
58.9%
Only in 2004 and why? 44
41.1%

11. Key Initial Decisions What controls will be tested?
How will each type of control be tested?
When will each control be tested?
How often should each control be tested?
Who will perform the testing?

12. Testing Strategy Objectives
Standardize a methodology for testing the operating effectiveness
Develop proactive warning indicators to alert management of potential control failures
Monitor key processes by continuous scanning for adverse developments
Develop a turn key approach so business owners can easily perform testing as part of their routine

13. Financial Reporting Control Objectives
Existence or Occurrence
Completeness
Rights and Obligations
Valuation or Allocations
Presentation and Disclosure

14. Basic Controls Accountability Control Totals Double Verification
Exception/Edit Reports
Holding Files
Independent Checks
Interface Controls
Key Performance Indicators
Management Review
Numerical Sequencing
Periodic Reconciliation
Pre-numbered Documents
Proper Authorization
Safeguard Assets
Segregation of Duties
System Configuration
Transactions Recorded

15. Means of Achieving Control
Organization – structured roles
Policies – principles and guidelines
Procedures – methods employed
Personnel – qualifications to perform the job
Accounting – financial control
Budgeting – expected results
Reporting – timely, accurate and meaningful

16. Controls by Function or Type
Directive Controls
Preventive Controls
Detective Controls
Corrective Controls
Manual vs Automated Controls
Hard vs Soft Controls

17. Testing Procedures Inquiry Observation Inspection of Physical Evidence
Re-performance

18. Factors in Designing Testing Strategy
Nature of control & significance in achieving objective
One control supporting more than one objective
Significant changes in volume or nature of transactions
Changes in the design of the control
Degree to which control relies on effectiveness of other controls

19. Factors in Designing Testing Strategy (continued)
Complexity of the Control
Manual vs. Automated Control
Existence of Self-assessment Programs
Entity wide Control
Frequency of Control
Timing of Test of Controls
Changes in key personnel who perform or monitor the control

20. Summary
Several factors must be considered in determining the nature, timing and extent of testing
Management should monitor the quality and performance of the system of internal control over time
To the extent possible, internal controls should be structured to be self-monitoring and self-correcting

21. Agenda 1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
Fitting into the Bigger Picture –
Kimberly Parker Gavaletz
COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

22. Fitting Into the Bigger Picture
Kimberly Gavaletz
VP, Internal Audit
Lockheed Martin Corporation

23. Internal Audit’s Obligation & Opportunity
Components
Framework
Quality
Keeping It Fresh
Internal Audit’s Obligation & Opportunity

24. Framework II. Discussion of Amendments Implementing Section 404
1.B.3 Final Rules …a company’s annual report to include and internal control report of management that contains…
A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting;
1.B.3.A Evaluation of Internal Control over Financial Reporting
…Management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria and may be used as an evaluation framework…However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute…
June 5, 2003
SEC Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports

25. Big Picture Embodied in the Framework
COSO
Control Environment
Foundation – Discipline & Structure
Risk Assessment
Identification & Analysis of Risks to Pre-determined Objectives
Control Activity
Policies/Procedures/Practices that Ensure Objectives are Achieved and Risk Mitigation Strategies are Carried Out
Information & Communication
Communication of Control Responsibilities to Employees in Form & Timeframe to Execute
Monitoring
Oversight of Internal Controls (Outside and Inside the Process)
Big Picture Embodied in the Framework
Other Frameworks: Guidance on Assessing Control, Turnbull Report, “Future Developments”

26. Framework: Ownership Objectives Risks Controls Monitoring
Information/Communications
Control Environment
&
Management Owns
Internal Audit Performs Independent Assessments/Audits
Communications & Information must flow throughout
Key: Management Ownership

27. Integrity of Financial
Framework: Scope
Today’s Emphasis
Disclosure Controls-302
Internal Controls-404
Integrity of Financial
Reporting
Big Picture
Business Objectives
- Financial
- Technical Delivery
- Compliance
Performance with Integrity

28. ReactivegProactivegPreventive
Quality
Who Decides Quality of Controls?
Who Decides Level of Consistency Needed?
Roles
Drivers
-Management
-Internal Audit
-External Audit
-Rules
-Guidelines
-Management must own the controls---level appropriate to the risk level
-Idea: Set a new level--An exemplary control environment exists (level and breadth of control awareness, tone and discipline).
-Difference in “Effectiveness” and “Quality”
---Prevailing definition of Effectiveness---at a point in time.
Balance of Controls
ReactivegProactivegPreventive

29. Quality: Internal Audit
Start: Serve as a Facilitator/Partner across Management and External Auditors
– Start the Dialog
– Determine the Roles
Options/Steps:
– Independently Assess Existing Quality
Assurance Structure
– Advise Management on the Need and Scope of
a Quality Assurance System
– If Necessary, “Gap Fill” as the Quality
Assurance Function

30. System of Internal Controls
Keeping It Fresh
Keep it Fresh
Continuous Improvement
Ongoing Involvement
Utilize Evolving Technology
Advise
Management
Attest
Internal
Audit
Assess
&
Opine
System of Internal Controls
External
Audit

