SOX Compliance – Changes Abound Amid Drive for Stability and Long-Term Value Highlights from Protiviti’s 2015 Sarbanes-Oxley Survey
Aug 20, 2015
A Reminder…
You can download a copy of the presentation via the Resources Area on your screen. Following the webinar, all attendees will receive a link to a copy of the presentation and recording.
During the webinar you can ask questions by clicking on the Questions Area on your screen. Please provide your e-mail address for a swift reply.
There will be a Q&A session at the end of the webinar.
If you are having trouble hearing the audio through the computer, a separate phone line is available.
US/Canada Line +1 (855) 707-0664
International Line +1 (734) 385-2579
Conference ID 41998571
CPE Credits and Supplemental Information
• We are offering 1.5 CPE credits for this webinar
• To be eligible to receive these credits, please ensure you answer at least four (4) out
of the five (5) polling questions
• You will receive the CPE certificate via e-mail approximately 4 weeks after the webinar
date
• In the Resources Area, you can:
− Save/Print copy of today’s presentation
− Download Protiviti's 2015 Sarbanes-Oxley Survey report
Today’s Presenters
Mike Heraty joined Gogo in 2014 to build an insourced internal audit
function and prepare the company for the first year of SOX Compliance
as a large accelerated public filer. As the Vice-President of Internal
Audit, he oversees Gogo’s internal audit function as well as the SOX
testing program. Mike has 25 years of experience in leadership roles
spanning internal audit, finance, and accounting across industries
including telecommunications, manufacturing, and consumer products.
Mike is a registered CPA in the State of Illinois and holds a Bachelor’s
Degree in Accounting from The University of Notre Dame and a Master’s
Degree in Finance from The University of Chicago – Booth School of
Business. He is a member of the Institute of Internal Auditors and is a
former President of the Northwest Metro Chicago Chapter.
Mike Heraty, Vice-President of Internal Audit, Gogo
Brian Christensen is a member of Protiviti’s executive leadership team
and is the global leader of the firm’s Internal Audit and Financial
Advisory Solution. In this role, he is responsible for the development
and execution of Protiviti’s internal audit products. He has more than 25
years of experience in helping clients increase the value of their internal
audit function. He is a frequent speaker on auditing and risk topics at
national conferences.
Brian Christensen, Executive Vice President – Global Internal Audit, Protiviti
Keith Kawashima is a Managing Director in Protiviti’s Silicon Valley
office. Keith has over 25 years of experience in finance and accounting
including 15+ years with Protiviti/Arthur Andersen’s Internal Audit
practice and more than 10 years corporate experience in both Finance
and Operations prior to joining Protiviti. He has been involved in all
aspects of a company’s internal audit function from establishing a
charter and developing a risk-based internal audit plan, to developing
and executing work programs, through reporting at the audit committee
and board level.
Keith Kawashima, Managing Director, Protiviti
Sharon Lindstrom is a Managing Director with over 26 years of
experience in providing audit and risk consulting services to companies
primarily in the manufacturing industry. Sharon leads the global
Industrial Products Industry team, which focuses on delivering solutions
to automotive, distribution and logistics, materials and chemicals, and
other manufacturing companies to enhance their business performance
through risk management, operational effectiveness and enhanced
governance.
Sharon Lindstrom, Managing Director, Protiviti
Jeff Tecau is a Managing Director with Protiviti in Orlando, FL and has
16 years of Audit and Consulting experience. At Protiviti, Jeff has
focused on internal auditing and financial and accounting related
consulting and helps lead Protiviti’s Internal Audit and Financial
Advisory practice in the Florida market. Prior to Protiviti, Jeff spent
time in external audit with PricewaterhouseCoopers and was a Senior
Analyst in the Financial Planning and Analysis group of a Fortune 500
energy company.
Jeff Tecau, Managing Director, Protiviti
Introduction – About The Survey
The Sarbanes-Oxley Act of 2002 is one of the most far-reaching
business reforms in U.S. history
• Internal control reporting provisions received considerable attention
• Protiviti’s sixth annual study:
– Assesses strategies and tactics companies have employed to
derive value from the Sarbanes-Oxley process
– Provides insight into how companies are complying with the
internal control-related provisions of this legislation
Topics for Today:
• New COSO Framework Successfully Guides SOX Documentation
• Compliance Costs: External Audit Fees Rise
• SOX Changes in the Current Market
• Generating Value from SOX Compliance
Implementing COSO 2013 – Key Points
• An important endeavor for many public companies
in complying with Sarbanes-Oxley Section 404
• The SEC requires companies to use a “suitable
framework” as a basis for evaluating effectiveness
of internal control over financial reporting (ICFR)
– The COSO Framework meets the SEC’s
criteria for suitability
• COSO has indicated that it no longer supports the
original version of the framework released in 1992
– Considers it superseded by the updated
version of the framework for fiscal years ended
after December 15, 2014
As expected, most companies made impressive progress in transitioning to COSO’s
2013 Internal Control – Integrated Framework in the past 12 months.
The mapping of the new principles-based COSO framework to organizations’ existing
key controls did not result in the need for major remediation or rebuilding efforts.
