SOX Compliance - 2013
• SOX
• Section 302 Certification
• Ernst & Young Fees & Hiring EY staff
SOX
WHAT IS SOX?
The Sarbanes–Oxley Act is a federal law that requires public companies to set up an internal system of control in order to:
• Reduce the potential for fraud
• Ensure that financial statements are accurate
• Have top management certify the above
• Protect investors through the actions above
• Restore faith in public markets
WHAT IS A KEY CONTROL?
A key control is a control that provides reasonable assurance that material errors will be prevented or detected in a timely manner.
SOX – KEY CONTROLS
VeriFone has identified 11 key process cycles:
1) Entity Level Controls
2) Order to Cash
3) Procure to Pay
4) Inventory
5) Fixed Assets
6) Payroll / HR
7) Financial Statement Close Process (FSCP)
8) Information Technology
9) Tax
10) Treasury
11) Equity
SOX – ENTITY LEVEL CONTROLS
Entity level controls are internal controls that help ensure management directives pertaining to the entire entity are carried out.
These are VeriFone’s code of conduct policy, governance (board and committees of the board oversight), authority and responsibility (authority matrix and 302 certifications), hiring practices (background checks), and fraud prevention and detection controls (ethics hotline).
REMINDERS:
• We have ZERO tolerance for unethical behavior and fraud. We have an ethics hotline you can call: +1-888-719-1218.
• Accounting records should be properly supported.
• You are responsible for reading and understanding all our policies.
CONTROLS – ENTITY LEVEL CONTROLS
Key Controls (20):
• Policies and Procedures
• Code of Ethics
• Whistleblower Process
• Authorization Matrix
• Background checks
• Operating plan
• Internal Audit function
• Budget to Actual
• Audit comments are addressed
Requirements:
• Knowledge of code and reporting process
• Performance of background checks
• Following the operating plan
• Responding to auditors
Common Issues:
• Not following policy
• Not signing code of ethics acknowledgment
• Legal/practical difficulties with background checks
• No timely response to auditors
CONTROLS – ORDER TO CASH
Key Controls (21):
• Bad Debt Reserve is reviewed and approved
• AR adjustments are reviewed and approved
• Revenue is recognized as per policy
• Invoice data interfaces are monitored
• Quarterly revenue cutoff is performed
Requirements:
• Specific and General reserve
• AR adjustment matrix
• Revenue Recognition policy
• Logs/exceptions
• Any non ex-works shipping terms must be reviewed
Common Issues:
• Documentation inadequate
• Not running or retaining exception reports
• Not performing cutoff entirely
CONTROLS – PROCURE TO PAY
Key Controls (12):
• Accruals are recorded
• 3-way match
• Manual accruals are reviewed and approved
• Invoices are supported and approved
• GL coding is accurate
Requirements:
• All significant contingencies must be disclosed
• All unprocessed invoices at period end must be reviewed
• Non-inventory invoices have to be approved prior to entry
Common Issues:
• Invoice audits are not performed
• Coding to wrong GL account
• Not all accruals are recorded
• Not all contingencies are disclosed
CONTROLS – INVENTORY
Key Controls (22):
• Cycle/Physical counts results are reviewed and approved
• Doc Walk is performed
• CM liability is approved by each controller
• Warranty reserves are reviewed and approved
Requirements:
• Cycle count policy
• Last 5 / First 5
• All liabilities with CM must be included
• Warranty reserve calculation
Common Issues:
• Adjustments not documented or approved
• Doc walk is not done or evidence is lacking
CONTROLS – FIXED ASSETS
Key Controls (4):
• Additions, disposals and depreciation are recorded based on policy
Requirements:
• All additions should be supported
• All disposals must use a disposal form
• Depreciation should be calculated by system and verified
Common Issues:
• Disposals not approved
• Incorrect in-service dates of assets
• Depreciation calculated wrong
CONTROLS – FINANCIAL CLOSE PROCESS
Financial Statement Close Process Key Controls (22):
• Flux analysis of actual results is performed via conference call
• 302 Certifications are completed
• All BS accounts are reconciled timely
• All Manual JE are reviewed and approved
Requirements:
• Significant variances must be investigated and explained
• CEO and CFO are required to sign before filing
• Timely = before date noted on closing calendar
• Reconciled = entire balance explained
• Reviewed = determined the item is correct
• Approved = signature or email
Common Issues:
• Insufficient explanations
• Inadequate disclosures
• Items are not accurate
• Late/No approval
• Items in reconciliation not included with reconciliation
• Approval inadequate
Shared Controls:
• AR
• AP
• Deferred Revenue
• Inventory
• Fixed Assets
CONTROLS – PAYROLL
Key Controls (6):
• Commissions are approved by Regional Controller
• New employees are approved
• Payroll reports monitored for unusual activity
Requirements:
• Review and documentation of approval for commission calculation
• Approval of any new employee prior to adding to payroll
• Must compare current payroll expense to prior
Common Issues:
• Improperly documented payroll reconciliation
• No approval for new hire
CONTROLS – ITGC (INFORMATION TECHNOLOGY GENERAL CONTROLS)
Key Controls (13):
• ERP – Oracle System Controls
• User access approval
• Segregation of Duties
Requirements:
• Although these are system related, in many instances there are manual parts of the control
Common Issues:
• Relying on system while not performing manual portion of control
• Relying on system, when underlying is not system controlled or does not include all instances
SOD (SEGREGATION OF DUTIES) CONFLICTS
SOD conflicts exist because of incompatible duties that a single person or group of persons may have, which elevates the risk associated with potential fraudulent activity.
