SOX 101 Training
April 2021

Agenda
▪ What is Sarbanes-Oxley compliance?
▪ What are controls?
▪ Who is involved in SOX?
▪ SOX compliance approach
▪ Key areas of focus – Year 1
▪ SOX framework
▪ Scope, document, test of design and effectiveness, conclude and report
▪ ABC, Inc. roadmap to SOX compliance 2021
▪ Questions

What is Sarbanes-Oxley Compliance?

SOX Overview
▪ SOX is a legal requirement for all publicly traded companies
▪ Establish and maintain internal control over financial reporting (ICFR)
▪ Annually assess and report, by both management and the external auditor, on the design and operating effectiveness of internal controls
▪ ABC, Inc. plans to implement and test controls during 2021
▪ Use a recognized framework (COSO 2013)
▪ Support the assessment with documentation of both the design and the effectiveness of the internal controls

Sarbanes-Oxley Section 302 / 906
The Company's CEO and CFO are required to certify each quarterly and annual report. The certification includes:
▪ A disclosure of management's conclusion on the effectiveness of disclosure controls and procedures
▪ Disclosure of significant changes or deficiencies in the design or operation of internal controls
▪ Communication of any fraud involving a person with a significant role in internal controls
Additionally, under Section 906:
▪ A CEO or CFO who willfully certifies false or misleading statements (financial or non-financial) is subject to criminal penalties, which can include fines and prison terms
▪ Reported results must reflect actual results and not be inaccurate or misleading

Sarbanes-Oxley Section 404
404(a): The Company's CEO and CFO are required to report annually on the state of internal controls, including:
▪ The framework used to evaluate the effectiveness of ICFR
▪ Management's assessment of the effectiveness of internal controls
▪ Any significant control deficiencies or material weaknesses
404(b): Additionally, the external auditor (PwC) must attest to the effectiveness of the Company's internal control over financial reporting.

PCAOB and External Auditor
The Public Company Accounting Oversight Board (PCAOB) was created by the Sarbanes-Oxley Act of 2002 to oversee the accounting firms that provide independent audit reports for publicly traded companies. (They audit PwC!)
Regulated by the PCAOB, PwC has the following responsibilities:
▪ Acknowledge that ABC, Inc. has, and evaluates, its internal controls
▪ Plan and perform the audit to obtain reasonable assurance that effective internal controls were maintained
▪ Form an opinion on the internal controls based on Internal Control – Integrated Framework (2013), issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)

What does success look like?
▪ Processes are documented
▪ Risks (of material misstatement to the financial statements) are identified
▪ Controls are designed and operating effectively by December 31, 2021
▪ Internal Audit completes tests of the controls' design and operating effectiveness
▪ Internal Audit assesses and reports findings to the Audit Committee and the CEO and CFO to enable the 10-K disclosure

Audit Committee
In a U.S. publicly traded company, the Audit Committee (AC) is a committee of the Board of Directors charged with oversight of financial reporting and disclosure, including:
▪ Selection of the independent auditor
▪ Receipt of Internal Audit and External Audit results (Internal Audit reports directly to the AC)
▪ Assessment of the significant analyses and judgments made by management in the financial reports
▪ Ensuring appropriate policies and processes are in place for the prevention and identification of asset misappropriation, corruption, and financial statement fraud
▪ Meeting with management and the independent auditor to discuss the quarterly and audited annual financial statements of the Company

What to Expect
▪ A busy 2021 calendar year
▪ Internal Audit
  ▪ Completing walkthroughs and updating process narratives
  ▪ Updating risk and control matrices (RCM)
  ▪ Testing control design and effectiveness
  ▪ Testing IT general controls (ITGC)
  ▪ Reporting to the AC and the Executive Team
▪ Management
  ▪ Responding to requests from Internal Audit
  ▪ Implementing additional controls to address gaps
  ▪ Enhancing documentation (evidence that the control occurred)

What are Controls?

Controls Overview
What is a control?
A control is a specific activity designed to mitigate or manage risk. While there is no “standard” definition, the generally accepted description in the context of SOX is:
“A key control is a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. In other words, a key control is one that is required to provide reasonable assurance that material errors will be prevented or timely detected.”
Controls should be documented to clearly state the activity performed, its frequency, and its owner. A control is not a policy statement or a process.

Process vs. Control Activity
▪ Process – an activity performed in the normal course of business that is necessary to process a transaction or related business activity. Examples: posting an entry, creating a report, issuing an invoice
▪ Control – the policies and procedures that help ensure management directives are carried out and that financial reporting is accurate. Examples: approvals, reconciliations, segregation of duties
▪ Control activities are specific and describe:
  ▪ HOW OFTEN (daily, weekly, etc.)
  ▪ WHO (position title, office)
  ▪ DOES WHAT (compares, reviews, etc.)
  ▪ TO WHAT (document, checklist, etc.)
  ▪ TO ENSURE (accuracy, proper authorization, etc.)

COSO 2013 Framework
To manage SOX, the Company will follow the COSO 2013 framework.

Entity Level Controls
What are Entity Level Controls?
▪ Controls that exist at the organization, group, or business unit level and have a pervasive impact on business activities
▪ They establish the tone at the top
▪ Examples: Code of Conduct training, background checks, Delegation of Authority, etc.
▪ Entity Level Controls (ELC) must be evaluated both internally and by the external auditor

Types of Controls

Who is involved in SOX?
Key Stakeholders
It takes a village…
▪ Process and control owners – Ownership, maintenance, and performance of processes and controls
▪ Executive Management – Accountable for ensuring the Company is compliant with SOX Sections 302/906 and 404(a)
▪ Audit Committee – Oversight responsibility over financial reporting and disclosure
▪ Internal Audit – Champions an effective and efficient control environment and independently assesses control design and effectiveness
▪ External Auditors – PwC is required to independently evaluate and report on the Company's control environment

Process / Control Owners
What is expected of control owners?
Ownership
▪ Own, maintain, and perform controls
▪ Ensure the controls are appropriately designed and operate effectively throughout the year
Documentation
▪ Ensure process narratives and/or flowcharts and internal controls are documented accurately and completely
▪ Ensure all required documentation that evidences control execution is complete, accurate, and up-to-date, including IPE (Information Produced by the Entity)!
Audit Support
▪ Support process walkthroughs, audit inquiries, and audit testing

Roles & Responsibilities
Internal Audit's role in SOX compliance
IA is here to help you understand
▪ The SOX compliance requirement
▪ The scoping of risks and controls
▪ Considerations when evaluating design and effectiveness
IA commits to
▪ Communicate in a timely manner
▪ Execute an organized project plan
▪ Assist with remediation of control deficiencies
IA needs you to
▪ Own the consistent performance and documentation of controls
▪ Strengthen existing controls to meet requirements
▪ Remediate gaps in design and effectiveness in a timely manner

SOX Compliance Approach

Framework
Annual SOX compliance cycle:
1 Scope
2 Document
3 Test of Design
4 Test of Effectiveness
5 Conclude & Report
Governance: Audit Committee; SOX Steering Committee
Key business partners: Management; Control Owners; IT Compliance; External Audit; Internal Audit

Key Areas of Focus – Year 1

Overview
▪ Evidence of control performance
▪ Information produced by the entity (IPE)
▪ Segregation of duties (SOD)
▪ Management review controls (MRC)

Control Evidence
Control owners are responsible for:
▪ Creating sufficient documentation to support control execution. If it is not documented, it didn't happen!
▪ Documenting controls at the time the control is performed, i.e., not backdated or altered after the fact
▪ Documenting management's review for every item reviewed. A “blanket sign-off” on a document is not sufficient
▪ Providing reliable approvals (e.g., manually or electronically signed)
▪ Keeping the process activities and control activities up-to-date in the flowcharts and risk and control matrices (RCM)

Information Produced by the Entity
What is IPE?
Information Produced by the Entity is data generated by the entity in the course of executing a control.
Often it takes the form of a “report”, which may be system-generated, manually prepared, or both. IPE is an “input” to a control.
What can go wrong?
▪ Not all data is captured, or data is input incorrectly
▪ The algorithm or calculation is incorrect, or is applied to the wrong population
▪ Parameters are incorrect
Information Used in the Control (IUC): for each report or calculation used in the performance of a control, we need to:
▪ Understand how the information is generated
▪ Be able to demonstrate the completeness and accuracy of the data
▪ IPE is an inherent part of most control activities, and completeness and accuracy checks should be incorporated into control performance.
▪ It is the responsibility of control performers to ensure that IPE completeness and accuracy checks are performed to the same level of precision every time a control is performed, and importantly, at the same time the control is performed, and that evidence is retained.
Tips for IPE:
▪ Always keep a screenshot of the parameters used to run a report
▪ Always keep screenshot(s) of the generated report
▪ Include the screenshots, with tie-outs, in the control documentation

Segregation of Duties
Segregation of Duties (SOD) is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. SOD separates “incompatible duties” so that one person does not hold all of:
▪ Authorization – approving
▪ Safekeeping – holding the asset or having access to the asset
▪ Record keeping – keeping track of the asset / liability
Examples:
▪ Separating preparers and reviewers for key controls
▪ Restricting access to production environments (e.g., to system administrators and database administrators)

Management Review Controls
Controls designed to review financial statements, account balances, account analyses, estimates, reconciliations, or other data for:
▪ Completeness and accuracy
▪ Appropriate accounting recognition
▪ Potential errors or misstatements
▪ Timely, effective performance of other controls
Management must be able to demonstrate:
▪ How the control operates
▪ Timeliness of the control and the related follow-up procedures (timeliness varies by control activity, but at a minimum all controls must be performed and documented prior to the earnings announcement / release)
▪ Controls over the inputs / data used in the control
▪ Thresholds used to identify variances (meeting operational and SOX requirements)
▪ Management review controls (MRC) often carry additional risk because of their subjectivity and complexity
▪ Management review controls must be precise enough to detect any errors that could potentially result in a material misstatement
▪ Precision is defined as “the sensitivity to which a control functions”
For example: if I am a control owner performing a review control, what initiates a follow-up?
▪ Items greater than a certain dollar amount?
▪ Unique / unusual reconciling items?
▪ Unexpected adjustments or payments?
▪ Unexpected changes or variances?
▪ Long-outstanding reconciling items?

SOX Framework

Scope
Key Activities
Establish materiality and define qualitative factors
▪ Calculate materiality
▪ Evaluate qualitative factors
Risk rank accounts and map to SOX processes
▪ Review income statements and balance sheets at consolidated levels
▪ Assign a risk rating to financial accounts
▪ Identify accounts in scope based on risk rating
▪ Map key processes to accounts
▪ Map key IT systems to accounts / processes
Scope controls by process
▪ Link business processes to business unit coverage
▪ Ensure all components of the COSO framework have been considered

In-scope processes
ABC, Inc. has 12 key in-scope processes:
1 Financial Close & Reporting
2 Treasury
3 Payroll
4 Procure to Pay
5 Revenue & Receivables
6 Taxes
7 Tax Receivable Agreement (TRA)
8 Equity
9 Debt & Interest
10 Goodwill & Intangibles
11 Entity Level Controls (ELC)
12 IT General Controls (ITGC)

Document
Key Activities
Documenting processes to identify controls is a requirement.
Update process flows for key sub-processes
▪ A process flow is created for each in-scope process
▪ Key activities, ownership, systems, and reports are documented
Update key controls and attributes
▪ Risk and control matrices are created to identify control activities
▪ Controls are identified
▪ Controls are mapped to risks and financial statement assertions
Process owners validate documentation and changes
▪ Business owners approve process documentation
▪ Management communicates all process or control changes to the Internal Controls Team in a timely manner
In Summary
▪ Management is responsible for maintaining process documentation
▪ Confirmed process narratives, RCMs, and flows support management's annual control assessment
▪ Developing and maintaining evidence is an element of effective internal control; therefore, documentation is critical to avoid a deficiency
Management is responsible for maintaining an effective control environment.

Test of Design
Key Activities
Meet with control owners
▪ Are they qualified? What are the inputs to the control?
Evaluate the control
▪ Inputs: IPE and IUC
▪ Is it accurate, precise, and timely?
Evaluate management review controls
▪ When would there be a follow-up?
▪ Are we asking the right questions?
Communicate and remediate
▪ As needed
▪ Walk through the execution of a control using a single sample
▪ Evaluate the design of the control, including an assessment of the individual(s) performing the control

Control attribute: Process Owner Assessment
Description: Assessment of the competency of the process owners and performers (if different)
Key considerations:
▪ Length of tenure at ABC, Inc.
▪ Education, certificates, training
▪ Job role, prior roles, and authority
▪ Discussion with the owner (past experience and their ability to execute the control and identify / address errors)
▪ Segregation of incompatible duties

Document Input, Processing, and Output
Management should ensure the completeness and accuracy of any system reports or manual calculations used in the performance of controls.
Control attribute: Information Produced by the Entity (IPE) and key reports / interfaces
Description:
▪ Key reports: name and source of any reports used in the performance of the control
▪ Interfaces: name of any interface that moves data between systems
▪ Description of the IPE, including queries, parameters, etc.
▪ Details of management's procedures to assess the completeness and accuracy of any reports or information generated by the system
Key considerations:
▪ Any key reports used in the control should be discussed to evaluate IT control coverage and completeness
▪ Any interfaces used in the control should be discussed to evaluate IT control coverage and completeness
▪ Completeness of the population
▪ Tying the system-generated report to the exported report(s)
▪ Filters or parameters applied to a data population to create the control evidence
▪ Any manipulation of the data to create the control evidence (systematic or manual)

Assess Design
Management must demonstrate how controls are performed accurately, precisely, and timely.
Control attribute: Process background
Description: Overview of the process surrounding the control
Key considerations:
▪ What happens immediately prior to / after the control?
▪ What is the overall process (input, process, output)?
▪ Who are the key stakeholders in the process?
Control attribute: Control precision / review precision
Description: Precision of the control, adequacy of thresholds, evidence of review, timeliness of review, etc.; assessment of whether the control is precise enough to identify a material misstatement
Key considerations:
▪ Are thresholds used in the review? What are they? Are they precise? Are they low enough to identify a material misstatement when aggregated?
▪ What does the reviewer look for when performing the review?
▪ Is someone reviewing the control? How is that evidenced? Is the evidence of review sufficient to show they adequately reviewed the control?
▪ Is the review performed in a timely manner, so that a discrepancy is caught within a reasonable period?

Conclude on design of key controls
▪ Based on the walkthrough, we conclude whether the control is adequately designed
▪ Only effectively designed controls will be tested for operating effectiveness (i.e., sample testing)
▪ Controls not effectively designed must be remediated; the Internal Audit team will work with management to develop a remediation plan
Findings and observations will be communicated in a timely manner by Internal Audit and tracked centrally until remediation is complete.
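Two of the Key Areas of Focus above, IPE completeness and accuracy and segregation of duties, meet in a typical user-access review control: the SOD check is only as good as the access extract it is run on, so the extract has to be tied out before the review relies on it. The following is an added example written for this page, not code from the deck or from ABC, Inc. The system, role names, control totals and the extract itself are constructed, and the incompatible-duty pairs are hypothetical stand-ins for what the RCM would define. It ties the extract to the system's row and user counts, hashes the reviewed file so it can later be shown unaltered, and only then runs the SOD check.

```python
"""
Added example, not part of the SOX 101 deck: an access-review control whose input
is an IPE (a user/role extract) and whose logic is a segregation-of-duties check.
System name, role names, control totals and the extract are constructed for
illustration; a real matrix of incompatible duties comes from the RCM.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample extract: what a user-role report exported from an ERP might
# look like. In practice this is the report whose run parameters get screenshotted.
SAMPLE_EXTRACT = """user,role,system
alice,AP_INVOICE_ENTRY,ERP
alice,AP_PAYMENT_APPROVE,ERP
bob,AP_INVOICE_ENTRY,ERP
carol,GL_JOURNAL_POST,ERP
carol,GL_JOURNAL_APPROVE,ERP
dave,PROD_DB_ADMIN,ERP
dave,GL_JOURNAL_POST,ERP
erin,AP_PAYMENT_APPROVE,ERP
"""

# Constructed control totals displayed by the system when the extract was run.
# The tie-out compares the exported file against these; this is the completeness
# and accuracy check the deck asks for before the IPE is relied on.
SYSTEM_ROW_COUNT = 8
SYSTEM_USER_COUNT = 5

# Hypothetical incompatible-duty pairs, one per category conflict from the deck:
# record keeping vs authorization, preparer vs reviewer, safekeeping vs record keeping.
INCOMPATIBLE_PAIRS = (
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
    frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}),
    frozenset({"PROD_DB_ADMIN", "GL_JOURNAL_POST"}),
)


def parse_extract(text):
    """Parse the CSV extract into a list of {user, role, system} dicts,
    rejecting blank or missing fields (a sign of a damaged export)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for i, row in enumerate(rows, start=2):  # line 1 is the header
        if not all(row.get(k) for k in ("user", "role", "system")):
            raise ValueError(f"line {i}: blank or missing field in extract")
    return rows


def tie_out(rows, expected_rows, expected_users):
    """Completeness and accuracy tie-out of the IPE to the system's control totals.
    Returns (ok, detail) so the outcome can be recorded as control evidence."""
    users = {r["user"] for r in rows}
    if len(rows) != expected_rows:
        return False, f"row count {len(rows)} does not tie to system count {expected_rows}"
    if len(users) != expected_users:
        return False, f"distinct users {len(users)} does not tie to system count {expected_users}"
    return True, f"tied out: {len(rows)} rows, {len(users)} users"


def evidence_hash(text):
    """SHA-256 of the exact extract reviewed, retained with the sign-off so the
    file can later be shown to be the one the control was performed on."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def sod_conflicts(rows):
    """Return [(user, (role_a, role_b)), ...] for every user holding both roles
    of an incompatible pair, sorted by user."""
    roles_by_user = defaultdict(set)
    for r in rows:
        roles_by_user[r["user"]].add(r["role"])
    conflicts = []
    for user in sorted(roles_by_user):
        for pair in INCOMPATIBLE_PAIRS:
            if pair <= roles_by_user[user]:
                conflicts.append((user, tuple(sorted(pair))))
    return conflicts


def run_review(text, expected_rows, expected_users):
    """Perform the control: validate the IPE first, then run the SOD check.
    If the tie-out fails, the control must not rely on the extract, so stop."""
    rows = parse_extract(text)
    ok, detail = tie_out(rows, expected_rows, expected_users)
    if not ok:
        raise ValueError("IPE failed completeness/accuracy check: " + detail)
    return {
        "tie_out": detail,
        "evidence_sha256": evidence_hash(text),
        "conflicts": sod_conflicts(rows),
    }


if __name__ == "__main__":
    result = run_review(SAMPLE_EXTRACT, SYSTEM_ROW_COUNT, SYSTEM_USER_COUNT)
    print(result["tie_out"], "sha256:", result["evidence_sha256"])
    for user, pair in result["conflicts"]:
        print(f"SOD conflict: {user} holds {pair[0]} and {pair[1]}")
```

Run as a script it prints the tie-out result and each conflict (alice, carol and dave in the constructed data). The ordering is the point: a failed tie-out raises before any conflict is reported, which mirrors the deck's position that a control performed on unvalidated IPE gives no assurance. The hash is not a substitute for the parameter and report screenshots the deck asks for; it only lets the reviewer prove the reviewed file was not altered after sign-off.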
In Summary
▪ A walkthrough is a test of one
▪ Information produced by the entity (IPE) and information used in the control (IUC) must be validated
▪ Controls need to be accurate, precise, and performed in a timely manner
▪ Controls may be preventive or detective (e.g., management review)

Test of Effectiveness
Key Activities
A test of effectiveness shows that a control was operating throughout the period.
Request population and management IPE validation
▪ Define sample populations
▪ Select samples based on the frequency and control risk ranking
▪ Request management to provide evidence of completeness and accuracy
Perform interim operating effectiveness testing
▪ Document procedures to determine completeness of the data, control activities, and existence of documentation
▪ Leverage the discussion and example from the test of design
▪ Test the interim sample and conclude on interim operating effectiveness
Test roll-forward operating effectiveness
▪ Test additional samples or perform inquiry procedures to extend testing coverage to year-end
▪ Conclude on the effectiveness of operation and documentation as of year-end

Audit Evidence: Sufficiency
The quantity of audit evidence needed is affected by the following:
▪ Risk of material misstatement, or the risk associated with the control
  ▪ As the risk increases, the amount of evidence that the auditor should obtain also increases
▪ Quality of the audit evidence obtained
  ▪ As the quality of the evidence increases, the need for additional corroborating evidence decreases
The quality of the audit evidence is affected by the relevance and reliability of the information upon which it is based.

Audit Evidence: Appropriateness
Relevance:
▪ The relevance of audit evidence refers to its relationship to the assertion or to the objective of the control
▪ Relevance depends on the design of the control and the timing of the audit procedure
Reliability:
▪ The reliability of evidence depends on its nature and source and the circumstances under which it is obtained
▪ The reliability of information generated internally is increased when the controls over that information are effective
▪ Evidence obtained directly by the auditor is more reliable
▪ Evidence provided by original documents is more reliable

Is the control effective?
✓ Defined threshold, criteria, and review
✓ Documentation of key considerations
✓ Validation and documentation of IPE and IUC
✓ Evidence that shows clear performance of the control (i.e., tick marks, approval signatures, reference numbers, etc.)
✓ Central location to maintain original documentation
✓ Look-back procedures to ensure consistent execution of the control

In Summary
▪ A control test of effectiveness (TOE) is only performed for controls that are adequately designed
▪ TOE is performed over an interim and a roll-forward period
▪ Effective TOE depends on relevant and reliable supporting evidence
▪ The degree of testing is based on the frequency of the control

Conclude and Report
Key Activities
Once testing is complete, management concludes on ICFR.
Conclude on operating effectiveness by control
▪ Summarize TOD and TOE results and aggregate deficiencies
▪ Compensating controls (see note below) and activities are identified where applicable
Prepare a summary of aggregated deficiencies (SAD)
▪ Record and evaluate control deficiencies on the summary of aggregated deficiencies (SAD)
Compile management's annual SOX opinion and report on the control framework for the fiscal year
▪ Management reports on the operation of key controls in the 10-K, as required by 404(a)
▪ PwC issues an opinion on the operation of key controls, as required by 404(b)
Note: Compensating controls (mitigating controls) are key controls, generally detective in nature, that serve to mitigate financial risks for which other key controls were either not designed or not operating effectively.

Control Gap
What is a control gap?
A control gap exists when the design or operation of a control does not function as intended.

Classify Control Gaps
Control Deficiency
▪ A deficiency in internal control over financial reporting exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Significant Deficiency
▪ A deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting. Reported to the Audit Committee.
Material Weakness
▪ A deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. Reported to the Audit Committee and disclosed in the 10-K and in management's certifications.

Communication and Remediation
Control gap(s) identified through testing → timely communication by IA to process owners → remediation by control / process owners → aggregation of open gaps at year-end → report on the overall control assessment
Remediation of control deficiencies – Controls must be redesigned, implemented, and successfully retested by management (and possibly by the external auditors, for significant deficiencies and material weaknesses) to be considered remediated.

Any questions on the SOX framework?
(Annual SOX compliance cycle: 1 Scope, 2 Document, 3 Test of Design, 4 Test of Effectiveness, 5 Conclude & Report)

Key Takeaways for Today
▪ You have a clear understanding of why Sarbanes-Oxley is important to ABC, Inc.
▪ You understand what it takes to comply
▪ You understand roles and responsibilities

QUESTIONS?

Appendices
▪ Information Produced by the Entity (IPE) checklist

Information Produced by the Entity (IPE) Review Checklist
▪ Risk: data processed by the IT application from which the IPE is produced is not complete or accurate. Check: is the system processing the data correctly?
▪ Risk: data extracted from the IT application into the IPE is not the intended data or is not complete. Check: are the parameters correct?
▪ Risk: computations or categorizations performed in the creation of the IPE are inaccurate. Check: are the calculations within the system correct? Have the reports been customized from the system standard?
▪ Risk: the data output from the application to the end-user computing (EUC) tool is modified or lost in the transfer. Check: are the reports exported into Excel, PowerPoint, or PDF complete and accurate?
▪ Risk: information added or changed (including new computations and categorizations) using the EUC tool is incomplete, inaccurate, or inappropriate. Check: are the reports modifiable?

Abbreviations Frequently Used
AC – Audit Committee
CD – Control Deficiency
COSO – Committee of Sponsoring Organizations of the Treadway Commission
ELC – Entity Level Controls
EUC – End User Computing
IA – Internal Audit
ICFR – Internal Control over Financial Reporting
IPE – Information Produced by the Entity
ITDM – IT Dependent Manual Controls
ITGC – IT General Controls
IUC – Information Used in Controls
MRC – Management Review Controls
MW – Material Weakness
PCAOB – Public Company Accounting Oversight Board
RCM – Risk and Control Matrix
SAD – Summary of Aggregated Deficiencies
SD – Significant Deficiency
SOD – Segregation of Duties
SOX – Sarbanes-Oxley
TOD – Test of Design
TOE – Test of Effectiveness