Скачать презентацию Project Administration — Setting and revising priorities in Скачать презентацию Project Administration — Setting and revising priorities in

c599d0b995dc955cef6990cf3e2da8a8.ppt

  • Количество слайдов: 58

Project Administration - Setting and revising priorities in the wake of the Project Administration - Setting and revising priorities in the wake of the "Final 404 Rules" The Institute of Internal Auditors Webcast Series on Sarbanes-Oxley Session #4 – August 12, 2003 1

The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L. L. P The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L. L. P 2

Disclaimer The views expressed in this webcast are solely those of the panelists and Disclaimer The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees and members. 3

Emerging Trends and Best Practices in Implementing the Sarbanes-Oxley Act • May 21 - Emerging Trends and Best Practices in Implementing the Sarbanes-Oxley Act • May 21 - Section 404 Readiness Review: How to document your system of internal control • June 10 - Helping your audit committee implement complaint handling • July 8 - Leveraging the COSO framework to meet Section 404 requirements • August 12 - Project Administration - Setting and revising priorities in the wake of the "Final 404 Rules“ • September 9 - Internal Audit support of Audit Committees - What works best • September 30 - The Road Ahead - Meeting the challenges in complying with The Sarbanes-Oxley Act *Available online archive for one year and on CD 4

Agenda 1: 00 - 1: 05 Introduction and Overview - Jim Key 1: 05 Agenda 1: 00 - 1: 05 Introduction and Overview - Jim Key 1: 05 - 1: 25 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison 1: 25 - 1: 45 Preparing the 404 Work Plan – Kiko Harvey & David Richards ** Combined Presentation 1: 45 - 1: 50 Break 1: 50 - 2: 25 Questions & Answers – Panel 2: 25 - 2: 30 Concluding Remarks – Jim Key 5

Management’s Report on Internal Control Over Financial Reporting Sean Harrison, Esquire Special Counsel, Office Management’s Report on Internal Control Over Financial Reporting Sean Harrison, Esquire Special Counsel, Office of Rule Making Division of Corporate Finance U. S. Securities and Exchange Commission 6

Disclaimer As a matter of policy, the Securities and Exchange Commission disclaims responsibility for Disclaimer As a matter of policy, the Securities and Exchange Commission disclaims responsibility for any private publication or statement of any of its employees. The views expressed in this presentation reflect the views of the author and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff. 7

What is Internal Control Over Financial Reporting? The final rules define this term as: What is Internal Control Over Financial Reporting? The final rules define this term as: 8 – A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

What is Internal Control Over Financial Reporting? • Pertain to the maintenance of records What is Internal Control Over Financial Reporting? • Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant; 9

What is Internal Control Over Financial Reporting? • Provide reasonable assurance that transactions are What is Internal Control Over Financial Reporting? • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and 10

What is Internal Control Over Financial Reporting? • Provide reasonable assurance regarding prevention or What is Internal Control Over Financial Reporting? • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements 11

Management Report Requirements • A statement of management’s responsibility for establishing and maintaining adequate Management Report Requirements • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company; • A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting; 12

Management Report Requirements 1. Management’s assessment of the effectiveness of internal control over financial Management Report Requirements 1. Management’s assessment of the effectiveness of internal control over financial reporting as of the end of the company’s most recent fiscal year and disclosure of any material weaknesses in such control identified by management, if there is material weakness in the internal controls, management cannot conclude that the controls are effective; and 2. A statement that the company’s auditor has issued an attestation report on management’s assessment. 13

Framework for Management’s Evaluation • The new rules implicitly require management to use a Framework for Management’s Evaluation • The new rules implicitly require management to use a “framework” to evaluate the company’s internal control and to identify the framework in the report. • The rules do not prescribe the use of a particular framework, however, the rules state that the framework used must be a suitable, recognized control framework established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment. 14

Framework for Management’s Evaluation • The release states a suitable framework must: – Be Framework for Management’s Evaluation • The release states a suitable framework must: – Be free from bias; – Permit reasonably consistent qualitative and quantitative measurements of a company’s internal control; – Be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company’s internal controls are not omitted; and – Be relevant to an evaluation of internal control over financial reporting 15

Method of Evaluation • The new rules do not specify a method or procedures Method of Evaluation • The new rules do not specify a method or procedures to be followed. However, the rules do state that a company must maintain evidential matter, including documentation, that provides reasonable support for management’s assessment of effectiveness. • This is an inherent element of effective internal control and consistent with the internal accounting control requirements under section 13(b)(2) of the Exchange Act. 16

