Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Controls Compliance – Rounding the Turn The Institute of Internal Auditors September 14, 2004 Ed Dudley, CIA, CPA Retired Vice-President & General Auditor-ABB.

Published byXavier Griffin Modified over 10 years ago

Similar presentations

Presentation on theme: "1 Controls Compliance – Rounding the Turn The Institute of Internal Auditors September 14, 2004 Ed Dudley, CIA, CPA Retired Vice-President & General Auditor-ABB."— Presentation transcript:

1 1 Controls Compliance – Rounding the Turn The Institute of Internal Auditors September 14, 2004 Ed Dudley, CIA, CPA Retired Vice-President & General Auditor-ABB Americas

2 2 Introduction & Key Issues For Today Ed Dudley SOX Lessons Learned Dan Langer Integration of SOX 302 and 404 Brian Appleton SAS 70 Considerations for SOX 404 Nathan Prather Break Q & A Summary of Main Points Ed Dudley Agenda

3 3 Key Controls Compliance Issues for Today Approach to Convergent regulatory challenges Process Improvements Technology Infrastructure Enhancements Improvements in Leadership Inventorying in 302/404

4 4 Key Controls Compliance Issues for Today Role Clarifications in SOX 302/404 Software Utilization in SOX 302/404 Resource Issues in SOX 302/404 Inventorying Service Organizations/Specialists in SAS 70

5 5 Key Controls Compliance Issues for Today Understanding/Evaluating Significance in SAS 70 Evaluating Evidence in SAS 70

6 6 Controls Compliance – Rounding the Turn SOX Lessons Learned Daniel B. Langer, CPA, CIA, CCSA Solutions Director, Internal Audit and Controls Jefferson Wells International

7 7 10-Step Program for Clarity and Sustainability Four Main Categories –Efficient and better organized approach to convergent regulatory challenges –Process improvements –Technology infrastructure enhancements –Leadership improvements Helpful reference resources

8 8 10-Step Program for Clarity and Sustainability 1) Established Post-404 Compliance Infrastructure –Improved/strengthened internal audit department –Full-time/dedicated ongoing compliance team, Steering Committee, and external resources where appropriate –Formally trained process owners –Instituted ongoing risk-assessment strategy –Established desk-top procedures and sub-process certifications

9 9 10-Step Program for Clarity and Sustainability 2) Beware of too many internal controls –Excessive detail when documenting internal controls –Try to replace multiple ineffective controls with one effective control 3) Excessive detail when documenting internal controls –Use external auditor formulas as a guide –Evaluate as attestation process progresses

10 10 10-Step Program for Clarity and Sustainability 4) Strive for the right Tone at the Top –Focus –Direction –Top management commitment to good governance- related control compliance –Proactive education and awareness 5) Side-step confusion related to IT and internal controls –Assess system access controls as users are promoted, transferred, or leave the company –Properly define and document SOX-related controls (not all IT controls)

11 11 10-Step Program for Clarity and Sustainability 6) Make the right compliance software investment –To date quality has been spotty, has not met organization needs, and/or implementation resources have been inadequate –Revisit as sustaining organization needs are defined

12 12 10-Step Program for Clarity and Sustainability 7) Manage external auditor demands –Avoid time-consuming attestation reviews –Ensure they provide proper resources on your reviews –Manage expectations/establish position Materiality levels Key accounts # of Controls

13 13 10-Step Program for Clarity and Sustainability 8) Address external service provider key controls Focus –Strength of service provider –Adequacy of documentation –Pooled review with other customers 9) Consider compliance in the context of governance and risk management –Ongoing process of enterprise-level risk assessment

14 14 10-Step Program for Clarity and Sustainability 10) Properly staff the Internal Audit function –Proper mix of industry, financial, operational, and technology practice experience and expertise

15 15 So, how best can Internal Audit effectively participate in improving the reporting process towards better governance and sustainable control compliance?

16 16 Internal Auditors Role Educate all levels about controls Ongoing assessment of the Tone at the Top Facilitate Board, key management, and external auditor involvement in communication of strengthened control expectations Provide objective and independent participation in controls documentation, testing and assessment process Analyze and evaluate causes of company-wide non- compliance issues – both systemic or isolated Conduct regular KPI monitoring Facilitate cost beneficial design modifications to achieve control Evaluate effectiveness of corrective actions on an enterprise-wide basis

17 17 Internal Auditors Role Ask yourself good questions * –Would you have prepared the financials in the same manner? –Was there full disclosure had you been an investor? –Are internal audit procedures the same as if you were CEO? –Are there any activities to move revenue or expenses from period-to-period? * Warren Buffet, Berkshire Hathaway

18 18 Governance Organizations www.theiia.org - Institute of Internal Auditors www.pcaobus.org - Public Company Accounting Oversight Board www.coso.org - Committee of Sponsoring Organizations www.nyse.com - New York Stock Exchange www.nacdonline.org - National Association of Corporate Directors www.issproxy.com - Institutional Shareholder Services www.ecgi.org - European Corporate Governance Institute www.icgn.org - International Corporate Governance Network www.asx.com.au/ - Australian Stock Exchange www.oecd.org – Organization for Economic Co-operation and Development www.ifac.org - International Federation of Accountants www.icaew.co.uk - Institute of Chartered Accountants in England and Wales www.oceg.org - Open Compliance and Ethics Group

