
04/18/23 © 2000 KPMG

Does Your SOX 404 Work Measure Up?
Hear What Will Satisfy Your CPA Firm!

The Institute of Internal Auditors, May 25, 2004

Phillip Fretwell, CPA, Managing Director, Protiviti, Inc.


Agenda

• Introduction & Overview – Phillip Fretwell, Protiviti, Inc.
• IT Considerations – Lynne Doughtie, KPMG LLP
• Using the Work of Others – Tim Messick, Ernst & Young LLP
• Gaps & Remediation – Larry Ishol, Deloitte
• Break
• Q & A


IT Considerations

Lynne Doughtie, CPA, Partner, KPMG LLP


Evaluation Framework – COSO/COBIT

[Figure: the five COSO components (Monitoring; Information and Communication; Control Activities; Risk Assessment; Control Environment) mapped against COBIT objectives, with Sarbanes-Oxley Section 302 and Section 404 along the other axis.]

IT controls should consider the overall governance framework to support the quality and integrity of information.

Competency in all five layers of COSO's framework is necessary to achieve an integrated control program.

Controls in IT are relevant to both the financial reporting and the disclosure requirements of Sarbanes-Oxley.

Source: IT Governance Institute


IT Control Components in an Organization

[Figure: layered diagram with Executive Management at the top; IT Considerations in the Control Environment spanning the organization; Business Processes (Finance, Manufacturing, Logistics, Etc.), each with its Application Controls; IT General Controls beneath them; and IT Services (OS / Data / Telecom / Continuity / Networks) as the foundation.]

Source: IT Governance Institute


IT Control Components

IT Considerations in the Control Environment
• Systems planning
• Governance
• Enterprise policies
• Operating style
• Collaboration
• Information sharing
• Code of conduct
• Fraud prevention programs

IT General Controls
• Systems security / access
• Change management
• System development
• Computer operations

Application Controls
• Authorization
• Configuration / account mapping
• Exception / edit reports
• Interface / conversion
• System access


Control Environment

• IT Management and Organization Structure

• Knowledge and Skills

• Training

• Information Architecture

• Assessment of Risks

• Compliance with External Requirements

• Management of Quality

• Independent Assurance

• Internal Audit


General Controls

• System Security / Access
– Documented IT security policy and appropriate compliance
– User profile maintenance procedures
– Logical access restrictions
– Periodic review of user access rights and system permissions
– Security activity logging

• Change Management
– Change management procedures and authorizations
– Testing requirements for all changes prior to implementation
– Documentation requirements for system, user and control changes
– Access restrictions for change migrations
– Restricted and monitored production environment changes


General Controls (cont.)

• System Development
– System development methodology and monitoring
– System development procedures and authorizations
– Testing procedures, including management and user acceptance
– Documentation requirements for systems, users and controls
– Training requirements for new systems
– Post-implementation requirements, including data integrity controls

• Computer Operations
– Backup procedures addressing critical systems and data
– Backup restoration testing
– Offsite storage procedures and authorization controls
– Defined problem management procedures
– Job scheduling procedures and monitoring procedures


IT Control Scoping

• Identify applications that support key processes
• Determine the nature and location of each application
• Identify IT General Controls for each application in scope
• Focus is on Internal Control Over Financial Reporting

Scoping matrix (the slide shows the column headings of a blank template, one row per application):

Identified Key Process | Application Name | Underlying Infrastructure / Architecture (Database, Operating System, Hardware) | Location Where Application is Hosted | IT General Controls: System Security / Access | IT General Controls: Change Management | IT General Controls: System Development | IT General Controls: Computer Operations


Common Approach

• Organize project team and planning

• Define the IT areas to be included within the scope of SOX 404:
– Entities and locations
– Key applications to be considered
– Specific control objectives to be achieved

• Document key IT areas within scope and identify key controls over financial reporting (control environment, general controls, application controls, process-level IT controls)

• Design test plans, perform testing of IT controls, identify control gaps, and develop remediation plans

• Update test procedures as necessary


USING THE WORK OF INTERNAL AUDIT & OTHERS

Tim Messick, Partner, Mid-Atlantic Area Control & Methodology Leader, Ernst & Young


PCAOB Std. No. 2 – Brief History

• Using the work of others was hotly debated in early stages of Standard No. 2

• Early drafts severely restricted the reliance external audit could place on others

• Final standard brings us much closer to the existing SAS 65 model


Who Can External Audit Rely On?

