The Institute of Internal Auditors May 25, 2004

Presentation transcript:

Does Your SOX 404 Work Measure Up? Hear What Will Satisfy Your CPA Firm!
The Institute of Internal Auditors, May 25, 2004
Phillip Fretwell, CPA, Managing Director, Protiviti, Inc.
4/16/2017 © 2000 KPMG

Agenda
Introduction & Overview: Phillip Fretwell, Protiviti, Inc.
IT Considerations: Lynne Doughtie, KPMG LLP
Using the Work of Others: Tim Messick, Ernst & Young LLP
Gaps & Remediation: Larry Ishol, Deloitte
Break
Q & A

IT Considerations
Lynne Doughtie, CPA, Partner, KPMG LLP

Evaluation Framework – COSO/COBIT (Source: IT Governance Institute)

IT Control Components in an Organization
[Diagram, source: IT Governance Institute. IT considerations in the control environment span the executive and management layers; application controls sit over the business processes (finance, manufacturing, logistics, etc.); IT general controls cover the IT services layer (OS, data, telecom, continuity, networks).]

IT Control Components
IT Considerations in the Control Environment:
  Systems planning
  Governance
  Enterprise policies
  Operating style
  Collaboration
  Information sharing
  Code of conduct
  Fraud prevention programs
IT General Controls:
  Systems security / access
  Change management
  System development
  Computer operations
Application Controls:
  Authorization
  Configuration / account mapping
  Exception / edit reports
  Interface / conversion
  System access

Control Environment
IT management and organization structure
Knowledge and skills
Training
Information architecture
Assessment of risks
Compliance with external requirements
Management of quality
Independent assurance
Internal audit

General Controls: System Security / Access and Change Management
System Security / Access:
  Documented IT security policy and appropriate compliance
  User profile maintenance procedures
  Logical access restrictions
  Periodic review of user access rights and system permissions
  Security activity logging
Change Management:
  Change management procedures and authorizations
  Testing requirements for all changes prior to implementation
  Documentation requirements for system, user and control changes
  Access restrictions for change migrations
  Restricted and monitored production environment changes
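Two of the general controls on this slide, the periodic review of user access rights and the access restrictions on change migrations, are routinely evidenced with a script like the following. It is an added example, not material from the presentation or from any of the firms it names: it takes a constructed access export, an approved access matrix and a constructed change log, and returns the exceptions a reviewer would expect those controls to surface (terminated users still active, access outside the approved matrix, dormant accounts, changes without authorization or testing evidence, and developers migrating their own changes). The field names, dormancy threshold and sample values are assumptions made for the example.

```python
"""Periodic user access review and change-migration check.

Added example, not from the presentation or any of the firms it names: given
a constructed access export and an approved access matrix, flag the
exceptions a periodic review of user access rights should catch, and check
production change records for authorization, testing evidence and separation
between the developer and the person who migrated the change. All field
names and sample values are assumptions made for this example.
"""
from datetime import date

REVIEW_DATE = date(2004, 5, 25)   # date of the review (constructed)
DORMANT_DAYS = 90                 # policy threshold for unused accounts (assumed)

# Constructed access export: one row per account on the application.
ACCOUNTS = [
    {"user": "jsmith",  "role": "AP_CLERK", "status": "active",   "last_login": date(2004, 5, 20)},
    {"user": "mjones",  "role": "GL_POST",  "status": "active",   "last_login": date(2003, 11, 2)},
    {"user": "tleft",   "role": "AP_CLERK", "status": "active",   "last_login": date(2004, 1, 15)},
    {"user": "admin2",  "role": "SYSADMIN", "status": "active",   "last_login": date(2004, 5, 24)},
    {"user": "oldacct", "role": "GL_POST",  "status": "disabled", "last_login": date(2002, 1, 1)},
]

# Approved access matrix signed off by the business owner: role -> users.
APPROVED = {
    "AP_CLERK": {"jsmith", "tleft"},
    "GL_POST": {"mjones"},
    "SYSADMIN": {"admin1"},
}

# Users reported as terminated by HR since the last review (constructed).
TERMINATED = {"tleft"}


def review_access(accounts, approved, terminated, review_date, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for every exception in the access export."""
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # disabled accounts carry no access to review
        user, role = acct["user"], acct["role"]
        if user in terminated:
            findings.append((user, "terminated user still active"))
        if user not in approved.get(role, set()):
            findings.append((user, f"role {role} not in approved matrix"))
        if (review_date - acct["last_login"]).days > dormant_days:
            findings.append((user, "dormant account"))
    return findings


# Constructed change records from a change-management log.
CHANGES = [
    {"id": "CHG-101", "developer": "dev_a", "migrated_by": "ops_b", "approved": True,  "tested": True},
    {"id": "CHG-102", "developer": "dev_c", "migrated_by": "dev_c", "approved": True,  "tested": True},
    {"id": "CHG-103", "developer": "dev_a", "migrated_by": "ops_b", "approved": False, "tested": True},
    {"id": "CHG-104", "developer": "dev_b", "migrated_by": "ops_b", "approved": True,  "tested": False},
]


def review_changes(changes):
    """Return (change id, finding) pairs for change records lacking evidence."""
    findings = []
    for chg in changes:
        if not chg["approved"]:
            findings.append((chg["id"], "no documented authorization"))
        if not chg["tested"]:
            findings.append((chg["id"], "no testing evidence before implementation"))
        if chg["developer"] == chg["migrated_by"]:
            findings.append((chg["id"], "developer migrated own change to production"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, APPROVED, TERMINATED, REVIEW_DATE):
        print(f"ACCESS  {user:8} {finding}")
    for chg_id, finding in review_changes(CHANGES):
        print(f"CHANGE  {chg_id:8} {finding}")
```

In practice the access export and the approved matrix come from different owners (the system administrator and the business process owner), which is what makes the comparison a control rather than a self-attestation; the script's output, together with the sign-off on the matrix, is the evidence retained for the review.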

General Controls: System Development and Computer Operations
System Development:
  System development methodology and monitoring
  System development procedures and authorizations
  Testing procedures, including management and user acceptance
  Documentation requirements for system, users and controls
  Training requirements for new systems
  Post-implementation requirements, including data integrity controls
Computer Operations:
  Backup procedures addressing critical systems and data
  Backup restoration testing
  Offsite storage procedures and authorization controls
  Defined problem management procedures
  Job scheduling procedures and monitoring procedures
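The computer-operations items above include backup restoration testing, a control that is only evidenced by actually restoring and verifying. The following is an added example, not code from the presentation or from any firm it names: it backs up constructed sample files into a tar.gz archive, records a manifest of SHA-256 digests at backup time, restores the archive into a separate directory and verifies every file against the manifest, returning a result that records what was verified, what was missing and what was corrupt. The paths, file names and contents are constructed for the example.

```python
"""Backup restoration test with integrity verification.

Added example, not from the presentation: back up a set of constructed
sample files into a tar.gz archive, record a manifest of SHA-256 digests,
restore the archive into a separate directory and verify every file against
the manifest. The returned result is the kind of evidence a backup
restoration testing control retains. Paths and file contents are constructed
for the example.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample files standing in for critical system data.
SAMPLE_FILES = {
    "gl/journal_2004_04.csv": b"date,account,amount\n2004-04-30,1000,125.00\n",
    "gl/chart_of_accounts.txt": b"1000 Cash\n2000 Accounts payable\n",
}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source; return {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(source.rglob("*")):
            if f.is_file():
                rel = f.relative_to(source).as_posix()
                manifest[rel] = sha256_of(f)
                tar.add(f, arcname=rel)
    return manifest


def restore_archive(archive: Path, target: Path) -> None:
    """Extract regular files only, refusing any member that escapes target."""
    target = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            dest = (target / member.name).resolve()
            if not dest.is_relative_to(target):
                raise ValueError(f"unsafe path in archive: {member.name}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(tar.extractfile(member).read())


def verify_restore(target: Path, manifest: dict) -> dict:
    """Compare restored files with the manifest recorded at backup time."""
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        f = target / rel
        if not f.is_file():
            missing.append(rel)
        elif sha256_of(f) != digest:
            corrupt.append(rel)
    return {
        "expected": len(manifest),
        "verified": len(manifest) - len(missing) - len(corrupt),
        "missing": missing,
        "corrupt": corrupt,
        "passed": not missing and not corrupt,
    }


def run_restore_test(tamper: bool = False) -> dict:
    """End-to-end restoration test; tamper=True simulates a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, restored = root / "prod", root / "restore"
        for rel, data in SAMPLE_FILES.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        archive = root / "backup.tar.gz"
        manifest = make_backup(source, archive)
        restore_archive(archive, restored)
        if tamper:
            (restored / "gl/chart_of_accounts.txt").write_bytes(b"garbage")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(run_restore_test())
```

The manifest must be written at backup time and stored with the offsite copy, not regenerated from the restore, otherwise the comparison proves nothing; the restore step also writes only regular files and refuses archive members whose path resolves outside the target directory.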

IT Control Scoping
Identify applications that support key processes
Determine the nature and location of each application
Identify IT general controls for each application in scope
Focus is on internal control over financial reporting
Scoping template columns: Identified Key Process; Application Name; Underlying Infrastructure/Architecture (Database, Operating System, Hardware); Location Where Application is Hosted; IT General Controls (Security / Access, Change Management, System Development, Computer Operations)

Common Approach
Organize project team and planning
Define the IT areas to be included within the scope of SOX 404:
  Entities and locations
  Key applications to be considered
  Specific control objectives to be achieved
Document key IT areas within scope and identify key controls over financial reporting (control environment, general controls, application controls, process-level IT controls)
Design test plans, perform testing of IT controls, identify control gaps, and develop remediation plans
Update test procedures as necessary

USING THE WORK OF INTERNAL AUDIT & OTHERS
Tim Messick, Partner, Mid-Atlantic Area Control & Methodology Leader, Ernst & Young

PCAOB Std. No. 2: Brief History
Using the work of others was hotly debated in early stages of Standard No. 2
Early drafts severely restricted the reliance external audit could place on others
Final standard brings us much closer to the existing SAS 65 model

Who Can External Audit Rely On?
Internal audit
Third-party firms assisting with 404 (e.g., another CPA firm)
Management
For all of the above, certain restrictions are discussed in Standard No. 2

Considerations in Using Others
Nature of controls & accounts
Competence & objectivity of individuals
Need to re-perform certain of the work
Specific PCAOB restrictions in certain areas
“Principal evidence” must come from the external auditor

Using the Work of Internal Audit
Various models exist in practice:
  IA performing documentation & testing on behalf of management
  IA performing independent testing after management performs their work
  IA providing direct assistance to external audit

Using IA’s Work
Standard No. 2 prohibits relying on others in specific areas:
  Control environment
  Fraud programs & related controls
  Walk-throughs
These must be performed by external audit in all instances
“Principal evidence” needs to be considered

Using IA’s Work (cont.)
Areas where external audit can utilize a significant amount of IA work:
  Routine data processes
  Non-pervasive subjective processes

Using IA’s Work (cont.)
Areas where use of IA work would likely be limited:
  Pervasive controls
  Financial statement close process
  IT general controls

Using IA’s Work (cont.)
Recent PCAOB comments:
  When external audit uses IA in a direct supervision mode, it cannot exceed 20% of “principal evidence”
  Provision of the registered firm regulations
  Work-in-process—more to come

Testing Considerations
Amount of re-testing will be similar to the SAS 65 model, but likely more than in the past:
  Competency and objectivity concerns
  Nature of control
  Who performed it (e.g., IA vs. management)
  Now separately opining on IC, vs. reliance on the FS audit as in the past

Other Comments
As with other 404 areas, nothing is crystal clear
Expect many implementation issues
Clarifications from PCAOB and SEC to come over next several months
Management, IA, and external audit should all be working together closely

Gaps & Remediation
Larry Ishol, CPA, Engagement Partner, Deloitte

Situational Assessment
A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains.
[Chart: percentage complete by activity (Documentation, Evaluation of design effectiveness, Testing of operating effectiveness, Remediation); bars labelled 75%, 47% and 21%]
Time to comply with section 404 is running out…many companies may need to rethink their project timeline—otherwise they are at risk of not complying with the law!
Deloitte recommends that companies complete testing and remediation activities by the end of the third quarter:
  Provides the company with sufficient time to test the operating effectiveness of remediated controls
  Provides the independent auditor with time to complete their audit procedures
Many companies report that testing and remediation activities are more complex and time consuming than planned:
  Lack of guidance for the number of selections or tests to be conducted
  Significant number of control deficiencies
  Difficulty in classifying control deficiencies (i.e., control deficiency, significant deficiency, or material weakness)
  Testing entity-level controls (e.g., control environment)
  Lack of sufficient and qualified resources to perform the work
Implications of not completing testing and remediation activities are significant:
  Insufficient time to remediate material weaknesses
  Adverse opinion on the effectiveness of internal control
  Negative market reaction
  Higher cost of capital

What Constitutes a Gap?
Type                    | Likelihood        | Magnitude
Deficiency              | Remote            | and/or Inconsequential
Significant Deficiency  | More than remote  | and More than inconsequential, or quantitatively significant
Material Weakness       | More than remote  | and Material to the financial statements

Specific Considerations
Each item on this slide is flagged as either a strong indicator of a material weakness (“MW”) or as at least a significant deficiency (“SD”).
Ineffective:
  Audit committee
  Internal audit or risk assessment function
  Regulatory compliance function
  Control environment
Period-end financial reporting process:
  Procedures used to enter transaction totals into the G/L
  Journal entries
  Recurring and non-recurring adjustments to the F/S
Uncorrected significant deficiencies
Identification of fraud of any magnitude on the part of senior management
Antifraud programs and controls
Identification of a material misstatement
Non-routine and non-systematic transactions
Restatement to reflect correction of a misstatement
Selection and application of accounting policies

Sample Remediation Activities
Remediation is simply the process of fixing a deficiency associated with the design or operating effectiveness of a control activity.
Design deficiency:
  Improve controls that have “fixable” design deficiencies
  Implement new controls when the design deficiency is too substantial to be repaired
  Implement new controls when there are no controls in place
Operating deficiency:
  Communicate to the individual responsible for testing the control that he or she must perform the test
  Oversight to ensure that the control is tested in the future

Remediation Challenges
Effective Decision & Governance Process:
  Evaluate and define requirements to effectively remediate gaps
  Prioritize control deficiencies to remediate gaps
  Plan effectively (e.g., long term, short term, budgeting, etc.)
  Cost / benefit / risk analysis models
  Coordinate decisions across business units / locations
Complex Program Management Initiatives:
  Numerous large and small remediation efforts
  Organizationally diverse
  Align remediation with other projects (e.g., system upgrades)
  Achieve timely improvements to demonstrate effectiveness
Significant IT Environment Changes:
  Remediation likely to impact enterprise systems
  Complex security and infrastructure issues
  IT remediation solutions require multi-disciplinary teams
Impact on Human Resources:
  Allocate appropriate resources to design and implement remediation
  Allocate resources to remediation efforts while maintaining ongoing business operations
  Retraining and change management challenges result from remediation
Complex Re-testing and Roll-Forward Testing Activities:
  “Change management” of remediated systems and processes
  Plan and execute re-testing activities
Overall Need for Best Practices:
  Share best practices to minimize duplicative efforts
  Benchmark best methods and techniques to achieve compliance

Taking Action - Remediation Questions to Consider
1. Have you developed a process for classifying control deficiencies?
2. Have you allotted sufficient time to remediate material weaknesses and significant deficiencies prior to year-end?
3. Have you identified resources to assist in remediating controls in technical areas?

Taking Action - Remediation Questions to Consider
4. What is the status of gap analysis?
5. Do you have a process to identify, classify and prioritize gaps and manage your remediation effort?
6. Do you have sufficient skill sets, knowledge bases, etc. to adequately develop and implement solutions to gaps?

To Get Your CPE Certificate

Next session: June 8, 2004, “Anti Fraud Programs”

Webcast Evaluation