oscpa webinar sox change readiness

Petra Learning LLC

SOX Nimbleness

“How Responsive is Your SOX Program

September 10, 2012

7/17/2013 Proprietary and Confidential

Page

1

Purpose and Objectives

Purpose: Inform and Equip

Objectives:

Explore the attributes of a responsive

SOX Program

Provide an assessment tool that can be

used to evaluate current SOX programs


Agenda


Discussion Topic

SOX Current State 5 minutes

Attributes of a Responsive SOX Program

1) Polling Questions (3)

2) Self-Assessment Tool (Summary Slide)

40 minutes

Call to Action 5 minutes

SOX Current State

We’ve Enjoyed a Relatively Static Environment

◦ Changes mainly related to SOX optimization.

◦ Limited impact on personnel, operations, and technology from accounting standards.

◦ Limited publicity or press related to SOX failures. Limited impact of disclosing deficiencies, material weaknesses, or having restatements.

SOX redesign is not a palatable undertaking for most

◦ Programs aren’t overly flexible

◦ Heavy on documentation, numerous very specific and detailed controls


“SEC Sanctions Direct Edge Electronic Exchanges and Orders

Remedial Measures to Strengthen Systems and Controls”

Responsive SOX Program Attributes

Overall characteristics you should strive for in your SOX program

Dynamic – ability to evolve; to reinvent their business model to achieve or maintain an advantage

Integrated – to make into a whole by bringing all parts together; unify; combining or coordinating separate elements so as to provide a harmonious, interrelated whole

Comprehensive – covering completely or broadly; dealing with all or many of the relevant details

Well Understood – widely or sufficiently understood or comprehended


Question # 1 and 2: Dynamic


1. How frequently is the design of controls (not the effectiveness) evaluated?

2. What triggers reevaluation of your design of controls?

Why this matters

Numerous accounting changes upcoming some of which allow for early adoption; most of which will require significant operational changes

Potential overlapping implementation dates means multiple projects may occur simultaneously.

What could you do to get ahead of this?

Polling Question # 1

To what extent would you agree that process and control owners within your company have a sufficient understanding of the difference between design effectiveness and control effectiveness?

a) Strongly agree

b) Somewhat agree

c) Somewhat disagree

d) Strongly disagree


Question 3: Dynamic3. How well do you understand and how easily can you identify the interdependencies between controls?

Why this matters

As sub-processes and their related controls are changed you need to be able to quickly assess the impact on the rest of your control environment.

Some areas are not as obvious, for example automated controls such as edit checks or comparisons / thresholds.



Question 4: Integration4. Do you have a good linkage between accounting information and supporting IT systems (in the broadest sense)?

Why this matters

Ability to identify information that may come from a system that is not currently in-scope or subject to the same IT environment.

Ability to flag information that comes from spreadsheets that will need revised so that you become more sensitive and focused on spreadsheet errors during the change period.

Ability to trace info to key databases and flags that will go through significant change.



Question 5: Integration5. How you assess other components of the control environment during this change period?

Why this matters

Qualifications of accounting personnel

Financial expertise of Audit Committee and especially Audit Committee Chair

Information and communication processes around changing accounting policies and processes

Disclosure committee and risk committee

What could you do to get ahead of this?7/17/2013 Proprietary and Confidential

Page

10

COSO FrameworkCurrent framework prior to revision expected to be issued final 1Q2013.


Page

11

COSO Releases

Thought Paper on

Enhancing Board

Oversight by Avoiding

and Challenging Traps

and Biases in

Professional Judgment

Polling Question # 2Evaluating the control environment and allowing this evaluation to influence the design and testing of transactional level controls has been a challenge in many SOX programs. What level of linkage have do you believe that you’ve been able to obtain between the control environment and transactional level controls?

a. Strong linkage – our control environment assessment directly influences our control effectiveness assessment

b. Partial linkage – our control environment assessment may impact our level of testing but does not impact our assessment of control effectiveness

c. No linkage – assessments are completely independent of each other; identified issues are addressed separately.


Page

12

Question 6: Comprehensive6. Do you have a systematic process for analyzing specific

scoping and materiality nuances?

Why this matters

Impact of adoption could be a material amount though the account itself is not material. Is reliance upon an entity-level control sufficient to catch these material items?

Some processes may feed into significant new disclosures though they are more operational in nature. Will those get added into scope and how would be responsible for assessing (ICOFR, IA)?

Some locations may not have been significant in the past but may contribute heavily to leases that will suddenly be on the balance sheet or to other new accounts.

What could you do to get ahead of this?7/17/2013 Proprietary and Confidential

Page

13

Question 7: Comprehensive7. Is your SOX process sensitive enough to detect:

a. material changes in assumptions even if the balances themselves do not fluctuate significantly?

b. Changes in assumptions that should’ve occurred but did not?

Why this matters

Underlying assumptions of material estimates are still an area of concern that continues to cause restatement. This risk will increase as new accounting standards are issued.



Page

14

Question 8: Understood8. How well do you understand and how easily can you identify the interdependencies between controls?

Why this matters

As sub-processes and their related controls are changed, you need to quickly assess the impact on the rest of your control environment.

Areas where interdependencies may not be as obvious include automated controls like edit checks or comparisons / thresholds.



Page

15

Polling Question # 3

Have you previously evaluated your

SOX program from a responsiveness

view?

a. Yes

b. No


Page

16

Self-Assessment ChecklistCriteria Yes No Ref

1. How frequently is the design of controls (not the effectiveness)

evaluated?

2. What triggers reevaluation of your design of controls?

3. How well do you understand and how easily can you identify the

interdependencies between controls?

4. Do you have a good linkage between accounting information and

supporting IT systems (in the broadest sense)?

5. How you assess other components of the control environment during

this change period?

6. Do you have a systematic process for analyzing specific scoping and

materiality nuances?

7. Is your SOX process sensitive enough to detect:

a. material changes in assumptions even if the balances themselves

do not fluctuate significantly?

b. Changes in assumptions that should’ve occurred but did not?

8. How well do you understand and how easily can you identify the

interdependencies between controls?


Page

17

Call to Action

Evaluate your SOX program flexibility as you wrap-up your 2012 testing and plan for 2013.

Consider querying your employees on their understanding of the design of controls

Consider your approach for keeping employees engaged and informed on accounting changes.


Page

18

oscpa webinar sox change readiness

Business