The Road Ahead – Meeting the challenges in complying with The Sarbanes-Oxley Act
The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley
Session #6 – September 30, 2003
The IIA Webcast Moderator
Jim Key, CIA
Managing Partner
Shenandoah Group, L.L.P
Disclaimer
The views expressed in this webcast
are solely those of the panelists and
moderators and do not necessarily
reflect the views or policies of the
Institute of Internal Auditors or its
directors, officers, employees and
members.
Series 2: Emerging Trends and Best Practices in Implementing SOA
• May 21 - Section 404 Readiness Review: How to
document your system of internal control. (Archived)
• June 10 - Helping your audit committee implement
complaint handling. (Archived)
• July 8 - Leveraging the COSO framework to meet
Section 404 requirements (Archived)
• August 12 - Project Administration – Setting and
revising priorities in the wake of the “Final 404 Rules”
(Archived)
• September 9 - Internal Audit support of Audit
Committees – What works best
• September 30 - The Road Ahead – Meeting the
challenges in complying with The Sarbanes-Oxley Act
Webcast Series on SOA
Fostering Compliance with SOA: Internal Auditor’s Role
• Four sessions archived on IIA’s website and
available on CD
• Originally aired January 28 – April 15, 2003
IIA Online Training - New!
Conferences on Demand
• IIA’s August’s ERM/CSA Conference 10 best
sessions online for $199.
• Stay current and earn CPEs
• Visit http://www.theiia.org/iia/index.cfm?doc_id=4382 for a list of
the segments and additional information.
• Or, contact rbrindley@theiia.org.
Agenda
1:00
Introduction and Overview - Jim Key
1:05
Internal Control Strategy – Patricia Scipio
Fitting into the Bigger Picture –
Kimberly Parker Gavaletz
COSO’s ERM Framework: The Shape of
Things to Come – Paul J. Sobel
1:55
Break
2:00
Questions & Answers – Panel
2:25 - 2:30
Concluding Remarks – Jim Key
Internal Control Testing Strategy
Patricia Scipio, CIA, CPA
Vice President, Auditing
Wellchoice, Inc.
Where is your company at in terms of 404 Readiness?
Choice: Count (%)
Completed the scoping, planning and mobilization: 51 (46.4%)
Completed controls documentation: 18 (16.4%)
Completed the evaluation of the design effectiveness of controls: 8 (7.3%)
Completed the testing of the operating effectiveness of controls: 3 (2.7%)
Completed remediation of any identified design gaps: 1 (0.9%)
Completed remediation of any identified operating controls ineffectiveness: 2 (1.8%)
Other, please explain: 27 (24.5%)
When is your company planning to test the operating effectiveness of key controls?
Choice: Count (%)
2003 and 2004: 63 (58.9%)
Only in 2004 and why?: 44 (41.1%)
Key Initial Decisions
• What controls will be tested?
• How will each type of control be tested?
• When will each control be tested?
• How often should each control be
tested?
• Who will perform the testing?
