IIA Northwest Metro Chicago Chapter

Practical Approach to SOX

August 26, 2014

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.


Agenda

■ SOX Control Trends (PCAOB Audit Findings)

■ COSO Impact on SOX

■ Top 10 List of Considerations

■ Driving an Efficient and Cost Effective Solution: Finding the Right Balance

SOX Update: PCAOB Findings to Consider in Your SOX Program


SOX – PCAOB Inspection findings

The PCAOB has observed a significant increase in inspection comments in the area of auditing Internal Control Over Financial Reporting (ICOFR), revealing the need for focus by both management and the auditor. The comments concentrate on three areas:

• Identifying and testing relevant controls

• Testing management review controls (MRCs)

• Inappropriate reliance on ITGCs

Focus on ICOFR is increasing, as seen from the year-over-year comparison of comments below (excluding ITGC):

Year            Total comments
2012 (to date)  89
2011            46
2010            9

Significant areas of audit performance improvement over ICOFR testing include the control testing, risk assessment, ITGC and management review control themes on the following slides.


PCAOB Implications to SOX Environment: Control Testing Themes

• Documentation: walkthrough of individual controls rather than walkthrough of a transaction through the issuer’s processes

• Key Controls: failure to identify and test key controls associated with all relevant assertions over all significant accounts

• Risk Assessment: inappropriate risk assessment of relevant controls (a lower risk of failure assigned than the control warrants)

• Control Deficiencies: failure to identify control deficiencies or to appropriately evaluate their severity, and failure to evaluate the impact of control deficiencies on the financial statement audit approach

• Substantive Testing: inferring operating effectiveness of a control from the absence of misstatements detected by substantive procedures


PCAOB Implications to SOX Environment: The Importance of the Risk Assessment

Performing a risk assessment as part of your SOX program is an important step that allows management to focus on:

• identifying relevant (key) controls

• testing controls associated with all relevant assertions over all significant accounts

The risk assessment works through four questions:

• Financial Statement Line Item Analysis: do we have the right materiality/qualitative factor coverage?

• Location Analysis: what locations are in scope and what coverage is provided?

• Financial to Process Mapping: are all key accounts mapped to processes in scope?

• Process to Location Mapping: are the right processes covered at each location?


PCAOB Implications to SOX Environment: ITGC Themes

• IT Dependent Controls: manual controls that may depend on IT general controls to operate effectively (e.g., controls dependent on IT functionality, computer-generated exception reports)

• Infrastructure: relevant technology infrastructure controls designed to help ensure the completeness, accuracy, and availability of technology processing

• Flow of Data: understanding the flow of transactions from initiation to recording and reporting

• Access: consideration of “super user” access and how it is controlled, timely evaluation of instances of non-compliance, and controls in place to monitor user activities

• Use of Third Parties: third parties with an impact on financial reporting, controls in place to review third-party information, required SOC 1 reports, and consideration of the complementary user entity controls those reports assume


PCAOB Implications to SOX Environment: Management Review Control Themes

• Specificity of Scope/Precision: defining materiality/significance and including thresholds

• Specificity of Review: including comprehensive details of what the reviewer looks for during the review and defining what constitutes an outlier/exception

• Exceptions: follow-up on variances, inconsistencies, and outliers (e.g., retain emails to evidence follow-up and resolution)

• Physical Evidence: physical evidence of the performance of a control is required

• Information Provided by Entity (IPE): management validation of the completeness/accuracy of data and reports used in the performance of controls


Possible Resulting SOX Efforts

■ More controls in scope (e.g., unique transactions)

■ Additional documentation required

■ Enhanced walkthroughs – control and process

■ Additional testing over completeness and accuracy of information

■ Increased documentation retention of management 404 efforts

■ Enhanced deficiency evaluation documentation

Internal Control Framework (COSO) Impact on SOX


Internal Control Framework: COSO

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control – Integrated Framework in 2013. The update included the following changes, which have had an impact on SOX for some organizations:

■ Considers changes to the business environment over the past 20 years (including resource competence)

■ Enhanced governance

■ Extended coverage and applicability beyond financial reporting (IT)

■ Improved risk assessment practices

■ Enhanced adaptability to change and varied business models

The COSO 1992 Framework remains available until December 15, 2014, after which it is superseded by the 2013 Framework.

Top 10 List of Considerations to Develop an Effective SOX Program


Key Considerations for Effective SOX Testing – “Top 10 List”

1. Implement monitoring controls

2. Refine management review controls

3. Perform month-end reconciliations

4. Restrict access to key systems

5. Identify SOD conflicts

6. Ensure accuracy of system interfaces

7. Consider completeness and accuracy of reporting

8. Update policies and procedures (DOA)

9. Consider key applications used for financial reporting

10. Retain documentation and evidence your review

Two themes frame the list on the original slide: Coordination with External Auditor, and Training and Effective Oversight.


Key Considerations for Effective SOX Testing

1. Implement Monitoring Controls

Implement controls for high-risk areas/accounts that give management a monitoring mechanism for assurance that financial reporting information is appropriate, appears reasonable, and is consistently evaluated.

2. Refine Management Review Controls

For management review controls, establish thresholds for what you are reviewing, define review criteria, and retain support for how you resolve variances and how you complete your review.

3. Perform Month-End Reconciliations

Reconciliation controls are key in substantiating financial reporting results and are often relied on for key/high-risk accounts. Reconciliations should be documented, include supporting documentation, and evidence that the preparer and the reviewer are different people.

4. Restrict Access to Key Systems

Appropriately restricting access to key systems ensures that only authorized individuals have access to key financial data and may prevent unauthorized transactions and financial misstatements.

5. Identify SOD Conflicts

SOD conflicts should be identified so that compensating manual controls can be put in place where automated segregation is not possible, and so that management can segregate control activities effectively.
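Items 4 and 5 above, together with the “super user” point under the ITGC access theme, come down to one recurring review: take the role-assignment extract from the financial system, test every user against a conflict matrix, and separately list anyone holding an all-access profile. The script below is an added illustration of that review, not code from the presentation or from KPMG; the users, role names (AP_INVOICE_ENTRY, SAP_ALL and so on), conflict pairs and compensating controls are hypothetical. It treats an all-access profile as holding every role in the matrix, since such a profile inherits every conflict even though it appears as a single role in the extract.

```python
"""SoD conflict and privileged-access review over a role-assignment extract.

Added illustration for this page; users, role names and the conflict matrix
are hypothetical, not taken from the presentation or any real ERP.
"""
from collections import defaultdict

# Constructed sample access-review extract: (user, role) pairs.
ASSIGNMENTS = [
    ("alice", "AP_INVOICE_ENTRY"),
    ("alice", "AP_PAYMENT_RELEASE"),      # enters invoices and releases payments
    ("bob",   "GL_JOURNAL_POST"),
    ("bob",   "GL_JOURNAL_APPROVE"),      # approves own journals
    ("carol", "VENDOR_MASTER_MAINTAIN"),
    ("dave",  "AP_INVOICE_ENTRY"),
    ("dave",  "SAP_ALL"),                 # hypothetical all-access profile
    ("erin",  "GL_JOURNAL_POST"),
]

# Conflict matrix: role pairs one person must not hold together, each with the
# compensating manual control management relies on where the system cannot
# enforce the split.  Hypothetical names.
CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}):
        "AP manager reviews payment run against approved invoices",
    frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}):
        "Controller reviews journals posted and approved by the same user",
    frozenset({"VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"}):
        "Vendor master change report reviewed monthly by AP manager",
}

# Profiles that grant everything; treated as holding every role in the matrix.
SUPER_USER_ROLES = {"SAP_ALL", "SYSADMIN"}


def roles_by_user(assignments):
    """Group the flat extract into {user: set(roles)}."""
    grouped = defaultdict(set)
    for user, role in assignments:
        grouped[user].add(role)
    return dict(grouped)


def effective_roles(roles, conflicts=CONFLICTS, super_roles=SUPER_USER_ROLES):
    """A super-user profile implies every role the conflict matrix knows about."""
    if roles & super_roles:
        return roles | set().union(*conflicts)
    return roles


def find_sod_conflicts(assignments, conflicts=CONFLICTS, super_roles=SUPER_USER_ROLES):
    """Return [(user, (role_a, role_b), compensating_control)], sorted by user."""
    findings = []
    for user, roles in sorted(roles_by_user(assignments).items()):
        held = effective_roles(roles, conflicts, super_roles)
        for pair, control in conflicts.items():
            if pair <= held:
                findings.append((user, tuple(sorted(pair)), control))
    return findings


def find_super_users(assignments, super_roles=SUPER_USER_ROLES):
    """Users holding an all-access profile; each needs activity logging and review."""
    return sorted(u for u, r in roles_by_user(assignments).items() if r & super_roles)


if __name__ == "__main__":
    for user, (role_a, role_b), control in find_sod_conflicts(ASSIGNMENTS):
        print(f"SOD conflict: {user} holds {role_a} + {role_b}; compensating control: {control}")
    for user in find_super_users(ASSIGNMENTS):
        print(f"Super user: {user}; confirm activity is logged and reviewed")
```

On the constructed data the review flags alice and bob once each and dave three times, because SAP_ALL carries every conflict in the matrix. The output is the starting point for the evidence the earlier slides ask for: for each conflict, either the access is removed or the named compensating control is documented and tested, and for each super user the activity log review is retained as evidence.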


Key Considerations for Effective SOX Testing

6. Ensure Accuracy of System Interfaces

Accuracy of system interfaces is a key consideration in ensuring the accuracy of financial reporting, especially for consolidated reporting. Management should ensure that the interface is complete and accurate and that exceptions are addressed timely.

7. Consider Completeness and Accuracy

The completeness and accuracy of reports/spreadsheets used in performing control activities should be reviewed. Spreadsheets and reports used in calculating account balances are key.

8. Update Policies and Procedures

Policies and procedures should be aligned with control activities. Deviations may allow for control failures (a control fails because it does not agree with policy) and overall ineffective governance over financial reporting.

9. Consider Key Applications

Applications used for financial reporting, to process transactions, consolidate, and transfer data should be evaluated for ITGC testing. Ineffective ITGCs may force reliance on manual controls.

10. Retain Documentation and Evidence Your Review

Retaining all relevant documentation to support your control activities and evidencing your review will be essential to passing controls during the testing phase.
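Items 6 and 7 are usually evidenced with the same mechanism: control totals taken on the source extract and on what the receiving system loaded, followed by a record-level match to explain any difference. The script below is an added illustration of that interface check, not code from the presentation or from KPMG; the CSV layouts, document numbers, accounts and amounts are constructed, with one record dropped and one amount altered in the load so that both kinds of exception appear.

```python
"""Interface completeness/accuracy check with control totals and record matching.

Added illustration for this page; the file layouts, account numbers and
amounts are constructed, not taken from the presentation.
"""
import csv
import io
from decimal import Decimal

# Constructed sample: the subledger extract handed to the interface (source)
# and what the general ledger actually loaded (target).  The load dropped
# document 1004 and mis-keyed the amount on 1003.
SOURCE_CSV = """doc_id,account,amount
1001,4000,125.50
1002,4000,-40.00
1003,5100,999.99
1004,5100,10.01
"""

TARGET_CSV = """doc_id,account,amount
1001,4000,125.50
1002,4000,-40.00
1003,5100,99.99
"""


def load_records(text):
    """Parse a CSV extract into {doc_id: (account, Decimal amount)}."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        records[row["doc_id"]] = (row["account"], Decimal(row["amount"]))
    return records


def control_totals(records):
    """Record count, amount total and a hash total of account numbers.

    The hash total has no accounting meaning; it only catches a record whose
    account was changed while the count and amount total stayed the same.
    """
    count = len(records)
    amount_total = sum((amt for _, amt in records.values()), Decimal("0"))
    hash_total = sum(int(acct) for acct, _ in records.values())
    return count, amount_total, hash_total


def reconcile_interface(source_text, target_text):
    """Compare totals, then identify the individual records behind any difference."""
    source = load_records(source_text)
    target = load_records(target_text)
    exceptions = []
    for doc_id, (acct, amt) in source.items():
        if doc_id not in target:
            exceptions.append(("missing_in_target", doc_id, str(amt), None))
        elif target[doc_id] != (acct, amt):
            exceptions.append(("mismatch", doc_id, str(amt), str(target[doc_id][1])))
    for doc_id, (_, amt) in target.items():
        if doc_id not in source:
            exceptions.append(("unexpected_in_target", doc_id, None, str(amt)))
    return {
        "source_totals": control_totals(source),
        "target_totals": control_totals(target),
        "in_balance": control_totals(source) == control_totals(target),
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = reconcile_interface(SOURCE_CSV, TARGET_CSV)
    print("source totals:", result["source_totals"])
    print("target totals:", result["target_totals"])
    for kind, doc_id, src_amt, tgt_amt in result["exceptions"]:
        print(f"{kind}: doc {doc_id} source={src_amt} target={tgt_amt}")
```

Two caveats a reviewer should keep in mind. First, totals that agree only show the interface moved what it was given; they say nothing about whether the source extract itself was complete, which is the IPE question under item 7 and has to be evidenced separately. Second, the exception list is only a control if someone clears it: the retained evidence is the list plus the resolution of each line, not the script run.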

Driving an Efficient and Cost Effective Solution


Key Considerations in an Efficient and Cost Effective SOX Program:Finding the Right Balance

Cost Effective Compliance

• Joint walkthroughs with external auditor

• Use of offshore resources to perform testing

• Rationalization of controls

• Enhanced risk assessment process to arrive at key controls (top-down)

• Automation of controls

• Guest Auditor Program for “free” resources

• Management Testing (self-testing program)

Efficiency Considerations

• Co-sourcing to provide flexibility on resource needs and increase internal productivity rates

• Guest Auditor Program to tap into business insights

• Offshore resource considerations for multi-tasking and time sensitive activities

Effective Communications and IA Framework

• Tone at the Top from key business leaders within the organization

• Establishment of a Steering Committee for key updates and messaging

• Periodic meetings with the external auditors

• Consistent and clear reports on status

• Consideration of integrated audits (IA and SOX)

• Enhanced risk assessment process both for SOX and the ERA


Panel Discussion

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 192969

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.