UW Financial Reporting Conference May 5, FOUR! AVOIDING THE ICFR ROUGH
Panelists Frank Brod, Microsoft Brian Croteau, SEC John Fogarty, Deloitte Susan Insley, VMware 2
UW ICFR Panel Discussion Frank Brod CAO, Microsoft Corporation
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ SOX at Microsoft by the Numbers +$94B MS reported revenue 430+ worldwide SOX 404 Controls Auditor Scope 95%+ Revenue coverage 80+ IT systems and applications 390 Participants SOX 302 quarterly disclosure
SOX Program Goals Design Respond Improve Manage Prevent material weaknesses or significant deficiencies Anticipate and identify risks Rapid response to remediate deficiencies Provide leadership Ensure costs for compliance are appropriate Compliance above all else Encourage and maintain control vigilance culture throughout the organization
Involvement with Deloitte Work in tandem with Deloitte auditors and ensure transparency and open dialog Objective: Process: Include auditors in key close reviews Alignment of SOX plans Share managements 404 documentation Common process and control walkthroughs Testing designed to maximize auditor reliance
Best Practices Ensure ICFR coverage and compensating controls Controls to validate 10Q/10K and Earnings Release Ensure controls aligned with process changes and evolving risks Adopted FY ending June 30, 2014 Microsoft’s strong program minimized need for new controls Program designed to minimize risk of Material Weakness Standardized template and process to facilitate review individually and in aggregate COSO 2013 Early adoption
Deficiency Evaluation Template IssueIssue #SubcycleRelated ControlRemediation StateRepeat Deficiency Order Tool User Access15031RevenueT1-XXXPendingNo Control Deficiency Description One user was provisioned 'super user' access to the Order tool without documented evidence of approval. Access was deemed to be appropriate. Related SOX Control T1-XXX - Super User access is only available to authorized internal Microsoft employees and cannot be self-granted. Another authorized Microsoft employee Super User must approve and grant this application access role through business process. Related Financial Statement Caption Revenue – Product X COSO Root Cause Control performer or owner didn’t fully understand or perform their roles and responsibilities Deficiency Assessment Likelihood of potential misstatement or omission: remote In summary - The deficiency does not rise above “control deficiency” given that the user access was deemed appropriate and has relevant mitigating controls that further reduce the severity of the control deficiency Compensating Controls T1-UAL: Quarterly review of users with access to high risk SAP Finance roles T1 XX2 - Super user access, which is limited to authorized Microsoft internal users is reviewed on a quarterly basis. The business unit perform a quarterly audit of users with Super Admin role access and request access removal if no longer needed. Remediation Develop and deliver training for users authorized to provision access in the Tool, including awareness of the SOX control requirements relating to retaining documentation of access approvals Conduct a review of users authorized to provision access in the tool to determine if number can be limited further to a small user provisioning group. Finalize the list of users who should continue to be authorized to provision such access. New monthly report for management’s detective review of users authorized to provision access in the tool. Ensure the report is reviewed to determine that there is no inappropriate access.
Thank You
4-0-Four! Avoiding the ICFR Rough Panel Discussion Frank Brod, Microsoft Brian Croteau, SEC John Fogarty, Deloitte Susan Insley, VMware 10
Material Weakness A material weakness is defined as: A deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the registrant’s annual or interim financial statements will not be prevented or detected on a timely basis. 11
Management Review Controls “Reaching a Consensus on Management Review Controls” Recent article in CFO.com By John Fogarty, Partner, Deloitte & Touche LLP PDF copy of article available via Conference URL (printing a copy for personal use only permitted) 12
Evaluating Evidence of Operating Effectiveness of ICFR Determining the Sufficiency of Evidence Based on ICFR Risk Assessment High Misstatement Risk of Financial Reporting Element Medium Low MediumHigh Risk of Control Failure More Evidence
THANK YOU