10 Lessons Learned from Implementing the COSO 2013 Framework
1. Meet with Your Auditor Early and Often
2. Establish an Effective and Relevant Mapping Approach
3. Conduct a Substantive Fraud Risk Assessment
4. Take a Broader View of Outsourced Processes Beyond the Service Organization Control (SOC) Report
5. Manage the Level of Depth When Testing Indirect Controls
6. Understand and Document Control Precision
7. Evaluate the Adequacy of Information Produced by Entity (IPE)
8. Expect an Increase in Deficiency Evaluation Efforts
9. Adopt the Updated 2013 Framework “On Time”
10. Ask – Is Limiting Your Focus on Applying the 2013 COSO Framework to SOX Compliance the Answer?
Some Guidance for those Implementing in 2015…
• Take a fresh look – don’t get too focused on simply organizing existing documentation under each principle or just focusing on the 2013 changes
• Don’t forget “present and functioning” applies to the components AND the principles, and keep the end in mind
• The points of focus are not required; but it’s a good idea to consider them
• If your plans are to implement the framework only for Sarbanes-Oxley compliance this year – consider whether it makes sense to lay the foundation now for applying it to the other objectives
PCAOB Inspection Observations and Alert 11
The most pervasive deficiencies identified in auditing internal control related to failures to:
• Identify and sufficiently test controls that are intended to address the risks of material
misstatement
• Sufficiently test the design and operating effectiveness of management review controls that are
used to monitor the results of operations
• Obtain sufficient evidence to update the results of testing of controls from an interim date to the
company's year end (i.e., roll-forward testing)
• Sufficiently test controls over the system-generated data and reports that support important
controls
• Sufficiently perform procedures regarding the use of the work of others; and
• Sufficiently evaluate identified control deficiencies and consider their effect on both the financial
statement audit and on the audit of internal control
Potential root causes identified by the PCAOB:
• Improper application of the top-down approach
• Decreases in audit firm staffing through attrition or other reductions, and related workload
pressures
• Insufficient firm training and guidance
• Ineffective communication with firms’ IT specialists on the engagement team
Impact on Issuers
Management and internal audit have experienced adjustments to external audit’s approach to their annual financial and internal control audits, including:
• Detailed report testing to validate completeness and accuracy of reports relied on for key controls
• Additional control design and operating effectiveness evaluation for review controls, especially the precision level
• Increased number of transactional level controls
• More detailed ITGC testing, especially related to access and database reviews
• Detailed testing of precision around conclusions reached in judgments related to estimates, valuations and application of accounting standards
• Increased focus on aggregating the effect of control failures around deficiencies and significant deficiencies, and evaluating compensating controls
• Additional forms/templates to document the audit trail
The majority of large companies continue to report an annual spend of more than $1
million. Not surprisingly, nearly all small companies report internal compliance costs of
less than $500,000.
More than half of all large organizations (58 percent) spent $1 million or more on SOX
compliance costs (excluding external audit-related fees) in the most recent fiscal year,
and 25 percent spent more than $2 million.
For a vast majority of organizations, external audit fees increased in fiscal year 2014.
These findings align with expectations given changes in SOX compliance requirements,
including the transition to the new COSO framework.
Our results suggest that external auditors are increasing their focus on several key SOX compliance activities, thereby increasing the costs associated with them.
The influence of the PCAOB inspection reports on the cost of SOX compliance activities differed according to filer status.
Overall, more than eight in 10 responding organizations report that their external auditors rely
on the work of others to the fullest extent possible for medium- and low-risk processes.
Keep in Mind for 2015…
• Revenue: In September 2014, the PCAOB issued Alert No. 12, Matters Related to Auditing Revenue in an Audit of Financial Statements, to provide further examples of the deficiencies it continues to see in its inspections. The PCAOB staff’s practice alert “doubles down” on revenue recognition, alerting auditors of deficiencies noted in PCAOB inspections in the revenue area even under current accounting rules.
• Related Parties: Auditing Standard No. 18 applies to audits of fiscal years beginning on or after December 15, 2014. This standard focuses on obtaining sufficient appropriate audit evidence to determine whether related parties and relationships and transactions with related parties have been properly identified, accounted for, and disclosed in the financial statements.
• Audit Committee Dialogue: The PCAOB recently issued a paper discussing significant deficiencies in their recent inspections that may be of concern to audit committees. These include auditing ICFR; assessing and responding to risks of material misstatement; auditing accounting estimates, including fair value measurement; and deficient referred work (in cross-border audits).
Among all responding organizations, executive management and the audit committee
are most likely to have primary responsibility for executive sponsorship of SOX.
This year’s respondents clearly believe that these changes are directly related to the
PCAOB inspection reports for external auditing firms.
Overall, there are areas where the PCAOB’s inspection reports have spurred external
auditors to intensify their focus more substantially.
Two-thirds of organizations report that the total amount of hours they devoted to SOX
compliance increased in the most recent fiscal year.
There is a notable year-over-year increase in midsize organizations with significant plans
to automate more IT processes and controls.
What is Information Produced by Entity (IPE)?
Information Provided by the Entity (IPE) is information used in the operation of a control. It
is sometimes referred to as Electronic Audit Evidence (EAE).
The effectiveness of management review controls and other IPE-dependent controls depends
to a large extent on the quality of the information being reviewed.
IPE or EAE can take various forms:
• System-generated reports (ex: A/R aging)
• End user-generated information, such as spreadsheets or queries (ex: tax spreadsheet)
• Information provided by outsourced third party processors (ex: ADP pay summary)
Therefore, the focus of testing IPE is on access, completeness and accuracy.
In a positive trend, over the past three years, companies have steadily improved their
ability to leverage SOX compliance requirements to drive improvements in business
processes affecting financial reporting.
Key Findings
• While compliance mastery remains an elusive state, more companies are generating value from their compliance activities
• External auditing fees and scrutiny are increasing, thanks to PCAOB inspection reports
• Nearly all companies are now using the new COSO framework, and required only refinements rather than a rebuilding effort
• Compliance programs are undergoing substantial changes, especially regarding high-risk processes, IT controls and entity-level controls