What is Internal Control Over Financial Reporting?

Project Administration - Setting and
revising priorities in the wake of the
"Final 404 Rules"
The Institute of Internal Auditors
Webcast Series on Sarbanes-Oxley
Session #4 – August 12, 2003
1
The IIA Webcast Moderator
Jim Key, CIA
Managing Partner
Shenandoah Group, L.L.P
2
Disclaimer
The views expressed in this webcast
are solely those of the panelists and
moderators and do not necessarily
reflect the views or policies of the
Institute of Internal Auditors or its
directors, officers, employees and
members.
3
Emerging Trends and Best
Practices in Implementing the
Sarbanes-Oxley Act
• May 21 - Section 404 Readiness Review: How to document your
system of internal control
• June 10 - Helping your audit committee implement complaint
handling
• July 8 - Leveraging the COSO framework to meet Section 404
requirements
• August 12 - Project Administration - Setting and revising priorities
in the wake of the "Final 404 Rules"
• September 9 - Internal Audit support of Audit Committees - What
works best
• September 30 - The Road Ahead - Meeting the challenges in
complying with The Sarbanes-Oxley Act
*Available online archive for one year and on CD
4
Agenda
1:00 - 1:05 Introduction and Overview - Jim Key
1:05 - 1:25 Management’s Report on Internal Control
Over Financial Reporting - Sean Harrison
1:25 - 1:45 Preparing the 404 Work Plan –
Kiko Harvey & David Richards
** Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key
5
Management’s Report on
Internal Control Over Financial
Reporting
Sean Harrison, Esquire
Special Counsel, Office of Rule Making
Division of Corporate Finance
U.S. Securities and Exchange
Commission
6
Disclaimer
As a matter of policy, the Securities and
Exchange Commission disclaims
responsibility for any private publication or
statement of any of its employees. The
views expressed in this presentation
reflect the views of the author and do
not necessarily reflect those of the
Commission, the Commissioners, or other
members of the staff.
7
What is Internal Control
Over Financial Reporting?
The final rules define this term as:
– A process designed by, or under the supervision of,
the registrant’s principal executive and principal
financial officers, or persons performing similar
functions, and effected by the registrant’s board of
directors, management and other personnel, to
provide reasonable assurance regarding the
reliability of financial reporting and the preparation
of financial statements for external purposes in
accordance with generally accepted accounting
principles and includes those policies and
procedures that:
8
What is Internal Control
Over Financial Reporting?
• Pertain to the maintenance of records that in
reasonable detail accurately and fairly reflect
the transactions and dispositions of the assets
of the registrant;
9
What is Internal Control Over
Financial Reporting?
• Provide reasonable assurance that
transactions are recorded as necessary to
permit preparation of financial statements in
accordance with generally accepted
accounting principles, and that receipts and
expenditures of the registrant are being made
only in accordance with authorizations of
management and directors of the registrant;
and
10
What is Internal Control
Over Financial Reporting?
• Provide reasonable assurance regarding
prevention or timely detection of unauthorized
acquisition, use or disposition of the
registrant’s assets that could have a material
effect on the financial statements
11
Management Report
Requirements
• A statement of management’s responsibility
for establishing and maintaining adequate
internal control over financial reporting for the
company;
• A statement identifying the framework used by
management to evaluate the effectiveness of
the company’s internal control over financial
reporting;
12
Management Report
Requirements
• Management’s assessment of the
effectiveness of internal control over financial
reporting as of the end of the company’s most
recent fiscal year and disclosure of any
material weaknesses in such control identified
by management. If there is a material weakness
in the internal controls, management cannot
conclude that the controls are effective; and
• A statement that the company’s auditor has
issued an attestation report on management’s
assessment.
13
Framework for
Management’s Evaluation
• The new rules implicitly require management to use a
“framework” to evaluate the company’s internal
control and to identify the framework in the report.
• The rules do not prescribe the use of a particular
framework; however, the rules state that the
framework used must be a suitable, recognized
control framework established by a body or group
that has followed due-process procedures, including
broad distribution of the framework for public
comment.
14
Framework for
Management’s Evaluation
• The release states a suitable framework must:
– Be free from bias;
– Permit reasonably consistent qualitative and
quantitative measurements of a company’s internal
control;
– Be sufficiently complete so that those relevant
factors that would alter a conclusion about the
effectiveness of a company’s internal controls are
not omitted; and
– Be relevant to an evaluation of internal control over
financial reporting
15
Method of Evaluation
• The new rules do not specify a method or
procedures to be followed. However, the rules
do state that a company must maintain
evidential matter, including documentation,
that provides reasonable support for
management’s assessment of effectiveness.
• This is an inherent element of effective internal
control and consistent with the internal
accounting control requirements under section
13(b)(2) of the Exchange Act.
16
Method of Evaluation
• Evidential matter includes documentation regarding
both the design of internal control and the testing
processes.
• This evidential matter should provide reasonable
support: (1) for the evaluation of whether the control
is designed to prevent or detect material
misstatements or omissions; (2) for the conclusion
that the tests were appropriately planned and
performed; and (3) that the results of the tests were
appropriately considered.
