1 404 Readiness Review: Documenting Your System of Internal Control The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act May 21, 2003.


1 404 Readiness Review: Documenting Your System of Internal Control
The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act
May 21, 2003, 1:00 – 2:30 pm Eastern Time

2 The IIA Webcast Moderator
Jim Key, CIA
Managing Partner, Shenandoah Group, L.L.P

3 Webcast Series on SOA
Fostering Compliance with SOA: Internal Auditor’s Role
- Four sessions archived on IIA’s website and available on CD
- Originally aired January 28 – April 15, 2003

4 Webcast Series on SOA - Continues
Emerging Trends & Best Practices in Implementing SOA
- Six Sessions archived on IIA’s website and available on CD
- May 21 – 404 Readiness Review: Documenting Your System of Internal Control
- June 10 – Helping the Audit Committee Implement Complaint Handling
- Remaining sessions with your input will be on July 8, August 12, September 9 and September 30

5 Agenda
- 1:00 Introductions and Overview
- 1:10 Critical Decisions on Documenting Internal Controls - Bill Gassel
- 1:20 Implementing Sarbanes-Oxley Sec 404 - Dennis Drent
- 1:30 Maintaining Objectivity - Paul Sobel
- 1:45 Break
- 1:50 Questions and Answers - Panel
- 2:25 Wrap up - Jim Key

6 Critical Decisions for Documenting Internal Controls
Bill Gassel, CPA
Director of Internal Audit, Emerson

7 Chronology
- Nov ’02: Formed core team & established goals & timetable
- Nov ’02: Selected the documentation methodology & created a pilot questionnaire
- Dec ’02: Conducted pilots at 9 sites worldwide
- Dec ’02: Started on website to facilitate documentation collection
- Jan ’03: Led training and documentation rollout
- Mar ’03: Divisions completed documentation (tremendous effort); Internal Audit reviewed for sufficiency
- May ’03: Executing the testing plan

8 Key Initial Decisions
Documentation decisions made early on:
- Where?
- What format (narratives, flowcharts, questionnaires, or a combination)?
- What accounts or processes?
- How much must be documented?
- Who should certify?
- Who will own/maintain the documentation?
- How to train everyone?

9 Location Table

10 Example Documentation

11 Guidance for Control Descriptions
Note: "Yes" answers require the following criteria:
1. Describe the control procedure in detail.
2. Who performs the control (employee title) and who reviews it?
3. Frequency of control (daily, monthly, quarterly, etc.).
4. Automated system or manual control.
"No" answers require:
1. What mitigating controls exist to achieve the control objective.
2. Who performs mitigating controls & how often?
3. If no mitigating controls exist, how will the deficiency be fixed?
"N/A" answers require:
1. Explain 'why' the control does not apply to the location.

12 Beneficial Steps
- Executive management support obtained
- Involved the Controllership function early
- Communicated early with KPMG and E&Y to interpret likely standards
- Standardized the documentation format
- Used pilot process to gain practical insights
- Collaborated with internal process experts to validate questionnaire focus

13 Beneficial Steps
- Held central training for all Finance Officers
- Created an “Example Completed ICQ”
- Tailored the questionnaire for smaller and international sites
- Reviewed a majority of the documentation for sufficiency
- Started testing controls 5 months prior to year-end (10 – 12,000 hours of effort) - significant locations first

14 Current 404 Considerations
- Develop Evaluation Methodology with Management
  - Which locations and controls will be tested?
- Accumulating and aggregating the testing results
- Broadening the evaluation methodology into ERM
- Migrating Control Questionnaire platform to CSA process
- Minimizing redundancy of testing between internal and external auditors
- Availability of qualified staff

15 Steps in Implementing Sarbanes-Oxley Sec. 404
Dennis Drent
Vice President – Internal Audit, Nationwide Insurance

16 Implementing Sarbanes-Oxley § 404

17 Implementing Sarbanes-Oxley § 404

18 Step 2: Develop evaluation strategy including use of technology
- “CEO friendly” technology solution.
- Lotus Notes database allows for analysis and reporting.
- No flow charts.
- Used drop-down boxes for everything we could.
- Control and executive owners versus process owners.
- Internal Audit “owns” the database - the business owns the controls.

19 Implementing Sarbanes-Oxley § 404

20 Implementing Sarbanes-Oxley § 404

21 Step 5: First quarter certification and verification process completed
- Control and executive owners certify in database - separate verification process.
- 30% of controls were changed, over 100 controls eliminated.
- Internal Audit administers “change” questionnaire and consults on verification procedures.
- Results of control certification/verification process reported to Disclosure Committee.

