
Slide 1: The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act
The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley
Session #6 – September 30, 2003

Slide 2: The IIA Webcast Moderator
Jim Key, CIA, Managing Partner, Shenandoah Group, L.L.P.

Slide 3: Disclaimer
The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members.

Slide 4: Series 2: Emerging Trends and Best Practices in Implementing SOA
- May 21 - Section 404 Readiness Review: How to document your system of internal control. (Archived)
- June 10 - Helping your audit committee implement complaint handling. (Archived)
- July 8 - Leveraging the COSO framework to meet Section 404 requirements (Archived)
- August 12 - Project Administration – Setting and revising priorities in the wake of the Final 404 Rules (Archived)
- September 9 - Internal Audit support of Audit Committees – What works best
- September 30 - The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act

Slide 5: Webcast Series on SOA
Fostering Compliance with SOA: Internal Auditors' Role
- Four sessions archived on the IIA's website and available on CD
- Originally aired January 28 – April 15, 2003

Slide 6: IIA Online Training - New!
Conferences on Demand: the IIA's August ERM/CSA Conference, 10 best sessions online for $199. Stay current and earn CPEs.
Visit http://www.theiia.org/iia/index.cfm?doc_id=4382 for a list of the segments and additional information, or contact rbrindley@theiia.org.

Slide 7: Agenda
1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
     Fitting into the Bigger Picture – Kimberly Parker Gavaletz
     COSO's ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

Slide 8: Internal Control Testing Strategy
Patricia Scipio, CIA, CPA, Vice President, Auditing, Wellchoice, Inc.

Slide 9: Where is your company at in terms of 404 Readiness? (poll: choice, count, percent)
- Completed the scoping, planning and mobilization: 51 (46.4%)
- Completed controls documentation: 18 (16.4%)
- Completed the evaluation of the design effectiveness of controls: 8 (7.3%)
- Completed the testing of the operating effectiveness of controls: 3 (2.7%)
- Completed remediation of any identified design gaps: 1 (0.9%)
- Completed remediation of any identified operating controls ineffectiveness: 2 (1.8%)
- Other, please explain: 27 (24.5%)

Slide 10: When is your company planning to test the operating effectiveness of key controls? (poll: choice, count, percent)
- 2003 and 2004: 63 (58.9%)
- Only in 2004, and why?: 44 (41.1%)

Slide 11: Key Initial Decisions
- What controls will be tested?
- How will each type of control be tested?
- When will each control be tested?
- How often should each control be tested?
- Who will perform the testing?

Slide 12: Testing Strategy Objectives
- Standardize a methodology for testing operating effectiveness
- Develop proactive warning indicators to alert management of potential control failures
- Monitor key processes by continuously scanning for adverse developments
- Develop a turnkey approach so business owners can easily perform testing as part of their routine

Slide 13: Financial Reporting Control Objectives
- Existence or Occurrence
- Completeness
- Rights and Obligations
- Valuation or Allocation
- Presentation and Disclosure

Slide 14: Basic Controls
- Accountability
- Control Totals
- Double Verification
- Exception/Edit Reports
- Holding Files
- Independent Checks
- Interface Controls
- Key Performance Indicators
- Management Review
- Numerical Sequencing
- Periodic Reconciliation
- Pre-numbered Documents
- Proper Authorization
- Safeguarding of Assets
- Segregation of Duties
- System Configuration
- Transactions Recorded

Slide 15: Means of Achieving Control
- Organization – structured roles
- Policies – principles and guidelines
- Procedures – methods employed
- Personnel – qualifications to perform the job
- Accounting – financial control
- Budgeting – expected results
- Reporting – timely, accurate and meaningful

Slide 16: Controls by Function or Type
- Directive Controls
- Preventive Controls
- Detective Controls
- Corrective Controls
- Manual vs. Automated Controls
- Hard vs. Soft Controls

Slide 17: Testing Procedures
- Inquiry
- Observation
- Inspection of Physical Evidence
- Re-performance

