1 404 Readiness Review: Documenting Your System of Internal Control The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act May 21, 2003.

Presentation transcript:

1 404 Readiness Review: Documenting Your System of Internal Control The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act May 21, 2003, 1:00 – 2:30 pm Eastern Time

2 The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L.L.P

3 Webcast Series on SOA Fostering Compliance with SOA: Internal Auditor’s Role Four sessions archived on IIA’s website and available on CD Originally aired January 28 – April 15, 2003

4 Webcast Series on SOA - Continues Emerging Trends & Best Practices in Implementing SOA Six Sessions archived on IIA’s website and available on CD May 21 – 404 Readiness Review: Documenting Your System of Internal Control June 10 – Helping the Audit Committee Implement Complaint Handling Remaining sessions with your input will be on July 8, August 12, September 9 and September 30

5 Agenda
1:00 Introductions and Overview
1:10 Critical Decisions on Documenting Internal Controls - Bill Gassel
1:20 Implementing Sarbanes-Oxley Sec. 404 - Dennis Drent
1:30 Maintaining Objectivity - Paul Sobel
1:45 Break
1:50 Questions and Answers - Panel
2:25 Wrap up - Jim Key

6 Critical Decisions for Documenting Internal Controls Bill Gassel, CPA Director of Internal Audit Emerson

7 Chronology
Nov ’02: Formed core team & established goals & timetable
Nov ’02: Selected the documentation methodology & created a pilot questionnaire
Dec ’02: Conducted pilots at 9 sites worldwide
Dec ’02: Started on website to facilitate documentation collection
Jan ’03: Led training and documentation rollout
Mar ’03: Divisions completed documentation (tremendous effort); Internal Audit reviewed for sufficiency
May ’03: Executing the testing plan

8 Key Initial Decisions Documentation decisions made early on: Where? What format (narratives, flowcharts, questionnaires, or a combination)? What accounts or processes? How much must be documented? Who should certify? Who will own/maintain the documentation? How to train everyone?

9 Location Table

10 Example Documentation

11 Guidance for Control Descriptions
Note: "Yes" answers require the following criteria:
1. Describe the control procedure in detail.
2. Who performs the control (employee title) and who reviews it?
3. Frequency of control (daily, monthly, quarterly, etc.).
4. Automated system or manual control.
"No" answers require:
1. What mitigating controls exist to achieve the control objective.
2. Who performs mitigating controls & how often?
3. If no mitigating controls exist, how will the deficiency be fixed?
"N/A" answers require:
1. Explain 'why' the control does not apply to the location.

12 Beneficial Steps Executive management support obtained Involved the Controllership function early Communicated early with KPMG and E&Y to interpret likely standards Standardized the documentation format Used pilot process to gain practical insights Collaborated with internal process experts to validate questionnaire focus

13 Beneficial Steps Held central training for all Finance Officers Created an “Example Completed ICQ” Tailored the questionnaire for smaller and international sites Reviewed a majority of the documentation for sufficiency Started testing controls 5 months prior to year-end (10 – 12,000 hours of effort) - significant locations first

14 Current 404 Considerations Develop Evaluation Methodology with Management –Which locations and controls will be tested? Accumulating and aggregating the testing results Broadening the evaluation methodology into ERM Migrating Control Questionnaire platform to CSA process Minimizing redundancy of testing between Internal and external auditors Availability of qualified staff

15 Steps in Implementing Sarbanes-Oxley Sec. 404 Dennis Drent Vice President – Internal Audit Nationwide Insurance

16 Implementing Sarbanes-Oxley § 404

17 Implementing Sarbanes-Oxley § 404

18 2. Develop evaluation strategy including use of technology
“CEO friendly” technology solution.
Lotus Notes database allows for analysis and reporting.
No flow charts.
Used drop-down boxes for everything we could.
Control and executive owners versus process owners.
Internal Audit “owns” the database - the business owns the controls.