Method of Evaluation • Evidential matter includes documentation regarding both the design of internal Method of Evaluation • Evidential matter includes documentation regarding both the design of internal control and the testing processes. • This evidential matter should provide reasonable support: (1) for the evaluation of whether the control is designed to prevent or detect material misstatements or omissions; (2) for the conclusion that the tests were appropriately planned and performed; and (3) that the results of the tests were appropriately considered. 17

Material Weaknesses in Internal Control Over Financial Reporting • Management cannot conclude that the Material Weaknesses in Internal Control Over Financial Reporting • Management cannot conclude that the company’s internal control over financial reporting is effective if there is a “material weakness” in such control. Any such material weakness must also be specifically disclosed. • The term “material weakness” has the meaning under generally accepted auditing standards (or GAAS), including the AICPA’s Codification of Statements on Auditing Standards Section 325. 18

Material Weaknesses in Internal Control Over Financial Reporting • It is possible that the Material Weaknesses in Internal Control Over Financial Reporting • It is possible that the PCAOB, will modify the definition of material weakness and significant deficiency. • It is also worth noting that on June 20, 2003 the Auditing Standards Board (ASB) of the AICPA submitted for the consideration of the PCAOB recommendations for Professional Auditing Standards, that among other things, recommended changes to the definitions of “significant deficiency” and “material weakness. ” 19

Quarterly Evaluations • Under the new rules, management will be required to perform quarterly Quarterly Evaluations • Under the new rules, management will be required to perform quarterly evaluations of changes that have materially affected, or are reasonably likely to have a material effect on, the company’s internal control over financial reporting. If such a change occurred during a company’s fiscal quarter, the company will have to disclose the change in its quarterly report. 20

Quarterly Evaluations • This disclosure requirement replaces paragraph (b) in existing Item 307 of Quarterly Evaluations • This disclosure requirement replaces paragraph (b) in existing Item 307 of Regulations S-K and S-B regarding quarterly disclosure of changes in internal controls and corrective actions and is incorporated in new Item 308 of Regulations S-K and S-B. 21

Quarterly Evaluations • The new rules do not explicitly require disclosure about the reasons Quarterly Evaluations • The new rules do not explicitly require disclosure about the reasons for the change, however, companies will have to determine, on a facts and circumstances basis, whether the reasons for the change, or other information about the circumstances surrounding the change, constitute material information necessary to make the disclosures in the report not misleading. 22

Auditor Independence Issues • Management and the company’s outside auditor will need to coordinate Auditor Independence Issues • Management and the company’s outside auditor will need to coordinate their processes of documenting and testing internal control over financial reporting. • The adopting release reminded companies and their auditors that the Commission’s rules on auditor independence prohibit an auditor from providing certain nonaudit services to an audit client. 23

Auditor Independence Issues • When the auditor is engaged to assist management in documenting Auditor Independence Issues • When the auditor is engaged to assist management in documenting internal controls or preparing evaluative tools, management must be actively involved in the process. Management cannot delegate its responsibility to assess its internal control over financial reporting to the auditor. 24

Compliance Dates • A company must begin to comply with the management report on Compliance Dates • A company must begin to comply with the management report on internal control over financial reporting disclosure requirements for fiscal years ending on or after June 15, 2004, if it is an “accelerated filer, ” as defined in Exchange Act Rule 12 b-2 as of the end of its first fiscal year ending on or after June 15, 2004. 25

Compliance Dates • Companies that are non-accelerated filers, including small business issuers and foreign Compliance Dates • Companies that are non-accelerated filers, including small business issuers and foreign private issuers, must begin to comply with the disclosure requirements in annual reports for their first fiscal year ending on or after April 15, 2005. 26

Compliance Dates • All companies must begin to comply with the quarterly evaluation of Compliance Dates • All companies must begin to comply with the quarterly evaluation of changes to internal control over financial reporting requirements for its first periodic report due after the first annual report that must include management’s report on internal control over financial reporting. 27

Agenda 1: 00 - 1: 10 Introduction and Overview - Jim Key 1: 10 Agenda 1: 00 - 1: 10 Introduction and Overview - Jim Key 1: 10 - 1: 20 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison 1: 20 - 1: 40 Preparing the 404 Work Plan – Kiko Harvey & David Richards ** Combined Presentation 1: 45 - 1: 50 Break 1: 50 - 2: 25 Questions & Answers – Panel 2: 25 - 2: 30 Concluding Remarks – Jim Key 28

