1 404 Readiness Review: Documenting Your System of Internal Control The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Act May 21, 2003 1:00 – 2:30 pm Eastern Time

Dec 29, 2015

Page 1

404 Readiness Review: Documenting Your System of Internal Control

The Institute of Internal Auditors

Webcast Series on Sarbanes-Oxley Act

May 21, 2003

1:00 – 2:30 pm Eastern Time

Page 2

The IIA Webcast Moderator

Jim Key, CIA

Managing Partner

Shenandoah Group, L.L.P

Page 3

Webcast Series on SOA

Fostering Compliance with SOA: Internal Auditor’s Role

• Four sessions archived on IIA’s website and available on CD

• Originally aired January 28 – April 15, 2003

Page 4

Webcast Series on SOA - Continues

Emerging Trends & Best Practices in Implementing SOA

• Six Sessions archived on IIA’s website and available on CD

• May 21 – 404 Readiness Review: Documenting Your System of Internal Control

• June 10 – Helping the Audit Committee Implement Complaint Handling

• Remaining sessions with your input will be on July 8, August 12, September 9 and September 30

Page 5

Agenda

1:00 Introductions and Overview

1:10 Critical Decisions on Documenting Internal Controls - Bill Gassel

1:20 Implementing Sarbanes-Oxley Sec 404 - Dennis Drent

1:30 Maintaining Objectivity - Paul Sobel

1:45 Break

1:50 Questions and Answers - Panel

2:25 Wrap up - Jim Key

Page 6

Critical Decisions for Documenting Internal Controls

Bill Gassel, CPA

Director of Internal Audit

Emerson

Page 7

Chronology

Nov ’02 Formed core team & established goals & timetable

Nov ’02 Selected the documentation methodology & created a pilot questionnaire

Dec ’02 Conducted pilots at 9 sites worldwide

Dec ’02 Started on website to facilitate documentation collection

Jan ’03 Led training and documentation rollout

Mar ’03 Divisions completed documentation (tremendous effort); Internal Audit reviewed for sufficiency

May ’03 Executing the testing plan

Page 8

Key Initial Decisions

Documentation decisions made early on:

• Where?

• What format (narratives, flowcharts, questionnaires, or a combination)?

• What accounts or processes?

• How much must be documented?

• Who should certify?

• Who will own/maintain the documentation?

• How to train everyone?

Page 9

Location Table

Page 10

Example Documentation

Page 11

Guidance for Control Descriptions

Note:

"Yes" answers require the following criteria:

1. Describe the control procedure in detail.

2. Who performs the control (employee title) and who reviews it?

3. Frequency of control (daily, monthly, quarterly, etc.)

4. Automated system or manual control.

"No" answers require:

1. What mitigating controls exist to achieve control objective.

2. Who performs mitigating controls & how often?

3. If no mitigating controls exist, how will the deficiency be fixed?

"N/A" answers require:

1. Explain 'why' the control does not apply to the location.

Page 12

Beneficial Steps

• Executive management support obtained

• Involved the Controllership function early

• Communicated early with KPMG and E&Y to interpret likely standards

• Standardized the documentation format

• Used pilot process to gain practical insights

• Collaborated with internal process experts to validate questionnaire focus

Page 13

Beneficial Steps

• Held central training for all Finance Officers

• Created an “Example Completed ICQ”

• Tailored the questionnaire for smaller and international sites

• Reviewed a majority of the documentation for sufficiency

• Started testing controls 5 months prior to year-end (10 – 12,000 hours of effort) - significant locations first

Page 14

Current 404 Considerations

• Develop Evaluation Methodology with Management

– Which locations and controls will be tested?

• Accumulating and aggregating the testing results

• Broadening the evaluation methodology into ERM

• Migrating Control Questionnaire platform to CSA process

• Minimizing redundancy of testing between Internal and external auditors

• Availability of qualified staff

Page 15

Steps in Implementing Sarbanes-Oxley Sec. 404

Dennis Drent

Vice President – Internal Audit

Nationwide Insurance

Page 16

Implementing Sarbanes-Oxley § 404

Section 404 Steps Completed

Timeline columns: Nov. 2002, Dec. 2002, Jan. 2003, Feb. 2003, Mar. 2003, Apr. 2003, May 2003

1. Select Executive Sponsor and assemble team: X
2. Develop evaluation strategy including use of technology: X
3. Document key controls relating to financial reporting process: X X X X
4. Train control and executive owners: X X
5. First quarter certification and verification process completed: X X X

Section 404 Steps to Do

Timeline columns: Jun. 2003, Jul. 2003, Aug. 2003, Sep. 2003, Oct. 2003, Nov. 2003, Dec. 2003

6. Control scrubbing, gap analysis, and control evaluation: X X X
7. Revise/redesign controls as deemed necessary: X X
8. Management prepared to assert: X
9. KPMG attestation work: X X X

Page 17

Implementing Sarbanes-Oxley § 404

Section 404 Steps Completed

Timeline columns: Nov. 2002, Dec. 2002, Jan. 2003, Feb. 2003, Mar. 2003, Apr. 2003, May 2003

1. Select Executive Sponsor and assemble team: X
2. Develop evaluation strategy including use of technology
3. Document key controls relating to financial reporting process
4. Train control and executive owners
5. First quarter certification and verification process completed

Page 18

2. Develop evaluation strategy including use of technology

• “CEO friendly” technology solution.

• Lotus Notes database allows for analysis and reporting. No flow charts.

• Used drop-down boxes for everything we could.

• Control and executive owners versus process owners.

• Internal Audit “owns” the database - the business owns the controls.