Testing Strategy Objectives
• Standardize a methodology for testing the
operating effectiveness
• Develop proactive warning indicators to alert
management of potential control failures
• Monitor key processes by continuous
scanning for adverse developments
• Develop a turnkey approach so business
owners can easily perform testing as part of
their routine
Financial Reporting Control Objectives
• Existence or Occurrence
• Completeness
• Rights and Obligations
• Valuation or Allocations
• Presentation and Disclosure
Basic Controls
• Accountability
• Control Totals
• Double Verification
• Exception/Edit Reports
• Holding Files
• Independent Checks
• Interface Controls
• Key Performance Indicators
• Management Review
• Numerical Sequencing
• Periodic Reconciliation
• Pre-numbered Documents
• Proper Authorization
• Safeguard Assets
• Segregation of Duties
• System Configuration
• Transactions Recorded
Means of Achieving Control
• Organization – structured roles
• Policies – principles and guidelines
• Procedures – methods employed
• Personnel – qualifications to perform the job
• Accounting – financial control
• Budgeting – expected results
• Reporting – timely, accurate and meaningful
Controls by Function or Type
• Directive Controls
• Preventive Controls
• Detective Controls
• Corrective Controls
• Manual vs Automated Controls
• Hard vs Soft Controls
Testing Procedures
• Inquiry
• Observation
• Inspection of Physical Evidence
• Re-performance
Factors in Designing Testing Strategy
• Nature of control & significance in
achieving objective
• One control supporting more than one
objective
• Significant changes in volume or nature
of transactions
• Changes in the design of the control
• Degree to which control relies on
effectiveness of other controls
Factors in Designing Testing Strategy (continued)
• Complexity of the Control
• Manual vs. Automated Control
• Existence of Self-assessment Programs
• Entity wide Control
• Frequency of Control
• Timing of Test of Controls
• Changes in key personnel who perform
or monitor the control
Summary
• Several factors must be considered in
determining the nature, timing and extent
of testing
• Management should monitor the quality
and performance of the system of
internal control over time
• To the extent possible, internal controls
should be structured to be self-monitoring and self-correcting
Fitting Into the Bigger Picture
Kimberly Gavaletz
VP, Internal Audit
Lockheed Martin Corporation
Components
• Framework
• Quality
• Keeping It Fresh
Internal Audit’s Obligation & Opportunity
Framework
II. Discussion of Amendments Implementing Section 404
1.B.3 Final Rules …a company’s annual report to include an internal control
report of management that contains…
• A statement identifying the framework used by management to conduct the
required evaluation of the effectiveness of the company’s internal control over
financial reporting;
1.B.3.A Evaluation of Internal Control over Financial Reporting
• …Management must base its evaluation of the effectiveness of the company’s
internal control over financial reporting on a suitable, recognized control
framework that is established by a body or group that has followed due-process
procedures, including the broad distribution of the framework for public
comment. The COSO Framework satisfies our criteria and may be used as an
evaluation framework…However, the final rules do not mandate use of a
particular framework, such as the COSO Framework, in recognition of the fact
that other evaluation standards exist outside of the United States, and that
frameworks other than COSO may be developed within the United States in the
future, that satisfy the intent of the statute…
June 5, 2003
SEC Final Rule: Management’s Reports on Internal Control Over Financial
Reporting and Certification of Disclosure in Exchange Act Periodic Reports
COSO
Control Environment
Foundation – Discipline & Structure
Risk Assessment
Identification & Analysis of Risks to Predetermined Objectives
Control Activity
Policies/Procedures/Practices that
Ensure Objectives are Achieved and Risk
Mitigation Strategies are Carried Out
Information &
Communication
Communication of Control
Responsibilities to Employees in Form &
Timeframe to Execute
Monitoring
Oversight of Internal Controls (Outside
and Inside the Process)
Big Picture Embodied in the Framework
Other Frameworks: Guidance on Assessing Control, Turnbull Report, “Future Developments”
Framework: Ownership
Management Owns: Objectives, Risks, Controls, Monitoring
Internal Audit Performs Independent Assessments/Audits
Key: Management Ownership
Framework: Scope
Today’s Emphasis: Disclosure Controls-302, Internal Controls-404
Integrity of Financial Reporting
Big Picture: Business Objectives
- Financial
- Technical Delivery
- Compliance
Performance with Integrity
Quality
• Who Decides Quality of Controls?
• Who Decides Level of Consistency Needed?