Dave Richards, CIA, CPA Director, Internal Auditing First. Energy Corp. 29 Dave Richards, CIA, CPA Director, Internal Auditing First. Energy Corp. 29

Kiko Harvey, CPA Director, Internal Audit Starbucks Corporation 30 Kiko Harvey, CPA Director, Internal Audit Starbucks Corporation 30

Preparing the 404 Work Plan A Step-by-Step Process 31 Preparing the 404 Work Plan A Step-by-Step Process 31

Overview Step 1: Step 2: Step 3: Step 4: Step 5: Step 6: 32 Overview Step 1: Step 2: Step 3: Step 4: Step 5: Step 6: 32 Organize the Project Team / Communicate Set the Project Scope Develop Tools Documentation Test and Evaluate Controls Reporting

Step 1: Organize the Project Team/ Communicate 33 Step 1: Organize the Project Team/ Communicate 33

First. Energy 404 Project Team Organization Chart Disclosure Committee VP - Controller CRO CIO First. Energy 404 Project Team Organization Chart Disclosure Committee VP - Controller CRO CIO VP - ED General Counsel BU Controller Steering Committee Project Manager Director, IA Internal Auditing Business Unit 5 people 34 Controller's 1 person 5 people

 • Core Team TRAINING – 404 Requirements – Co. Approach (process to be • Core Team TRAINING – 404 Requirements – Co. Approach (process to be followed) – Guidelines – Documentation tool • • • 35 Process Owner Process members (extended team) Steering Committee Audit Committee Disclosure Committee

SOA 404 Annual Control Assessment Process High level overview Financial Statements 36 Processes Materiality SOA 404 Annual Control Assessment Process High level overview Financial Statements 36 Processes Materiality Guidelines Risk & Control Process Matrix (draft) Assessment Team Risk Guidelines

SOA 404 Annual Control Assessment Process ICW GAPS Workshop(s) to confirm Matrix Workshop Guidelines SOA 404 Annual Control Assessment Process ICW GAPS Workshop(s) to confirm Matrix Workshop Guidelines 37 Design Assessment Corrective action No Gaps

SOA 404 Annual Control Assessment Process ICW GAPS Corrective action Testing to confirm controls SOA 404 Annual Control Assessment Process ICW GAPS Corrective action Testing to confirm controls Testing Guidelines 38 Testing Results Assessment Test Plan No Gaps Overall assessments statements

Step 2: Scope the Project • Identify cycles that drive financial statement information • Step 2: Scope the Project • Identify cycles that drive financial statement information • Identify other key processes critical to the company’s success • Map out significant transactions for each cycle and business process to form the basis for documenting controls 39

Step 2: Scope the Project Example Cycles Revenue Transactions Authorize Credit Maintain Customer Files Step 2: Scope the Project Example Cycles Revenue Transactions Authorize Credit Maintain Customer Files 40 Hiring, Training & Scheduling Employees Collecting Analyzing Bad Debt Transactions Key Processes Retail Operations Invoicing Point of Sale Maintenance Merchandising Sales and Cash & Promotions Audit Inventory & Asset Management

Step 2: Scope the Project • Map financial statement components to cycles and key Step 2: Scope the Project • Map financial statement components to cycles and key processes • Identify locations having a significant impact on the financial reporting environment for testing – Set materiality guidelines for balance sheet and P&L (i. e. % assets, EPS impact) – Introduce project to remote accounting locations selected for testing 41

Step 3: Develop Tools • Determine how you will organize the documentation – consider Step 3: Develop Tools • Determine how you will organize the documentation – consider using special purpose software (COSO based) • Develop checklists – Control self-assessment questionnaires – Policies and procedures surveys – Segregation of duty templates 42

Step 4: Documentation • Collect and inventory existing internal control documentation for cycles and Step 4: Documentation • Collect and inventory existing internal control documentation for cycles and key processes identified in scoping activity • Distribute checklists to new locations or where information requires update • Using the COSO documentation tool, document controls for all transaction cycles and key processes in a “controls repository” – replicate for locations selected for testing 43