Slide 18: Factors in Designing Testing Strategy
- Nature of the control and its significance in achieving the objective
- One control supporting more than one objective
- Significant changes in volume or nature of transactions
- Changes in the design of the control
- Degree to which the control relies on the effectiveness of other controls

Slide 19: Factors in Designing Testing Strategy (continued)
- Complexity of the control
- Manual vs. automated control
- Existence of self-assessment programs
- Entity-wide control
- Frequency of the control
- Timing of the test of controls
- Changes in key personnel who perform or monitor the control

Slide 20: Summary
- Several factors must be considered in determining the nature, timing and extent of testing
- Management should monitor the quality and performance of the system of internal control over time
- To the extent possible, internal controls should be structured to be self-monitoring and self-correcting

Slide 21: Agenda
1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
     Fitting into the Bigger Picture – Kimberly Parker Gavaletz
     COSO's ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

Slide 22: Fitting Into the Bigger Picture
Kimberly Gavaletz, VP, Internal Audit, Lockheed Martin Corporation

Slide 23: Components
- Framework
- Quality
- Keeping It Fresh
- Internal Audit's Obligation & Opportunity

Slide 24: Framework
Quoted from the June 5, 2003 SEC Final Rule, "Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports":

II. Discussion of Amendments Implementing Section 404, 1.B.3 Final Rules: "…a company's annual report to include an internal control report of management that contains… A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting;"

1.B.3.A Evaluation of Internal Control over Financial Reporting: "…Management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria and may be used as an evaluation framework… However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute…"

Slide 25: COSO Big Picture Embodied in the Framework
(Other frameworks: Guidance on Assessing Control, Turnbull Report, future developments)
- Control Environment: Foundation – Discipline & Structure
- Risk Assessment: Identification & Analysis of Risks to Pre-determined Objectives
- Control Activity: Policies/Procedures/Practices that Ensure Objectives are Achieved and Risk Mitigation Strategies are Carried Out
- Information & Communication: Communication of Control Responsibilities to Employees in Form & Timeframe to Execute
- Monitoring: Oversight of Internal Controls (Outside and Inside the Process)

Slide 26: Framework: Ownership
(Diagram: Objectives, Risks, Controls, Monitoring, surrounded by Control Environment & Information/Communications)
Key: Management Ownership – Management owns; Internal Audit performs independent assessments/audits

Slide 27: Framework: Scope
Big Picture – Business Objectives: Financial, Technical Delivery, Compliance; Performance with Integrity
Today's Emphasis – Disclosure Controls (302), Internal Controls (404); Integrity of Financial Reporting

Slide 28: Quality
- Who decides the quality of controls?
- Who decides the level of consistency needed?
Roles: Management, Internal Audit, External Audit
Drivers: Rules, Guidelines
Balance of Controls: Reactive, Proactive, Preventive

Slide 29: Quality: Internal Audit
Start: Serve as a Facilitator/Partner across Management and External Auditors
- Start the dialog
- Determine the roles
Options/Steps:
- Independently assess the existing quality assurance structure
- Advise management on the need for and scope of a quality assurance system
- If necessary, gap-fill as the quality assurance function

Slide 30: Keeping It Fresh
- Keep it fresh
- Continuous improvement
- Ongoing involvement
- Utilize evolving technology
(Diagram: System of Internal Controls – Management; Internal Audit – Advise, Assess & Opine; External Audit – Attest)

Slide 31: Summary
- Focus on the Big Picture: Framework, Scope, Ownership
- Focus on Quality: Ownership, Detection & Prevention
- Keep it Fresh: Continuous Improvement and Involvement

Slide 32: Agenda
1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
     Fitting into the Bigger Picture – Kimberly Parker Gavaletz
     COSO's ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key

Slide 33: COSO's ERM Framework: The Shape of Things to Come
Paul J. Sobel, Vice President, Internal Audit, Mirant Corporation

Slide 34: The New COSO Cube
Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
Objective categories: Strategic, Operations, Reporting, Compliance
Entity levels: Entity-Level, Division, Business Unit, Subsidiary

