SOX 101 Training 2021

SOX 101 Training, April 2021
Agenda
▪ What is Sarbanes-Oxley Compliance?
▪ What are controls?
▪ Who is involved in SOX?
▪ SOX compliance approach
▪ Key areas of focus – Year 1
▪ SOX Framework
▪ Scope, document, test of design & effectiveness, conclude & report
▪ ABC, Inc. roadmap to SOX compliance 2021
▪ Questions
What is Sarbanes-Oxley Compliance?
SOX Overview
[Overview diagram: SOX Section 302 / 906; SOX Section 404; PCAOB & External Auditor; Management's Responsibility]
▪ SOX is a legal requirement for all publicly traded companies
▪ Establish and maintain internal control over financial reporting (ICFR)
▪ Annually assess and report by both management and the external
auditor on the design and operating effectiveness of internal controls
▪ ABC, Inc. plans to implement and test controls during 2021
▪ Use a recognized framework (COSO 2013)
▪ Support assessment by documentation, regarding both the design and
effectiveness of the internal controls
Sarbanes-Oxley Section 302 / 906
Company CEO & CFO are required to certify in each quarterly and
annual report. Certification includes:
▪ A disclosure as to management’s conclusion of the effectiveness of disclosure
controls and procedures
▪ Disclosing significant changes or deficiencies in the design or operation of
internal controls
▪ Communicating about fraud by any person with a significant role in internal
controls
Additionally, under Section 906:
▪ CEOs who willfully certify false or misleading statements (both financial and
non-financial) are now subject to criminal penalties that can include fines and
prison terms
▪ Reported results should reflect actual results and not be inaccurate or
misleading
Sarbanes-Oxley Section 404
404(a)
Company CEO & CFO are required to report annually on the state of
internal controls, including:
▪ The framework used to evaluate the effectiveness of ICFR
▪ Management’s assessment of the effectiveness of internal controls
▪ Any significant control deficiencies or material weaknesses
404(b)
Additionally, the external auditor (PwC) must attest to the effectiveness
of the Company’s internal controls over financial reporting.
PCAOB & External Auditor
The Public Company Accounting Oversight Board (PCAOB) was created
by the Sarbanes-Oxley Act of 2002 to oversee accounting professionals
who provide independent audit reports for publicly traded companies.
(They audit PwC!)
Regulated by the PCAOB, PwC will have the following responsibilities:
▪ Acknowledge ABC, Inc. has (and evaluates) their internal controls
▪ Plan and perform the audit to obtain reasonable assurance that effective internal controls were maintained
▪ Form an opinion on the internal controls based on Internal Control – Integrated Framework (2013) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
What does success look like?
▪ Processes are documented
▪ Risks (of material misstatement to the financial statements) are
identified
▪ Controls are designed and operating effectively by December 31,
2021
▪ Internal Audit completes tests of controls’ design and operating
effectiveness
▪ Internal Audit assesses and reports findings to the Audit
Committee and the CEO & CFO to enable 10-K disclosure
Audit Committee
In a U.S. publicly traded company, an Audit Committee (AC) is a
committee of a company’s Board of Directors charged with
oversight of financial reporting and disclosure, including:
▪ Selection of the independent auditor
▪ Receipt of Internal Audit and External Audit results (Internal Audit reports
directly to the AC)
▪ Assess the analysis of important matters and judgments made by management in the financial reports
▪ Ensure appropriate policies and processes are in place for the prevention
and identification of asset misappropriation, corruption, and financial
statement fraud
▪ Meet with management and the independent auditor to discuss the
quarterly and audited annual financial statements of the company
What to Expect
▪ A busy 2021 calendar year
▪ Internal Audit
  ▪ Completing walkthroughs and updating process narratives
  ▪ Updating risk and control matrices (RCM)
  ▪ Testing of Control Design and Effectiveness
  ▪ Testing of IT general controls (ITGC)
  ▪ Reporting to AC and Executive Team
▪ Management
  ▪ Responding to requests from Internal Audit
  ▪ Implementing additional controls to address gaps
  ▪ Enhancing documentation (evidence of control occurring)
What are Controls?
What is a control?
A control is a specific activity designed to mitigate or manage risk.
While there is no “standard” definition, the generally accepted
description in the context of SOX is:
“A key control is a control that, if it fails, means there is at least a reasonable
likelihood that a material error in the financial statements would not be prevented
or detected on a timely basis. In other words, a key control is one that is required
to provide reasonable assurance that material errors will be prevented or timely
detected.”
Controls should be documented to clearly state the activity
performed, frequency, and ownership. A control is not a policy
statement or a process.
Controls Overview
Process vs. Control Activity
▪ Process – an activity performed in the normal course of business that is necessary to process a transaction or related business activity. Examples: posting an entry, creating a report, issuing an invoice
▪ Control – consists of the policies and procedures that help ensure management directives are implemented and that financial reporting is accurate. Examples: approvals, reconciliations, segregation of duties
▪ Control activities are specific and describe:
  ▪ HOW OFTEN (daily, weekly, etc.)
  ▪ WHO (position title, office)
  ▪ DOES WHAT (compares, reviews, etc.)
  ▪ TO WHAT (document, checklist, etc.)
  ▪ TO ENSURE (accuracy, proper authorization, etc.)
COSO 2013 Framework
To manage SOX, the Company will follow the COSO 2013 framework.
Entity Level Controls
What are Entity Level Controls?
▪ Controls that exist at the organization, group, or business unit level and have a
pervasive impact on business activities
▪ Establish the tone at the top
▪ Examples: Code of Conduct training, Background checks, Delegation of
Authority, etc.
▪ Entity Level Controls (ELC) must be evaluated both internally and by the
external auditor
Types of Controls
Who is involved in SOX?
SOX Involvement
Key Stakeholders
It takes a village…
▪ Process and control owners – Ownership, maintenance, and performance
of process and controls
▪ Executive Management – Accountable for ensuring the Company is
compliant with SOX Sections 302/906 and 404(a)
▪ Audit Committee – Oversight responsibility over financial reporting and
disclosure
▪ Internal Audit – Champions effective and efficient control environment
and independently assesses control design and effectiveness
▪ External Auditors – PwC will be required to independently evaluate and report on the Company’s control environment
Process / Control Owners
What is expected of control owners?
Ownership
▪ Own, maintain, and perform controls
▪ Ensure the controls are appropriately designed and run effectively throughout
the year
Documentation
▪ Ensure process narratives and/or flowcharts and internal controls are
documented accurately and completely
▪ Ensure all required documentation that evidences control execution is complete, accurate, and up-to-date, including IPE (Information Produced by the Entity)!
Audit Support
▪ Support process walkthroughs, audit inquiries, and audit testing
Roles & Responsibilities
Internal Audit’s role in SOX Compliance
IA is here to help you understand
▪ The SOX compliance requirement
▪ The scoping of risks and controls
▪ Considerations when evaluating design and effectiveness
IA commits to
▪ Communicate timely
▪ Execute an organized project plan
▪ Assist with remediation of control deficiencies
IA needs you to
▪ Own the consistent performance and documentation of controls
▪ Strengthen existing controls to meet requirements
▪ Remediate gaps in design and effectiveness timely
SOX Compliance Approach
Framework
[Framework diagram: the annual SOX compliance cycle runs 1 Scope, 2 Document, 3 Test of Design, 4 Test of Effectiveness, 5 Conclude & Report. Governance: Audit Committee, SOX Steering Committee. Key Business Partners: Management, Control Owners, IT Compliance, External Audit, Internal Audit.]
Key Areas of Focus – Year 1
Overview
▪ Evidence of control performance
▪ Information produced by the entity (IPE)
▪ Segregation of Duties (SOD)
▪ Management Review Controls (MRC)
Control Evidence
Control owners are responsible for:
▪ Creating sufficient documentation to support control execution
  If it is not documented, it didn’t happen!
▪ Documenting controls at the time when the control is performed
  i.e., not backdated or altered after the fact
▪ Documenting management’s review for every item reviewed
  A “blanket sign-off” on a document is not sufficient
▪ Providing reliable approvals (e.g., manually or electronically signed)
▪ Keeping the process activities and control activities up-to-date in the flowcharts and Risk and Control Matrices (RCM)
Information Produced by the Entity
What is IPE?
Information Produced by the Entity is data generated by the entity in the course of executing a control. Often, it’s in the form of a “report” which may be system-generated, manually prepared, or both.
IPE is an “input” to a control. What can go wrong?
▪ Not all data captured / data input correctly
▪ Algorithm or calculation is incorrect / applied to wrong population
▪ Parameters are incorrect
Information Used in the Control (IUC): for each report or calculation used in the performance of a control, we need to:
▪ Understand how the information is generated
▪ Be able to demonstrate the completeness and accuracy of the data
▪ IPE is an inherent part of most control activities, and
completeness and accuracy checks should be incorporated into
control performance.
▪ It is the responsibility of control performers to ensure that IPE
completeness and accuracy checks are performed to the same level of
precision every time a control is performed, and importantly, at the same
time a control is performed, and evidence is retained.
Tips for IPE:
▪ Always keep a screenshot of the parameters used to run a report
▪ Always keep screenshot(s) of the generated report
▪ Include screenshots, with tie-outs, in the control documentation
Segregation of Duties
Segregation of Duties (SOD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
SOD separates “incompatible duties” so that one person does not have all tasks:
▪ Authorization – approving
▪ Safekeeping – holding the asset or access to asset
▪ Record keeping – keeping track of the asset / liability
Examples:
▪ Separating preparers and reviewers for key controls
▪ Restricting access to production environments (e.g., to system
administrators and database administrators)
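The SOD check described above can be run against an access export rather than by hand. The following Python is an added example, not code from the SOX 101 deck or from ABC, Inc.: it maps roles to the three incompatible duty categories the slide names (authorization, safekeeping, record keeping), flags any user whose combined roles span two or more of them, and separately flags control executions where the preparer also acted as reviewer. The role names, user assignments and reconciliation log are constructed sample data.

```python
"""Segregation-of-duties (SOD) conflict check over role assignments.

Added example, not from the SOX 101 deck. Duty categories follow the slide;
the roles, duty mapping, users and control log below are constructed.
"""
from itertools import combinations

# Which incompatible duty categories each role carries (constructed mapping;
# a real one comes from the application's role design).
ROLE_DUTIES = {
    "ap_invoice_entry":    {"record_keeping"},
    "ap_payment_approver": {"authorization"},
    "ap_payment_release":  {"safekeeping"},      # can move cash out of the bank
    "gl_journal_post":     {"record_keeping"},
    "gl_journal_approve":  {"authorization"},
    # direct write access to ledger tables: custody and record keeping in one role
    "db_admin":            {"safekeeping", "record_keeping"},
}

# Constructed user-to-role assignments, e.g. an export from the ERP or IdP.
ASSIGNMENTS = {
    "alice": {"ap_invoice_entry"},
    "bob":   {"ap_payment_approver", "ap_payment_release"},  # approves and releases payments
    "carol": {"gl_journal_post", "gl_journal_approve"},      # posts and approves own journals
    "dave":  {"db_admin"},
    "erin":  {"gl_journal_post"},
}

# Constructed control-execution log for a monthly bank reconciliation.
RECON_LOG = [
    {"control": "bank_rec_2021_03", "preparer": "alice", "reviewer": "frank"},
    {"control": "bank_rec_2021_04", "preparer": "erin",  "reviewer": "erin"},   # self-review
    {"control": "bank_rec_2021_05", "preparer": "alice", "reviewer": "alice"},  # self-review
]


def duties_for(user, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Union of duty categories a user holds across all assigned roles."""
    duties = set()
    for role in assignments.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding two or
    more incompatible duties. Any two of the three categories conflict, so
    a single role that carries two categories is flagged for every holder."""
    conflicts = {}
    for user in assignments:
        held = sorted(duties_for(user, assignments, role_duties))
        pairs = list(combinations(held, 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def self_reviewed(log=RECON_LOG):
    """Control executions where the preparer also signed as reviewer."""
    return [entry["control"] for entry in log if entry["preparer"] == entry["reviewer"]]


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        print(f"{user}: incompatible duties {pairs}")
    print("self-reviewed controls:", self_reviewed())
```

The constructed db_admin role is flagged for every holder because the role itself combines custody of the data with record keeping; that is the reason the slide pairs SOD with restricting production access to a small, monitored group rather than handing it to process owners.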
Management Review Controls
Controls designed to review financial statements, account balances, account analyses, estimates, reconciliations, or other data for:
▪ Completeness and accuracy
▪ Appropriate accounting recognition
▪ Potential errors or misstatements
▪ Timely, effective performance of other controls
Management must be able to demonstrate:
▪ How the control operates
▪ Timeliness of the control and the related follow-up procedures
(Timeliness varies by control activity but, at a minimum, all controls must be
performed and documented prior to the earnings announcement / release)
▪ Controls over inputs / data used in control
▪ Thresholds used to identify variances (meeting operational and SOX requirements)
▪ Management review controls (MRC) often have a risk associated with the
control due to their subjectivity and complexity
▪ Management review controls must be precise enough to detect any errors
that could potentially result in a material misstatement
▪ Precision is defined as: “The sensitivity to which a control functions”
For example: If I am a control owner performing a review control, what initiates
a follow-up?
▪ Items greater than a certain dollar amount?
▪ Unique / unusual reconciling items?
▪ Unexpected adjustments or payments?
▪ Unexpected changes or variances?
▪ Long outstanding reconciling items?
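To make the precision question concrete, here is an added Python example (not code from the deck): it applies the follow-up triggers listed above (amount over a dollar threshold, long outstanding, unusual item, unexpected adjustment) to a constructed list of reconciling items, and then checks whether the items that pass without any review could aggregate to a material amount. The thresholds, keywords, items and materiality figures are assumptions; a real control uses the values set for that control.

```python
"""Follow-up triggers and precision check for a management review control.

Added example, not from the SOX 101 deck. Thresholds, keywords and items are
constructed; the logic is the slide's questions applied mechanically.
"""
from dataclasses import dataclass


@dataclass
class ReconcilingItem:
    ref: str
    amount: float          # absolute unreconciled amount, in dollars
    age_days: int          # how long the item has been outstanding
    description: str
    expected: bool = True  # False = adjustment or payment nobody anticipated


# Constructed review parameters for this control (assumptions, not the deck's).
DOLLAR_THRESHOLD = 25_000          # items at or above this get follow-up
AGING_THRESHOLD_DAYS = 60          # items open longer than this get follow-up
UNUSUAL_KEYWORDS = ("manual", "suspense", "unidentified", "write-off")


def follow_up_reasons(item, dollar=DOLLAR_THRESHOLD, aging=AGING_THRESHOLD_DAYS):
    """Return the reasons this item requires reviewer follow-up (empty = none)."""
    reasons = []
    if item.amount >= dollar:
        reasons.append("over dollar threshold")
    if item.age_days > aging:
        reasons.append("long outstanding")
    if any(word in item.description.lower() for word in UNUSUAL_KEYWORDS):
        reasons.append("unusual item")
    if not item.expected:
        reasons.append("unexpected adjustment")
    return reasons


def review(items, dollar=DOLLAR_THRESHOLD, aging=AGING_THRESHOLD_DAYS):
    """Split items into those needing follow-up (with reasons) and those
    that pass without the reviewer ever looking at them."""
    flagged, passed = {}, []
    for item in items:
        reasons = follow_up_reasons(item, dollar, aging)
        if reasons:
            flagged[item.ref] = reasons
        else:
            passed.append(item)
    return flagged, passed


def threshold_is_precise(items, materiality, dollar=DOLLAR_THRESHOLD,
                         aging=AGING_THRESHOLD_DAYS):
    """The aggregation test: could the items below every trigger add up to a
    material misstatement? If they could, the threshold is set too high."""
    _, passed = review(items, dollar, aging)
    return sum(item.amount for item in passed) < materiality


ITEMS = [  # constructed sample population for one reconciliation
    ReconcilingItem("R1", 40_000, 5, "timing difference, deposit in transit"),
    ReconcilingItem("R2", 9_000, 95, "outstanding check"),
    ReconcilingItem("R3", 3_500, 10, "manual adjustment to suspense"),
    ReconcilingItem("R4", 18_000, 3, "vendor refund", expected=False),
    ReconcilingItem("R5", 12_000, 20, "timing difference"),
    ReconcilingItem("R6", 11_000, 30, "timing difference"),
]

if __name__ == "__main__":
    flagged, passed = review(ITEMS)
    print("follow-up:", flagged)
    print("passed unreviewed:", [i.ref for i in passed])
    print("precise at $50k materiality:", threshold_is_precise(ITEMS, 50_000))
    print("precise at $20k materiality:", threshold_is_precise(ITEMS, 20_000))
```

With the constructed data, R5 and R6 never trigger a follow-up and together carry $23,000; at a $20,000 materiality the $25,000 dollar threshold is therefore not precise enough, and lowering it to $10,000 brings both items into the review.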
SOX Framework
Scope
Key Activities
Establish materiality and define qualitative factors
▪ Review income statements and balance sheets at consolidated levels
▪ Calculate materiality
▪ Evaluate qualitative factors
Risk rank accounts and map to SOX processes
▪ Assign a risk rating to financial accounts
▪ Map key processes to accounts
▪ Map key IT systems to accounts / processes
Scope controls by process
▪ Link business processes to business unit coverage
▪ Identify accounts in-scope based on risk rating
▪ Ensure all components of the COSO framework have been considered
In-scope processes
ABC, Inc. has 12 key in-scope processes:
1. Financial Close & Reporting
2. Treasury
3. Payroll
4. Procure to Pay
5. Revenue & Receivables
6. Taxes
7. Tax Receivable Agreement (TRA)
8. Equity
9. Debt & Interest
10. Goodwill & Intangibles
11. Entity Level Controls (ELC)
12. IT General Controls (ITGC)
Document
Key Activities
Documenting processes to identify controls is a requirement
Update key controls and attributes
▪ Risk and control matrices are created to identify control activities
▪ Controls are mapped to risks and financial statement assertions
Process owners validate documentation & changes
▪ Business owners approve process documentation
▪ Management communicates all process or control changes to the Internal Controls Team timely
Update process flows for key sub-processes
▪ Process flow created for each in-scope process
▪ Controls are identified
▪ Key activities, ownership, systems and reports are documented
In Summary
▪ Management is responsible for maintaining process documentation
▪ Confirmed process narratives, RCMs, and flows support management’s annual
control assessment
▪ Developing and maintaining evidence is an element of effective internal control;
therefore, documentation is critical to avoid a deficiency
Management is responsible for maintaining an effective
control environment.
Test of Design
Key Activities
Meet with control owners
▪ Are they qualified?
▪ What are the inputs of the control?
Evaluate the control
▪ IPE
▪ IUC
▪ Accurate
▪ Precise
▪ Timely
Evaluate management review controls
▪ When would there be a follow-up?
▪ Are we asking the right questions?
Communicate and remediate
▪ As needed
▪ Walk through the execution of a control using a single sample
▪ Evaluate the design of the control, including an assessment of the individual(s) performing the control
Control Attribute: Process Owner Assessment
Description: Assessment of competency and authority of the process owners and performers (if different)
Key Considerations:
▪ Length of tenure at ABC, Inc.
▪ Education, certificates, training
▪ Job role, prior roles
▪ Discussion with owner (past experience and their ability to execute the control and identify / address errors)
▪ Segregation of incompatible duties
Document Input, Processing, and Output
Management should ensure the completeness and accuracy of any system reports or manual calculations used in the performance of controls.
Control Attribute: Information Produced by the Entity (IPE) and key reports / interfaces
Description: Key reports – Name and source of any reports used in the performance of the control
Key Considerations:
▪ Any key reports used in the control should be discussed for evaluation of IT control coverage and completeness
Description: Interfaces – Name of any interface that moves data between systems
Key Considerations:
▪ Any interfaces used in the control should be discussed for evaluation of IT control coverage and completeness
Description: Description of IPE, including queries, parameters, etc. – Details of management’s procedures to assess completeness and accuracy of any reports or information generated by the system
Key Considerations:
▪ Completeness of population
▪ Tying system tools to exported report(s)
▪ Filters or parameters that may be applied to a data population to create control evidence
▪ Any manipulation of the data to create the control evidence (i.e., systematic or manual)
Assess Design
Management must demonstrate how controls are performed accurately, precisely, and timely.
Control Attribute: Process background
Description: Overview of the process surrounding the control
Key Considerations:
▪ What happens immediately prior to/after the control?
▪ What is the overall process (input, process, output)?
▪ Who are the key stakeholders in the process?
Control Attribute: Control precision / review precision
Description: Precision of control, adequacy of thresholds, evidence of review, timeliness of review, etc. – Assessment on the precision level of the control to identify a material misstatement
Key Considerations:
▪ Are there thresholds used in the review of the control? What are they? Are they precise? Are they low enough to identify a material misstatement when aggregated?
▪ What does the reviewer look for when performing the review?
▪ Is someone reviewing the control? How evidenced? Is evidence of review sufficient to show they adequately reviewed the control?
▪ Is the review performed in a timely manner to catch a discrepancy within a reasonable period of time?
Conclude on design of key controls
▪ Based on the walkthrough, we conclude whether the control is adequately
designed
▪ Only effectively designed controls will be tested for operating effectiveness (i.e.,
sample testing)
▪ Controls not effectively designed must be remediated; the Internal Audit team
will work with management to develop a remediation plan
Findings and observations will be communicated in a timely manner
by Internal Audit and will be tracked centrally until remediation is
complete.
In Summary
▪ A walkthrough is a test of one
▪ Information produced by the entity (IPE) and information used in
the control (IUC) must be validated
▪ Controls need to be accurate, precise, and performed timely
▪ Controls are preventive and detective (e.g., management review)
Test of Effectiveness
Key Activities
Test of effectiveness shows a control was operating throughout the period.
Request population & management IPE validation
▪ Define sample populations
▪ Select sample based on frequency and control risk ranking
▪ Request management to provide evidence of completeness and accuracy
Perform interim operating effectiveness testing
▪ Document procedures to determine completeness of the data, control activities, and existence of documentation
▪ Leverage discussion and example from test of design
▪ Test interim sample and conclude on interim operating effectiveness
Test roll-forward operating effectiveness
▪ Test additional samples or perform inquiry procedures to extend testing coverage to year-end
▪ Conclude on the effectiveness of operation and documentation as of year-end
Audit Evidence: Sufficiency
The quantity of audit evidence needed is affected by the following:
▪ Risk of material misstatement or the risk associated with the control
  ▪ As the risk increases, the amount of evidence that the auditor should obtain also increases
▪ Quality of the audit evidence obtained
  ▪ As the quality of the evidence increases, the need for additional corroborating evidence decreases
The quality of the audit evidence is affected by the relevance and
reliability of the information upon which it is based.
Audit Evidence: Appropriateness
Relevance:
▪ The relevance of audit evidence refers to its relationship to the assertion or
to the objective of the control
▪ Relevance depends on the design of the control and the timing of the audit
procedure
Reliability:
▪ The reliability of evidence depends on the nature and source and the
circumstances under which it is obtained
▪ The reliability of information generated internally is increased when the controls over that information are effective
▪ Reliability is higher when evidence is obtained directly by the auditor
▪ Reliability is higher when evidence is provided by original documents
Is the control effective?
✓ Defined threshold, criteria, and review
✓ Documentation of key considerations
✓ Validation and documentation of IPE and IUC
✓ Evidence that shows clear performance of the control (i.e., tick marks,
approval signatures, reference numbers, etc.)
✓ Central location to maintain original documentation
✓ Look back procedures to ensure consistent execution of control
In Summary
▪ Control test of effectiveness (TOE) is only performed for controls
that are adequately designed
▪ TOE is performed over an interim and roll-forward period
▪ Effective TOE depends on relevant and reliable supporting
evidence
▪ The degree of testing is based on the frequency of the control
Conclude and Report
Key Activities
Once testing is complete, management concludes on ICFR.
Conclude on operating effectiveness by control
▪ Summarize TOD and TOE results and aggregate deficiencies
▪ Compensating controls (see note below) and activities are identified where applicable
Prepare summary of aggregated deficiencies (SAD)
▪ Record and evaluate control deficiencies on the summary of aggregated deficiencies (SAD)
▪ Compile management’s annual SOX opinion
Report on control framework for fiscal year
▪ Management reports on operation of key controls in the 10-K as required by 404(a)
▪ PwC issues an opinion on the operation of key controls as required by 404(b)
Note: Compensating controls (mitigating controls) are key controls, generally detective in nature, that serve to mitigate financial risks for which other key controls were either not designed or operating effectively.
Control Gap
What is a control gap?
A control gap exists when the design or operation of a control does not function as intended.
Classify Control Gaps
Control Deficiency
▪ A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Significant Deficiency
▪ A deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. Reported to Audit Committee.
Material Weakness
▪ A deficiency, or combined deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. Reported to Audit Committee and disclosed in the 10-K and in management’s certifications.
Communication and Remediation
1. Control gap(s) identified through testing
2. Timely communication by IA to process owners
3. Remediation by control / process owners
4. Aggregate open gaps at year-end
5. Report on overall control assessment
Remediation of Control Deficiencies – Controls must be redesigned, implemented, and successfully retested by management and possibly external auditors (for significant deficiencies and material weaknesses) to be considered remediated.
Any questions on the SOX framework?
[Framework diagram repeated: 1 Scope, 2 Document, 3 Test of Design, 4 Test of Effectiveness, 5 Conclude & Report – Annual SOX Compliance]
Key Takeaways for Today
▪ You have a clear understanding of why Sarbanes-Oxley is important to ABC, Inc.
▪ You understand what it takes to comply
▪ You understand roles and responsibilities
QUESTIONS?
Appendices
▪ Information Produced by the Entity (IPE) checklist
Information Produced by the Entity (IPE) Review Checklist
▪ Data processed by the IT application from which the IPE is produced is not complete or accurate.
  Is the system processing the data correctly?
▪ Data extracted from the IT application into IPE is not the intended data or is not complete.
  Are parameters correct?
▪ Computations or categorizations performed in the creation of the IPE are inaccurate.
  Are the calculations within the system correct, or have the reports been customized from the system?
▪ The data output from the application to the end-user computing (EUC) tool is modified or lost in the transfer.
  Are the reports exported into Excel, PowerPoint, or PDF complete and accurate?
▪ Information added or changed (including new computations and categorizations) using the EUC tool is incomplete, inaccurate, or inappropriate.
  Are the reports modifiable?
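This checklist and the IPE tips earlier in the deck (keep the parameters, keep the generated report, tie it out) come down to one exercise: show which parameters produced the report, show that the copy used in the control is the copy the system produced, and show that its totals agree with the source population. The following Python is an added example, not code from the deck or from ABC, Inc.: at control time it records the parameters, a SHA-256 of the generated report, and a row count and hash total recomputed independently from the source data; later it re-ties an exported copy (the kind that passes through an EUC tool) against that record. The source rows, parameters and record layout are constructed.

```python
"""IPE completeness-and-accuracy tie-out for a report used in a control.

Added example, not from the SOX 101 deck. Source rows, parameters and the
evidence-record layout are constructed; the checks mirror the IPE checklist.
"""
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed source population: what the IT application holds.
SOURCE_ROWS = [
    {"id": "J1", "period": "2021-03", "account": "1000", "amount": "1500.00"},
    {"id": "J2", "period": "2021-03", "account": "2000", "amount": "-250.00"},
    {"id": "J3", "period": "2021-03", "account": "1000", "amount": "99.50"},
    {"id": "J4", "period": "2021-04", "account": "1000", "amount": "10.00"},
]
FIELDS = ["id", "period", "account", "amount"]


def run_report(rows, parameters):
    """Produce the report: filter the population by the period parameter."""
    return [r for r in rows if r["period"] == parameters["period"]]


def to_csv(rows):
    """Serialise the report the way the system would export it."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def control_totals(rows):
    """Row count and hash total (sum of amounts) used to tie an export to source."""
    return {"row_count": len(rows),
            "hash_total": round(sum(float(r["amount"]) for r in rows), 2)}


def evidence_record(parameters, report_csv, source_rows, run_at=None):
    """Evidence retained at the time the control is performed. The totals are
    recomputed from the source population, not read off the export, so a
    later change to the export cannot also change the expected values."""
    expected = control_totals(run_report(source_rows, parameters))
    return {
        "parameters": parameters,
        "run_at": (run_at or datetime.now(timezone.utc)).isoformat(),
        "sha256": hashlib.sha256(report_csv.encode()).hexdigest(),
        **expected,
    }


def tie_out(exported_csv, record):
    """Check an exported report against the retained record. Returns the list
    of exceptions; an empty list means the export ties to the source."""
    exceptions = []
    if hashlib.sha256(exported_csv.encode()).hexdigest() != record["sha256"]:
        exceptions.append("export differs from the report generated at control time")
    actual = control_totals(list(csv.DictReader(io.StringIO(exported_csv))))
    if actual["row_count"] != record["row_count"]:
        exceptions.append(f"row count {actual['row_count']} != source {record['row_count']}")
    if actual["hash_total"] != record["hash_total"]:
        exceptions.append(f"hash total {actual['hash_total']} != source {record['hash_total']}")
    return exceptions


if __name__ == "__main__":
    params = {"period": "2021-03"}
    report = to_csv(run_report(SOURCE_ROWS, params))
    record = evidence_record(params, report, SOURCE_ROWS)
    print("record:", record)
    print("clean export:", tie_out(report, record))
    print("edited export:", tie_out(report.replace("99.50", "999.50"), record))
```

The hash catches any edit to the file; the independently recomputed totals catch the checklist's other two failure modes, a report run with the wrong parameters and a population that lost rows on the way into the EUC tool, even when the file itself is untouched.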
Abbreviations Frequently Used
AC – Audit Committee
CD – Control Deficiency
COSO – Committee of Sponsoring Organizations of the Treadway Commission
ELC – Entity Level Controls
EUC – End User Computing
IA – Internal Audit
ICFR – Internal Control over Financial Reporting
IPE – Information Produced by Entity
ITDM – IT Dependent Manual Controls
ITGC – IT General Controls
IUC – Information Used in Controls
MRC – Management Review Controls
MW – Material Weakness
PCAOB – Public Company Accounting Oversight Board
RCM – Risk and Control Matrix
SAD – Summary of Aggregated Deficiencies
SD – Significant Deficiency
SOD – Segregation of Duties
SOX – Sarbanes-Oxley
TOD – Test of Design
TOE – Test of Effectiveness