Post on 18-Dec-2015
04/18/23 © 2000 KPMG
Does Your SOX 404 Work Measure Up?
Hear What Will Satisfy Your CPA Firm!
The Institute of Internal Auditors, May 25, 2004
Phillip Fretwell, CPA, Managing Director
Protiviti, Inc.
Agenda
• Introduction & Overview: Phillip Fretwell, Protiviti, Inc.
• IT Consideration: Lynne Doughtie, KPMG LLP
• Using the Work of Others: Tim Messick, Ernst & Young LLP
• Gaps & Remediation: Larry Ishol, Deloitte
• Break
• Q & A
Evaluation Framework – COSO/COBIT
[Figure: the five COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) mapped against COBIT objectives and Sarbanes-Oxley Sections 302 and 404.]
IT controls should consider the overall governance framework to support the quality and integrity of information.
Competency in all five layers of COSO's framework is necessary to achieve an integrated control program.
Controls in IT are relevant to both the financial reporting and the disclosure requirements of Sarbanes-Oxley.
Source: IT Governance Institute
IT Control Components in an Organization
[Figure: layered view of IT controls. Executive Management sits above the IT considerations in the control environment; application controls apply to each business process (Finance, Manufacturing, Logistics, etc.); IT general controls and the underlying IT services (OS, data, telecom, continuity, networks) support all of them.]
Source: IT Governance Institute
IT Control Components
• IT Considerations in the Control Environment
  • Systems planning
  • Governance
  • Enterprise policies
  • Operating style
  • Collaboration
  • Information sharing
  • Code of conduct
  • Fraud prevention programs
• IT General Controls
  • Systems security / access
  • Change management
  • System development
  • Computer operations
• Application Controls
  • Authorization
  • Configuration / account mapping
  • Exception / edit reports
  • Interface / conversion
  • System access
Control Environment
• IT Management and Organization Structure
• Knowledge and Skills
• Training
• Information Architecture
• Assessment of Risks
• Compliance with External Requirements
• Management of Quality
• Independent Assurance
• Internal Audit
General Controls
• System Security / Access
  • Documented IT Security policy and appropriate compliance
  • User profile maintenance procedures
  • Logical access restrictions
  • Periodic review of user access rights and system permissions
  • Security activity logging
• Change Management
  • Change management procedures and authorizations
  • Testing requirements for all changes prior to implementation
  • Documentation requirements for system, user and control changes
  • Access restrictions for change migrations
  • Restricted and monitored production environment changes
General Controls
• System Development
  • System Development methodology and monitoring
  • System Development procedures and authorizations
  • Testing procedures, including management and user acceptance
  • Documentation requirements for system, users and controls
  • Training requirements for new systems
  • Post-implementation requirements including data integrity controls
• Computer Operations
  • Backup procedures addressing critical systems and data
  • Backup restoration testing
  • Offsite storage procedures and authorization controls
  • Defined problem management procedures
  • Job scheduling procedures and monitoring procedures
IT Control Scoping
• Identify applications that support key processes
• Determine the nature and location of each application
• Identify IT General Controls for each application in scope
• Focus is on Internal Control Over Financial Reporting
[Scoping matrix, one row per application, with columns: Identified Key Process | Application Name | Underlying Infrastructure / Architecture (Database, Operating System, Hardware) | Location Where Application is Hosted | IT General Controls: System Security / Access | Change Management | System Development | Computer Operations]
Common Approach
• Organize project team and planning
• Define the IT Areas to be included within the scope of SOX 404:
  • Entities and locations
  • Key applications to be considered
  • Specific control objectives to be achieved
• Document key IT areas within scope and identify key controls over financial reporting (control environment, general controls, application controls, process-level IT controls)
• Design test plans, perform testing of IT controls, identify control gaps, and develop remediation plans
• Update test procedures as necessary
USING THE WORK OF INTERNAL AUDIT & OTHERS
Tim Messick, Partner
Mid-Atlantic Area Control & Methodology Leader
Ernst & Young
PCAOB Std. No. 2—Brief History
• Using the work of others was hotly debated in early stages of Standard No. 2
• Early drafts severely restricted the reliance external audit could place on others
• Final standard brings us much closer to the existing SAS 65 model
Who Can External Audit Rely On?
