1 Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation
2 Looking ahead: How upcoming rules and legislation might expand and alter internal auditing's roles The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Session #4 - April 15, 2003
3 The Webcast Series on Sarbanes-Oxleys Impact on Internal Auditing January 28 - Disclosure Controls* March 3 - Annual Certification of Internal Controls* April 1 - Coordination of Internal & External Audit Work* April 15 - Looking Ahead to Future Changes Impacting Internal Auditing* *Available on CD Rom and online archive for one year r
4 1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards 1:10 - 1:20SEC SOA Actions – Status Update – Greg Faucette 1:20 - 1:30Future for External and Internal Auditors – Andy Dahle 1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach 1:45 - 1:50Break 1:50 - 2:25Questions & Answers – Panel 2:25 - 2:30Concluding Remarks – Dave Richards Agenda
5 Audit Committees: Independence Financial Expert Direct Responsibility for External Auditor Code of Conduct complaints Engage advisors Reporting requirements Annual Assessment of performance Management: Certification of quarterly and annual financials Assessment of Disclosure Controls Annual Assessment of internal controls Penalties for false or misleading information Code of Ethics for Senior Officers SOA Areas
6 External Auditor Prohibited services Independence requirements & disclosures Quality assurance disclosures to audit committee Attestation opinion on annual internal control assessment Public Company Accounting Oversight Board (PCAOB) Audit partner rotation every 5 years SOA Areas
7 Handling the Future As the present reflects the past, so will the future reflect the present Actions we can take to prepare: 1. Knowledge of changes (stay in front) 2. Share your knowledge 3. Prepare for what you know is coming 4. Be proactive with your management and the audit committee 5. Prepare internal audit department staff for changes (e.g., focus on internal controls and financial issues)
8 Handling the Future Actions we can take: 6.Partner with your external auditors & third party providers to build the most flexible team 7.Dont be afraid to fail!! 8.Listen to your internal customers 9.Develop a strategy (vision) of what you want to become 10.Take advantage of opportunities (find someone looking for help and help them)
9 Internal auditing as a proactive function Staying in touch with changes Focus on financial auditing theory Staff skills & qualifications Scope of work for internal auditing Working relationship with external auditors Audit committee support & involvement Training needs for audit committee, internal audit, and management Resources for internal audit department Willingness to change Having the right strategic plan Issues
10 Agenda 1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards 1:10 - 1:20SEC SOA Actions – Status Update – Greg Faucette 1:20 - 1:30Future for External and Internal Auditors – Andy Dahle 1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach 1:45 - 1:50Break 1:50 - 2:25Questions & Answers – Panel 2:25 - 2:30Concluding Remarks – Dave Richards
11 SEC SOA Actions – Status Update Gregory A. Faucette Professional Accounting Fellow Office of the Chief Accountant Securities and Exchange Commission
12 Disclaimer The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. Therefore, the views expressed today are my own, and do not necessarily reflect the views of the Commission or the other members of the staff of the Commission.