17
Material Weaknesses in
Internal Control Over Financial
Reporting
• Management cannot conclude that the
company’s internal control over financial
reporting is effective if there is a “material
weakness” in such control. Any such material
weakness must also be specifically disclosed.
• The term “material weakness” has the meaning
under generally accepted auditing standards
(or GAAS), including the AICPA’s Codification
of Statements on Auditing Standards Section
325.
18
Material Weaknesses in
Internal Control Over Financial
Reporting
• It is possible that the PCAOB will modify the
definition of material weakness and significant
deficiency.
• It is also worth noting that on June 20, 2003 the
Auditing Standards Board (ASB) of the AICPA
submitted for the consideration of the PCAOB
recommendations for Professional Auditing
Standards, that among other things,
recommended changes to the definitions of
“significant deficiency” and “material weakness.”
19
Quarterly Evaluations
• Under the new rules, management will be
required to perform quarterly evaluations of
changes that have materially affected, or are
reasonably likely to have a material effect on,
the company’s internal control over financial
reporting. If such a change occurred during a
company’s fiscal quarter, the company will
have to disclose the change in its quarterly
report.
20
Quarterly Evaluations
• This disclosure requirement replaces
paragraph (b) in existing Item 307 of
Regulations S-K and S-B regarding quarterly
disclosure of changes in internal controls and
corrective actions and is incorporated in new
Item 308 of Regulations S-K and S-B.
21
Quarterly Evaluations
• The new rules do not explicitly require
disclosure about the reasons for the change;
however, companies will have to determine, on
a facts and circumstances basis, whether the
reasons for the change, or other information
about the circumstances surrounding the
change, constitute material information
necessary to make the disclosures in the
report not misleading.
22
Auditor Independence
Issues
• Management and the company’s outside
auditor will need to coordinate their
processes of documenting and testing
internal control over financial reporting.
• The adopting release reminded companies
and their auditors that the Commission’s
rules on auditor independence prohibit an
auditor from providing certain nonaudit
services to an audit client.
23
Auditor Independence
Issues
• When the auditor is engaged to assist
management in documenting internal controls
or preparing evaluative tools, management
must be actively involved in the process.
Management cannot delegate its responsibility
to assess its internal control over financial
reporting to the auditor.
24
Compliance Dates
• A company must begin to comply with the
management report on internal control over
financial reporting disclosure requirements for
fiscal years ending on or after June 15, 2004, if
it is an “accelerated filer,” as defined in
Exchange Act Rule 12b-2 as of the end of its
first fiscal year ending on or after June 15,
2004.
25
Compliance Dates
• Companies that are non-accelerated filers,
including small business issuers and foreign
private issuers, must begin to comply with the
disclosure requirements in annual reports for
their first fiscal year ending on or after April 15,
2005.
26
Compliance Dates
• All companies must begin to comply with the
quarterly evaluation of changes to internal
control over financial reporting requirements
for their first periodic report due after the first
annual report that must include management’s
report on internal control over financial
reporting.
27
Agenda
1:00 - 1:10 Introduction and Overview - Jim Key
1:10 - 1:20 Management’s Report on Internal Control
Over Financial Reporting - Sean Harrison
1:20 - 1:40 Preparing the 404 Work Plan –
Kiko Harvey & David Richards
** Combined Presentation
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Jim Key
28
Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corp.
29
Kiko Harvey, CPA
Director, Internal Audit
Starbucks Corporation
30
Preparing the 404 Work Plan
A Step-by-Step Process
31
Overview
Step 1: Organize the Project Team / Communicate
Step 2: Set the Project Scope
Step 3: Develop Tools
Step 4: Documentation
Step 5: Test and Evaluate Controls
Step 6: Reporting
32
Step 1: Organize the Project
Team/ Communicate
33
FirstEnergy 404 Project Team
Organization Chart
[Organization chart. Boxes: Disclosure Committee; VP - Controller; CRO; CIO; VP - ED; General Counsel; BU Controller; Steering Committee; Project Manager; Director, IA]
Team members: Internal Auditing, 5 people; Controller's, 1 person; Business Unit, 5 people
34
TRAINING
• Core Team
– 404 Requirements
– Co. Approach (process to be followed)
– Guidelines
– Documentation tool
• Process Owner
• Process members (extended team)
• Steering Committee
• Audit Committee
• Disclosure Committee
35
SOA 404 Annual Control
Assessment Process
High level overview
[Flow diagram. Labels: Financial Statements; Processes; Materiality Guidelines; Risk & Control Process Matrix (draft); Assessment Team; Risk Guidelines]
36
SOA 404 Annual Control
Assessment Process
[Flow diagram. Labels: ICW; Workshop(s) to confirm Matrix; Workshop Guidelines; Design Assessment; GAPS; Corrective action; No Gaps]
37
SOA 404 Annual Control
Assessment Process
[Flow diagram. Labels: ICW; Testing to confirm controls; Testing Guidelines; Test Plan; Testing Results Assessment; GAPS; Corrective action; No Gaps; Overall assessments statements]
38
