1 What is Internal Audit’s Role in Management’s Assertion The Institute of Internal Auditors May 11, 2004 Xenia Ley Parker, CIA, CISA, CFSA Principal XLP.

Presentation transcript:

1 What is Internal Audit’s Role in Management’s Assertion The Institute of Internal Auditors May 11, 2004 Xenia Ley Parker, CIA, CISA, CFSA Principal XLP Associates

2 The IIA Welcomes New President David A. Richards, CIA, CPA

3 Agenda Introduction & Overview Xenia Ley Parker, XLP Associates Internal Audit’s Role in SOX Larry Harrington, Staples How Solectron Addresses 404 & IT Controls Norman Marks, Solectron Internal Audit’s Role Dennis Drent, Nationwide Insurance Break Q & A

4 What is the Right Role? Organizations have to find the right process to address Sarbanes-Oxley –Internal Auditors have more than one possible role –Maintaining objectivity and independence is critical, whichever role they take on There is no one ‘right’ answer

5 Possible Roles Consideration of Internal Audit Standards and professional practices Other sources of information We’ll look at some of the possible roles –Project management –Consulting –Documentation and testing

6 Internal Audit’s Role in Sarbanes Oxley 302 & 404 Larry Harrington, CPA Chief Audit Executive Staples

7 Professional Practices Framework Definition of Internal Auditing Ethics & Standards Practice Advisories Development & Practice Aids

8 IIA Whitepaper- Internal Audit Role in Sarbanes Oxley 302 & 404 Purpose Summary Role of Management, Audit Committees, and External Auditors Recommended Role for Internal Audit Practical Considerations

9 Purpose of This White Paper Discuss the roles Internal Auditors play today: –Consulting –Monitoring/Testing –Creating the Documentation –Performing the Assessment –Managing the Entire Project Compliance with IIA International Standards –Objectivity –Independence –Evaluation & contribution to improving the company’s risk assessment, control, and governance process

10 Key Operating Principles Sarbanes Oxley creates requirements for Audit Committees, management, and external auditors Management is responsible for implementing the process to meet the requirements of Sarbanes Oxley, not Internal Audit

11 Roles for Internal Auditors Project Management –Participation on project steering committees Objectivity and independence is not impaired when effort is limited to evaluation/recommendation/monitoring (e.g. assessment methodology and tools; definition of documentation standards; communicating project status) Objectivity & independence is impaired when involved in the decision process and the implementation process –Training on project, risk and controls Objectivity and independence is not impaired when creating or delivering training on these topics –Facilitation between management and external audit

12 Roles for Internal Auditors Consulting –Advise on best practices Objectivity and independence not impaired when advising on documentation standards, tools, or test strategies Objectivity and independence is not impaired when advising on the design, scope, or testing frequency, or in assessing management’s testing and assessment process Providing advice on control gaps, reviewing management plans for correcting control gaps, and performing follow-ups to ascertain whether control gaps have been adequately addressed does not impair objectivity or independence.

13 Role For Internal Auditors Documentation and Testing –Provide IA documentation/create new documentation Objectivity and independence not impaired if assisting management in documentation because of limited resources Objectivity and independence is impaired if audit slips into making management decisions Management owns the design/testing process; however, IA may be asked to help. Objectivity and independence is not impaired when IA assists. Objectivity and independence is impaired if IA makes decisions: control design, effectiveness, what to remediate, etc.

14 Roles for Internal Auditors Documentation and Testing (cont.) –Performing a quality assessment review prior to management handoff to external audit does not impair objectivity or independence

15 Audit Committee Disclosure Disclosure to the Audit Committee that the internal auditors’ objectivity or independence has been impaired is required when: –Internal Audit actively participates in making or directing key management decisions –Internal Audit designs, installs, drafts procedures for, or operates such systems –Internal Audit makes key management decisions

16 Contact Information If you have any questions regarding the Professional Practices Framework or guidance materials or you wish to forward additions, contributions or suggestions The IIA at:

17 How Solectron Addresses 404 and IT Controls Norman Marks, CPA Vice President, Internal Audit Solectron Corporation

18 Topics Internal Audit and §404 in 2004 The future for Internal Audit and §404 Assessing the impact of IT control deficiencies

19 IA and §404 in 2004 Project led by Corporate Controller IA consults on controls theory and practice IA (independent) testing of key controls, incl. mitigating/compensating controls IA reports on testing results –Provides an opinion by location/function Controls design & effectiveness Adequacy of documentation

20 IA and §404 in 2004 Retesting of remediated controls Assessment of deficiencies and identification of mitigating/compensating controls –Impact on overall assessment by management Member of Disclosure Review Committee Consider §404 results in §302 assessment, & forming annual IA opinion on internal controls (COSO)

21 The future for IA and §404 How will the role of IA change as §404/§302 practices mature? Integration of §404/§302 testing into audit plan Impact on the charter of IA within the organization Norman’s opinion

