Title: 404 Readiness Review: Documenting Your System of Internal Control
Slide 1: 404 Readiness Review: Documenting Your System of Internal Control
- The Institute of Internal Auditors
- Webcast Series on Sarbanes-Oxley Act
- May 21, 2003
- 1:00 - 2:30 pm Eastern Time
Slide 2: The IIA Webcast Moderator
- Jim Key, CIA
- Managing Partner
- Shenandoah Group, L.L.P
Slide 3: Webcast Series on SOA
- Fostering Compliance with SOA
- Internal Auditors' Role
- Four sessions archived on IIA's website and available on CD
- Originally aired January 28 - April 15, 2003
Slide 4: Webcast Series on SOA - Continues
- Emerging Trends and Best Practices in Implementing SOA
- Six sessions archived on IIA's website and available on CD
- May 21: 404 Readiness Review: Documenting Your System of Internal Control
- June 10: Helping the Audit Committee Implement Complaint Handling
- Remaining sessions, with your input, will be on July 8, August 12, September 9 and September 30
Slide 5: Agenda
- 1:00 Introductions and Overview
- 1:10 Critical Decisions on Documenting Internal Controls - Bill Gassel
- 1:20 Implementing Sarbanes-Oxley Sec 404 - Dennis Drent
- 1:30 Maintaining Objectivity - Paul Sobel
- 1:45 Break
- 1:50 Questions and Answers - Panel
- 2:25 Wrap up - Jim Key
Slide 6: Critical Decisions for Documenting Internal Controls
- Bill Gassel, CPA
- Director of Internal Audit
- Emerson
Slide 7: Chronology
- Nov 02: Formed core team; established goals and timetable
- Nov 02: Selected the documentation methodology; created a pilot questionnaire
- Dec 02: Conducted pilots at 9 sites worldwide
- Dec 02: Started on website to facilitate documentation collection
- Jan 03: Led training and documentation rollout
- Mar 03: Divisions completed documentation (tremendous effort); Internal Audit reviewed for sufficiency
- May 03: Executing the testing plan
Slide 8: Key Initial Decisions
- Documentation decisions made early on
- Where?
- What format (narratives, flowcharts, questionnaires, or a combination)?
- What accounts or processes?
- How much must be documented?
- Who should certify?
- Who will own/maintain the documentation?
- How to train everyone?
Slide 9: Location Table
Slide 10: Example Documentation
Slide 11: Guidance for Control Descriptions
- Note
- "Yes" answers require the following criteria:
- 1. Describe the control procedure in detail.
- 2. Who performs the control (employee title) and who reviews it?
- 3. Frequency of control (daily, monthly, quarterly, etc.)
- 4. Automated system or manual control.
- "No" answers require:
- 1. What mitigating controls exist to achieve control objective.
- 2. Who performs mitigating controls and how often?
- 3. If no mitigating controls exist, how will the deficiency be fixed?
- "N/A" answers require:
- 1. Explain 'why' the control does not apply to the location.
Slide 12: Beneficial Steps
- Executive management support obtained
- Involved the Controllership function early
- Communicated early with KPMG and EY to interpret likely standards
- Standardized the documentation format
- Used pilot process to gain practical insights
- Collaborated with internal process experts to validate questionnaire focus
Slide 13: Beneficial Steps
- Held central training for all Finance Officers
- Created an Example Completed ICQ
- Tailored the questionnaire for smaller and international sites
- Reviewed a majority of the documentation for sufficiency
- Started testing controls 5 months prior to year-end (10-12,000 hours of effort) - significant locations first
Slide 14: Current 404 Considerations
- Develop Evaluation Methodology with Management
- Which locations and controls will be tested?
- Accumulating and aggregating the testing results
- Broadening the evaluation methodology into ERM
- Migrating Control Questionnaire platform to CSA process
- Minimizing redundancy of testing between internal and external auditors
- Availability of qualified staff
Slide 15: Steps in Implementing Sarbanes-Oxley Sec. 404
- Dennis Drent
- Vice President Internal Audit
- Nationwide Insurance
Slide 16: Implementing Sarbanes-Oxley 404
Slide 17: Implementing Sarbanes-Oxley 404
Slide 18: 2. Develop evaluation strategy including use of technology
- CEO friendly technology solution.
