SHRM Foundation Thought Leaders Retreat
Sarbanes Oxley Section 404: Framing the Issues
pwc

Agenda

Session                                                                                Time
Setting the Scene – Background on the SOA                                              10
Getting the job done – The steps involved in 404/302 documentation and testing         10
Common HR Issues and Findings                                                          15
Common HR Strategic Questions                                                          10
Q&A                                                                                    10
Total                                                                                  55 min.

Human Resource Services

Workshop Objectives

At the end of this session you will:
• Have a general understanding of the Sarbanes Oxley Act
• Understand the key steps involved in the Section 404/302 documentation and testing requirements of the Sarbanes Oxley Act
• Understand common issues and findings at many companies resulting from the documentation and testing of HR cycles
• Understand common implications and questions for a Company’s HR strategy as a result of the requirements of sections 404/302 of the Sarbanes Oxley Act

A Brief Overview of the Sarbanes Oxley Act (SOA)

• There are 11 titles in the SOA:
  – Title I – Public Company Accounting Oversight Board
  – Title II – Auditor Independence
  – Title III – Corporate Responsibility
  – Title IV – Enhanced Financial Disclosures
  – Title V – Analyst Conflicts of Interest
  – Title VI – Commission Resources and Authority
  – Title VII – Studies and Reports
  – Title VIII – Corporate and Criminal Fraud Accountability
  – Title IX – White Collar Crime Penalty
  – Title X – Corporate Tax Returns
  – Title XI – Corporate Fraud & Accountability

Sections 404/302 of the SOA

• Requires attestation by CEO and CFO and auditor over the sufficiency of key internal controls.
  – There is a difference between the corporate audit and the 404 attestation.
    • i.e. controls focus on how the numbers are generated while the corporate audit focuses on what the numbers are and whether or not they are correct.
  – Just because there has never been an error in the financial statements does not mean that the controls are strong.

Sections 404/302 of the SOA

• Not all internal controls are in scope of the attestation.
  – For example, controls over compliance of HR policies and programs are not typically in scope of the review.
• The four main areas of focus are controls that:
  – Mitigate the possibility of a financial restatement
  – Provide for the security of assets
  – Provide for approval over transactions
  – Provide for record retention

The COSO Framework for addressing Internal Controls

• The COSO framework is the framework agreed upon by the PCAOB (Public Company Accounting Oversight Board) for addressing Sections 404/302 of the SOA.
• For each of the Financial, Operational and Compliance related internal controls, the company must address each step in the COSO framework:
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information and Communication
  – Monitoring

Control Activity Areas of Focus

[Figure: HR areas plotted by SOX relevance (low to high) and risk potential (low to high): Executive Compensation, Compensation, Payroll, Health & Welfare, Pensions, Equity Plans, Expatriate Services, Training, Performance Management, HR Administration, Regional HR Management, Diversity, Employment Disputes, Learning & Development]
• Areas most likely to have a material effect if errors occur
• Areas with direct SOX impact

The 404/302 documentation and testing process

1. Develop risk assessment
2. Scope cycles to be documented
3. Develop risk and controls matrices
4. Develop narratives, flow charts, and populate risk and controls matrices based upon control owner interviews
5. Validate draft documentation with control owners
6. Perform walk-throughs
7. Analyze design effectiveness of controls
8. Remediate and update documentation
9. Perform operational effectiveness testing of controls
10. Remediate as necessary

Common Issues HR Departments are Facing

Completing 404/302 documentation:
• Completing the work when internal controls and/or financial reporting are not core competencies for the HR department
• Justifying the HR cycles to be in-scope or out-of-scope
• Developing risk and controls matrices
  – Getting our arms around – “It’s not Compliance!”
• How to monitor and communicate the effectiveness of key controls

Common Issues HR Departments are Facing

Common findings of the 404/302 process for HR cycles:
• There are often good processes without formal controls
• International implications
  – Cultural issues related to the Control Environment and formalized control activities
  – Demonstrating knowledge of US GAAP
• Connection and communication among HR/Finance/Treasury/Legal Departments
• Reviewing work of third parties for reasonableness
• Centralized monitoring of executive employment contracts

Common HR Strategic Questions Arising from 404/302 Compliance

• Impact on the question to Outsource or not to Outsource
  – Outsourcer oversight responsibility
• Internal Staffing strategies and budgets
  – Maintaining lean internal HR department staffing while complying with segregation of duties and restricted access control requirements
  – Outsourcer oversight responsibility
• Complicated compensation and benefits accounting – how much accounting and financial knowledge should reside in the HR department?
• Implications to compensation plan design for executives:
  – Performance measures based upon 404 results?
  – Board assessment of CEO?

Q&A

Contacts

Mike Boro
PricewaterhouseCoopers
300 Madison Avenue
New York, NY 10017
(646) 394-2370
michael.boroo@us.pwc.com

Carrie Duarte
PricewaterhouseCoopers
One International Place
Boston, MA 02110
(617) 530-4597
carrie.duarte@us.pwc.com