1 Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation

2 Coordinating Internal and External Audit Work in Meeting Sarbanes-Oxley Requirements The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Session #3 - April 1, 2003

3 The Webcast Series on Sarbanes-Oxley’s Impact on Internal Auditing January 28 - Disclosure Controls - Available in online archive and on CD Rom March 3 - Annual Certification of Internal Controls- Available in online archive and on CD Rom April 1 - Coordination of Internal & External Audit Work April 15 - Looking Ahead to Future Changes Impacting Internal Auditing Tuesdays from 1:00 - 2:30 p.m. EST

4 Agenda 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards

5 No Relationship - no on-going working relationship with the external auditors; no support given Cost/Benefit Relationship - work performed to support the external auditor is based on reduction in fees Relationship Types

6 Sharing relationship - coordination exists for planning and results sharing to avoid duplication Partnership relationship - fosters joint pre-planning of work, sharing of risk assessments, common audit techniques, and information sharing Relationship Types

7 Criteria for Selecting the Type of Relationship Needed Resources available Charter of internal audit Expectations of audit committee Skill level of internal auditors Risks to the organization Complexity of transactions Organizational interaction needed Cost impacts Values to be derived from coordination

8 Impacts of SOA Common risk model Common control framework Knowledge of processes Leveraging off of prior work Common control testing techniques Material weakness or deficiency definitions The impacts of the quarterly and annual assessment process on the relationship: The impacts of the quarterly and annual assessment process on the relationship:

9 Impacts of SOA Reporting for external purposes Oversight of risks Evaluation of compliance to company policies, laws, and regulations Assessing the control environment Assessing performance Education / training of members Financial statement reviews Helping the audit committee carry out responsibilities in the areas of:

10 Willingness of internal and external auditors to work together? Will resources be available to provide coordinated approach? Are management and audit committee expectations aligned? Issues

11 Do independence issues require more work by external auditors vs. reliance on internal auditor’s work? Is the annual internal audit plan impacted by SOA regarding more financially focused audits which might duplicate external auditor work? Issues

12 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards Agenda

13 Agenda 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards

14 Agenda 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards

15 Agenda 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards

16 Audit Committee Expectations Steve D. Goepfert, CIA, CPA Senior Director, Internal Audit Continental Airlines

17 Changes in Audit Committee Charters Selection/oversight of external auditors Independence, qualifications and performance of external auditors Sec 404: Attestation and certification of internal controls Risk assessment and risk management Legal and regulatory compliance

18 Role/Responsibilities of External Auditors Non-audit services Performance of internal auditors, including staffing and budgets Early coordination for Section 302 and 404 attestation Partner rotation

19 Role/Responsibilities of Internal Audit Principles of conduct Complaint resolution Performance of independent accountants Fraud discussions Annual performance evaluation of audit committee

20 Shared Responsibilities and Impacts Risk assessments Coordination of audit work More audit committee meetings/ standing agenda item for private sessions Sarbanes-Oxley a standing agenda item for meetings

21 Section 404 Impacts Internal control committees Resources Outside parties Independent auditors Company personnel Management of process / risk & control assessments / testing Fees for Sarbanes-Oxley work (documentation/testing) and attestation

22 Agenda 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards

23 Impact on Annual Audit Plan Kimberly Parker Gavaletz VP, Corporate Audit Lockheed Martin Corporation

24 Sarbanes-Oxley Affects on Internal Audit Audit Planning External Auditor Relationship

25 Audit Planning – Pre-Sarbanes-Oxley Trends Broad functional range –Overall business objectives –Financials, programs, I/T… (full risk spectrum) Risk based audit approaches –Focused efforts for maximum value –Optimized internal audit staff sizes & costs “Consulting” emphasis –Encouraged self-governance –Focus on prevention

26 Audit Planning – Evolution Emphasis on financial internal controls –Audit plans & resources shifted –Significant focus on financial reporting & disclosure controls Primarily risk based planning –Still evolving (302 & 404) “Advisory services” –Resources shifted to financial areas –Remainder currently dominated by Sarbanes-Oxley

27 Audit Planning – Path Forward Audit plan emphasis –Must maintain full risk spectrum approach Mixture of coverage & risk based –Still evolving (302 & 404) –Continuous monitoring  continuous auditing

28 Audit Planning – Path Forward “Advisory services” –Evolve Sarbanes-Oxley efforts Incorporate into ongoing policies/processes, monitoring & self-assessments Incorporate into standard audit programs & coverage –Return of management requests and corporate wide initiative emphasis--(indicators of a healthy state)

