Internal Control & Sarbanes-Oxley Act


Internal Control & Sarbanes-Oxley Act
ERPANET Workshop, Antwerp, April 14, 2004
PwC

© 2000 PricewaterhouseCoopers. PricewaterhouseCoopers refers to the individual member firms of the world-wide PricewaterhouseCoopers organisation. All rights reserved.

Agenda
- Background
- The Sarbanes-Oxley Act - An Overview
- Approach to 404 readiness

Background

So let's now have a look at some of the background of the Act.

Reasons for New Legislation

Congressional Votes

Sarbanes-Oxley Act: Yes 522, No 3, Not voting 9
Legalizing Marijuana**: Yes 93, No 310, Not voting 31
Securities Litigation Reform Act: Yes 387, No 130, Not voting 15
Authorizing Force against Iraq: Yes 373, No 156, Not voting 12
** House of Representatives only

Just to show you how convinced the American Congress was about the Act, have a look at these voting results.

Criminal Penalties

Escaping from prison: 1 to 2 years
Kidnapping involving ransom: 3 to 5 years
Second degree murder: 11 to 14 years
Air piracy: 20 to 25 years
Sarbanes-Oxley Certification: 10 to 20 years

And the severity of these criminal penalties.

Is all wisdom coming from the US…?

"Americans will always do the right thing… after they have exhausted all other options."
Sir Winston Churchill

The Sarbanes-Oxley Act - An Overview

Titles of the Act
- I. Public Company Accounting Oversight Board
- II. Auditor Independence
- III. Corporate Responsibility
- IV. Enhanced Financial Disclosures
- V. Analyst Conflicts of Interest
- VI. Commission Resources and Authority
- VII. Studies and Reports
- VIII. Corporate and Criminal Fraud Accountability
- IX. White Collar Crime Penalty
- X. Corporate Tax Returns
- XI. Corporate Fraud and Accountability

SOX of 2002: "An Act to protect investors by improving the accuracy and reliability of corporate disclosures ………"

Title I, PCAOB: must establish rules or adopt standards requiring auditing and related attestation standards.

SOX: Who will be affected and how?

Executives:
- Responsibility for financial reporting and keeping the markets informed
- Certifications:
  - 302 "Disclosure controls & procedures"
  - 404 "Internal controls for financial reporting"
  - 906 "CEO/CFO's written statement on fairness"
- Implement Code of Ethics and whistleblower procedure

Supervisory Board:
- Enhanced oversight
- Appointment of a "financial expert"

Auditors:
- Independence
- Attestation on internal controls

Definition of "internal control over financial reporting": encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives, including controls over safeguarding assets.

SOX: Section 302 certification

Section 302 requires (starting March 2002): quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DC&P) supporting the quality of information included in such reports.

Representations by CEO and CFO as required by Section 302 to include:
- Review of report: no untrue statement or omission of facts & fair presentation of financial position, results and cash flow
- Responsibility for design and maintenance of controls & controls effective during 90 days prior to filing
- Disclosure of deficiencies in internal control and fraud to AC and auditor
- Significant changes that affect internal control and management response

Actions:
- Enhance DC&P assessment and turn it into a consistent and continuous process
- Ensure coverage of the entire organization (incl. all material subsidiaries)
- Embedding into regular review and monitoring processes

Disclosure controls and procedures need to ensure that information required to be disclosed by the issuer is recorded, processed, summarized and reported, and is accumulated and communicated within the time periods specified in the Commission's rules and forms.

SOX: Section 404 certification

Section 404 requires (domestic / foreign as of FY ending 15 November 2004 / 15 April 2005): an annual management report regarding the effectiveness of internal control over financial reporting, and attestation by the company's auditors as to the accuracy of management's assessment.