• Internal Audit
• Third-party firms assisting with 404 (e.g., another CPA firm)
• Management
• For all of the above, certain restrictions are discussed in Standard No. 2
Considerations in Using Others
• Nature of controls & accounts
• Competence & objectivity of individuals
• Need to re-perform certain of the work
• Specific PCAOB restrictions in certain areas
• “Principal evidence” must come from the external auditor
Using the Work of Internal Audit
• Various models exist in practice:
  – IA performing documentation & testing on behalf of management
  – IA performing independent testing after management performs their work
  – IA providing direct assistance to external audit
Using IA’s Work
• Standard No. 2 prohibits relying on others in specific areas:
  – Control environment
  – Fraud programs & related controls
  – Walk-throughs
• These must be performed by external audit in all instances
• “Principal evidence” needs to be considered
Using IA’s Work (cont.)
• Areas where external audit can utilize a significant amount of IA work:
  – Routine data processes
  – Non-pervasive subjective processes
Using IA’s Work (cont.)
• Areas where use of IA work would likely be limited:
  – Pervasive controls
    • Financial statement close process
    • IT general controls
Using IA’s Work (cont.)
• Recent PCAOB comments
  – When external audit uses IA in a direct supervision mode, cannot exceed 20% of “principal evidence”
  – Provision of the registered firm regulations
  – Work-in-process—more to come
Testing Considerations
• Amount of re-testing will be similar to SAS 65 model, but likely more than in the past:
  – Competency and objectivity concerns
  – Nature of control
  – Who performed (e.g., IA vs. management)
  – Now separately opining on IC, vs. reliance on the FS audit as in the past
Other Comments
• As with other 404 areas, nothing is crystal clear
• Expect many implementation issues
• Clarifications from PCAOB and SEC to come over next several months
• Management, IA, and external audit should all be working together closely
Gaps & Remediation
Larry Ishol, CPA
Engagement Partner
Deloitte
Situational Assessment
A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains.
Activity: Percentage Complete
• Documentation: 75%
• Evaluation of design effectiveness: 47%
• Testing of operating effectiveness: 21%
• Remediation: 21%
What Constitutes a Gap?
Type: Likelihood and Magnitude
• Deficiency: remote and/or inconsequential
• Significant Deficiency: more than remote, and more than inconsequential or quantitatively significant
• Material Weakness: more than remote, and material to the financial statements
Specific Considerations
Strong Indicator of “MW”:
• Ineffective audit committee
• Ineffective internal audit or risk assessment function
• Ineffective regulatory compliance function
• Ineffective control environment
• Uncorrected significant deficiencies
• Identification of fraud of any magnitude on the part of senior management
• Identification of a material misstatement
• Restatement to reflect correction of a misstatement
At Least “SD”:
• Period-end financial reporting process: procedures used to enter transaction totals into the G/L, journal entries, and recurring and non-recurring adjustments to the F/S
• Antifraud programs and controls
• Non-routine and non-systematic transactions
• Selection and application of accounting policies
Remediation
Remediation is simply the process of fixing a deficiency associated with the design or operating effectiveness of a control activity.
Sample Remediation Activities
Design Deficiency
• Improve controls that have “fixable” design deficiencies
• Implement new controls when the design deficiency is too substantial to be repaired
• Implement new controls when there are no controls in place
Operating Deficiency
• Communicate to the individual responsible for testing the control that he or she must perform the test
• Oversight to ensure that the control is tested in the future
Remediation Challenges
• Effective Decision & Governance Process
• Complex Program Management Initiatives
• Significant IT Environment Changes
• Impact on Human Resources
• Complex Re-testing, Roll-Forward Testing Activities
• Overall Need for Best Practices
Taking Action - Remediation Questions to Consider
1. Have you developed a process for classifying control deficiencies?
2. Have you allotted sufficient time to remediate material weaknesses and significant deficiencies prior to year-end?
3. Have you identified resources to assist in remediation controls in technical areas?
4. What is the status of gap analysis?
5. Do you have a process to identify, classify and prioritize gaps and manage your remediation effort?
6. Do you have sufficient skill sets, knowledge bases, etc. to adequately develop and implement solutions to gaps?