- Lotus Notes database allows for analysis and reporting. No flow charts.
- Used drop-down boxes for everything we could.
- Control and executive owners versus process owners.
- Internal Audit owns the database - the business owns the controls.
Slide 19: Implementing Sarbanes-Oxley 404
Slide 20: Implementing Sarbanes-Oxley 404
Slide 21: 5. First quarter certification and verification process completed
- Control and executive owners certify in database - separate verification process.
- 30% of controls were changed, over 100 controls eliminated.
- Internal Audit administers change questionnaire and consults on verification procedures.
- Results of control certification/verification process reported to Disclosure Committee.
Slide 22: 6. Control scrubbing, gap analysis, and control evaluation
- Time to bring in the external auditors - jointly define internal control adequacy.
- At this point, most work performed by external auditor will be audit services and therefore mitigates independence conflict.
Slide 23: Implementing Sarbanes-Oxley 404
Slide 24: Implementing Sarbanes-Oxley 404
Slide 25: Implementing Sarbanes-Oxley 404
Slide 26: Maintaining Objectivity
- Paul Sobel
- Vice President, Risk Assessment
- Aquila, Inc.
Slide 27: Corporate Governance Framework
[Diagram labels: Corporate Stakeholders; Governance Umbrella; Board of Directors; Risk Management; Assurance; Senior Management; Risk Owners]
Slide 28: Corporate Governance Framework
[Diagram labels: Sarbanes-Oxley Act; Governance Umbrella; Sec. 404; Sec. 404; Board of Directors; Risk Management; Assurance; Senior Management; Risk Owners]
Slide 29: Objectivity Standards
- Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
- State of mind
- Personal feelings or prejudices shouldn't distort the facts
- Cannot act in a management role or make management decisions
Slide 30: The Audit Process
Audit Phase | Approach | Audit Evidence
Project Objective | Determined in Annual Audit Plan | Planning Memo
Risk Assessment | Identify/Assess Key Risks | Risk Memo/Matrix
Process Design | Understand Process and Identify Key Controls | Flowcharts, Memos
Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
Process Effectiveness | Develop and Execute Testing Plan | Testing Results
Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
Reporting | Communicate Results | Audit Report
Slide 31: The Sarbanes-Oxley 404 Process
Audit Phase | Approach | Audit Evidence
Project Objective | Understand S-O 404 Requirements | Project Planning Memo
Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | F/S / Risks / Assertions Linkage
Process Design | Understand Processes; Identify Key Controls Over Financial Reporting | Flowcharts, Memos
Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
Process Effectiveness | Develop and Execute Assurance/Testing Plan | Testing Results
Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Self Assessments and Audit Reports
Slide 32: Maintaining Objectivity
Audit Phase | Approach | What Can IA Do?
Project Objective | Understand S-O 404 Requirements | No issues - objectives set by 3rd party (SEC)
Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | Make risk judgments - must gain mgmt. concurrence
Process Design | Understand Processes; ID Key Controls Over Financial Reporting | Document processes based on mgmt. input and validation
Gap Analysis | Evaluate Current vs. Desired State | Make judgments - validate with mgmt.
Process Effectiveness | Develop and Execute Assurance/Testing Plan | Determine what to test and evaluate test results
Gap Analysis | Evaluate Current vs. Desired State | Make judgments - validate with mgmt.
Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Facilitate/gather assessment results
Slide 33: Summary
- Internal Audit can lead a Sarbanes-Oxley 404 project
- Documentation phase is no different than that required in an audit
- IA's objectivity is not impaired if they lead the documentation efforts
- It is important to engage management to validate judgments and decisions
- They must own the results, not IA
- Communicate consistently with your external auditors to ensure they understand how your objectivity has not been impaired
- It's not an objectivity issue - it's an ownership issue!
Slide 34: Break
- 5 min break followed by Poll
Slide 35: Questions and Answers
- Email your questions to info_at_tvworldwide.com
Slide 36: Webcast Summary
- Engage management to develop control evaluation strategy
- Work with external auditors to reduce duplication
- Leverage technology to support process
- Internal audit can own the process
- Objectivity is a state of mind