19 19 Integration of SOX 302 & 404 Brian T. Appleton, CIA, MBA, CDP Director of Internal Audit National Penn Bancshares

20 20 This is the Time –Take an inventory –Budget considerations –Role clarification –Software utilization –Human resources –Integration

21 21 Take an Inventory Review SOX 302 & 404 methodology Overlay risk based work with SOX 302 & 404 work Full consideration to SOX 302 & 404 in annual risk analysis Minimum - tentative 2005 audit plan

22 22 Budget Considerations Schedule resource needs Do not understate resource needs Educate Audit Committee, CEO, and Executives on needs Manage your resource network

23 23 Role Clarification Identify roles for ongoing compliance with Sarbanes-Oxley compliance. Include other company initiatives in the matrix. These may include CSA or ERM. Consider forming a transition team Revisit your resource needs calculation and encourage management to do the same.

24 24 Software Utilization Business need or purpose Tracking Maintenance Infrastructure compatibility Cost benefit Implementation plan

25 25 Human Resources Leadership Continual improvement Staff development Customer satisfaction Audit results Key performance indicators Standards

26 26 Integration Range of integration varies What are other companies doing?

27 27 Summary –Inventory and integrate –Revisit software support –Develop HR, elevate standards

28 28 Evaluating Third Parties SAS 70 Considerations for SOX 404 Nathan Prather Manager, Audit and Enterprise Risk Services Deloitte & Touche LLP

29 29 Agenda Evaluating Third Parties: Step 1: Prepare Inventory Of Service Organizations and Specialists Step 2: Gain Understanding/Evaluate Significance Step 3: Obtain Evidence Step 4: Concluding SAS 70 Issues and Considerations Q&A

30 30 Step 1: Prepare Inventory Of Service Organizations and Specialists Identify third party involvement in relevant processes which involve the use of service providers and specialists Definitions: –Service organization: An entity that provides services to a user organization that is part of the user organizations information system –Specialist: A person (or Firm) possessing special skill or knowledge in a particular field…

31 31 Step 1: Prepare Inventory Of Service Organizations and Specialists – Summary Evaluate User Controls? Evaluate Third Party Controls? Service organization YesYes, if relevant SpecialistYes*No * Specialist Key Considerations: Evaluate the competence of the specialist Understand nature and scope of the work performed Key control considerations: Appropriateness of methods and assumptions Accuracy and completeness of data provided Reasonableness and recording of the results

32 32 Step 2: Gain Understanding/Evaluate Significance Gain an understanding of the service organization process flows and controls –Review SAS 70 or perform walkthrough of service organization Gain an understanding of the user organization process, controls and monitoring activities Conclude whether service organization activities and controls necessary to achieving a user control objective(s)

33 33 Step 2: Gain Understanding/Evaluate Significance When are user controls alone sufficient? –If the control performed by the service organization were not outsourced, would the control be necessary to achieving a control objective(s) –Detective/monitoring controls at the user organization should operate at an appropriately detailed level to conclude that a control objective is met

34 34 Step 3: Obtain Evidence Determine if the scope of the SAS 70 is appropriate Type 1 SAS 70 addresses design of controls Type 2 SAS 70 addresses design and operating effectiveness of controls Map controls at service organization to risks and controls objectives for the user organization –Business process controls –Information technology controls

35 35 Step 3: Obtain Evidence Determine if the nature and extent of testing appropriate Treatment of user controls identified in the SAR –Determine relevance –Test of relevant controls Determine if the period of coverage is appropriate –Cover a sufficient period to conclude the controls are operating effectively Depends on the frequency and nature of the controls Evaluate the need to update or roll forward

36 36 Step 4: Concluding Read the conclusions within the SAS70 for qualifying language –The service auditors opinion section If exceptions are noted in the SAS70 –Evaluate the impact of the deficiency to the user organization Quantitative and qualitative aspects Consider compensating controls –Make inquiries of Service Organization

37 37 SAS 70 Issues & Considerations What if the service organization will not provide access to obtain evidence directly or a suitable SAS 70? –Current thinking: SEC precludes management from qualifying their report If management cant get a SAS 70 management will need to perform procedures at the service organization If management is unable to access to the service organization, they need to be able to demonstrate that user controls alone are sufficient If user controls are then insufficient management will need to determine if they have a deficiency in their control environment

38 38 SAS 70 Issues & Considerations What if the Service Organization will not remediate exceptions? –Management will need to install mitigating user controls

39 39 Q & A

40 40 Establish a Post 404 Compliance Infrastructure Consider the possibility of too many internal controls Beware of excessive documentation detail Side-step confusion related to IT & internal controls Summary of Main Points