29 External Auditor Relationship – Types* No relationship Cost-benefit relationship Sharing relationship Partnership relationship * “On the Right Track,” David A. Richards

30 External Auditor Relationship - Evolution Relationships are changing New external auditor rules (SEC+, in-house) Reporting relationships for external auditors Getting ready Examine current relationship state Examine current role of internal audit Level of independence (management, implementation) Continue open discussions Realize unknowns exist Flexibility is key

31 External Auditor Relationship – Path Forward “404” rules will shape/drive Reliance on work of internal audit Content of current internal audit plans/programs Ongoing communications/planning required Set the strategy Accomplish the respective audit plans Manage the relationship

32 Agenda 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards

33 Darryl Briley, CPA Partner KPMG LLP (Much of this discussion is based on proposed SEC rules and Exposure Drafts issued by the AICPA. Management’s assessment of internal control over financial reporting and the related audit of internal control pursuant to section 404 of the Sarbanes-Oxley Act of 2002 will be directed by final rules issued by the SEC and auditing standards adopted by the PCAOB) Reliance on Internal Audit Work

34 Changing Professional Standards Exposure draft of revised SSAE on auditing an entity’s internal controls over financial reporting addresses consideration by external auditor of internal audit role. –Determine the extent that internal auditors monitor the effectiveness of internal controls –Direct assistance by internal audit - potential impairment of objectivity exists when internal audit performs a monitoring function, must evaluate objectivity based on internal audit’s responsibilities –Utilization of tests performed by others

35 Changing Professional Standards External auditor may use the results of internal audit procedures to alter nature, timing and extent of test work; but cannot rely on those results as principal evidence in the internal control audit External auditor must re-perform tests and also perform independent tests with respect to significant accounts, classes of transactions and disclosures

36 Changing Professional Standards External auditor cannot use tests performed by others in testing the control environment, including fraud programs and controls External auditor’s ability to use tests performed by others also is significantly reduced in the following areas: –Pervasive controls (e.g., general controls) –Controls over non-routine and non-systematic transactions (e.g., accounts involving judgments and estimates) –Controls over the process of closing the books and preparing the financial statements

37 Deficiencies A deficiency in design or operation may result from: –A missing control (design) –A control objective is not met by the control (design) –A control is not operating as designed (operating) –The person performing the control does not have the authority or qualifications needed to perform the control (operating) Deficiencies range from inconsequential to material

38 Deficiencies Significant deficiency – could adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements (previously called a reportable condition) Material weakness – precludes the entity’s internal control from reducing to an appropriately low level the risk that material misstatements in the financial statements will not be prevented or detected on a timely basis

39 Deficiencies Significant degree of judgment is required in determining the significance of deficiencies Aggregation of deficiencies may constitute a significant deficiency or material weakness –Numerous or repeated instances of a deficiency –Multiple instances of a deficiency around a common theme

40 Deficiencies In determining whether a significant deficiency is a material weakness also consider: –Range of amounts of misstatement that may result from two or more significant deficiencies –The risk that a combination of misstatements may be material –The amounts or transactions exposed to the deficiency –The overall control environment and other controls

41 Deficiencies The absence of identified misstatements is not a criterion for concluding as to whether significant deficiencies might constitute a material weakness

42 Internal Control Reporting A material weakness precludes an unqualified opinion on effectiveness, and results in either a qualified (“except for”) or an adverse (“internal control is not effective”) opinion on the audit of internal control by the external auditor External auditors reporting on effectiveness of internal control over financial reporting:

43 Internal Control Reporting Misstatements detected in the financial statement audit may alter judgments about the effectiveness of internal control A material misstatement not identified by management is indicative of a material weakness in internal control

44 Need for Coordination The changing environment and the need for coordination Planning Internal control procedures and findings –Renewed emphasis on internal control activities –Sharing findings –Timely communications and remediation of deficiencies Audit committees

45 Agenda 1:00 - 1:10 Introduction & Overview of the Internal and External Auditor Relationship - Dave Richards 1:10 - 1:20Audit Committee Expectations - Steve Goepfert 1:20 - 1:30Impact on Annual Plan - Kimberly Gavaletz 1:30 - 1:40Reliance on Internal Audit Work - Darryl Briley 1:40 - 1:45Break 1:45 - 2:25Questions & Answers - Panel 2:25 - 2:30Concluding Remarks - Dave Richards