13 Sarbanes-Oxley Act of 2002 Components of the SOA –Title I – Public Company Accounting Oversight Board –Title II – Auditor Independence –Title III – Corporate Responsibility Certifications Audit committee standards Improper influence of auditors Insider trading during pension fund blackouts Conduct standards for attorneys
14 Sarbanes-Oxley Act of 2002 Components of the SOA - Continued –Title IV – Enhanced Financial Disclosures MD&A disclosures Non-GAAP financial measures Reporting on internal controls Disclosures about code of ethics Disclosures of audit committee financial expert Accelerated reporting deadlines –Title V – Analysts Conflict of Interest Regulation Analyst Certification (Reg AC)
15 Sarbanes-Oxley Act of 2002 Components of the SOA - Continued –Title VI – Commission Resources and Authority –Title VII – Studies and Reports –Title VIII – Corporate and Criminal Fraud and Accountability –Title IX – White Collar Crime Penalty Enhancements –Title X – Corporate Tax Returns –Title XI – Corporate Fraud Accountability
16 Remaining SOA Requirements Declare the PCAOB functional (April 26, 2003) Complete a study on principle based accounting system (July 30, 2003) GAO to complete a study on mandatory auditor rotation (July 30, 2003) Complete rulemaking on improper influence on conduct of audits (April 26, 2003) Complete a study on SPE use and related financial reporting (October 7, 2004) Complete rulemaking on management assessment of and auditor reporting on internal controls Additional rulemaking on analyst conflicts of interest by either Commission or SROs (July 30, 2003)
17 Other Related To Dos Recognize an accounting standard setting body Complete rulemaking on procedure for filing Section 302 and Section 906 certifications Consider further rulemaking on professional conduct of attorneys practicing before the Commission Complete rulemaking on mandated electronic filing and website posting for Forms 3, 4, and 5 Consider rulemaking as necessary for disclosure on a rapid and current basis Complete rulemaking on MD&A disclosure of critical accounting policies
18 Possibilities? Rulemaking on material correcting adjustments identified by auditors
19 Thoughts for Internal Auditors Uniquely positioned within organizations to effect improved internal control, financial reporting and corporate governance Possible role in compliance with Section 404 certification process Monitor other developments from the trickle- down effect of Sarbanes-Oxley
20 Agenda 1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards 1:10 - 1:20SEC SOA Actions – Status Update – Greg Faucette 1:20 - 1:30Future for External and Internal Auditors – Andy Dahle 1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach 1:45 - 1:50Break 1:50 - 2:25Questions & Answers – Panel 2:25 - 2:30Concluding Remarks – Dave Richards
21 Andrew J. Dahle, CIA, CPA, CISA, CFE Partner, Internal Audit Services PricewaterhouseCoopers Future for External and Internal Auditors
22 Looking Ahead to Future Changes Impacting Internal Auditing
23 Future for External Auditors Increased focus on risks and controls Enhanced perceived value of internal control assurance - impacts cost also Focus on quality PCAOB impact COSO is being embraced by clients like never before Enhanced respect for hard decisions
24 Future for Internal Audit- Near Term Expectations: The bar is rising Resources: Cannibalization or augmentation? Coordination: More coordination between external and internal auditor Focus: Current swing towards financial Objectivity: More is better Testing: Scope requires judgment Significance of issues: Where is the line? Quality: Standards require
25 Evolving Approaches to Internal Audit Involvement with SOA Certification The top-down assurance model The separate evaluation model The blended model Links to Controls Maturity
26 Potential Internal Audit Roles Review Evaluate what is there Recommend Changes and improvements Repair Help improve Report (1) On effectiveness of changes Not operate Note (1): External reporting role mandated to the external auditor
27 Future for Internal Audit Internal audit quality Internal audit impact on governance Enterprise wide risk management - optimized internal control maturity Internal controls over non-financial measures An integrated approach to 302 and 404 Sustaining SOA controls assessments Fraud risk management Mandatory requirements for internal audit
28 The Bar is Rising on Internal Audit Expectations
29 Agenda 1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards 1:10 - 1:20SEC SOA Actions – Status Update – Greg Faucette 1:20 - 1:30Future for External and Internal Auditors – Andy Dahle 1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach 1:45 - 1:50Break 1:50 - 2:25Questions & Answers – Panel 2:25 - 2:30Concluding Remarks – Dave Richards
30 Future for Others Impacted by the SOA James DeLoach Managing Director Protiviti
31 What We Can Expect SOA is here to stay Continuation of expectations gap More SEC rule making and new exchange listing requirements More aggressive, less forgiving regulators Increasingly demanding shareholder activists Market premium for increased transparency and restoring investor confidence