Slide 35: Internal Environment
Today – An Integral Part of Sarbanes-Oxley 404
- Integrity and ethical values
- Control consciousness and operating style
- Commitment to competence
- Board/Audit Committee participation in governance
Tomorrow – Embracing Risk
- Risk management philosophy
- Risk culture
- Risk appetite

Slide 36: Objective Setting
Today – Financial Statement Assertions
- Access to assets
- Authorization
- Completeness and accuracy
- Existence and occurrence
- Presentation, classification and disclosure
- Rights and obligations
- Valuation or allocation
Tomorrow – Business Objectives
- Beyond financial objectives
- Formalized risk tolerance levels

Slide 37: Event Identification
Today – An Ad Hoc Part of Risk Assessment
- Generic risk universes
- Standard risks and definitions
- Few scenarios considered
Tomorrow – Formal Identification and Analysis
- Answer the questions "What can go wrong?" and "What needs to go right?"
- Understand events/scenarios (worst case, most likely, etc.)
- Consider interdependencies (domino effect)

Slide 38: Risk Assessment
Today – Becoming Common, but Somewhat Superficial
- Tends to be pretty broad
- May only be done in silos
- Minimal support for judgments
- One-time event
Tomorrow – A Robust, Ongoing Activity
- Integrated with strategic planning
- Inherent and residual risk considered
- Enterprise-wide

Slide 39: Risk Response
Today – Individual Judgments
- Based on past experience and instinct
- Typically focuses on a single response
- Little consideration of the portfolio effect
Tomorrow – Portfolio Approach
- Identify and evaluate the range of possible responses
- Consider enterprise-wide responses
- A formal process

Slide 40: Control Activities
Today – Ensuring Adequate Control
- General and application/specific controls
- Preventive and detective controls
- Automated and manual controls
- Routine and non-routine controls
Tomorrow – Ensuring Objective Achievement
- Integrated with risk response
- Focuses on strategic, operational, financial and compliance objectives

Slide 41: Information & Communication and Monitoring
Today – Financial Reporting and Compliance
- Supports financial judgments
- Blend of internal and external information
- Multi-directional communications
- Monitor degree of success
Tomorrow – Strategic and Operations
- All of the above for all objectives
- Integrated monitoring system

Slide 42: What Does it Mean for Internal Auditors?
Transition to a Risk Management-Based Internal Audit Approach
- Internal Environment – Expand focus to include risk philosophy, risk culture and risk appetite
- Objective Setting – Obtain an understanding of objectives; determine risk tolerance levels
- Event Identification – Embed in annual and process-level risk assessments
- Risk Assessment – Lead or facilitate a robust, ongoing, enterprise-wide process

Slide 43: What Does it Mean for Internal Auditors? (continued)
Transition to a Risk Management-Based Internal Audit Approach
- Risk Response – Facilitate identification of possible responses; bring process orientation
- Control Activities – Link controls back to objectives; ensure integration with risk response
- Information and Communication – Evaluate as a part of every audit (make it a separate risk)
- Monitoring – Recommend ways to enhance it in every process

Slide 44: Summary – The COSO Evolution
- 1992 – Groundwork laid, but not focused for most companies
- 2002 – Sarbanes-Oxley brought internal control to the forefront
- 2004+ – True ERM begins to take shape
(Diagram: the COSO cube from slide 34, with Control Activities highlighted)

Slide 45: Agenda
1:00 Introduction and Overview - Jim Key
1:05 Internal Control Strategy – Patricia Scipio
     Fitting into the Bigger Picture – Kimberly Parker Gavaletz
     COSO's ERM Framework: The Shape of Things to Come – Paul J. Sobel
1:55 Break
2:00 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key


Slide 48: Webcast Summary
- It is essential to be intentional about planning your testing strategy
- Focusing on quality and continuous improvement will leverage your control framework for better results
- The COSO ERM framework provides an opportunity for Internal Audit to help organizations meet strategic goals

Slide 49: Future Webcasts
- Webcast Steering Committee
- Survey – Input

Slide 50: Thank you for your participation!
Your comments/feedback are very important – please complete the evaluation form and redeem a discount on an Online Training product. Email agoodman@theiia.org for more details!