Roles
-Management
-Internal Audit
-External Audit
Drivers
-Rules
-Guidelines
Balance of Controls
Reactive → Proactive → Preventive
Quality: Internal Audit
• Start: Serve as a Facilitator/Partner across
Management and External Auditors
– Start the Dialog
– Determine the Roles
• Options/Steps:
– Independently Assess Existing Quality
Assurance Structure
– Advise Management on the Need and Scope of
a Quality Assurance System
– If Necessary, “Gap Fill” as the Quality
Assurance Function
Keeping It Fresh
• Keep it Fresh
– Continuous Improvement
– Ongoing Involvement
– Utilize Evolving Technology
(Figure: Management, Internal Audit and External Audit surrounding the System of Internal Controls)
Summary
• Focus on the Big Picture
– Framework-Scope-Ownership
• Focus on Quality
– Ownership
– Detection & Prevention
• Keep it Fresh
– Continuous Improvement-Involvement
COSO’s ERM Framework: The Shape of Things to Come
Paul J. Sobel
Vice President, Internal Audit
Mirant Corporation
The New COSO Cube
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
Internal Environment
•Today- An Integral Part of Sarbanes-Oxley 404
–Integrity and ethical values
–Control consciousness and operating style
–Commitment to competence
–Board/Audit Committee participation in
governance
•Tomorrow - Embracing Risk
–Risk management philosophy
–Risk culture
–Risk appetite
Objective Setting
•Today - Financial Statement Assertions
–Access to assets
–Authorization
–Completeness and accuracy
–Existence and occurrence
–Presentation, classification and disclosure
–Rights and obligations
–Valuation or allocation
•Tomorrow - Business Objectives
–Beyond financial objectives
–Formalized risk tolerance levels
Event Identification
•Today - An Ad Hoc Part of Risk Assessment
–Generic risk universes
–Standard risks and definitions
–Few scenarios considered
•Tomorrow - Formal Identification and Analysis
–Answer the questions “What can go
wrong?” and “What needs to go right?”
–Understand events/scenarios (worse case,
most likely, etc.)
–Consider interdependencies (domino effect)
Risk Assessment
•Today - Becoming common, but somewhat superficial
–Tends to be pretty broad
–May only be done in silos
–Minimal support for judgments
–One-time event
•Tomorrow - A Robust, Ongoing Activity
–Integrated with strategic planning
–Inherent and residual risk considered
–Enterprise-wide
Risk Response
•Today - Individual Judgments
–Based on past experience and instinct
–Typically focuses on a single response
–Little consideration to portfolio effect
•Tomorrow - Portfolio Approach
–Identify and evaluate range of possible
responses
–Consider enterprise-wide responses
–A formal process
Control Activities
•Today - Ensuring Adequate Control
–General and application/specific controls
–Preventative and detective controls
–Automated and manual controls
–Routine and non-routine controls
•Tomorrow - Ensuring Objective Achievement
–Integrated with risk response
–Focuses on strategic, operational, financial and
compliance objectives
Information & Communication and Monitoring
•Today - Financial Reporting and Compliance
–Supports financial judgments
–Blend of internal and external information
–Multi-directional communications
–Monitor degree of success
•Tomorrow - Strategic and Operations
–All of the above for all objectives
–Integrated monitoring system
What Does it Mean for Internal Auditors?
• Transition to a Risk Management-Based
Internal Audit Approach
–Internal Environment - Expand focus to
include risk philosophy, risk culture and risk
appetite
–Objective Setting - Obtain understanding of
objectives; determine risk tolerance levels
–Event Identification - Imbed in annual and
process level risk assessments
–Risk Assessment - Lead or facilitate a robust,
ongoing, enterprise-wide process
What Does it Mean for Internal Auditors?
• Transition to a Risk Management-Based
Internal Audit Approach (continued)
–Risk Response - Facilitate identification of
possible responses; bring process orientation
–Control Activities - Link controls back to
objectives; ensure integration with risk
response
–Information and Communication - Evaluate as a
part of every audit (make a separate risk)
–Monitoring - Recommend ways to enhance in
every process
Summary - The COSO Evolution
• 1992 - Groundwork laid, but
not focused for most
companies
• 2002 - Sarbanes-Oxley
brought internal control to
the forefront
• 2004+ - True ERM begins to
take shape
Webcast Summary
• It is essential to be intentional about
planning your testing strategy
• Focusing on quality and continuous
improvement will leverage your control
framework for better results
• COSO ERM framework provides an
opportunity for Internal Audit to help
organizations meet strategic goals
Future Webcasts
• Webcast Steering Committee
• Survey - Input
Thank you for your participation!
Your Comments/Feedback are very important –
please complete the evaluation form and redeem
a discount on an Online Training product.
Email agoodman@theiia.org for more details!