Reliable Control Self-Assessment
James Brady Vorhies (“Brad”)
Dallas CPA Society’s
Continuing Education Day
Hilton Anatole
May 26, 2011
Course Objective
To convince attendees of the advantages of:
– Adopting “reliable” control self-assessments versus attribute testing.
– Obtaining “ongoing” assurance versus one-time assurance from the existing internal audit investment.
Biggest Payback
Is going to be for SOX 404 compliant companies
– Because they will be able to replace management’s attribute testing of each key control:
1. With ongoing key control monitoring, and
2. With management testing of the key control process
Next Biggest Payback
If you develop the infrastructure then you can monitor all of the company’s key controls
– Examples:
Business Continuity key controls
Debt covenant compliance certifications
Any area’s key controls
– GRC Application?
SOX Testing Current State
Key financial controls are generally attribute tested, requiring:
– Annual scoping
– Flowcharts and/or narratives
– Test case per key control
– Sample selection per key control
– Attribute test per key control
Attribute Testing Approach Challenges
Key control attribute testing requires audit skills to perform
Difficult to embed testing in management’s process
No ongoing assurance
Attribute testing is seen as a non-value-add, duplicative cost
Current SOX Cost Saving Strategic Initiatives
Scoping to decrease controls tested
Automation of key control reviews
Increase reliance upon management’s internal testing
New SOX Compliance Strategy
To both decrease cost and improve management’s controls monitoring:
– Develop reliable key control self-assessments
– Create an ongoing management monitoring process
– Embed responsibility with control owners and responsible management
Transformation: SOX Testing to Controls Monitoring
Transformation is accomplished by creating “reliable” self-assessments that replace control attribute testing
– AS 5 allows management to implement their own process – the only requirement is that it is “effective”
– SEC guidance addresses self-assessments and requires they be “reliable”
– COSO’s vision is controls monitoring
Transformation Advantages
Ongoing assurance – right things get done right
Self-documenting
Embedded process owned by management
Better employee understanding & acceptance of controls
Self-assessments are great training aids
Better visibility – all key controls on an automated timeline
Ensures tasks get completed – regardless of employee status
Leverages current investment – start with key controls
Reduced compliance cost
Minimal attribute testing
Frees audit resources
Greater coverage - GRC framework for control assurance?
Evolution: Testing to Monitoring – EFH’s Story
2001 - Ongoing manual KAC self-assessments program (implemented - December 2001)
2004 - First SOX 404 Opinion:
– Deloitte RCTS application
Control owner - VP/manager who had key controls tested
– Annual scoping and testing effort
For each key control an individual test plan, sample and attribute test
Maintained narratives, flowcharts and other process documentation
– Sample size ~40/roll forward all high risk ~10
2006 - SOX 404 Opinion - Combined
– Automated key controls self-assessments
Control owner – owns, executes and self-assesses the key control
– Abandoned test plans – key controls documented in CMT
Key controls mapped to significant accounts & relevant assertions
– Limited sampling and attribute testing
Test the key controls process (key control owners)
Attribute test high volume transactions (easier)
– Journal entries
– Account Reconciliations
Key Control sample size ~40/roll forward ~None
Reliable Self-Assessments
3 Step process
Must construct a reliable self-assessment process
Must monitor the self-assessment process
Must test the self-assessment process
Reliable Self-Assessments Step 1
Must construct reliable self-assessment process
– Required components
– Required Training
– Required Company cultural change
Online real-time self-assessment tool necessary to improve timeliness of assurance
– But a manual process can be “reliable”
Necessary Components for Reliable Self-Assessments
Quality standards
– Defines “done right”
– Derived from management’s control objectives
Evidence standards
– Sufficient, competent, reliable evidence
If the evidence is insufficient, it didn’t happen
– Very similar to what you are currently using
Frequency of review
– Workday due – same for all periods (i.e. WD 3)
Calendar due date - for a specific period
– Based upon how often management wants assurance
Intelligent review and approval
Intelligent Review and Approval
High risk - must be reviewed and approved
Low/Medium risk - answer “Yes” & self approve
Anytime answer “No”, must:
– Document exception explanation
– Document action plan
– Forward for review and approval
– Evaluate as a deficiency (financial controls)
Intelligent Review and Approval - continued
Required review and approval if – High Risk:
– New key controls
– Significant changes in key control(s)
– New control owner
– Issues with key control completion
Key Control Exception
= Failure to meet a:
– Quality standard,
– Evidence standard,
– Or, due date established in the standard
May not be a deficiency
– May not create a potential for misstatement if the failure was only to achieve a quality or evidence standard
No exceptions is the theoretical goal
Challenge – No Transactions During Period
More efficient to say “No Occurrence” than to report a key control exception
So answers for what the control standard achieved would be:
– Yes
– No
– No Occurrence
Have to provide an explanation in the comment field (business rule should require a comment)
Important for backup personnel who “own” the same control as the primary control owner
Can apply to almost any control owner’s control
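The routing rules on the “Intelligent Review and Approval”, “Key Control Exception” and “Challenge – No Transactions” slides, together with the workday due date from the “Frequency of review” slide, are the business logic a self-assessment tool has to enforce. The following is an added example written for this transcript; it is not code from the presentation or from EFH’s tool. The control identifiers, dates and field names are constructed, and the workday calculation assumes weekends are the only non-working days (a real tool would consult a holiday calendar).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Risk(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


class Answer(Enum):
    # The three permitted answers to "did the control standard get achieved?"
    YES = "Yes"
    NO = "No"
    NO_OCCURRENCE = "No Occurrence"


@dataclass
class SelfAssessment:
    control_id: str                 # constructed identifier, e.g. "KC-001"
    risk: Risk
    answer: Answer
    comment: str = ""               # exception explanation / No Occurrence explanation
    action_plan: str = ""
    financial_control: bool = True  # deficiency evaluation applies to financial controls
    is_new_control: bool = False
    new_control_owner: bool = False
    significant_change: bool = False
    due: Optional[date] = None
    submitted: Optional[date] = None


@dataclass
class Routing:
    accepted: bool                  # business rules satisfied, record may be stored
    requires_review: bool           # forward for review and approval vs. self-approve
    exception: bool                 # key control exception was raised
    evaluate_as_deficiency: bool
    errors: List[str] = field(default_factory=list)


def workday_due_date(period_end: date, workday: int) -> date:
    """Calendar date of the Nth workday after period end (e.g. WD 3).
    Assumption: only Saturday/Sunday are non-working days."""
    d, remaining = period_end, workday
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


def route(sa: SelfAssessment) -> Routing:
    """Apply the slide's review/approval rules to one self-assessment."""
    errors: List[str] = []
    late = sa.due is not None and sa.submitted is not None and sa.submitted > sa.due

    # Exception = failure to meet a quality/evidence standard ("No") or the due date.
    exception = sa.answer is Answer.NO or late

    # High risk, new control, new owner, significant change, or any exception
    # must be reviewed and approved; otherwise a "Yes" self-approves.
    requires_review = (
        sa.risk is Risk.HIGH
        or sa.is_new_control
        or sa.new_control_owner
        or sa.significant_change
        or exception
    )

    # A "No" must carry an exception explanation and an action plan.
    if sa.answer is Answer.NO:
        if not sa.comment.strip():
            errors.append("exception explanation required")
        if not sa.action_plan.strip():
            errors.append("action plan required")

    # Business rule from the slide: "No Occurrence" requires a comment.
    if sa.answer is Answer.NO_OCCURRENCE and not sa.comment.strip():
        errors.append("comment required for No Occurrence")

    evaluate_as_deficiency = sa.answer is Answer.NO and sa.financial_control
    return Routing(not errors, requires_review, exception, evaluate_as_deficiency, errors)


if __name__ == "__main__":
    due = workday_due_date(date(2011, 4, 30), 3)   # constructed period end
    sa = SelfAssessment("KC-001", Risk.MEDIUM, Answer.NO, due=due, submitted=due)
    print(due, route(sa))
```

The `Routing` result is what a workflow engine would act on: `requires_review` decides whether the record goes to the approver’s queue or self-approves, `exception` drives the exception report, and a non-empty `errors` list means the tool should refuse the submission rather than store an incomplete record (the “just signing off” problem raised later in the deck).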
Reliable Self-Assessments Step 2
Must monitor self-assessment process
Annual review of all key controls
– Discuss with control owner
Ensure they understand their key controls
Control standards written right
Evidence exists as stated
Comments appropriate
Process advantage – control owner understanding of their key controls
Reliable Self-Assessments Step 3
Must attribute test self-assessment process
Test to determine if control owners complied with process requirements and that the process is reliable
Interim testing of about 40 control owners and all of their key controls
– Also, attribute test high volume areas
Journal entries
Account reconciliations
Self-Assessment Advantages over Attribute Testing
Ongoing assurance
Cost savings
– Fewer test samples and attribute tests
– No test cases to update (must maintain KCR’s)
– Less need to maintain narratives, flowcharts and control matrix (matrix maintained in KC’s application)
Insignificant cost to add a new key control to monitor
– Ops – add a new KCR
Self-Assessment Challenges
Requires executive management support
– If management isn’t testing now – they may not want to monitor
– You will have to convince your Auditors
Requires fundamental change in company culture
– Must become an embedded part of normal job responsibilities
– Just signing off is falsifying company records
May need to pay for an automated process?
– Difficult to cost justify
Internal Audit – Controls Monitoring?
EFH’s Internal Audit function primarily operates on a pre-SOX basis
Review the SOX key controls along with all other key controls during their ongoing audits
Audit reviews the financial controls compliance department’s annual testing
Could Internal Audit determine an area’s key controls and then monitor them via control self-assessments?
Internal Audit’s Transformation from One-time to Ongoing Assurance
Goal - Enable Internal Audit achievement of ongoing assurance and risk monitoring
– Enable ongoing monitoring of the company’s key operational and compliance controls
– Decrease the number and cost of “New” audits
– For essentially the same investment as required for a one-time internal audit with one-time assurance.
Internal Audit’s Payback Challenge “New” Audits
Current State
“New” Audits because of normal audit cycle and changes that occur
High “New” audit investment
During each “New” audit:
– Spend time and resources determining controls and recommendations to implement missing or to fix broken controls
– Perform follow-up review
– Only obtain one-time assurance for investment
Future State
Perform same “New” audit
– Perform same audit and reporting steps
– THEN - IA helps the area’s management develop key control self-assessments for each of the area’s identified key controls.
– Obtain ongoing assurance for essentially the same investment
– Prevent future “New” audits and full “New” audit cost
Enable Ongoing IA Client Engagement & Assurance
Current State
Assurance is only obtained from a one-time follow-up review to ensure that internal audit’s recommendations were appropriately implemented
Future State
IA stays engaged with the area’s management on an ongoing basis.
IA’s existing role as internal consultants will be greatly augmented
IA’s independence is not affected
For essentially the same investment as for a one-time audit with one-time assurance, obtain ongoing assurance
Follow-up Reviews
Current State
A future full size and full cost repeat audit effort is required when the area hits the audit cycle again
Future State
Follow-up reviews for “monitored areas” will be used to:
– Review each area’s key controls and self-assessment reports.
– Ensure that the right key controls are:
Identified
Appropriately monitored
Designed and operating effectively.
An audit universe risk based approach can still be used to define the frequency of follow-up reviews for monitored areas
Challenges to IA Monitoring Approach
Value proposition decreases if company doesn’t have “New” audit syndrome
Must sell value to executive management
– New “cost” (non incremental) to areas being monitored
Determine if payback is there:
– Mitigate risk by “pilot project”
– Determine success of monitoring approach
– If successful – rollout