Transcript: Module 5 - TV Worldwide
Does Your SOX 404 Work Measure Up?
Hear What Will Satisfy Your CPA Firm!
The Institute of Internal Auditors
May 25, 2004
7/17/2015
Phillip Fretwell, CPA
Managing Director
Protiviti, Inc.
© 2000 KPMG
Agenda
• Introduction & Overview
Phillip Fretwell, Protiviti, Inc.
• IT Consideration
Lynne Doughtie, KPMG LLP
• Using the Work of Others
Tim Messick, Ernst & Young LLP
• Gaps & Remediation
Larry Ishol, Deloitte
• Break
• Q&A
IT Considerations
Lynne Doughtie, CPA
Partner
KPMG LLP
Evaluation Framework – COSO/COBIT
Source: IT Governance Institute
IT Control Components in an Organization
[Diagram: layers of IT control, top to bottom]
• IT Considerations in the Control Environment
• Application Controls, spanning the business processes (Logistics, Manufacturing, Finance, Executive Management, etc.)
• IT Services (OS/Data/Telecom/Continuity/Networks)
• IT General Controls
Source: IT Governance Institute
IT Control Components
• IT Considerations in the Control Environment
– Systems planning
– Governance
– Enterprise policies
– Operating style
– Collaboration
– Information sharing
– Code of conduct
– Fraud prevention programs
• IT General Controls
– Systems security / access
– Change management
– System development
– Computer operations
• Application Controls
– Authorization
– Configuration / account mapping
– Exception / edit reports
– Interface / conversion
– System access
Control Environment
• IT Management and Organization Structure
• Knowledge and Skills
• Training
• Information Architecture
• Assessment of Risks
• Compliance with External Requirements
• Management of Quality
• Independent Assurance
• Internal Audit
General Controls
• System Security / Access
– Documented IT security policy and appropriate compliance
– User profile maintenance procedures
– Logical access restrictions
– Periodic review of user access rights and system permissions
– Security activity logging
• Change Management
– Change management procedures and authorizations
– Testing requirements for all changes prior to implementation
– Documentation requirements for system, user and control changes
– Access restrictions for change migrations
– Restricted and monitored production environment changes
General Controls
• System Development
– System development methodology and monitoring
– System development procedures and authorizations
– Testing procedures, including management and user acceptance
– Documentation requirements for systems, users and controls
– Training requirements for new systems
– Post-implementation requirements, including data integrity controls
• Computer Operations
– Backup procedures addressing critical systems and data
– Backup restoration testing
– Offsite storage procedures and authorization controls
– Defined problem management procedures
– Job scheduling procedures and monitoring procedures
IT Control Scoping
• Identify applications that support key processes
• Determine the nature and location of each application
• Identify IT General Controls for each application in scope
• Focus is on Internal Control Over Financial Reporting

