SOX Compliance Changes Abound Amid Drive for Stability and Long-Term Value Highlights from Protiviti’s 2015 Sarbanes-Oxley Survey
Page 1: 2015 SOX Compliance survey- webinar slides

SOX Compliance – Changes Abound Amid Drive for Stability and Long-Term Value

Highlights from Protiviti’s 2015 Sarbanes-Oxley Survey

Page 2: 2015 SOX Compliance survey- webinar slides

You can download a copy of the presentation via the Resources Area on your screen. Following the webinar, all attendees will receive a link to a copy of the presentation and recording.

During the webinar you can ask questions by clicking on the Questions Area on your screen. Please provide your e-mail address for a swift reply.

There will be a Q&A session at the end of the webinar.

If you are having trouble hearing the audio through the computer, a separate phone line is available.

US/Canada Line +1 (855) 707-0664

International Line +1 (734) 385-2579

Conference ID 41998571

A Reminder…

Page 3: 2015 SOX Compliance survey- webinar slides

CPE Credits and Supplemental Information

• We are offering 1.5 CPE credits for this webinar

• To be eligible to receive these credits, please ensure you answer at least four (4) out of the five (5) polling questions

• You will receive the CPE certificate via e-mail approximately 4 weeks after the webinar date

• In the Resources Area, you can:

− Save/Print copy of today’s presentation

− Download Protiviti's 2015 Sarbanes-Oxley Survey report


Page 4: 2015 SOX Compliance survey- webinar slides

Today’s Presenters

Mike Heraty joined Gogo in 2014 to build an insourced internal audit function and prepare the company for the first year of SOX Compliance as a large accelerated public filer. As the Vice-President of Internal Audit, he oversees Gogo’s internal audit function as well as the SOX testing program. Mike has 25 years of experience in leadership roles spanning internal audit, finance, and accounting across industries including telecommunications, manufacturing, and consumer products. Mike is a registered CPA in the State of Illinois and holds a Bachelor’s Degree in Accounting from The University of Notre Dame and a Master’s Degree in Finance from The University of Chicago – Booth School of Business. He is a member of the Institute of Internal Auditors and is a former President of the Northwest Metro Chicago Chapter.

Email: [email protected]

Mike Heraty, Vice-President of Internal Audit, Gogo

Page 5: 2015 SOX Compliance survey- webinar slides

Today’s Presenters

Brian Christensen is a member of Protiviti’s executive leadership team and is the global leader of the firm’s Internal Audit and Financial Advisory Solution. In this role, he is responsible for the development and execution of Protiviti’s internal audit products. He has more than 25 years of experience in helping clients increase the value of their internal audit function. He is a frequent speaker on auditing and risk topics at national conferences.

Email: [email protected]

Brian Christensen, Executive Vice President – Global Internal Audit, Protiviti


Page 6: 2015 SOX Compliance survey- webinar slides

Today’s Presenters

Keith Kawashima is a Managing Director in Protiviti’s Silicon Valley office. Keith has over 25 years of experience in finance and accounting including 15+ years with Protiviti/Arthur Andersen’s Internal Audit practice and more than 10 years corporate experience in both Finance and Operations prior to joining Protiviti. He has been involved in all aspects of a company’s internal audit function from establishing a charter and developing a risk-based internal audit plan, to developing and executing work programs, through reporting at the audit committee and board level.

Email: [email protected]

Keith Kawashima, Managing Director, Protiviti


Page 7: 2015 SOX Compliance survey- webinar slides

Today’s Presenters

Sharon Lindstrom is a Managing Director with over 26 years of experience in providing audit and risk consulting services to companies primarily in the manufacturing industry. Sharon leads the global Industrial Products Industry team, which focuses on delivering solutions to automotive, distribution and logistics, materials and chemicals, and other manufacturing companies to enhance their business performance through risk management, operational effectiveness and enhanced governance.

Email: [email protected]

Sharon Lindstrom, Managing Director, Protiviti


Page 8: 2015 SOX Compliance survey- webinar slides

Today’s Presenters

Jeff Tecau is a Managing Director with Protiviti in Orlando, FL and has 16 years of Audit and Consulting experience. At Protiviti, Jeff has focused on internal auditing and financial and accounting related consulting and helps lead Protiviti’s Internal Audit and Financial Advisory practice in the Florida market. Prior to Protiviti, Jeff spent time in external audit with PricewaterhouseCoopers and was a Senior Analyst in the Financial Planning and Analysis group of a Fortune 500 energy company.