19 Implementing Sarbanes-Oxley § 404

20 Implementing Sarbanes-Oxley § 404

21 5. First quarter certification and verification process completed
Control and executive owners certify in database - separate verification process.
30% of controls were changed, over 100 controls eliminated.
Internal Audit administers “change” questionnaire and consults on verification procedures.
Results of control certification/verification process reported to Disclosure Committee.

22 6. Control scrubbing, gap analysis, and control evaluation
Time to bring in the external auditors - jointly define “internal control adequacy.”
At this point, most work performed by external auditor will be “audit services” and therefore mitigates independence conflict.

23 Implementing Sarbanes-Oxley § 404: Section 404 Steps Completed (timeline chart, Jun – Dec). Rows: Control scrubbing, gap analysis, and control evaluation; Revise/redesign controls as deemed necessary (marked XX); Management prepared to assert; KPMG attestation work.

24 Implementing Sarbanes-Oxley § 404: Section 404 Steps Completed (timeline chart, Jun – Dec). Rows: Control scrubbing, gap analysis, and control evaluation; Revise/redesign controls as deemed necessary; Management prepared to assert (marked X); KPMG attestation work.

25 Implementing Sarbanes-Oxley § 404: Section 404 Steps Completed (timeline chart, Jun – Dec). Rows: Control scrubbing, gap analysis, and control evaluation; Revise/redesign controls as deemed necessary; Management prepared to assert; KPMG attestation work (marked XXX).

26 Maintaining Objectivity Paul Sobel Vice President, Risk Assessment Aquila, Inc.

27 Corporate Governance Framework Corporate Stakeholders Board of Directors Governance “Umbrella” Risk Management Senior Management Risk Owners Assurance Internal Auditors External Auditors

28 Sarbanes-Oxley Act Board of Directors Governance “Umbrella” Risk Management Senior Management Risk Owners Assurance Internal Auditors External Auditors Sec. 404 Corporate Governance Framework

29 Objectivity Standards Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest. –State of mind –Personal feelings or prejudices shouldn’t distort the facts Cannot act in a management role or make management decisions

30 The Audit Process
Audit Phase | Approach | Audit Evidence
1. Project Objective | Determined in Annual Audit Plan | Planning Memo
2. Risk Assessment | Identify/Assess Key Risks | Risk Memo/Matrix
3. Process Design | Understand Process and Identify Key Controls | Flowcharts & Memos
4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
5. Process Effectiveness | Develop and Execute Testing Plan | Testing Results
6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
7. Reporting | Communicate Results | Audit Report

31 The Sarbanes-Oxley 404 Process
Audit Phase | Approach | Audit Evidence
1. Project Objective | Understand S-O 404 Requirements | Project Planning Memo
2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | F/S / Risks / Assertions Linkage
3. Process Design | Understand Processes & Identify Key Controls Over Financial Reporting | Flowcharts & Memos
4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Testing Results
6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Self Assessments and Audit Reports

32 Maintaining Objectivity
Audit Phase | Approach | What Can IA Do?
1. Project Objective | Understand S-O 404 Requirements | No issues; objectives set by 3rd party (SEC)
2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | Make risk judgments; must gain mgmt. concurrence
3. Process Design | Understand Processes & ID Key Controls Over Financial Reporting | Document processes; based on mgmt. input and validation
4. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt.
5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Determine what to test and evaluate test results
6. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt.
7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Facilitate/gather assessment results

33 Summary Internal Audit can lead a Sarbanes-Oxley 404 project Documentation phase is no different than that required in an audit –IA’s objectivity is not impaired if they lead the documentation efforts It is important to engage management to validate judgments and decisions –They must own the results, not IA Communicate consistently with your external auditors to ensure they understand how your objectivity has not been impaired It’s not an objectivity issue; it’s an ownership issue!

34 Break 5 min break followed by Poll

35 Questions & Answers your questions to

36 Webcast Summary Engage management to develop control evaluation strategy Work with external auditors to reduce duplication Leverage technology to support process Internal audit can own the process Objectivity is a state of mind