Representations by CEO and CFO as required by Section 404 to include:
- Management responsibility for adequate internal controls
- Conclusion about management's evaluation of internal controls for financial reporting

Actions:
- Documentation of processes & internal controls (process/activity, risk, control, responsibility)
- Management's evaluation of effectiveness (audits and self assessments)
- Attestation by external auditor

Attestation by the auditor on management's report on internal control requires:
- Management accepts responsibility and assesses internal controls
- Controls are suitably designed and appropriately documented

Internal control is the process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations

SOX: Section 404 Assessment
- Management's assessment must be based on procedures sufficient both to evaluate design and to test operating effectiveness
- Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness
- Any material weakness in internal control over financial reporting precludes management from reporting that internal control is effective
- Reiteration of guidance regarding independence: auditors may assist management in documenting internal controls. Management must be actively involved in the process; it cannot delegate assessment responsibility to the auditor

KEY POINT: Management's documentation is key and is required to be maintained as evidential matter to support its assessment. Prior to the final issuance of this Rule, many companies were wavering on the necessity of documenting their internal controls; however, the final rule makes it clear that documentation of both their internal controls and their assessment of the design and operating effectiveness must be maintained. Management must also report any material weaknesses they identify, and such weaknesses will preclude them from reporting that internal control is effective.

SOX: Scope of 302 and 404
- 302: Disclosure controls and procedures
- 404: Internal controls & procedures for financial reporting (COSO & "CobiT")

[Diagram labels: Disclosure Requirements; Disclosure Controls and Procedures; Internal Accounting Controls (Compliance & Regulatory, Operations, Financial Reporting); Internal Controls Over Financial Reporting. Other aspects of Compliance and Operations relate to DC&P.]

SOX: Meeting SEC Expectations
- Compliance with COSO control standards (or other accepted standards; the IT Governance Institute recently recommended CobiT for general IT controls assessment)
- Clear documentation of internal controls as well as the testing processes
- Evidence that management has evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls
- Evidence that the auditor has adequately evaluated the design and operation of financial controls
- Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls

SOX: Auditor Responsibility (1)
- Independent evaluation of design effectiveness
- Independent tests of operating effectiveness
- Use of internal audit and management tests will need to be assessed to determine how they impact the nature, timing and extent of auditor testing
- Requires some re-performance for each significant account, class of transactions, and disclosure

Independent testing:
- Limited use of or inability to use tests performed by others, e.g. internal audit
- Monitoring function may impair objectivity and ability to use in direct assistance
- Precluded from using internal testing related to certain controls

SOX: Auditor Responsibility (2)

Auditors' Report:
- On management's assertion, if internal control is effective, or
- Directly on the ineffectiveness of internal control over financial reporting

Findings reported include:
- Significant Deficiency (referred to in the body of the opinion): a deficiency that could adversely affect an entity's ability to initiate, record, process and report financial data
- Material Weakness (results in an "except for" qualified report): a deficiency that precludes the entity's internal control from reducing to an appropriately low level the risk that a material misstatement will not be prevented or detected on a timely basis

Approach to 404 readiness

Approach to 404 readiness

Recommend a sound but practical approach:
- Maximise what has already been achieved and is internally available
- Anticipate upcoming changes
- Value Added Approach

Goals from Sarbanes-Oxley efforts:
- Value Added Approach: seek out operating improvements and identify best practices (avoid "process fatigue")
- Appropriate Control Documentation: formal management process to maintain compliance throughout the organization (opportunity for ROI)
- Enabling Technology: use technology throughout the organization to facilitate assessment and communication (compliance would otherwise add recurring costs)

Considerations

Appropriate control documentation:
- Compliance with SOX 404 regulations and proof of compliance
- Timely identification of control weaknesses
- Facilitation of prioritization of remedial actions and action tracking
- Provides basis for attestation by the auditors

Enabling technology:
- Consistency and quality of controls documentation
- Transparency of weaknesses and improvement areas
- Maintenance and improvement of controls documentation
- Linkage to other risk and quality initiatives
- Auditability of controls
- Facilitation of project management

Project Structure
- Top down: develop at the center, execution by opco's with support of "Group" teams
- Development of process and controls standards by corporate & "Group" teams
- Methodology to be developed by the corporate project team and tested and tailored at a pilot site (opportunity: extrapolate best practices)
- Based on Blueprint Internal Control Framework (guidelines following COSO/CobiT) and Roadmap (project steering)