• Internal Audit

• Third-party firms assisting with 404 (e.g., another CPA firm)

• Management

• For all of the above, certain restrictions are discussed in Standard No. 2


Considerations in Using Others

• Nature of controls & accounts

• Competence & objectivity of individuals

• Need to re-perform certain of the work

• Specific PCAOB restrictions in certain areas

• “Principal evidence” must come from the external auditor


Using the Work of Internal Audit

• Various models exist in practice:
– IA performing documentation & testing on behalf of management
– IA performing independent testing after management performs their work
– IA providing direct assistance to external audit


Using IA's Work

• Standard No. 2 prohibits relying on others in specific areas:
– Control environment
– Fraud programs & related controls
– Walk-throughs

• These must be performed by external audit in all instances

• “Principal evidence” needs to be considered


Using IA's Work (cont.)

• Areas where external audit can utilize a significant amount of IA work:
– Routine data processes
– Non-pervasive subjective processes


Using IA's Work (cont.)

• Areas where use of IA work would likely be limited:
– Pervasive controls
– Financial statement close process
– IT general controls


Using IA's Work (cont.)

• Recent PCAOB comments:
– When external audit uses IA in a direct supervision mode, it cannot exceed 20% of "principal evidence"
– Provision of the registered firm regulations
– Work-in-process; more to come


Testing Considerations

• Amount of re-testing will be similar to the SAS 65 model, but likely more than in the past:
– Competency and objectivity concerns
– Nature of control
– Who performed (e.g., IA vs. management)
– Now separately opining on IC, vs. reliance on the FS audit as in the past


Other Comments

• As with other 404 areas, nothing is crystal clear

• Expect many implementation issues

• Clarifications from PCAOB and SEC to come over next several months

• Management, IA, and external audit should all be working together closely


Gaps & Remediation

Larry Ishol, CPA, Engagement Partner, Deloitte


Situational Assessment

A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains:

Activity | Percentage Complete
Documentation | 75%
Evaluation of design effectiveness | 47%
Testing of operating effectiveness | 21%
Remediation | 21%


What Constitutes a Gap?

Type | Likelihood | Magnitude
Deficiency | Remote | and/or Inconsequential
Significant Deficiency | More than remote | and More than inconsequential, or Quantitatively significant
Material Weakness | More than remote | and Material to the financial statements


Specific Considerations

Strong Indicator of "MW"
• Ineffective audit committee
• Ineffective internal audit or risk assessment function
• Ineffective regulatory compliance function
• Ineffective control environment
• Uncorrected significant deficiencies
• Identification of fraud of any magnitude on the part of senior management
• Identification of a material misstatement
• Restatement to reflect correction of a misstatement

At Least "SD"
• Period-end financial reporting process:
– Procedures used to enter transaction totals into the G/L
– Journal entries
– Recurring and non-recurring adjustments to the F/S
• Antifraud programs and controls
• Non-routine and non-systematic transactions
• Selection and application of accounting policies


Remediation

Remediation is simply the process of fixing a deficiency associated with the design or operating effectiveness of a control activity.

Sample Remediation Activities

Design Deficiency
• Improve controls that have "fixable" design deficiencies
• Implement new controls when the design deficiency is too substantial to be repaired
• Implement new controls when there are no controls in place

Operating Deficiency
• Communicate to the individual responsible for testing the control that he or she perform the test
• Oversight to ensure that the control is tested in the future


Remediation Challenges

• Effective Decision & Governance Process

• Complex Program Management Initiatives

• Significant IT Environment Changes

• Impact on Human Resources

• Complex Re-testing, Roll-Forward Testing Activities

• Overall Need for Best Practices


Taking Action - Remediation Questions to Consider

1. Have you developed a process for classifying control deficiencies?

2. Have you allotted sufficient time to remediate material weaknesses and significant deficiencies prior to year-end?

3. Have you identified resources to assist in remediation controls in technical areas?


Taking Action - Remediation Questions to Consider (cont.)

4. What is the status of gap analysis?

5. Do you have a process to identify, classify and prioritize gaps and manage your remediation effort?

6. Do you have sufficient skill sets, knowledge bases, etc. to adequately develop and implement solutions to gaps?


To Get Your CPE Certificate


June 8, 2004: "Anti Fraud Programs"


Webcast Evaluation