[Scoping matrix: one row per in-scope application, with these columns]
• Identified Key Process
• Application Name
• Location Where Application is Hosted
• Underlying Infrastructure/Architecture (Database, Operating System, Hardware)
• IT General Controls, one column each:
– System Security / Access
– Change Management
– System Development
– Computer Operations
Common Approach
• Organize project team and planning
• Define the IT areas to be included within the scope of SOX 404:
– Entities and locations
– Key applications to be considered
– Specific control objectives to be achieved
• Document key IT areas within scope and identify key controls over financial reporting (control environment, general controls, application controls, process-level IT controls)
• Design test plans, perform testing of IT controls, identify control gaps, and develop remediation plans
• Update test procedures as necessary
Using the Work of Internal Audit & Others
Tim Messick, Partner
Mid-Atlantic Area Control & Methodology Leader
Ernst & Young
PCAOB Std. No. 2 – Brief History
• Using the work of others was hotly debated in early stages of Standard No. 2
• Early drafts severely restricted the reliance external audit could place on others
• Final standard brings us much closer to the existing SAS 65 model
Who Can External Audit Rely On?
• Internal Audit
• Third-party firms assisting with 404 (e.g., another CPA firm)
• Management
• For all of the above, certain restrictions are discussed in Standard No. 2
Considerations in Using Others
• Nature of controls & accounts
• Competence & objectivity of individuals
• Need to re-perform certain of the work
• Specific PCAOB restrictions in certain areas
• “Principal evidence” must come from the external auditor
Using the Work of Internal Audit
• Various models exist in practice:
– IA performing documentation & testing on behalf of management
– IA performing independent testing after management performs their work
– IA providing direct assistance to external audit
Using IA’s Work
• Standard No. 2 prohibits relying on others in specific areas:
– Control environment
– Fraud programs & related controls
– Walk-throughs
• These must be performed by external audit in all instances
• “Principal evidence” needs to be considered
Using IA’s Work (cont.)
• Areas where external audit can utilize a significant amount of IA work:
– Routine data processes
– Non-pervasive subjective processes
Using IA’s Work (cont.)
• Areas where use of IA work would likely be limited:
– Pervasive controls
• Financial statement close process
• IT general controls
Using IA’s Work (cont.)
• Recent PCAOB comments
– When external audit uses IA in a direct supervision mode, it cannot exceed 20% of “principal evidence”
– Provision of the registered firm regulations
– Work in process; more to come
Testing Considerations
• Amount of re-testing will be similar to the SAS 65 model, but likely more than in the past:
– Competency and objectivity concerns
– Nature of control
– Who performed the work (e.g., IA vs. management)
– Now separately opining on IC, vs. reliance on the FS audit as in the past
Other Comments
• As with other 404 areas, nothing is crystal clear
• Expect many implementation issues
• Clarifications from PCAOB and SEC to come over next several months
• Management, IA, and external audit should all be working together closely
Gaps & Remediation
Larry Ishol, CPA
Engagement Partner
Deloitte
Situational Assessment
A recent Deloitte survey of Fortune 500 companies indicates that a significant amount of work remains.

Activity                              Percentage Complete
Documentation                         75%
Evaluation of design effectiveness    47%
Testing of operating effectiveness    21%
Remediation                           21%
What Constitutes a Gap?

Type                    Likelihood         Magnitude
Deficiency              Remote             and/or Inconsequential
Significant Deficiency  More than remote   and More than inconsequential, or quantitatively significant
Material Weakness       More than remote   and Material to the financial statements
Specific Considerations
• At least “SD”:
– Selection and application of accounting policies
– Non-routine and non-systematic transactions
– Antifraud programs and controls
– Period-end financial reporting process:
• Procedures used to enter transaction totals into the G/L
• Journal entries
• Recurring and non-recurring adjustments to the F/S
• Strong indicator of “MW”:
– Restatement to reflect correction of a misstatement
– Identification of a material misstatement
– Identification of fraud of any magnitude on the part of senior management
– Ineffective:
• Audit committee
• Internal audit or risk assessment function
• Regulatory compliance function
• Control environment
– Uncorrected significant deficiencies
Remediation
Remediation is simply the process of fixing a deficiency associated with the design or operating effectiveness of a control activity.

Sample Remediation Activities
• Design Deficiency
– Improve controls that have “fixable” design deficiencies
– Implement new controls when the design deficiency is too substantial to be repaired
– Implement new controls when there are no controls in place
• Operating Deficiency
– Communicate to the individual responsible for testing the control that he or she must perform the test
– Oversight to ensure that the control is tested in the future
Remediation Challenges
• Effective decision & governance process
• Complex program management initiatives
• Significant IT environment changes
• Impact on human resources
• Complex re-testing and roll-forward testing activities
• Overall need for best practices
Taking Action - Remediation
Questions to Consider
1. Have you developed a process for classifying control deficiencies?
2. Have you allotted sufficient time to remediate material weaknesses and significant deficiencies prior to year-end?
3. Have you identified resources to assist in remediating controls in technical areas?
Taking Action - Remediation
Questions to Consider
4. What is the status of gap analysis?
5. Do you have a process to identify, classify and prioritize gaps and manage your remediation effort?
6. Do you have sufficient skill sets, knowledge bases, etc. to adequately develop and implement solutions to gaps?

To Get Your CPE Certificate
Next webcast: June 8, 2004, “Anti-Fraud Programs”
Webcast Evaluation