The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Session #6 – September 30, 2003 1 The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L.L.P 2 Disclaimer The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members. 3 Series 2: Emerging Trends and Best Practices in Implementing SOA • May 21 - Section 404 Readiness Review: How to document your system of internal control. (Archived) • June 10 - Helping your audit committee implement complaint handling. (Archived) • July 8 - Leveraging the COSO framework to meet Section 404 requirements (Archived) • August 12 - Project Administration – Setting and revising priorities in the wake of the “Final 404 Rules” (Archived) • September 9 - Internal Audit support of Audit Committees – What works best • September 30 - The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act 4 Webcast Series on SOA Fostering Compliance with SOA: Internal Auditor’s Role • Four sessions archived on IIA’s website and available on CD • Originally aired January 28 – April 15, 2003 5 IIA Online Training - New ! Conferences on Demand • IIA’s August’s ERM/CSA Conference 10 best sessions online for $199. • Stay current and earn CPEs • Visit http://www.theiia.org/iia/index.cfm?doc_id=4382 for a list of the segments and additional information. • Or, contact rbrindley@theiia.org. 6 Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 7 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key Internal Control Testing Strategy Patricia Scipio, CIA, CPA Vice President, Auditing Wellchoice, Inc. 8 Where is your company at in terms of 404 Readiness? 9 Choice Count % Completed the scoping, planning and mobilization 51 46.4% Completed controls documentation 18 16.4% Completed the evaluation of the design effectiveness of controls 8 7.3% Completed the testing of the operating effectiveness of controls 3 2.7% Completed remediation of any identified design gaps 1 0.9% Completed remediation of any identified operating controls ineffectiveness 2 1.8% Other, please explain: 27 24.5% When is your company planning to test the operating effectiveness of key controls? 10 Choice Count % 2003 and 2004 63 58.9% Only in 2004 and why? 44 41.1% Key Initial Decisions • What controls will be tested? • How will each type of control be tested? • When will each control be tested? • How often should each control be tested? • Who will perform the testing? 11 Testing Strategy Objectives • Standardize a methodology for testing the operating effectiveness • Develop proactive warning indicators to alert management of potential control failures • Monitor key processes by continuous scanning for adverse developments • Develop a turn key approach so business owners can easily perform testing as part of their routine 12 Financial Reporting Control Objectives • Existence or Occurrence • Completeness • Rights and Obligations • Valuation or Allocations • Presentation and Disclosure 13 Basic Controls • • • • • • • • • 14 Accountability Control Totals Double Verification Exception/Edit Reports Holding Files Independent Checks Interface Controls Key Performance Indicators Management Review • Numerical Sequencing • Periodic Reconciliation • Pre-numbered Documents • Proper Authorization • Safeguard Assets • Segregation of Duties • System Configuration • Transactions Recorded Means of Achieving Control • Organization – structured roles • Policies – principles and guidelines • Procedures – methods employed • Personnel – qualifications to perform the job • Accounting – financial control • Budgeting – expected results • Reporting – timely, accurate and meaningful 15 Controls by Function or Type • • • • • • 16 Directive Controls Preventive Controls Detective Controls Corrective Controls Manual vs Automated Controls Hard vs Soft Controls Testing Procedures • • • • 17 Inquiry Observation Inspection of Physical Evidence Re-performance Factors in Designing Testing Strategy • Nature of control & significance in achieving objective • One control supporting more than one objective • Significant changes in volume or nature of transactions • Changes in the design of the control • Degree to which control relies on effectiveness of other controls 18 Factors in Designing Testing Strategy (continued) • • • • • • • 19 Complexity of the Control Manual vs. Automated Control Existence of Self-assessment Programs Entity wide Control Frequency of Control Timing of Test of Controls Changes in key personnel who perform or monitor the control Summary • Several factors must be considered in determining the nature, timing and extent of testing • Management should monitor the quality and performance of the system of internal control over time • To the extent possible, internal controls should be structured to be selfmonitoring and self-correcting 20 Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 21 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key Fitting Into the Bigger Picture Kimberly Gavaletz VP, Internal Audit Lockheed Martin Corporation 22 Components • Framework • Quality • Keeping It Fresh Internal Audit’s Obligation & Opportunity 23 Framework II. Discussion of Amendments Implementing Section 404 1.B.3 Final Rules …a company’s annual report to include and internal control report of management that contains… • A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company’s internal control over financial reporting; 1.B.3.A Evaluation of Internal Control over Financial Reporting • …Management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria and may be used as an evaluation framework…However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute… 24 June 5, 2003 SEC Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports COSO Control Environment Foundation – Discipline & Structure Risk Assessment Identification & Analysis of Risks to Predetermined Objectives Control Activity Policies/Procedures/Practices that Ensure Objectives are Achieved and Risk Mitigation Strategies are Carried Out Information & Communication Communication of Control Responsibilities to Employees in Form & Timeframe to Execute Monitoring Oversight of Internal Controls (Outside and Inside the Process) Big Picture Embodied in the Framework 25Other Frameworks: Guidance on Assessing Control, Turnbull Report, “Future Developments” Framework: Ownership Objectives Risks Management Owns Controls Monitoring Key: Management Ownership 26 Internal Audit Performs Independent Assessments/ Audits Framework: Scope Today’s Emphasis Disclosure Controls-302 Internal Controls-404 Integrity of Financial Reporting 27 Big Picture Business Objectives - Financial - Technical Delivery - Compliance Performance with Integrity Quality • Who Decides Quality of Controls? • Who Decides Level of Consistency Needed? Roles -Management -Internal Audit -External Audit Drivers -Rules -Guidelines Balance of Controls ReactivegProactivegPreventive 28 Quality: Internal Audit • Start: Serve as a Facilitator/Partner across Management and External Auditors – Start the Dialog – Determine the Roles • Options/Steps: – Independently Assess Existing Quality Assurance Structure – Advise Management on the Need and Scope of a Quality Assurance System – If Necessary, “Gap Fill” as the Quality Assurance Function 29 Keeping It Fresh •Keep it Fresh Continuous Improvement Ongoing Involvement Utilize Evolving Technology Management Internal Audit 30 System of Internal Controls External Audit Summary • Focus on the Big Picture Framework-Scope-Ownership • Focus on Quality Ownership Detection & Prevention • Keep it Fresh Continuous Improvement-Involvement 31 Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 32 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key COSO’s ERM Framework: The Shape of Things to Come Paul J. Sobel Vice President, Internal Audit Mirant Corporation 33 The New COSO Cube Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring 34 Internal Environment •Today- An Integral Part of Sarbanes-Oxley 404 –Integrity and ethical values –Control consciousness and operating style –Commitment to competence –Board/Audit Committee participation in governance •Tomorrow - Embracing Risk –Risk management philosophy –Risk culture –Risk appetite 35 Internal Environment Objective Setting •Today - Financial Statement Assertions –Access to assets –Authorization –Completeness and accuracy –Existence and occurrence –Presentation, classification and disclosure –Rights and obligations –Valuation or allocation •Tomorrow - Business Objectives –Beyond financial objectives –Formalized risk tolerance levels 36 Objective Setting Event Identification •Today - An Ad Hoc Part of Risk Assessment –Generic risk universes –Standard risks and definitions –Few scenarios considered •Tomorrow - Formal Identification and Analysis –Answer the questions “What can go wrong?” and “What needs to go right?” –Understand events/scenarios (worse case, most likely, etc.) –Consider interdependencies (domino effect)1000 Event Identification 37 Risk Assessment •Today - Becoming common, but somewhat Superficial –Tends to be pretty broad –May only be done in silos –Minimal support for judgments –One-time event •Tomorrow - A Robust, Ongoing Activity –Integrated with strategic planning –Inherent and residual risk considered –Enterprise-wide Risk Assessment 38 Risk Response •Today - Individual Judgments –Based on past experience and instinct –Typically focuses on a single response –Little consideration to portfolio effect •Tomorrow - Portfolio Approach –Identify and evaluate range of possible responses –Consider enterprise-wide responses –A formal process Risk Response 39 Control Activities •Today - Ensuring Adequate Control –General and application/specific controls –Preventative and detective controls –Automated and manual controls –Routine and non-routine controls •Tomorrow - Ensuring Objective Achievement –Integrated with risk response –Focuses on strategic, operational, financial and compliance objectives Control Activities 40 Information & Communication and Monitoring •Today - Financial Reporting and Compliance –Supports financial judgments –Blend of internal and external information –Multi-directional communications –Monitor degree of success •Tomorrow - Strategic and Operations –All of the above for all objectives –Integrated monitoring system Information and Communication 41 Monitoring What Does it Mean for Internal Auditors? • Transition to a Risk Management-Based Internal Audit Approach –Internal Environment - Expand focus to include risk philosophy, risk culture and risk appetite –Objective Setting - Obtain understanding of objectives; determine risk tolerance levels –Event Identification - Imbed in annual and process level risk assessments –Risk Assessment - Lead or facilitate a robust, ongoing, enterprise-wide process 42 What Does it Mean for Internal Auditors? • Transition to a Risk Management-Based Internal Audit Approach (continued) –Risk Response - Facilitate identification of possible responses; bring process orientation –Control Activities - Link controls back to objectives;ensure integration with risk response –Information and Communication - Evaluate as a part of every audit (make a separate risk) –Monitoring - Recommend ways to enhance in every process 43 Summary - The COSO Evolution • 1992 - Groundwork laid, but not focused for most companies Control Activities • 2002 - Sarbanes-Oxley brought internal control to the forefront • 2004+ - True ERM begins to take shape Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication 44 Monitoring Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 45 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 46 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key Agenda 1:00 Introduction and Overview - Jim Key 1:05 Internal Control Strategy – Patricia Scipio Fitting into the Bigger Picture – Kimberly Parker Gavaletz COSO’s ERM Framework: The Shape of Things to Come – Paul J. Sobel 47 1:55 Break 2:00 Questions & Answers – Panel 2:25 - 2:30 Concluding Remarks – Jim Key Webcast Summary • It is essential to be intentional about planning your testing strategy • Focusing on quality and continuous improvement will leverage your control framework for better results • COSO ERM framework provides an opportunity for Internal Audit to help organizations meet strategic goals 48 Future Webcasts • Webcast Steering Committee • Survey - Input 49 Thank you for your participation! Your Comments/Feedback are very important – please complete the evaluation form and redeem a discount on an Online Training product. Email agoodman@theiia.org for more details! 50