Download presentation
Presentation is loading. Please wait.
1
1 What is Internal Audit’s Role in Management’s Assertion The Institute of Internal Auditors May 11, 2004 Xenia Ley Parker, CIA, CISA, CFSA Principal XLP Associates
2
2 The IIA Welcomes New President David A. Richards, CIA, CPA
3
3 Introduction & Overview Xenia Ley Parker, XLP Associates Internal Audits Role in SOX Larry Harrington, Staples How Solectron Addresses 404 & IT Controls Norman Marks, Solectron Internal Audit’s Role Dennis Drent, Nationwide Insurance Break Q & A Agenda
4
4 What is the Right Role? Organizations have to find the right process to address Sarbanes-Oxley –Internal Auditors have more than one possible role –Maintaining objectivity and independence is critical, whichever role they take on There is no one ‘right’ answer
5
5 Possible Roles Consideration of Internal Audit Standards and professional practices Other sources of information We’ll look at some of the possible roles –Project management –Consulting –Documentation and testing
6
6 Internal Audit’s Role in Sarbanes Oxley 302 & 404 Larry Harrington, CPA Chief Audit Executive Staples
7
7 Professional Practices Framework Definition of Internal Auditing Ethics & Standards Practice Advisories Development & Practice Aids
8
8 IIA Whitepaper- Internal Audit Role in Sarbanes Oxley 302 & 404 Purpose Summary Role of Management, Audit Committees, and External Auditors Recommended Role for Internal Audit Practical Considerations
9
9 Purpose of This White Paper Discuss the roles Internal Auditors play today: –Consulting –Monitoring/Testing –Creating the Documentation –Performing the Assessment –Managing the Entire Project Compliance with IIA International Standards –Objectivity –Independence –Evaluation & contribution to improving the company’s risk assessment, control, and governance process
10
10 Key Operating Principles Sarbanes Oxley creates requirements for Audit Committees, management, and external auditors Management is responsible for implementing the process to meet the requirements of Sarbanes Oxley, not Internal Audit
11
11 Roles for Internal Auditors Project Management –Participation on project steering committees Objectivity and independence is not impaired when effort is limited to evaluation/recommendation/monitoring (e.g. assessment methodology and tools; definition of documentation standards; communicating project status) Objectivity & independence is impaired when involved in the decision process and the implementation process –Training on project, risk and controls Objectivity and independence is not impaired when creating or delivering training on these topics –Facilitation between management and external audit
12
12 Roles for Internal Auditors Consulting –Advise on best practices Objectivity and independence not impaired when advising on documentation standards, tools, or test strategies Objectivity and independence is not impaired when advising on the design, scope, or testing frequency, or in assessing management’s testing and assessment process Providing advice control gaps, review management plans for correcting control gaps, and performing follow-ups to ascertain whether control gaps have been adequately addressed does not impair objectivity or independence.
13
13 Role For Internal Auditors Documentation and Testing –Provide IA documentation/create new documentation Objectivity and independence not impaired if assisting management in documentation because of limited resources Objectivity and independence is impaired if audit slips into making management decisions Management owns the design/testing process; however, IA may be asked to help. Objectivity and independence is not impaired when IA assists. Objectivity and independence is impaired if IA makes decisions-control design, effectiveness, what to remediate, etc.
14
14 Roles for Internal Auditors Documentation and Testing (cont.) –Performing a quality assessment review prior to management handoff to external audit does not impair objectivity or independence
15
15 Audit Committee Disclosure Disclosure to the Audit Committee that the internal auditors objectivity or independence has been impaired is required when: –Internal Audit actively participates in making or directing key management decisions –Internal Audit designs, installs, drafts procedures for, or operates such systems –Internal Audit makes key management decisions
16
16 Contact Information If you have any questions regarding the Professional Practices Framework or guidance materials or you wish to forward additions, contributions or suggestions e-mail The IIA at: issues@theiia.org
17
17 How Solectron Addresses 404 and IT Controls Norman Marks, CPA Vice President, Internal Audit Solectron Corporation
18
18 Topics Internal Audit and §404 in 2004 The future for Internal Audit and §404 Assessing the impact of IT control deficiencies
19
19 IA and §404 in 2004 Project led by Corporate Controller IA consults on controls theory and practice IA (independent) testing of key controls, incl. mitigating/compensating controls IA reports on testing results –Provides an opinion by location/function Controls design & effectiveness Adequacy of documentation
20
20 IA and §404 in 2004 Retesting of remediated controls Assessment of deficiencies and identification of mitigating/compensating controls –Impact on overall assessment by management Member of Disclosure Review Committee Consider §404 results in §302 assessment, & forming annual IA opinion on internal controls (COSO)
21
21 The future for IA and §404 How will the role of IA change as §404/§302 practices mature? Integration of §404/§302 testing into audit plan Impact on the charter of IA within the organization Norman’s opinion
22
22 What is the role of IA? “Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
23
23 What is the role of IA? It should be more than financial controls Financial controls is more than §404
24
24 Operations Financial Reporting Compliance Monitoring Information and Communication Control Activities Risk Assessment Control Environment COSO and §404
25
25 Operations Financial Reporting Compliance Monitoring Information and Communication Control Activities Risk Assessment Control Environment COSO and §404 §404
26
26 COSO and §404 OperationsCompliance with laws and regulations Financial Reporting
27
27 COSO and §404 Operations §404 Compliance with laws and regulations Financial Reporting
28
28 COSO and §404 Operations §404 Not included in §404: Management reporting Matters not material to SEC financials Partly included in §404: Controls affecting future periods: IT security contingency planning physical security fraud Efficiency of financial reporting Compliance with laws and regulations Financial Reporting
29
29 Future role of IA §404 work should be integrated into the risk assessment and audit planning process Don’t limit yourself to §404 –Not even for the next 2 years –You will become defined as only there to do §404 –You will lose your mission and purpose –You will become irrelevant
30
30 Future role of IA Audit Committee and senior management: “We have: –management’s assessment of internal controls –the external auditor’s assessment” “Why do we also need IA’s opinion?” “We have survived with a limited IA function” “Why do we need a full scope one?”
