Does Your SOX 404 Work Measure Up? Hear What Will Satisfy Your CPA Firm!
The Institute of Internal Auditors, May 25, 2004
Phillip Fretwell, CPA, Managing Director, Protiviti, Inc.
4/16/2017 © 2000 KPMG

Agenda
- Introduction & Overview: Phillip Fretwell, Protiviti, Inc.
- IT Considerations: Lynne Doughtie, KPMG LLP
- Using the Work of Others: Tim Messick, Ernst & Young LLP
- Gaps & Remediation: Larry Ishol, Deloitte
- Break
- Q & A

IT Considerations
Lynne Doughtie, CPA, Partner, KPMG LLP

Evaluation Framework – COSO/COBIT
[Diagram: COSO/COBIT evaluation framework. Source: IT Governance Institute]

IT Control Components in an Organization
[Diagram: IT considerations in the control environment, layered from top to bottom: Executive Management; Application Controls over the business processes (Finance, Manufacturing, Logistics, etc.); IT Services (OS/Data/Telecom/Continuity/Networks); IT General Controls. Source: IT Governance Institute]

IT Control Components
IT Considerations in the Control Environment:
- Systems planning
- Governance
- Enterprise policies
- Operating style
- Collaboration
- Information sharing
- Code of conduct
- Fraud prevention programs
IT General Controls:
- Systems security / access
- Change management
- System development
- Computer operations
Application Controls:
- Authorization
- Configuration / account mapping
- Exception / edit reports
- Interface / conversion
- System access

Control Environment
- IT management and organization structure
- Knowledge and skills
- Training
- Information architecture
- Assessment of risks
- Compliance with external requirements
- Management of quality
- Independent assurance
- Internal audit

General Controls
System Security / Access:
- Documented IT security policy and appropriate compliance
- User profile maintenance procedures
- Logical access restrictions
- Periodic review of user access rights and system permissions
- Security activity logging
Change Management:
- Change management procedures and authorizations
- Testing requirements for all changes prior to implementation
- Documentation requirements for system, user and control changes
- Access restrictions for change migrations
- Restricted and monitored production environment changes

General Controls
System Development:
- System development methodology and monitoring
- System development procedures and authorizations
- Testing procedures, including management and user acceptance
- Documentation requirements for system, users and controls
- Training requirements for new systems
- Post-implementation requirements, including data integrity controls
Computer Operations:
- Backup procedures addressing critical systems and data
- Backup restoration testing
- Offsite storage procedures and authorization controls
- Defined problem management procedures
- Job scheduling procedures and monitoring procedures

IT Control Scoping
- Identify applications that support key processes
- Determine the nature and location of each application
- Identify IT General Controls for each application in scope
- Focus is on Internal Control Over Financial Reporting
Scoping worksheet columns:
- Identified Key Process
- Application Name
- Underlying Infrastructure / Architecture (Database, Operating System, Hardware)
- Location Where Application is Hosted
- IT General Controls: Security / Access; Change Management; System Development; Computer Operations

Common Approach
- Organize project team and planning
- Define the IT areas to be included within the scope of SOX 404:
  - Entities and locations
  - Key applications to be considered
  - Specific control objectives to be achieved
- Document key IT areas within scope and identify key controls over financial reporting (control environment, general controls, application controls, process-level IT controls)
- Design test plans, perform testing of IT controls, identify control gaps, and develop remediation plans
- Update test procedures as necessary

Using the Work of Internal Audit & Others
Tim Messick, Partner, Mid-Atlantic Area Control & Methodology Leader, Ernst & Young

PCAOB Std. No. 2 – Brief History
- Using the work of others was hotly debated in the early stages of Standard No. 2
- Early drafts severely restricted the reliance external audit could place on others
- The final standard brings us much closer to the existing SAS 65 model

Who Can External Audit Rely On?
- Internal Audit
- Third-party firms assisting with 404 (e.g., another CPA firm)
- Management
- For all of the above, certain restrictions are discussed in Standard No. 2

Considerations in Using Others
- Nature of controls & accounts
- Competence & objectivity of individuals
- Need to re-perform certain of the work
- Specific PCAOB restrictions in certain areas
- “Principal evidence” must come from the external auditor

Using the Work of Internal Audit
Various models exist in practice:
- IA performing documentation & testing on behalf of management
- IA performing independent testing after management performs their work
- IA providing direct assistance to external audit

Using IA’s Work
Standard No. 2 prohibits relying on others in specific areas:
- Control environment
- Fraud programs & related controls
- Walk-throughs
These must be performed by external audit in all instances; “principal evidence” needs to be considered.