41 41 Summary of Main Points Make Right Compliance Software Decisions Manage External Auditor Demands Compliance should be Considered within the Needs of Governance & Risk Inventory & Integrate Work within SOX 302/404

42 42 Summary of Main Points Revisit Software Support for SOX 302/404 Strive for Continual Improvement within SOX 302/404 Identify Third Party Involvement & Processes for Possible SAS 70 Understand Service Organizations Process Flow & Controls

43 43 Summary of Main Points Understand User Organizations Process Flows, Controls & Monitoring Determine Appropriate Scope of SAS 70(Type 2 for both design & operating effectiveness) Evaluate Impact of Deficiency in Any Exceptions from SAS 70 Performed

44 44 Get Your CPE Certificate: If you are a primary Webcast participant: If you view the live Webcast, you should be receiving your CPE certificate via email today. You can also view the certificate in your account. Just log in and hit the CPE button. If you are viewing the archived Webcast, you will have to take the corresponding quiz which you will find in your webcast account. If you are not the primary participant but will be viewing the Webcast: Additional viewers may obtain CPE for a $15 administrative fee per additional viewer per Webcast. Register online at http://www.auditlearning.org.

45 45 October 12, 2004 Quality Assurance Quality Assurance

46 46 Webcast Evaluation Visit the Login Page or CLICK HERE

Download ppt "1 Controls Compliance – Rounding the Turn The Institute of Internal Auditors September 14, 2004 Ed Dudley, CIA, CPA Retired Vice-President & General Auditor-ABB."

Similar presentations

Symantec 2010 Windows 7 Migration Global Results.

Symantec 2010 Windows 7 Migration Global Results.
1 Using ERM Concepts in Managing Controls The Institute of Internal Auditors August 10, 2004 Ed Dudley, CIA, CPA Retired Vice-President & General Auditor-ABB.

1 Using ERM Concepts in Managing Controls The Institute of Internal Auditors August 10, 2004 Ed Dudley, CIA, CPA Retired Vice-President & General Auditor-ABB.
1 Balancing SOX with Risk Based Audit Planning The Institute of Internal Auditors March 9, 2004 Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy.

1 Balancing SOX with Risk Based Audit Planning The Institute of Internal Auditors March 9, 2004 Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy.
1 Call To Action - Building Ethics Programs for Tomorrow The Institute of Internal Auditors November 16, 2004 Ed Dudley, CIA, CPA Retired Vice-President.

1 Call To Action - Building Ethics Programs for Tomorrow The Institute of Internal Auditors November 16, 2004 Ed Dudley, CIA, CPA Retired Vice-President.
Garrett L. Stauffer, CPA Partner PricewaterhouseCoopers LLP.

Garrett L. Stauffer, CPA Partner PricewaterhouseCoopers LLP.
Alabama Primary Health Care Association

Alabama Primary Health Care Association
1

1
Cost Management ACCOUNTING AND CONTROL

Cost Management ACCOUNTING AND CONTROL
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.

1 of 21 Information Strategy Developing an Information Strategy © FAO 2005 IMARK Investing in Information for Development Information Strategy Developing.
Task Group Chairman and Technical Contact Responsibilities ASTM International Officers Training Workshop September 2012 Scott Orthey and Steve Mawn 1.

Task Group Chairman and Technical Contact Responsibilities ASTM International Officers Training Workshop September 2012 Scott Orthey and Steve Mawn 1.
Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.

Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.
Human Service Providers and Referrals Chapter 5. Human Service Providers and Referrals 5-2 Objectives Demonstrate the process for entering a Human Service.

Human Service Providers and Referrals Chapter 5. Human Service Providers and Referrals 5-2 Objectives Demonstrate the process for entering a Human Service.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.

Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
1 Career Pathways for All Students PreK-14 2 Compiled by Sue Updegraff Keystone AEA Information from –Iowa Career Pathways –Iowa School-to-Work –Iowa.

1 Career Pathways for All Students PreK-14 2 Compiled by Sue Updegraff Keystone AEA Information from –Iowa Career Pathways –Iowa School-to-Work –Iowa.
Modern Systems Analyst and as a Project Manager

Modern Systems Analyst and as a Project Manager
Plan My Care Training Care Management Working in partnership with Improvement and Efficiency South East.

Plan My Care Training Care Management Working in partnership with Improvement and Efficiency South East.
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
1 According to PETROSAFE safety policy, the company is keen that: Introduction All Egyptian Petroleum companies and foreign companies working in A.R.E.

1 According to PETROSAFE safety policy, the company is keen that: Introduction All Egyptian Petroleum companies and foreign companies working in A.R.E.
I n t e g r i t y - S e r v i c e - E x c e l l e n c e Headquarters U.S.A.F. 1 Commodity Councils 101 NAME (S) SAF/AQCDATE.

I n t e g r i t y - S e r v i c e - E x c e l l e n c e Headquarters U.S.A.F. 1 Commodity Councils 101 NAME (S) SAF/AQCDATE.

Similar presentations

Ads by Google