31
31 Summary – the future Define the future role Don’t limit yourself to §404 Build an integrated plan, including §404 Communicate and sell your strategic vision – NOW!
32
32 IT control deficiencies Key Control Control Assertion
33
33 IT control deficiencies Key Control User procedure Automated process Control Assertion
34
34 IT control deficiencies Key Control User procedure Automated process Test Control Assertion
35
35 IT control deficiencies Key Control User procedure Automated process Test Control Assertion IT general controls Development & Maintenance Operations Program security
36
36 IT control deficiencies Key Control User procedure Automated process Test Control Assertion IT general controls Development & Maintenance Operations Program security
37
37 IT control deficiencies Key Control User procedure Automated process Test Control Assertion Deficiency IT general controls Development & Maintenance Operations Program security
38
38 IT control deficiencies Key Control User procedure Automated process Test Control Assertion Deficiency IT general controls Development & Maintenance Operations Program security
39
39 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact
40
40 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact 2. Could it result in financial reporting error? No Yes no §404 impact
41
41 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact 2. Could it result in financial reporting error? No Yes no §404 impact 3. Are there detective controls? no §404 impact Yes No Test
42
42 IT Security Deficiencies 1. What is the risk? Business disruption Fraud no §404 impact 2. Could it result in financial reporting error? No Yes no §404 impact 3. Are there detective controls? no §404 impact Yes No Test 4. Are there compensating controls? no §404 impact Yes No Test §404: Assess accounts affected
43
43 Internal Audit’s Role Dennis Drent, CPA Senior Vice President, Office of Internal Audit Nationwide Insurance
44
44 IAPMO Internal Audit “hired” as Section 404 Project Manager by Management with Audit Committee approval
45
45 Coordinate, consult on or perform documentation, gap analysis and remediation IAPMO
46
46 IAPMO Maintain documentation Coordinate, consult on or perform documentation, gap analysis and remediation
47
47 IAPMO Maintain documentation Coordinate quarterly control certification and management verification processes Coordinate, consult on or perform documentation, gap analysis and remediation
48
48 IAPMO Maintain documentation Coordinate ongoing gap analysis and remediation Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate quarterly control certification and management verification processes
49
49 IAPMO Maintain documentation Coordinate ongoing gap analysis and remediation Coordinate with Legal and Finance and report conclusions to Disclosure and Audit Committees Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate quarterly control certification and management verification processes
50
50 IAPMO Maintain documentation Coordinate ongoing gap analysis and remediation Coordinate with Legal and Finance and report conclusions to Disclosure and Audit Committees Perform independent testing of controls providing certification Coordinate, consult on or perform documentation, gap analysis and remediation Coordinate quarterly control certification and management verification processes
51
51 Support Management Assertions Summary of Key Points: Ownership of control resides with business through the control certification process Internal Audit manages certification process and is in a position to perform real time analysis of control adequacy and ensures ongoing quality of control documentation Internal Audit develops deep understanding of link between controls and financial statements assertions; this provides value-added consulting services
52
52 Support Management Assertions Summary of Key Points (continued): Internal Audit, Finance and Legal jointly interpret “open items” for potential deficiency in a legal sense Works with External Auditor to ensure effective and efficient audit Internal Audit assures sustainability of Section 404/302 process
53
53 Looking Forward Maintenance of documentation and ongoing gap analysis will be core of what we do - “real time” auditing Sarbanes 404 will be embedded with NW ERM process in development Bolt operational and compliance controls on to Sarbanes controls data base over time to create full audit universe
54
54 To Email your questions, Email info@tvworldwide.com (Click link to left) info@tvworldwide.com To Email your questions, Email info@tvworldwide.com (Click link to left) info@tvworldwide.com
55
55 To Get Your CPE Certificate Click Here
56
56 Special Webcast May 25, 2004 “Does your SOX 404 work measure up? Hear what will satisfy your CPA firm!” See you at our next webcast!
57
57 June 8, 2004 “Anti Fraud Programs”
58
58 Webcast Evaluation
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.