22 Step 6: Control scrubbing, gap analysis, and control evaluation
- Time to bring in the external auditors - jointly define “internal control adequacy.”
- At this point, most work performed by external auditor will be “audit services” and therefore mitigates independence conflict.

23 Implementing Sarbanes-Oxley § 404
[Timeline chart, Jun. 2003 to Dec. 2003, steps 6 to 9. Rows: Control scrubbing, gap analysis, and control evaluation; Revise/redesign controls as deemed necessary; Management prepared to assert; KPMG attestation work. X = Section 404 Steps Completed]

24 Implementing Sarbanes-Oxley § 404
[Timeline chart, Jun. 2003 to Dec. 2003, steps 6 to 9. Rows: Control scrubbing, gap analysis, and control evaluation; Revise/redesign controls as deemed necessary; Management prepared to assert; KPMG attestation work. X = Section 404 Steps Completed]

25 Implementing Sarbanes-Oxley § 404
[Timeline chart, Jun. 2003 to Dec. 2003, steps 6 to 9. Rows: Control scrubbing, gap analysis, and control evaluation; Revise/redesign controls as deemed necessary; Management prepared to assert; KPMG attestation work. X = Section 404 Steps Completed]

26 Maintaining Objectivity
Paul Sobel
Vice President, Risk Assessment, Aquila, Inc.

27 Corporate Governance Framework
[Diagram labels: Corporate Stakeholders; Board of Directors; Governance “Umbrella”; Risk Management; Senior Management; Risk Owners; Assurance; Internal Auditors; External Auditors]

28 Corporate Governance Framework
[Diagram labels: Sarbanes-Oxley Act; Board of Directors; Governance “Umbrella”; Risk Management; Senior Management; Risk Owners; Assurance; Internal Auditors; External Auditors; Sec. 404]

29 Objectivity Standards
- Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
  - State of mind
  - Personal feelings or prejudices shouldn’t distort the facts
- Cannot act in a management role or make management decisions

30 The Audit Process

| Audit Phase | Approach | Audit Evidence |
|---|---|---|
| 1. Project Objective | Determined in Annual Audit Plan | Planning Memo |
| 2. Risk Assessment | Identify/Assess Key Risks | Risk Memo/Matrix |
| 3. Process Design | Understand Process and Identify Key Controls | Flowcharts & Memos |
| 4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations |
| 5. Process Effectiveness | Develop and Execute Testing Plan | Testing Results |
| 6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations |
| 7. Reporting | Communicate Results | Audit Report |

31 The Sarbanes-Oxley 404 Process

| Audit Phase | Approach | Audit Evidence |
|---|---|---|
| 1. Project Objective | Understand S-O 404 Requirements | Project Planning Memo |
| 2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | F/S / Risks / Assertions Linkage |
| 3. Process Design | Understand Processes & Identify Key Controls Over Financial Reporting | Flowcharts & Memos |
| 4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans |
| 5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Testing Results |
| 6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans |
| 7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Self Assessments and Audit Reports |

32 Maintaining Objectivity

| Audit Phase | Approach | What Can IA Do? |
|---|---|---|
| 1. Project Objective | Understand S-O 404 Requirements | No issues; objectives set by 3rd party (SEC) |
| 2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | Make risk judgments; must gain mgmt. concurrence |
| 3. Process Design | Understand Processes & ID Key Controls Over Financial Reporting | Document processes; based on mgmt. input and validation |
| 4. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt. |
| 5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Determine what to test and evaluate test results |
| 6. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt. |
| 7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Facilitate/gather assessment results |

33 Summary
- Internal Audit can lead a Sarbanes-Oxley 404 project
- Documentation phase is no different than that required in an audit
  - IA’s objectivity is not impaired if they lead the documentation efforts
- It is important to engage management to validate judgments and decisions
  - They must own the results, not IA
- Communicate consistently with your external auditors to ensure they understand how your objectivity has not been impaired
- It’s not an objectivity issue; it’s an ownership issue!

34 Break
5 min break followed by Poll

35 Questions & Answers
Email your questions to info@tvworldwide.com

36 Webcast Summary
- Engage management to develop control evaluation strategy
- Work with external auditors to reduce duplication
- Leverage technology to support process
- Internal audit can own the process
- Objectivity is a state of mind