Step 2: Scope the Project
• Identify cycles that drive financial statement
information
• Identify other key processes critical to the
company’s success
• Map out significant transactions for each cycle
and business process to form the basis for
documenting controls
39
Step 2: Scope the Project
Example
Cycles: Revenue
Transactions: Authorize Credit; Maintain Customer Files; Invoicing; Collecting; Analyzing Bad Debt
Key Processes: Retail Operations
Transactions: Hiring, Training & Scheduling Employees; Point of Sale Maintenance; Merchandising & Promotions; Sales and Cash Audit; Inventory & Asset Management
40
Step 2: Scope the Project
• Map financial statement components to cycles
and key processes
• Identify locations having a significant impact
on the financial reporting environment for
testing
– Set materiality guidelines for balance sheet and P&L
(i.e. % assets, EPS impact)
– Introduce project to remote accounting locations
selected for testing
41
Step 3: Develop Tools
• Determine how you will organize the
documentation – consider using special
purpose software (COSO based)
• Develop checklists
– Control self-assessment questionnaires
– Policies and procedures surveys
– Segregation of duty templates
42
Step 4: Documentation
• Collect and inventory existing internal control
documentation for cycles and key processes
identified in scoping activity
• Distribute checklists to new locations or where
information requires update
• Using the COSO documentation tool,
document controls for all transaction cycles
and key processes in a “controls repository” –
replicate for locations selected for testing
43
Step 4: Documentation
Example
Organization of Controls Repository
Transaction
– Identified during scoping phase (by cycle and key process)
– Map to financial statement accounts, disclosures, footnotes, etc.
Identify Risk
– Identify risks for each transaction based on financial statement assertions (existence, accuracy, completeness, etc.)
Identify Control
– Document key control activities for each risk identified
– Determine if preventive or detective in nature
– Determine if automated or manual
– Frequency of control activity (daily, monthly, quarterly)
44
Step 5: Test and Evaluate
Controls - Testing Guidance
• Testing definition
• Objectives for testing
• Methods (options) for testing
• How to determine proper test
• Expectations of results of test
• Which controls to test (ID Key control)
• Documentation
45
Step 5: Test and Evaluate
Controls - Testing Guidance
• Evaluation (expectations vs. results)
• Frequency of testing
• Who performs the test
• Determination of “gaps”
• Action plans
• Identification of deficiency, significant deficiency or material weakness
• Retesting
46
Deficiency: Control Activity / Technique
Significant Deficiency: Multiple Control Activities
Material Weakness: COSO Financial Control Objective not met
47
Control Objectives =
COSO Financial Statement
Assertions
1. Existence / Occurrence
2. Completeness
3. Measurement / Valuation
4. Rights & Obligations Recorded
5. Proper Classification & Disclosures
6. Safeguarding of Assets
7. Fraud Prevention / Detection
48
Deficiency
“Design gap” or “Operational gap”
= Missing control (design)
= Control objective not met (design)
= Control not present (operational)
= Control not operating as designed (operational)
= Control cannot be confirmed (operational)
= Inconsistent application (person performing
control not qualified) (operational)
49
Payroll Process
Control Objective: Completeness – all material liabilities recorded
Risk: All labor liabilities not recorded
Control Activity: Labor accrual is booked for unpaid time
Test Results:
– Accrual is automatic based on prior 2 wks
– Overtime is not accrued
– New hires out; exits in
50
Significant Deficiency
• Frequency of deficiencies noted
• Errors in multiple controls tied to key
risk
• More than one control activity contains
testing errors beyond expectations
• Control objective key risks are mitigated
but only because one control activity has
tested ok vs. all controls tied to the risk
51
Property Accounting
Control Objective: Existence of assets
Risk: Assets not recorded
Control Activity: Purchase orders issued by SC
Test Results:
– BU purchase assets as expense
– Material is charged out of warehouse but not installed
52
Material Weakness
• Key risks (HH) tied to control objective
not mitigated
• Control objective cannot be achieved
• All controls designed to mitigate a risk
have deficiencies
• Significant “material” transactions flow
through the process ($10,000,000)
53
Account Mapping to Material
Accounts = Processes
Process: Zai*net Deal Capture
Control Objective #2: Completeness of transactions
Key Risk #2.1: Transactions may be inaccurately recorded
Control Activity #2.1.4: Confirmation process used to ensure deals are captured & complete
Test: Select 30 transactions over test period; compare confirms to Zai*net data (9 characteristics)
Expectation: all deals will be confirmed with all 9 characteristics matching
54
Step 6: 404 Reporting
• Team meeting agendas & minutes
• Assignments
• Monthly report
• Steering Committee meetings
• Disclosure Committee meetings
• Updates to Audit Committee
• Updates to Senior Management (CEO, CFO, President, Key VPs)
• External Financial Audit Team
55
Summary
• Interpretation of SEC Rules is subjective
• Check SEC website www.sec.gov
regularly for regulatory actions
• Approach 404 management assessment
of internal controls as major project
• Apply project management disciplines to
ensure compliance
57