Email: [email protected]

Jeff Tecau, Managing Director, Protiviti


Page 9: 2015 SOX Compliance survey- webinar slides

Introduction – About The Survey

The Sarbanes-Oxley Act of 2002 is one of the most far-reaching business reforms in U.S. history

• Internal control reporting provisions received considerable attention

• Protiviti’s sixth annual study:

– Assesses strategies and tactics companies have employed to derive value from the Sarbanes-Oxley process

– Provides insight into how companies are complying with the internal control-related provisions of this legislation

Page 10: 2015 SOX Compliance survey- webinar slides


Insights from Our Participants

Page 11: 2015 SOX Compliance survey- webinar slides


Topics for Today:

New COSO Framework Successfully Guides SOX Documentation

Compliance Costs: External Audit Fees Rise

SOX Changes in the Current Market

Generating Value from SOX Compliance

Page 12: 2015 SOX Compliance survey- webinar slides


New COSO Framework Successfully Guides SOX Documentation

Page 13: 2015 SOX Compliance survey- webinar slides

Implementing COSO 2013 – Key Points

• An important endeavor for many public companies in complying with Sarbanes-Oxley Section 404

• The SEC requires companies to use a “suitable framework” as a basis for evaluating effectiveness of internal control over financial reporting (ICFR)

– The COSO Framework meets the SEC’s criteria for suitability

• COSO has indicated that it no longer supports the original version of the framework released in 1992

– Considers it superseded by the updated version of the framework for fiscal years ended after December 15, 2014

Page 14: 2015 SOX Compliance survey- webinar slides

As expected, most companies made impressive progress in transitioning to COSO’s 2013 Internal Control – Integrated Framework in the past 12 months.

Page 15: 2015 SOX Compliance survey- webinar slides

The mapping of the new principles-based COSO framework to organizations’ existing key controls did not result in the need for major remediation or rebuilding efforts.

Page 16: 2015 SOX Compliance survey- webinar slides

10 Lessons Learned from Implementing the COSO 2013 Framework

1. Meet with Your Auditor Early and Often

2. Establish an Effective and Relevant Mapping Approach

3. Conduct a Substantive Fraud Risk Assessment

4. Take a Broader View of Outsourced Processes Beyond the Service Organization Control (SOC) Report

5. Manage the Level of Depth When Testing Indirect Controls

6. Understand and Document Control Precision

7. Evaluate the Adequacy of Information Produced by Entity (IPE)

8. Expect an Increase in Deficiency Evaluation Efforts

9. Adopt the Updated 2013 Framework “On Time”

10. Ask – Is Limiting Your Focus on Applying the 2013 COSO Framework to SOX Compliance the Answer?

Page 17: 2015 SOX Compliance survey- webinar slides

Some Guidance for those Implementing in 2015…

Take a fresh look – don’t get too focused on simply organizing existing documentation under each principle or just focusing on the 2013 changes

Don’t forget “present and functioning” applies to the components AND the principles, and keep the end in mind

The points of focus are not required; but it’s a good idea to consider them

If your plans are to implement the framework only for Sarbanes-Oxley compliance this year – consider whether it makes sense to lay the foundation now for applying it to the other objectives

Page 18: 2015 SOX Compliance survey- webinar slides

A Perspective on the Results

Michael Heraty, Vice-President of Internal Audit, Gogo

Page 19: 2015 SOX Compliance survey- webinar slides


Compliance Costs: External Audit Fees Rise

Page 20: 2015 SOX Compliance survey- webinar slides

PCAOB Inspection Observations and Alert 11

The most pervasive deficiencies identified in auditing internal control related to failures to:

• Identify and sufficiently test controls that are intended to address the risks of material misstatement

• Sufficiently test the design and operating effectiveness of management review controls that are used to monitor the results of operations

• Obtain sufficient evidence to update the results of testing of controls from an interim date to the company's year end (i.e., roll-forward testing)

• Sufficiently test controls over the system-generated data and reports that support important controls

• Sufficiently perform procedures regarding the use of the work of others; and

• Sufficiently evaluate identified control deficiencies and consider their effect on both the financial statement audit and on the audit of internal control

Potential root causes identified by the PCAOB:

• Improper application of the top-down approach

• Decreases in audit firm staffing through attrition or other reductions, and related workload pressures

• Insufficient firm training and guidance

• Ineffective communication with firms’ IT specialists on the engagement team

Page 21: 2015 SOX Compliance survey- webinar slides

Impact on Issuers

Management and internal audit have experienced adjustments to external audit’s approach to their annual financial and internal control audits, including:

• Detailed report testing to validate completeness and accuracy of reports relied on for key controls

• Additional control design and operating effectiveness evaluation for review controls, especially the precision level

• Increased number of transactional level controls

• More detailed ITGC testing, especially related to access and database reviews

• Detailed testing of precision around conclusions reached in judgments related to estimates, valuations and application of accounting standards

• Increased focus on aggregating the effect of control failures around deficiencies and significant deficiencies, and evaluating compensating controls

• Additional forms/templates to document the audit trail

Page 22: 2015 SOX Compliance survey- webinar slides

The majority of large companies continue to report an annual spend of more than $1 million. Not surprisingly, nearly all small companies report internal compliance costs of less than $500,000.

