Controls Compliance – Rounding the Turn
The Institute of Internal Auditors, September 14, 2004
Ed Dudley, CIA, CPA, Retired Vice-President & General Auditor, ABB Americas
Agenda
• Introduction & Key Issues for Today – Ed Dudley
• SOX Lessons Learned – Dan Langer
• Integration of SOX 302 and 404 – Brian Appleton
• SAS 70 Considerations for SOX 404 – Nathan Prather
• Break
• Q & A
• Summary of Main Points – Ed Dudley
Key Controls Compliance Issues for Today
• Approach to convergent regulatory challenges
• Process improvements
• Technology infrastructure enhancements
• Improvements in leadership
• Inventorying in 302/404
Key Controls Compliance Issues for Today (continued)
• Role clarifications in SOX 302/404
• Software utilization in SOX 302/404
• Resource issues in SOX 302/404
• Inventorying service organizations/specialists in SAS 70
Key Controls Compliance Issues for Today (continued)
• Understanding/Evaluating Significance in SAS 70
• Evaluating Evidence in SAS 70
Controls Compliance – Rounding the Turn
SOX Lessons Learned
Daniel B. Langer, CPA, CIA, CCSA, Solutions Director, Internal Audit and Controls, Jefferson Wells International
10-Step Program for Clarity and Sustainability
• Four main categories
– Efficient and better organized approach to convergent regulatory challenges
– Process improvements
– Technology infrastructure enhancements
– Leadership improvements
• Helpful reference resources
10-Step Program for Clarity and Sustainability
1) Established post-404 compliance infrastructure
– Improved/strengthened internal audit department
– Full-time/dedicated ongoing compliance team, Steering Committee, and external resources where appropriate
– Formally trained process owners
– Instituted ongoing risk-assessment strategy
– Established desk-top procedures and sub-process “certifications”
10-Step Program for Clarity and Sustainability
2) Beware of “too many” internal controls
– Excessive detail when documenting internal controls
– Try to replace multiple ineffective controls with one effective control
3) Excessive detail when documenting internal controls
– Use external auditor formulas as a guide
– Evaluate as the attestation process progresses
10-Step Program for Clarity and Sustainability
4) Strive for the right “Tone at the Top”
– Focus
– Direction
– Top management commitment to good governance-related control compliance
– Proactive education and awareness
5) Side-step confusion related to IT and internal controls
– Assess system access controls as users are promoted, transferred, or leave the company
– Properly define and document SOX-related controls (not all IT controls)
10-Step Program for Clarity and Sustainability
6) Make the right compliance software investment
– To date quality has been spotty, has not met organization needs, and/or implementation resources have been inadequate
– Revisit as “sustaining organization needs” are defined
10-Step Program for Clarity and Sustainability
7) Manage external auditor demands
– Avoid time-consuming attestation reviews
– Ensure they provide proper resources on your reviews
– Manage expectations/establish position
  • Materiality levels
  • Key accounts
  • Number of controls
10-Step Program for Clarity and Sustainability
8) Address external service provider key controls
Focus:
– Strength of service provider
– Adequacy of documentation
– Pooled review with other “customers”
9) Consider compliance in the context of governance and risk management
– Ongoing process of enterprise-level risk assessment
10-Step Program for Clarity and Sustainability
10) Properly staff the Internal Audit function
– Proper mix of industry, financial, operational, and technology practice experience and expertise
So, how best can Internal Audit effectively participate in improving the reporting process towards better governance and sustainable control compliance?
Internal Auditors’ Role
• Educate all levels about controls
• Ongoing assessment of the “Tone at the Top”
• Facilitate Board, key management, and external auditor involvement in communication of strengthened control expectations
• Provide objective and independent participation in the controls documentation, testing and assessment process
• Analyze and evaluate causes of company-wide non-compliance issues, both systemic and isolated
• Conduct regular KPI monitoring
• Facilitate cost-beneficial design modifications to achieve control
• Evaluate effectiveness of corrective actions on an enterprise-wide basis
Internal Auditors’ Role
• Ask yourself “good questions” *
– Would you have prepared the financials in the same manner?
– Was there full disclosure had you been an investor?
– Are internal audit procedures the same as if you were CEO?
– Are there any activities to move revenue or expenses from period to period?
* Warren Buffett, Berkshire Hathaway
Governance Organizations
• www.theiia.org – Institute of Internal Auditors
• www.pcaobus.org – Public Company Accounting Oversight Board
• www.coso.org – Committee of Sponsoring Organizations
• www.nyse.com – New York Stock Exchange
• www.nacdonline.org – National Association of Corporate Directors
• www.issproxy.com – Institutional Shareholder Services
• www.ecgi.org – European Corporate Governance Institute
• www.icgn.org – International Corporate Governance Network
• www.asx.com.au/ – Australian Stock Exchange
• www.oecd.org – Organization for Economic Co-operation and Development
• www.ifac.org – International Federation of Accountants
• www.icaew.co.uk – Institute of Chartered Accountants in England and Wales
• www.oceg.org – Open Compliance and Ethics Group
Integration of SOX 302 & 404
Brian T. Appleton, CIA, MBA, CDP, Director of Internal Audit, National Penn Bancshares
This is the Time
– Take an inventory
– Budget considerations
– Role clarification
– Software utilization
– Human resources
– Integration
Take an Inventory
• Review SOX 302 & 404 methodology
• Overlay risk-based work with SOX 302 & 404 work
• Full consideration to SOX 302 & 404 in annual risk analysis
• Minimum: tentative 2005 audit plan
Budget Considerations
• Schedule resource needs
• Do not understate resource needs
• Educate Audit Committee, CEO, and Executives on needs
• Manage your resource network
Role Clarification
• Identify roles for ongoing Sarbanes-Oxley compliance. Include other company initiatives in the matrix; these may include CSA or ERM.
