Balancing SOX with Risk Based Audit Planning. The Institute of Internal Auditors, March 9, 2004. Dave Richards, CIA, CPA, Director, Internal Auditing, FirstEnergy Corporation

Mar 26, 2015


Chase Daniel

Balancing SOX with Risk Based Audit Planning

The Institute of Internal Auditors
March 9, 2004

Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corporation

Balancing SOX with Risk Based Audit Planning

• Introduction & Overview: Dave Richards, FirstEnergy
• Finding the Balance: Brian Appleton, National Penn Bancshares
• Year 2 Audit Planning: Carl Balderson, Pinnacle West Capital
• Balancing Issues for Large Shops: Peg Weir, United States Postal Service
• Break
• Q & A

Key Balancing Issues

1. Involvement in SOX 404 Work
2. Expectations of AC & Sr. Mgt
3. Risk Model Impacts
4. Emphasis on Financial Audits
5. Increased IT General Controls Topics
6. Using 404 Results to Drive Audits
7. Dealing with SOX Issues
8. Impact on External Auditor Relationship & Work Support

Key Balancing Issues

9. Using 404 Model for Operational & Compliance Topics
10. Staff Productivity Enhancements
11. IAD Tools for Control Assessments
12. Rotation of Audit Topics???
13. Building on SOX 404 Work
14. IAD Customer Relationships
15. Impact on Audit Contingency
16. Internal Control Opinions in Audits

Finding the Balance

Brian T. Appleton, CIA, MBA, CDP
Executive Vice President
Director of Internal Audit
National Penn Bancshares

Overview of Company

• Company Size
• Audit Division
• Client Focused Philosophy
• Process Owner Class

Status of 404

• Tone at the top
• How 404 is implemented makes a difference
• High level risk-assessment completed
• Documentation phase in progress

Balance

• Identify the coordinating scheme
• Complement, not supplement
• Be flexible and creative
• Focus your scope
• Standardize the documentation
• Take a closer look at opportunities
    » Management
    » Audit

Impact on Internal Clients

• Creates a more sophisticated clientele
• Fosters uniformity in structure
• Increases accountability for results
• Promotes process ownership by management

Impact on Audit Approach

• Enhance auditor knowledge
• Career growth opportunity
• Role of auditors as facilitators
• Expansion of skill set to educator
• Springboard effect
    – Operational and compliance audits
    – Control Self Assessment
    – Enterprise Risk Management

Benefit to Audit Committee

• Stronger assurance of controls
• Create new metrics
• Published accountability through sign-offs

Summary

• Identify the changes, find a balance
• Allocate resources early
• Sell the benefit to the company
• Find and publish the positives
• Think of SOX 404 as complementing audit coverage

Year 2 Audit Planning

Carl Balderson, CIA, CPA, CFE
Director of Audit Services
Pinnacle West Capital Corporation

Driving Change

• Re-balancing is continued evolution
• Changed audit committee expectations
• Changed management expectations

Impacts of SOX

• Increase management awareness of internal controls
• Audit customer responsiveness
• Greater emphasis on IT auditing
• Verify quarterly review for IC changes

Planning Steps

• Risk based planning with pre-SOX methodology
• What we Think is needed for SOX
    – Follow-up open issues
    – Test changed process documentation
    – Test Key controls
• Integrate to avoid duplication
• Alternate depth of efforts with future years
• Allocate available resources

Productivity Initiatives

• Automated Work Papers
• Productive Time Targets
• Emphasize Project Budgets
• In-house and Local Training

Contingency Planning

• Small number of hours unallocated
• Renewed emphasis on “Stop & Go” auditing
• Administrative assistant/secretary vs. para-professional auditor
• Be more selective in what we address

Driving Long-Term Value

• Integrate SOX compliance and risk management processes
• Examine risk management processes for efficiency
• Documentation of new systems
• Integrate SOX documentation with business resumption plans
• Utilize documentation for training

Balancing Issues for Large Shops

Margaret (Peg) Weir
Manager, Internal Control Group
United States Postal Service

United States Postal Service

• Independent government entity
• Self-sustaining
• Annual operating revenue +/- $70B
• Second largest civilian employer
• 38,000 Post Offices
• Office of Inspector General

Internal Control Group

• CFO vision
• Established ICG organization
    – Complements OIG function
    – “End-to-end” process
    – Looks for efficiencies and risks of inefficiencies

Internal Audit-Internal Control “Policy vs. Process”

• Internal Audit - Financial Statements fairly represent operations
    • Monies
    • Expenses
    • Work hours
    • Assets
• Internal Control - Reasonable Assurance – achievement of fundamental business goals
    • Reliability
    • Exist, effective, efficient
    • Compliance with laws/regulations

Internal Control Group

• Identify risk through data and process analysis
• Partner with process owner to mitigate prioritized risk
• Analyze trends and indicators
• Conduct internal control reviews
• Develop improved controls to meet goals and objectives

Sarbanes-Oxley Act

• Voluntarily adopting parts of Section 404
• Makes good business sense

Internal Control Group

• Senior management provides direction and oversight
• Focus based on:
    – Guidance
    – Risk analysis
    – Risk prioritization
• Resources support mandate

Internal Control Group

• Enterprise-wide from corporate to local
• Interdependencies vs. stovepipes
• Partnership with process owners
• Data driven
• Targeted reviews
• Standardized approach using COSO framework
    – Root causes
    – Meaningful recommendations to improve controls
• Reasonable assurance goals & objectives will be met

Internal Control Group Status

• Implemented preliminary activities of COSO framework
• Adjusted as lessons learned
• Developing additional training
• Enhancing the analytical & reporting tool

Internal Control Group

• Internal Control Group complements internal audit process
• Internal Control Group supports performance-based culture
• Internal Control Group establishes foundation for long-term enterprise-wide improvements and efficiencies
• Internal Control Group is dynamic & evolving

Conclusions

• SOX 404 WILL IMPACT what we do
• What impact it has must be managed
• Upfront drivers for impact must be understood
• Changes in approach, scope, & results expectations must be communicated
• AC, Sr. Mgt. & IAD Customers must recognize the impact on identifying & performing work
• IAD must be more productive to meet this challenge
• External Auditor relationship must be managed

Next Webcast

April 13, 2004

“Strategies for Internal & External Relationships”

See you at our next webcast!