More than half of all large organizations (58 percent) spent $1 million or more on SOX compliance costs (excluding external audit-related fees) in the most recent fiscal year, and 25 percent spent more than $2 million.

Page 23: 2015 SOX Compliance survey- webinar slides

For a vast majority of organizations, external audit fees increased in fiscal year 2014. These findings align with expectations given changes in SOX compliance requirements, including the transition to the new COSO framework.

Page 24: 2015 SOX Compliance survey- webinar slides

Our results suggest that external auditors are increasing their focus on several key SOX compliance activities, thereby increasing the costs associated with them.

The influence of the PCAOB inspection reports on the cost of SOX compliance activities differed according to filer status.

Page 25: 2015 SOX Compliance survey- webinar slides

Overall, more than eight in 10 responding organizations report that their external auditors rely on the work of others to the fullest extent possible for medium- and low-risk processes.

Page 26: 2015 SOX Compliance survey- webinar slides

Keep in Mind for 2015…

• Revenue: In September 2014, the PCAOB issued Alert No. 12, “Matters Related to Auditing Revenue in an Audit of Financial Statements,” to provide further examples of the deficiencies it continues to see in its inspections. The PCAOB staff’s practice alert “doubles down” on revenue recognition, alerting auditors of deficiencies noted in PCAOB inspections in the revenue area even under current accounting rules.

• Related Parties: Auditing Standard No. 18 applies to audits of fiscal years beginning on or after December 15, 2014. This standard focuses on obtaining sufficient appropriate audit evidence to determine whether related parties and relationships and transactions with related parties have been properly identified, accounted for, and disclosed in the financial statements.

• Audit Committee Dialogue: The PCAOB recently issued a paper discussing significant deficiencies in their recent inspections that may be of concern to audit committees. These include auditing ICFR; assessing and responding to risks of material misstatement; auditing accounting estimates, including fair value measurement; deficient referred work (in cross-border audits).

Page 27: 2015 SOX Compliance survey- webinar slides

A Perspective on the Results

Michael Heraty, Vice-President of Internal Audit, Gogo

Page 28: 2015 SOX Compliance survey- webinar slides


SOX Changes in the Current Market

Page 29: 2015 SOX Compliance survey- webinar slides

Among all responding organizations, executive management and the audit committee are most likely to have primary responsibility for executive sponsorship of SOX.

Page 30: 2015 SOX Compliance survey- webinar slides

This year’s respondents clearly believe that these changes are directly related to the PCAOB inspection reports for external auditing firms.

Page 31: 2015 SOX Compliance survey- webinar slides

Overall, there are areas where the PCAOB’s inspection reports have spurred external auditors to intensify their focus more substantially.

Page 32: 2015 SOX Compliance survey- webinar slides

Two-thirds of organizations report that the total amount of hours they devoted to SOX compliance increased in the most recent fiscal year.

Page 33: 2015 SOX Compliance survey- webinar slides


Page 34: 2015 SOX Compliance survey- webinar slides

There is a notable year-over-year increase in midsize organizations with significant plans to automate more IT processes and controls.

Page 35: 2015 SOX Compliance survey- webinar slides

What is Information Produced by Entity (IPE)?

Information Provided by the Entity (IPE) is information used in the operation of a control. It is sometimes referred to as Electronic Audit Evidence (EAE).

The effectiveness of management review controls and other IPE-dependent controls depends to a large extent on the quality of the information being reviewed.

IPE or EAE can take various forms:

• System-generated reports (ex: A/R aging)

• End user-generated information, such as spreadsheets or queries (ex: tax spreadsheet)

• Information provided by outsourced third party processors (ex: ADP pay summary)

Therefore, the focus of testing IPE is on access, completeness and accuracy.

Page 36: 2015 SOX Compliance survey- webinar slides

A Perspective on the Results

Michael Heraty, Vice-President of Internal Audit, Gogo

Page 37: 2015 SOX Compliance survey- webinar slides


Generating Value from SOX Compliance

Page 38: 2015 SOX Compliance survey- webinar slides


Page 39: 2015 SOX Compliance survey- webinar slides

In a positive trend, over the past three years, companies have steadily improved their ability to leverage SOX compliance requirements to drive improvements in business processes affecting financial reporting.

Page 40: 2015 SOX Compliance survey- webinar slides

Key Findings

While compliance mastery remains an elusive state, more companies are generating value from their compliance activities

External auditing fees and scrutiny are increasing, thanks to PCAOB inspection reports

Nearly all companies are now using the new COSO framework, and required only refinements rather than a rebuilding effort

Compliance programs are undergoing substantial changes, especially regarding high-risk processes, IT controls and entity-level controls

Page 41: 2015 SOX Compliance survey- webinar slides

Q & A

Let us know how we did on this webinar. Click on the Survey icon to give us feedback.

Submit Your Questions

Page 42: 2015 SOX Compliance survey- webinar slides