SOD reviews are performed in each location to identify SOD conflicts and mitigate them through approved testing.
Each location will identify conflicting activity and perform tests to mitigate the risk associated with the underlying SOD conflict.
SOD conflicts are based on 9 policies:
Policy Number    2012 Policy Name
P01              AR Customers Credit and Sales Orders
P03              AP Invoices/Expense Reports and AP Vendors
P04              AP Invoices/Expense Reports and Purchase Orders
P05              AP Payments and AP Invoices/Expense Reports
P06              AR Invoices and AR Customers Credit
P07              AR Invoices and AR Cash Receipts
P09              Purchase Orders and AP Payments
P10              Purchase Order and Purchase Order Receipts
P13              Ship Confirm and Sales Orders
CONTROLS – TAX
Key Controls (10):
• Tax JE are approved by VP of Tax
• Tax positions or events in each jurisdiction are reported
Requirements:
• Unusual events triggering tax planning should be reported
Common Issues:
• Not reporting events or disregarding tax strategies
• Potential adjustments from local tax audits disclosed too late
CONTROLS – TREASURY
Key Controls (7):
• Borrowing policy
• Investments are periodically evaluated
• Loan covenants are monitored
• Hedging strategy is reviewed and approved prior to execution
Requirements:
• All financing is subject to borrowing policy
• Investments must be monitored
• Everyone is responsible for covenant compliance
• Hedging should be approved
Common Issues:
• Not aware of policy restrictions
• Misclassification of investments
• Not being aware of covenants
CONTROLS – EQUITY
Key Controls (7):
• Equity awards are approved
• Grants are reconciled to 3rd party data
• Cancellations, vesting, etc. are monitored
• Proper expense is recorded
Requirements:
• All new plans must be approved
• All grants must be recorded and approved
Common Issues:
• Communicating grants without authorization
• Not terminating grants timely in system
VERIFONE SYSTEMS, INC. - WORLDWIDE 404/SOX PROCESS OWNER LIST AS OF JANUARY 2013
CORP/WW CORP/WW CORP/WW CORP/WW
KEY SOX FUNCTION Global Process Owner SUB/OWNER KEY SOX FUNCTION Global Process Owner SUB/OWNER
OVERALL INTERNAL CONTROL COMPLIANCE SAGIT MANOR OMAR PEREZ
FSCP - SEC BARBARA MCKEE PROCURE TO PAY - AP&DISB. ROGER KENT B REPOLLO
FSCP - M&A SUZANNE COLVIN PROCURE TO PAY - PURCHASING SEAN O'CONNOR JIM HUFF
FSCP - FP&A JIM JOHNSON WHITNEY NGUYEN PROCURE TO PAY - RECEIVING DAVE MANGELSDORF DAVID GRANTHAM
FSCP - CLOSE THE BOOKS
FSCP - CONSOLIDATION
TAX *
FIXED ASSETS/DEPRECIATION SAGIT MANOR ROGER KENT TAX - CORPORATE PROVISION LYNDA HAUSWIRTH ROSE ROACHELL
CAPITALIZED SOFTWARE DEVELOPMENT JIM JOHNSON GOPINATH GOLLAPUDI TAX - INTERNATIONAL LYNDA HAUSWIRTH ROSANNA LEE
TREASURY*
INVENTORY MGMT DAVE MANGELSDORF TREASURY - CASH RECONCILIATIONS DOUG REED SAGIT MANOR
INVENTORY COSTING CINDY DIERKEN TREASURY - CASH MGMT DOUG REED
INVENTORY EXCESS / OBSOLESCENCE RESERVES ALASDAIR RENDALL TREASURY - BORROWING/HEDGING
WARRANTY RESERVES PAUL COCCOVILLO
CONTRACT MANUFACTURING LYNN WONG
ORDER TO CASH - ORDER MGMT PAYROLL PROCESSING DAWN LAPLANTE ANN CLEARKIN / MANDY JEFFERY
ORDER TO CASH - AR/CASH RECPT OTHER COMPENSATION (bonus, separation, etc.)