32 Trends: Senior Management The raised bar will drive emphasis on restoring trust in the investing community Controls more repeating, defined and managed Improve entity-level analytics and monitoring Emphasis on keeping disclosure process fresh Enterprise-wide risk management builds upon disclosure controls and procedures Renewed focus on ethical behavior and responsible business practices
33 Trends: Board of Directors Reevaluate independence standards and restructure board committees Increased attention on senior management compensation and loans Become more anticipatory and proactive Hold more executive sessions and increase influence of independent directors Increase focus on business risk Increase emphasis on corporate performance Review board and director performance
34 Trends: Audit Committees More aggressive and assertive Inclusion of financial experts Increased need for independent advisors Pay close attention to feedback from whistleblowers and the complaint process Oversee 302 and 404 compliance processes Broadening of risk focus
35 Trends: Unit Management Support of and provide resources to 404 compliance Increased accountability for effects of decisions and change on: –Internal control structure –Public reporting Increased focus on developing more robust business plans
36 Trends: Process Owners Document and support control design and assume accountability for control operation Timely follow-up on implementing control improvements Self-assessment will become common practice Balancing responsibility for monitoring processes at entity and process levels Opportunity to broaden focus to compliance and operational controls
37 Trends: External Auditors No reward for under-scoping and risk-taking Higher audit fees Expect: –Less tolerance for errors, omissions and exceptions –Increased skepticism and insistence on supporting evidence –More probing questions –The unexpected Increased emphasis on appearance of independence
38 Agenda 1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards 1:10 - 1:20SEC SOA Actions – Status Update – Greg Faucette 1:20 - 1:30Future for External and Internal Auditors – Andy Dahle 1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach 1:45 - 1:50Break 1:50 - 2:25Questions & Answers – Panel 2:25 - 2:30Concluding Remarks – Dave Richards
39 Agenda 1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards 1:10 - 1:20SEC SOA Actions – Status Update – Greg Faucette 1:20 - 1:30Future for External and Internal Auditors – Andy Dahle 1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach 1:45 - 1:50Break 1:50 - 2:25Questions & Answers – Panel 2:25 - 2:30Concluding Remarks – Dave Richards
40 Agenda 1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards 1:10 - 1:20SEC SOA Actions – Status Update – Greg Faucette 1:20 - 1:30Future for External and Internal Auditors – Andy Dahle 1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach 1:45 - 1:50Break 1:50 - 2:25Questions & Answers – Panel 2:25 - 2:30Concluding Remarks – Dave Richards
41 Webcast Summary Webcast #1: SOA 302 Disclosure Controls –Disclosure controls identification –Disclosure controls testing within 90 days of Certification –Disclosure committee participation –Certification process flow –Sub-certification process & need for guidance in preparing documentation to support opinion statement
42 Webcast Summary Webcast #2 - SOA Annual Assessment of Internal Controls –New attestation standards –FDICIA assessment process (1991) –Process for doing 404 assessment –Use of CSA as a tool for assessment supplemented by testing –Use of COSO model to serve as benchmark for control assessment
43 Webcast Summary Webcast #3 - External / Internal Auditors Relationship –Options for relationship –Reliance on internal audit for 404 work –Material weakness and control deficiency definitions –Impact of SOA on internal audit annual plan –Audit committee changing expectations of external and internal auditor coordination and responsibilities
44 Webcast Summary Webcast #4 - The Future Impacts of SOA –The need for proactive involvement by internal audit –SEC actions still pending as a result of SOA –PCAOB impact on external audit future –External providers of services partner for success –Overview of other sections of SOA where internal audit should be active
45 Webcast Summary Key internal audit takeaways : –Cannot sit back and wait –Need to partner with external auditors –Need to be proactive with management –Work closely with audit committee to help drive closure on issues impacting the audit committee –Lead control awareness, assessment, testing, and reporting –Stay involved in the quarterly disclosure controls assessment
46 In Short: Internal Auditing needs to develop a strategy on how it wants to be involved in the many aspects of SO to further their efforts to add value to their organization. Opportunity is Knocking - will you answer?
47 Thank you for your participation! Dont miss our next Webcast series beginning May 6, 2003