• Consider forming a transition team
• Revisit your resource needs calculation and encourage management to do the same.
Software Utilization
• Business need or purpose
• Tracking
• Maintenance
• Infrastructure compatibility
• Cost benefit
• Implementation plan
Human Resources
• Leadership
• Continual improvement
• Staff development
• Customer satisfaction
• Audit results
• Key performance indicators
• Standards
Integration
• Range of integration varies
• What are other companies doing?
Summary
– Inventory and integrate
– Revisit software support
– Develop HR, elevate standards
Evaluating Third Parties: SAS 70 Considerations for SOX 404
Nathan Prather, Manager, Audit and Enterprise Risk Services, Deloitte & Touche LLP
Agenda
Evaluating Third Parties:
• Step 1: Prepare inventory of service organizations and specialists
• Step 2: Gain understanding/evaluate significance
• Step 3: Obtain evidence
• Step 4: Concluding
SAS 70 Issues and Considerations
Q&A
Step 1: Prepare Inventory of Service Organizations and Specialists
• Identify third-party involvement in relevant processes which involve the use of service providers and specialists
• Definitions:
– Service organization: An entity that provides services to a user organization that are part of the user organization’s information system
– Specialist: A person (or firm) possessing special skill or knowledge in a particular field…
Step 1: Prepare Inventory of Service Organizations and Specialists – Summary

| | Evaluate user controls? | Evaluate third-party controls? |
|---|---|---|
| Service organization | Yes | Yes, if relevant |
| Specialist | Yes* | No |

*Specialist key considerations:
• Evaluate the competence of the specialist
• Understand nature and scope of the work performed
• Key control considerations:
  • Appropriateness of methods and assumptions
  • Accuracy and completeness of data provided
  • Reasonableness and recording of the results
Step 2: Gain Understanding/Evaluate Significance
• Gain an understanding of the service organization process flows and controls
– Review SAS 70 or perform a walkthrough of the service organization
• Gain an understanding of the user organization process, controls and monitoring activities
• Conclude whether service organization activities and controls are necessary to achieving user control objective(s)
Step 2: Gain Understanding/Evaluate Significance (continued)
• When are user controls alone sufficient?
– If the control performed by the service organization were not outsourced, would the control be necessary to achieving a control objective(s)?
– Detective/monitoring controls at the user organization should operate at an appropriately detailed level to conclude that a control objective is met
Step 3: Obtain Evidence
Determine if the scope of the SAS 70 is appropriate
• Type 1 SAS 70 addresses design of controls
• Type 2 SAS 70 addresses design and operating effectiveness of controls
• Map controls at the service organization to risks and control objectives for the user organization
– Business process controls
– Information technology controls
Step 3: Obtain Evidence (continued)
Determine if the nature and extent of testing is appropriate
• Treatment of user controls identified in the SAR
– Determine relevance
– Test relevant controls
• Determine if the period of coverage is appropriate
– Cover a sufficient period to conclude the controls are operating effectively
  • Depends on the frequency and nature of the controls
  • Evaluate the need to update or “roll forward”
Step 4: Concluding
• Read the conclusions within the SAS 70 for qualifying language
– The service auditors’ opinion section
• If exceptions are noted in the SAS 70
– Evaluate the impact of the deficiency to the user organization
  • Quantitative and qualitative aspects
  • Consider compensating controls
– Make inquiries of the service organization
SAS 70 Issues & Considerations
• What if the service organization will not provide access to obtain evidence directly or a suitable SAS 70?
– Current thinking:
  • SEC precludes management from qualifying their report
  • If management can’t get a SAS 70, management will need to perform procedures at the service organization
  • If management is unable to access the service organization, they need to be able to demonstrate that user controls alone are sufficient
  • If user controls are then insufficient, management will need to determine if they have a deficiency in their control environment
SAS 70 Issues & Considerations
• What if the service organization will not remediate exceptions?
– Management will need to install mitigating user controls
Q & A
Summary of Main Points
• Establish a post-404 compliance infrastructure
• Consider the possibility of “too many” internal controls
• Beware of excessive documentation detail
• Side-step confusion related to IT & internal controls
Summary of Main Points (continued)
• Make right compliance software decisions
• Manage external auditor demands
• Compliance should be considered within the needs of governance & risk
• Inventory & integrate work within SOX 302/404
Summary of Main Points (continued)
• Revisit Software Support for SOX 302/404
• Strive for Continual Improvement within SOX 302/404
• Identify Third Party Involvement & Processes for Possible SAS 70
• Understand Service Organization’s Process Flow & Controls
Summary of Main Points (continued)
• Understand user organization’s process flows, controls & monitoring
• Determine appropriate scope of SAS 70 (Type 2 for both design & operating effectiveness)
• Evaluate impact of deficiency in any exceptions from SAS 70 performed
Get Your CPE Certificate
If you are a primary Webcast participant:
• If you view the live Webcast, you should be receiving your CPE certificate via email today.
• You can also view the certificate in your account. Just log in and hit the “CPE” button.
• If you are viewing the archived Webcast, you will have to take the corresponding quiz, which you will find in your webcast account.
If you are not the primary participant but will be viewing the Webcast:
• Additional viewers may obtain CPE for a $15 administrative fee per additional viewer per Webcast. Register online at http://www.auditlearning.org.
October 12, 2004: “Quality Assurance”
Webcast Evaluation: visit the login page.