ORDER TO CASH - AR RESERVES
ORDER TO CASH - REVENUE SUZANNE C. MANDIE HA
ORDER TO CASH - DEFRD REVENUE SUZANNE C. FAIZA RAHIM EQUITY DAWN LAPLANTE CAROLYN BELAMIDE
INCENTIVE COMPENSATION - COMMISSIONS
REGIONAL CONTROLLER & EXECUTIVE MGMT.
REGIONAL CONTROLLER & EXECUTIVE MGMT.
ORDER TO CASH - SHIPPING/RMAs DAVE MANGELSDORF DAVID GRANTHAM ITGC - CHANGE MGMT. WAYNE CHINGRAY NIGHTINGALE
VIVEK SETH
ITGC - ACCESS/SECURITY/ APPLICATION
ITGC - DATA CENTER
FINANCIAL STATEMENT CLOSE PROCESS (FSCP) *
SUZANNE COLVIN
SAGIT MANOR OSNAT LEVY
LAURA WEISS
PROCURE TO PAY PROCESSES *
PAYROLL AND INCENTIVE COMPENSATION *
EQUITY AND STOCK ADMINISTRATION *
INFORMATION TECHNOLOGY GENERAL CONTROLS *
CAPITALIZED ASSETS *
INVENTORY / SUPPLY CHAIN *
JOCHEN VOGT
ORDER TO CASH PROCESSES *
TIM MUSCO
SOX – KEY CONTROLS TESTING
Key controls testing is determined by the frequency of the control. Our current planned testing timetable is as follows:
For legacy entities:
• Phase 1 in May to July for transactions from November to May;
• Phase 2 in September to October for transactions from June to August;
• Phase 3 in November for transactions from September to October.
For Point entities:
• Phase 1 in August to September for July transactions;
• Phase 2 in September to October for transactions from August to September;
• Phase 3 in November for transactions in October.
A control is not a deficiency at year end if it has been working before October 31, 2013 for the following period, by control frequency:
• Annual – Once;
• Quarterly – Last 2 quarters;
• Monthly – Last 2 months;
• Weekly – Last 5 weeks; and
• Transactional – Last 25 transactions
SOX – SOX DEFICIENCIES ASSESSMENT
• If a key control has not been working for the minimum period immediately prior to year end, then it is considered a deficiency.
• Deficiency assessment starts with determining whether there is a possibility that the deficiency might result in an error.
• If there is a reasonable possibility, then we need to identify the magnitude of the potential error.
• The quantitative and qualitative factors are considered to determine if it is a material, significant or control deficiency.
• SOX requires that we look at the potential error that could result from the key control not working. If there was an error of $2K in a reconciliation of $200 million, SOX requires us to start the assessment at $200 million. We have to ask the local finance team what factors or other key controls will help us reduce the risk of an error of the entire $200 million.
SECTION 302 SUB-CERTIFICATION
Under Section 302(a) of the Sarbanes–Oxley Act, VeriFone’s CEO and CFO are required to make certain certifications regarding the presentation of the financial statements.
After the close of each quarter, designated members of VeriFone management are sent representation letters for review, signature and explanation. Any exceptions in the representations are noted in a memo that is addressed to VeriFone’s CEO and CFO.
The sub-certification process provides assurances to the CEO and CFO so they can make the appropriate certifications.
ERNST & YOUNG FEES & HIRING EY STAFF
Our auditor, Ernst & Young (“E&Y”), has to be independent from VeriFone.
VeriFone cannot engage E&Y or anyone related to E&Y to perform any work without the approval of VeriFone’s audit committee. Please submit any request through the Corporate Controller. There are NO EXCEPTIONS.
This includes hiring any E&Y staff or their family members.
Q&A