Organisation: Steering Committee, SOX 404 Core Project Team, Group Team, ICT Team

Project Responsibilities

Corporate project team also responsible for:
- Communication to divisional teams
- Monitoring of progress
- Consolidation/consistency
- Quality assurance on divisional input
- Change management and training
- Coordination with steering committee

- Quality, progress and consistency of opco activities and deliverables to be assured by project teams on Group level
- Execution and addressing control gaps is the responsibility of each opco
- Decision to be taken on full roll-out or selected companies only

Project Steps

Step 0.1 Project setup
- Initial awareness, project owners, resources, budget
- Project team: roles & responsibilities

Step 0.2 Develop Blueprint "Internal Control Framework" (COSO/CobiT)
- Internal control requirements, objectives & components (control environment, risk assessment, control activities, monitoring, information & communication): guidelines & tools

Step 0.3 Develop Roadmap
- Project time line, organisation & quality assurance
- Project communication, training and information sessions

Next Steps…

Phase 1: Project Preparation & Mobilisation
- Step 1: Mobilisation & Project Management
- Step 2: Information Gathering & Project Planning

Phase 2: Execution
- Step 3: Setting the Scope for Pilots
- Step 4: Pilot Execution & Completion of Templates
- Step 5: Roll-out at the Selected Opcos

Phase 3: Evaluation
- Step 6: Evaluating Results & Gap Analysis
- Step 7: Assessment & Testing
- Step 8: Internal Reporting
- Step 9: External Audit & Action Planning

Next steps… Phase 1: Preparation & Mobilisation

Step 1: Mobilisation & project management
- Project organisation, project plan and initial communication
- Establishment of communication channels

Step 2: Information gathering & detailed planning
- Overview of key processes
- Selected Opcos for pilot and full roll-out
- Communication and training plan
- Detailed project plan & status reporting template
- Documentation templates

Next steps… Phase 2: Execution

Step 3: Setting the scope for the pilots
- Key business processes relevant for reporting
- One pilot for each selected process
- Communication to all selected Opcos

Step 4: Pilot execution and completion of templates
- Templates to be rolled out to all Opcos
- Trained Opco representatives
- Updated control self assessment questionnaire
- Updated detailed roll-out planning

Step 5: Roll-out at the selected Opcos
- Populated documentation for all selected Opcos

Next steps… Phase 3: Evaluation

Step 6: Evaluation of results & gap analysis
- Assessment of key controls
- Identification of gaps (internal control weaknesses)
- High level action plan for improvement (closing the gaps)
- Completed and validated documentation on process, risk and controls

Step 7: Assessment & testing
- Testing plan and execution of internal testing

Step 8: Internal reporting
- Overview of the assessment process
- Reported conclusions on effectiveness of internal control, weaknesses and reportable conditions, and improvement actions
- Clear process for 302 certification and 404 reporting
- Definition of the text of the 302 certification and 404 reporting in SEC filing

Selecting relevant Business Units

1. Is the location or business unit individually important?
   Yes: evaluate documentation and test significant controls at each location or business unit.
   No: continue with 2.
2. Are there specific significant risks?
   Yes: evaluate documentation and test controls over the specific risks.
   No: continue with 3.
3. Are there locations or business units that are not important even when aggregated with others?
   Yes: no further action required for such units.
   No: continue with 4.
4. Are there documented entity-wide controls over this group?
   Yes: evaluate documentation and test entity-wide controls over the group.
   No: some testing of controls at individual locations or business units is required.

SOX: How does IT fit in?

[Four slides, (1) to (4): matrices mapping CobiT (Control Objectives for information and related Technology) control objectives to the COSO components Control Environment (CE), Risk Assessment (RA), Control Activities (CA), Information & Communication (IC) and Monitoring (M). Only the "x" marks survived extraction; the row labels are not recoverable.]