31. Summary Focus on the Big Picture Focus on Quality Keep it Fresh
Framework-Scope-Ownership
Focus on Quality
Ownership
Detection & Prevention
Keep it Fresh
Continuous Improvement-Involvement

32. Agenda 1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
Fitting into the Bigger Picture –
Kimberly Parker Gavaletz
COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

33. COSO’s ERM Framework: The Shape of Things to Come
Paul J. Sobel
Vice President, Internal Audit
Mirant Corporation

34. Information and Communication
The New COSO Cube
Monitoring
Information and Communication
Control Activities
Risk Response
Risk Assessment
Event Identification
Objective Setting
Internal Environment
STRATEGIC
OPERATIONS
REPORTING
COMPLIANCE
ENTITY - LEVEL
DIVISION
BUSINESS UNIT
SUBSIDIARY

35. Internal Environment Today- An Integral Part of Sarbanes-Oxley 404
Integrity and ethical values
Control consciousness and operating style
Commitment to competence
Board/Audit Committee participation in governance
Tomorrow - Embracing Risk
Risk management philosophy
Risk culture
Risk appetite
Internal Environment

36. Objective Setting Today - Financial Statement Assertions
Access to assets
Authorization
Completeness and accuracy
Existence and occurrence
Presentation, classification and disclosure
Rights and obligations
Valuation or allocation
Tomorrow - Business Objectives
Beyond financial objectives
Formalized risk tolerance levels
Objective Setting

37. Event Identification Today - An Ad Hoc Part of Risk Assessment
Generic risk universes
Standard risks and definitions
Few scenarios considered
Tomorrow - Formal Identification and Analysis
Answer the questions “What can go wrong?” and “What needs to go right?”
Understand events/scenarios (worse case, most likely, etc.)
Consider interdependencies (domino effect)1000
Event Identification

38. Risk Assessment Today - Becoming common, but somewhat Superficial
Tends to be pretty broad
May only be done in silos
Minimal support for judgments
One-time event
Tomorrow - A Robust, Ongoing Activity
Integrated with strategic planning
Inherent and residual risk considered
Enterprise-wide
Risk Assessment

39. Risk Response Today - Individual Judgments
Based on past experience and instinct
Typically focuses on a single response
Little consideration to portfolio effect
Tomorrow - Portfolio Approach
Identify and evaluate range of possible responses
Consider enterprise-wide responses
A formal process
Risk Response

40. Control Activities Today - Ensuring Adequate Control
General and application/specific controls
Preventative and detective controls
Automated and manual controls
Routine and non-routine controls
Tomorrow - Ensuring Objective Achievement
Integrated with risk response
Focuses on strategic, operational, financial and compliance objectives
Control Activities

41. Information & Communication and Monitoring
Today - Financial Reporting and Compliance
Supports financial judgments
Blend of internal and external information
Multi-directional communications
Monitor degree of success
Tomorrow - Strategic and Operations
All of the above for all objectives
Integrated monitoring system
Monitoring
Information and Communication

42. What Does it Mean for Internal Auditors?
Transition to a Risk Management-Based Internal Audit Approach
Internal Environment - Expand focus to include risk philosophy, risk culture and risk appetite
Objective Setting - Obtain understanding of objectives; determine risk tolerance levels
Event Identification - Imbed in annual and
process level risk assessments
Risk Assessment - Lead or facilitate a robust, ongoing, enterprise-wide process

43. What Does it Mean for Internal Auditors?
Transition to a Risk Management-Based Internal Audit Approach (continued)
Risk Response - Facilitate identification of possible responses; bring process orientation
Control Activities - Link controls back to objectives;ensure integration with risk response
Information and Communication - Evaluate as a part of every audit (make a separate risk)
Monitoring - Recommend ways to enhance in every process

44. Summary - The COSO Evolution
Groundwork laid, but not focused for most companies
Sarbanes-Oxley brought internal control to the forefront
True ERM begins to take shape
Control
Activities
Monitoring
Information and Communication
Control Activities
Risk Response
Risk Assessment
Event Identification
Objective Setting
Internal Environment
STRATEGIC
OPERATIONS
REPORTING
COMPLIANCE
ENTITY - LEVEL
DIVISION
BUSINESS UNIT
SUBSIDIARY

45. Agenda 1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
Fitting into the Bigger Picture –
Kimberly Parker Gavaletz
COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

46. Agenda 1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
Fitting into the Bigger Picture –
Kimberly Parker Gavaletz
COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

47. Agenda 1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
Fitting into the Bigger Picture –
Kimberly Parker Gavaletz
COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

48. Webcast Summary
It is essential to be intentional about planning your testing strategy
Focusing on quality and continuous improvement will leverage your control framework for better results
COSO ERM framework provides an opportunity for Internal Audit to help organizations meet strategic goals

49. Future Webcasts
Webcast Steering Committee
Survey - Input

50. Thank you for your participation!
Your Comments/Feedback are very important – please complete the evaluation form and redeem a discount on an Online Training product.
for more details!