22 What is the role of IA? “Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

23 What is the role of IA? It should be more than financial controls Financial controls is more than §404

24 Operations Financial Reporting Compliance Monitoring Information and Communication Control Activities Risk Assessment Control Environment COSO and §404

25 Operations Financial Reporting Compliance Monitoring Information and Communication Control Activities Risk Assessment Control Environment COSO and §404 §404

26 COSO and §404 Operations Compliance with laws and regulations Financial Reporting

27 COSO and §404 Operations §404 Compliance with laws and regulations Financial Reporting

28 COSO and §404 Operations §404 Not included in §404: Management reporting Matters not material to SEC financials Partly included in §404: Controls affecting future periods: IT security contingency planning physical security fraud Efficiency of financial reporting Compliance with laws and regulations Financial Reporting

29 Future role of IA §404 work should be integrated into the risk assessment and audit planning process Don’t limit yourself to §404 –Not even for the next 2 years –You will become defined as only there to do §404 –You will lose your mission and purpose –You will become irrelevant

30 Future role of IA Audit Committee and senior management: “We have: –management’s assessment of internal controls –the external auditor’s assessment” “Why do we also need IA’s opinion?” “We have survived with a limited IA function” “Why do we need a full scope one?”

31 Summary – the future Define the future role Don’t limit yourself to §404 Build an integrated plan, including §404 Communicate and sell your strategic vision – NOW!

32 IT control deficiencies Key Control Control Assertion

33 IT control deficiencies Key Control User procedure Automated process Control Assertion

34 IT control deficiencies Key Control User procedure Automated process Test Control Assertion

35 IT control deficiencies Key Control User procedure Automated process Test Control Assertion IT general controls Development & Maintenance Operations Program security

36 IT control deficiencies Key Control User procedure Automated process Test Control Assertion IT general controls Development & Maintenance Operations Program security

37 IT control deficiencies Key Control User procedure Automated process Test Control Assertion Deficiency IT general controls Development & Maintenance Operations Program security

38 IT control deficiencies Key Control User procedure Automated process Test Control Assertion Deficiency IT general controls Development & Maintenance Operations Program security

39 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact

40 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact 2. Could it result in financial reporting error? No Yes no §404 impact

41 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact 2. Could it result in financial reporting error? No Yes no §404 impact 3. Are there detective controls? no §404 impact Yes No Test

42 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact 2. Could it result in financial reporting error? No Yes no §404 impact 3. Are there detective controls? no §404 impact Yes No Test 4. Are there compensating controls? no §404 impact Yes No Test §404: Assess accounts affected

43 Internal Audit’s Role Dennis Drent, CPA Senior Vice President, Office of Internal Audit Nationwide Insurance

44 IAPMO Internal Audit “hired” as Section 404 Project Manager by Management with Audit Committee approval

45 IAPMO Coordinate, consult on or perform documentation, gap analysis and remediation

46 IAPMO Maintain documentation Coordinate, consult on or perform documentation, gap analysis and remediation

47 IAPMO Maintain documentation Coordinate quarterly control certification and management verification processes Coordinate, consult on or perform documentation, gap analysis and remediation

48 IAPMO Maintain documentation Coordinate ongoing gap analysis and remediation Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate quarterly control certification and management verification processes

49 IAPMO Maintain documentation Coordinate ongoing gap analysis and remediation Coordinate with Legal and Finance and report conclusions to Disclosure and Audit Committees Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate quarterly control certification and management verification processes

50 IAPMO Maintain documentation Coordinate ongoing gap analysis and remediation Coordinate with Legal and Finance and report conclusions to Disclosure and Audit Committees Perform independent testing of controls providing certification Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate quarterly control certification and management verification processes

51 Support Management Assertions Summary of Key Points: Ownership of control resides with business through the control certification process Internal Audit manages certification process and is in a position to perform real time analysis of control adequacy and ensures ongoing quality of control documentation Internal Audit develops deep understanding of link between controls and financial statements assertions; this provides value-added consulting services

52 Support Management Assertions Summary of Key Points (continued): Internal Audit, Finance and Legal jointly interpret “open items” for potential deficiency in a legal sense Works with External Auditor to ensure effective and efficient audit Internal Audit assures sustainability of Section 404/302 process

53 Looking Forward Maintenance of documentation and ongoing gap analysis will be core of what we do - “real time” auditing Sarbanes 404 will be embedded with NW ERM process in development Bolt operational and compliance controls on to Sarbanes controls data base over time to create full audit universe

54 To your questions, (Click link to left)

55 To Get Your CPE Certificate Click Here

56 Special Webcast May 25, 2004 “Does your SOX 404 work measure up? Hear what will satisfy your CPA firm!” See you at our next webcast!

57 June 8, 2004 “Anti Fraud Programs”

58 Webcast Evaluation