Step 4: Documentation Example Organization of Controls Repository Transaction Identified during scoping phase (by Step 4: Documentation Example Organization of Controls Repository Transaction Identified during scoping phase (by cycle and key process) Map to financial statement accounts, disclosures, footnotes, etc. Identify Risk Identify risks for each transaction based on financial statement assertions (existence, accuracy, completeness, etc. ) Identify Control 44 Document key control activities for each risk identified Determine if preventive or detective in nature Determine if automated or manual Frequency of control activity (daily, monthly, quarterly)

Step 5: Test and Evaluate Controls - Testing Guidance • • 45 Testing definition Step 5: Test and Evaluate Controls - Testing Guidance • • 45 Testing definition Objectives for testing Methods (options) for testing How to determine proper test Expectations of results of test Which controls to test (ID Key control) Documentation

Step 5: Test and Evaluate Controls - Testing Guidance • • • Evaluation (expectations Step 5: Test and Evaluate Controls - Testing Guidance • • • Evaluation (expectations vs. results) Frequency of testing Who performs the test Determination of “gaps” Action plans Identification of deficiency, significant deficiency or material weakness • Retesting 46

Deficiency Significant Deficiency Material Weakness 47 Control Activity / Technique Multiple Control Activities COSO Deficiency Significant Deficiency Material Weakness 47 Control Activity / Technique Multiple Control Activities COSO Financial Control Objective not met

Control Objectives = COSO Financial Statement Assertions 1. 2. 3. 4. 5. 6. 7. Control Objectives = COSO Financial Statement Assertions 1. 2. 3. 4. 5. 6. 7. 48 Existence / Occurrence Completeness Measurement / Valuation Rights & Obligations Recorded Proper Classification & Disclosures Safeguarding of Assets Fraud Prevention / Detection

Deficiency “Design gap” or “Operational gap” = Missing control (design) = Control objective not Deficiency “Design gap” or “Operational gap” = Missing control (design) = Control objective not met (design) = Control not present (operational) = Control not operating as designed (operational) = Control cannot be confirmed (operational) = Inconsistent application (person performing control not qualified) (operational) 49

Payroll Process 50 Payroll Process 50

Significant Deficiency • Frequency of deficiencies noted • Errors in multiple controls tied to Significant Deficiency • Frequency of deficiencies noted • Errors in multiple controls tied to key risk • More than one control activity contains testing errors beyond expectations • Control objective key risks are mitigated but only because one control activity has tested ok vs. all controls tied to the risk 51

Property Accounting 52 Property Accounting 52

Material Weakness • Key risks (HH) tied to control objective not mitigated • Control Material Weakness • Key risks (HH) tied to control objective not mitigated • Control objective cannot be achieved • All controls designed to mitigate a risk have deficiencies • Significant “material” transactions flow through the process ($10, 000) 53

Account Mapping to Material Accounts = Processes Process: Zai*net Deal Capture Control Objective #2: Account Mapping to Material Accounts = Processes Process: Zai*net Deal Capture Control Objective #2: Completeness of transactions Key Risk #2. 1: Transactions may be inaccurately recorded Control Activity #2. 1. 4: Confirmation process used to ensure deals are captured & complete Test: Select 30 transactions over test period; compare confirms to Zai*net data (9 characteristics) 54 Expectation: all deals will be confirmed with all 9 characteristics matching

Step 6: 404 Reporting • • Team meeting agendas & minutes Assignments Monthly report Step 6: 404 Reporting • • Team meeting agendas & minutes Assignments Monthly report Steering Committee meetings Disclosure Committee meetings Updates to Audit Committee Updates to Senior Management (CEO, CFO, President, Key VPs) • External Financial Audit Team 55

Agenda 1: 00 - 1: 10 Introduction and Overview - Jim Key 1: 10 Agenda 1: 00 - 1: 10 Introduction and Overview - Jim Key 1: 10 - 1: 20 Management’s Report on Internal Control Over Financial Reporting - Sean Harrison 1: 20 - 1: 40 Preparing the 404 Work Plan - Kiko Harvey & David Richards ** Combined Presentation 1: 45 - 1: 50 Break 1: 50 - 2: 25 Questions & Answers – Panel 56 2: 25 - 2: 30 Concluding Remarks – Jim Key

Summary • Interpretation of SEC Rules is subjective • Check SEC website www. sec. Summary • Interpretation of SEC Rules is subjective • Check SEC website www. sec. gov regularly for regulatory actions • Approach 404 management assessment of internal controls as major project • Apply project management disciplines to ensure compliance 57

The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L. L. P The IIA Webcast Moderator Jim Key, CIA Managing Partner Shenandoah Group, L. L. P 58