Page 19

Implementing Sarbanes-Oxley § 404

Section 404 Steps Completed

Timeline columns: Nov. 2002, Dec. 2002, Jan. 2003, Feb. 2003, Mar. 2003, Apr. 2003, May 2003

1. Select Executive Sponsor and assemble team
2. Develop evaluation strategy including use of technology
3. Document key controls relating to financial reporting process: X X X X
4. Train control and executive owners
5. First quarter certification and verification process completed

Page 20

Implementing Sarbanes-Oxley § 404

Section 404 Steps Completed

Timeline columns: Nov. 2002, Dec. 2002, Jan. 2003, Feb. 2003, Mar. 2003, Apr. 2003, May 2003

1. Select Executive Sponsor and assemble team
2. Develop evaluation strategy including use of technology
3. Document key controls relating to financial reporting process
4. Train control and executive owners: X X
5. First quarter certification and verification process completed

Page 21

5. First quarter certification and verification process completed

• Control and executive owners certify in database - separate verification process.

• 30% of controls were changed, over 100 controls eliminated.

• Internal Audit administers “change” questionnaire and consults on verification procedures.

• Results of control certification/verification process reported to Disclosure Committee.

Page 22

6. Control scrubbing, gap analysis, and control evaluation

• Time to bring in the external auditors - jointly define “internal control adequacy.”

• At this point, most work performed by external auditor will be “audit services” and therefore mitigates independence conflict.

Page 23

Implementing Sarbanes-Oxley § 404

Section 404 Steps Completed

Timeline columns: Jun. 2003, Jul. 2003, Aug. 2003, Sep. 2003, Oct. 2003, Nov. 2003, Dec. 2003

6. Control scrubbing, gap analysis, and control evaluation
7. Revise/redesign controls as deemed necessary: X X
8. Management prepared to assert
9. KPMG attestation work

Page 24

Implementing Sarbanes-Oxley § 404

Section 404 Steps Completed

Timeline columns: Jun. 2003, Jul. 2003, Aug. 2003, Sep. 2003, Oct. 2003, Nov. 2003, Dec. 2003

6. Control scrubbing, gap analysis, and control evaluation
7. Revise/redesign controls as deemed necessary
8. Management prepared to assert: X
9. KPMG attestation work

Page 25

Implementing Sarbanes-Oxley § 404

Section 404 Steps Completed

Timeline columns: Jun. 2003, Jul. 2003, Aug. 2003, Sep. 2003, Oct. 2003, Nov. 2003, Dec. 2003

6. Control scrubbing, gap analysis, and control evaluation
7. Revise/redesign controls as deemed necessary
8. Management prepared to assert
9. KPMG attestation work: X X X

Page 26

Maintaining Objectivity

Paul Sobel

Vice President, Risk Assessment

Aquila, Inc.

Page 27

Corporate Governance Framework

Corporate Stakeholders

Board of Directors

Governance “Umbrella”

Risk Management

Senior Management

Risk Owners

Assurance

Internal Auditors

External Auditors

Page 28

Corporate Governance Framework

Sarbanes-Oxley Act

Board of Directors

Governance “Umbrella”

Risk Management

Senior Management

Risk Owners

Assurance

Internal Auditors

External Auditors

Sec. 404

Page 29

Objectivity Standards

• Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

– State of mind

– Personal feelings or prejudices shouldn’t distort the facts

• Cannot act in a management role or make management decisions

Page 30

The Audit Process

Audit Phase | Approach | Audit Evidence
1. Project Objective | Determined in Annual Audit Plan | Planning Memo
2. Risk Assessment | Identify/Assess Key Risks | Risk Memo/Matrix
3. Process Design | Understand Process and Identify Key Controls | Flowcharts & Memos
4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
5. Process Effectiveness | Develop and Execute Testing Plan | Testing Results
6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Recommendations
7. Reporting | Communicate Results | Audit Report

Page 31

The Sarbanes-Oxley 404 Process

Audit Phase | Approach | Audit Evidence
1. Project Objective | Understand S-O 404 Requirements | Project Planning Memo
2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | F/S / Risks / Assertions Linkage
3. Process Design | Understand Processes & Identify Key Controls Over Financial Reporting | Flowcharts & Memos
4. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Testing Results
6. Gap Analysis | Evaluate Current vs. Desired State | Findings and Remediation Plans
7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Self Assessments and Audit Reports

Page 32

Maintaining Objectivity

Audit Phase | Approach | What Can IA Do?
1. Project Objective | Understand S-O 404 Requirements | No issues; objectives set by 3rd party (SEC)
2. Risk Assessment | Link F/S Captions to Processes; Assess Risks to F/S Assertions | Make risk judgments; must gain mgmt. concurrence
3. Process Design | Understand Processes & ID Key Controls Over Financial Reporting | Document processes; based on mgmt. input and validation
4. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt.
5. Process Effectiveness | Develop and Execute Assurance/Testing Plan | Determine what to test and evaluate test results
6. Gap Analysis | Evaluate Current vs. Desired State | Make judgments; validate with mgmt.
7. Reporting | Update Key Control Effectiveness (Control Owner Assertions) | Facilitate/gather assessment results

Page 33

Summary

• Internal Audit can lead a Sarbanes-Oxley 404 project

• Documentation phase is no different than that required in an audit

– IA’s objectivity is not impaired if they lead the documentation efforts

• It is important to engage management to validate judgments and decisions

– They must own the results, not IA

• Communicate consistently with your external auditors to ensure they understand how your objectivity has not been impaired

• It’s not an objectivity issue; it’s an ownership issue!

Page 34

Break

• 5 min break followed by Poll

Page 35

Questions & Answers

• Email your questions to [email protected]

Page 36

Webcast Summary

• Engage management to develop control evaluation strategy

• Work with external auditors to reduce duplication

• Leverage technology to support process

• Internal audit can own the process

• Objectivity is a state of mind