Using IA’s Work (cont.)
Areas where external audit can utilize a significant amount of IA work:
- Routine data processes
- Non-pervasive subjective processes

Using IA’s Work (cont.)
Areas where use of IA work would likely be limited:
- Pervasive controls
- Financial statement close process
- IT general controls

Using IA’s Work (cont.)
Recent PCAOB comments:
- When external audit uses IA in a direct supervision mode, that work cannot exceed 20% of “principal evidence”
- Provision of the registered firm regulations
- Work in process; more to come

Testing Considerations
The amount of re-testing will be similar to the SAS 65 model, but likely more than in the past, driven by:
- Competency and objectivity concerns
- Nature of the control
- Who performed the work (e.g., IA vs. management)
- Now separately opining on internal control, vs. reliance on the FS audit as in the past

Other Comments
- As with other 404 areas, nothing is crystal clear
- Expect many implementation issues
- Clarifications from PCAOB and SEC to come over the next several months
- Management, IA, and external audit should all be working together closely

Gaps & Remediation
Larry Ishol, CPA, Engagement Partner, Deloitte

Situational Assessment
A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains.
[Chart: Percentage Complete by Activity: 21% Remediation; Testing of operating effectiveness; 47% Evaluation of design effectiveness; 75% Documentation]
Time to comply with section 404 is running out; many companies may need to rethink their project timeline, otherwise they are at risk of not complying with the law!
- Deloitte recommends that companies complete testing and remediation activities by the end of the third quarter:
  - Provides the company with sufficient time to test the operating effectiveness of remediated controls
  - Provides the independent auditor with time to complete their audit procedures
- Many companies report that testing and remediation activities are more complex and time consuming than planned:
  - Lack of guidance for the number of selections or tests to be conducted
  - Significant number of control deficiencies
  - Difficulty in classifying control deficiencies (i.e., control deficiency, significant deficiency, or material weakness)
  - Testing entity-level controls (e.g., control environment)
  - Lack of sufficient and qualified resources to perform the work
- Implications of not completing testing and remediation activities are significant:
  - Insufficient time to remediate material weaknesses
  - Adverse opinion on the effectiveness of internal control
  - Negative market reaction
  - Higher cost of capital

What Constitutes a Gap?
Type                    Likelihood         Magnitude
Deficiency              Remote             and/or inconsequential
Significant Deficiency  More than remote   and more than inconsequential, or quantitatively significant
Material Weakness       More than remote   and material to the financial statements

Specific Considerations
Strong indicator of a material weakness (“MW”), and at least a significant deficiency:
- Ineffective audit committee
- Ineffective internal audit or risk assessment function
- Ineffective regulatory compliance function
- Ineffective control environment
- Uncorrected significant deficiencies
- Identification of fraud of any magnitude on the part of senior management
- Identification of a material misstatement
- Restatement to reflect correction of a misstatement
At least a significant deficiency (“SD”):
- Period-end financial reporting process: procedures used to enter transaction totals into the G/L; journal entries; recurring and non-recurring adjustments to the F/S
- Antifraud programs and controls
- Non-routine and non-systematic transactions
- Selection and application of accounting policies
(The grouping of items under the two headings follows PCAOB Standard No. 2.)

Sample Remediation Activities
Remediation is simply the process of fixing a deficiency associated with the design or operating effectiveness of a control activity.
Design Deficiency:
- Improve controls that have “fixable” design deficiencies
- Implement new controls when the design deficiency is too substantial to be repaired
- Implement new controls when there are no controls in place
Operating Deficiency:
- Communicate to the individual responsible for testing the control that he or she must perform the test
- Provide oversight to ensure that the control is tested in the future

Remediation Challenges
Effective Decision & Governance Process:
- Evaluate and define requirements to effectively remediate gaps
- Prioritize control deficiencies to remediate gaps
- Plan effectively (e.g., long term, short term, budgeting, etc.)
- Cost / benefit / risk analysis models
- Coordinate decisions across business units / locations
Complex Program Management Initiatives:
- Numerous large and small remediation efforts
- Organizationally diverse
- Align remediation with other projects (e.g., system upgrades)
- Achieve timely improvements to demonstrate effectiveness
Significant IT Environment Changes:
- Remediation likely to impact enterprise systems
- Complex security and infrastructure issues
- IT remediation solutions require multi-disciplinary teams
Impact on Human Resources:
- Allocate appropriate resources to design and implement remediation
- Allocate resources to remediation efforts while maintaining ongoing business operations
- Retraining and change management challenges result from remediation
Complex Re-testing, Roll-Forward Testing Activities:
- “Change management” of remediated systems and processes
- Plan and execute re-testing activities
Overall Need for Best Practices:
- Share best practices to minimize duplicative efforts
- Benchmark best methods and techniques to achieve compliance

Taking Action - Remediation Questions to Consider
1. Have you developed a process for classifying control deficiencies?
2. Have you allotted sufficient time to remediate material weaknesses and significant deficiencies prior to year-end?
3. Have you identified resources to assist in remediating controls in technical areas?

Taking Action - Remediation Questions to Consider (cont.)
4. What is the status of gap analysis?
5. Do you have a process to identify, classify and prioritize gaps and manage your remediation effort?
6. Do you have sufficient skill sets, knowledge bases, etc. to adequately develop and implement solutions to gaps?

To Get Your CPE Certificate

June 8, 2004: “Anti Fraud Programs”

Webcast Evaluation