Transcript Slide 1

Sarbanes-Oxley 404
ISACA Luncheon Session
April 20, 2005
© 2004 KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A.
1
Introduction
Patrick Gunderman – KPMG



Director/Sr Mngr with Risk Advisory Practice.
15 years experience working with internal controls
Working on SOX 404 for over two years
Current Events Update

The April Round Table has occurred.

New guidance has been promised from the PCAOB by
Mid-May.

Many material weaknesses have been reported

Most companies survived their first year of
Sarbanes-Oxley 404.
Opening Questions
• How many people have spent a significant amount of their time in the last six months on SOX 404 related work? (more than two weeks)
• How many spent time on either internal testing or documentation of the company's processes?
• How many spent time answering questions, being tested, or on remediation of deficiencies identified?
IT General Controls
IT General Controls are those controls that may have a
pervasive impact on controls at the application level.
Though there are many ways in which general controls may be
defined, and have been classified, general controls typically
include the central functions of the IT environment such as
change management, new system development/acquisition,
access to programs/data, computer operations, vital records
management, etc…
COBIT definition:
Controls embedded in IT Services form General Controls
IT General Controls Examples
• Restricted Access and Security
  - Only appropriate users have system access (network, application, etc).
  - Only authorized users have the ability to maintain user access lists, update profiles, or change user authorizations or roles.
• Change management
  - Formal procedures are followed and documented, including appropriate approvals and user acceptance.
  - Program changes are prepared and tested in a segregated, controlled environment prior to moving to production.
Application Controls
Application Controls are those system features or functions that
may be expected to provide control within a given business
process (also called programmed controls).
This can include edit checks to control data entry, parameters set
in the system to control a process, account mapping controls,
system interfaces & calculations, matching or verification
functions, and controls that limit access to perform a given
function or authorize a transaction.
COBIT definition:
Controls embedded in business process applications, such as
large ERP systems and smaller best-of-breed systems, are
commonly referred to as application controls.
Application Controls Examples
Sales or Revenue Cycle:
• Required fields ensure that customer master data is entered completely
• Orders entered that are greater than the approved credit limit are automatically placed on credit hold
• All goods shipped are “automatically” invoiced
• Invoices are accurately calculated and prices are obtained from authorized tables or fields
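The four revenue-cycle application controls listed above, shown as programmed controls in an added order-entry example (this is illustrative code written for this transcript, not anything from the presentation or from KPMG). The price table, required-field list and customer data are constructed sample values; the point is that completeness, credit hold, invoicing on shipment and pricing are enforced by the system rather than by the person keying the order.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the authorized price table and the
# customer-master rules; a real system would read these from controlled tables
# that only authorized users can maintain.
AUTHORIZED_PRICES = {"SKU-100": 25.00, "SKU-200": 40.00}
REQUIRED_CUSTOMER_FIELDS = ("name", "billing_address", "credit_limit")


@dataclass
class Order:
    customer: dict
    lines: dict                      # sku -> quantity ordered
    status: str = "new"
    invoice: dict = field(default_factory=dict)   # sku -> amount invoiced


def create_customer(master: dict) -> dict:
    """Required-field control: reject an incomplete customer master record."""
    missing = [f for f in REQUIRED_CUSTOMER_FIELDS if not master.get(f)]
    if missing:
        raise ValueError(f"incomplete customer master, missing: {missing}")
    return master


def price_order(order: Order) -> float:
    """Pricing control: prices come only from the authorized table, never
    from a value supplied with the order."""
    total = 0.0
    for sku, qty in order.lines.items():
        if sku not in AUTHORIZED_PRICES:
            raise KeyError(f"no authorized price for {sku}")
        total += AUTHORIZED_PRICES[sku] * qty
    return round(total, 2)


def enter_order(order: Order, open_balance: float) -> str:
    """Credit-limit control: the order goes on hold automatically when the
    customer's exposure (open balance plus this order) exceeds the limit."""
    exposure = open_balance + price_order(order)
    order.status = "credit_hold" if exposure > order.customer["credit_limit"] else "approved"
    return order.status


def ship(order: Order, shipped: dict) -> float:
    """Shipment control: only approved orders ship, nothing ships beyond what
    was ordered, and every shipped line is invoiced automatically."""
    if order.status != "approved":
        raise PermissionError("cannot ship an order that is not approved")
    for sku, qty in shipped.items():
        if qty > order.lines.get(sku, 0):
            raise ValueError(f"shipped quantity for {sku} exceeds order")
    order.invoice = {sku: round(AUTHORIZED_PRICES[sku] * qty, 2) for sku, qty in shipped.items()}
    order.status = "shipped_invoiced"
    return round(sum(order.invoice.values()), 2)
```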
Questions
• How many have been working on IT General Controls?
• How many have been working on Application Controls?
Key Controls Identified – KPMG Survey Results
Key controls are most prevalent in the areas/processes of: information technology (21 percent), financial reporting and close (17 percent), and revenue (15 percent).
[Pie chart: share of key controls by area/process]
Information Technology 21%
Financial Reporting and Close 17%
Revenue 15%
Company-level 9%
Procure to Pay 9%
Treasury 8%
Human Resources 8%
Other Assets/Liabilities 7%
Taxes 6%
What were/are people worried about?
IT controls dominate the deficiencies, significant deficiencies, and material weaknesses identified through the S-O 404 assessment.
The estimated percentage of deficiencies identified shows IT controls accounting for the most (34 percent), followed distantly by revenue (13 percent), procure to pay (10 percent), and fixed assets (10 percent).
The estimated percentage of significant deficiencies identified again shows IT controls leading the way (23 percent), followed by financial reporting and close (14 percent), procure to pay (13 percent), and revenue (12 percent).
The estimated percentages of material weaknesses identified include IT controls (27 percent), revenue (18 percent), taxes (11 percent), and financial reporting and close (10 percent).
It is important to note that results presented here are based on self-reporting by the companies that participated in the survey. Conclusions may be affected by the differing methods companies use to report on various elements of Sarbanes-Oxley compliance.
Manual Versus Automated Controls
What is the estimated percentage of your company’s manual controls versus automated controls?
Most controls are still manual. 66 percent estimated their controls to be weighted more toward manual than automated, 17 percent estimated the percentages to be 50/50, and 17 percent estimated their controls to be weighted more toward automated.
[Bar chart: percentage of respondents by estimated manual vs automated split. Categories from Totally Manual to Totally Automated: 100% vs 0%, 80% vs 20%, 60% vs 40%, 50% vs 50%, 40% vs 60%, 20% vs 80%, 0% vs 100%. Bar values as extracted (order not recoverable): 40, 25, 17, 8, 8, 1, 1.]
Detective Versus Preventative Controls
What is the estimated percentage of detective controls versus preventive controls (excluding information technology controls)?
Most controls are still weighted more toward detective versus preventive. 47 percent estimated their controls to be weighted more toward detective than preventive, 27 percent estimated the percentage to be 50/50, and 26 percent estimated their controls to be weighted more toward preventive.
[Bar chart: percentage of respondents by estimated detective vs preventive split. Categories from Totally Detective to Totally Preventative: 100% vs 0%, 80% vs 20%, 60% vs 40%, 50% vs 50%, 40% vs 60%, 20% vs 80%, 0% vs 100%. Bar values as extracted (order not recoverable): 31, 18, 15, 27, 7, 1, 1.]
Cost of Compliance in Year 2
If your cost of compliance is decreasing, what do you estimate will be the cost of Sarbanes-Oxley 404 compliance in 2005 as a percentage of 2004 cost?
Approximately two in three companies (67 percent) expect their costs related to S-O 404 compliance to decrease in 2005. However, the majority expects a decrease of 10 percent to 30 percent.
[Bar chart: percentage of respondents by expected 2005 cost as a percentage of 2004 cost. Categories: Less than 50%, 50%, 60%, 70%, 80%, 90%. Bar values as extracted (order not recoverable): 27, 18, 20, 19, 6, 10.]
Control Transformation
Today:
• Project driven
• Inconsistent
• Document centric
• Manual controls
• Owned by “support”
What happens when?
• People leave
• Processes get improved
• New systems get implemented
• Businesses get sold/acquired
• Processes are outsourced
Tomorrow:
• “The way we do business”
• Integrated into processes
• Dynamic controls
• Process and Data centric
• Owned by the “business”
How do we comply with 404?
Becomes…
How do we evolve controls to enable and provide a new platform of value for an ever-changing business?
Lessons Learned and
Leading Practices from Year One
Top Lessons Learned from 2004
• Information Technology
• Governance
• Cost
• Auditor Relationship
• Personnel & Resources
• Project Management
• F&A Reporting Complexity
Top Lessons Learned from 2004
Information Technology
• Area with many significant deficiencies
• Alignment of IT and business often not at desired level
• Documentation and testing of IT controls was one of the most challenging areas
• Data, process, controls and systems are more complex than previously realized
• Heavier than realized reliance on third party outsourcers – with black box mentality by management
Top Lessons Learned from 2004
Cost
• Cost of initial compliance much higher than initially planned (36% - 100%+)
• Total cost of control is significant SG&A component
• Cost of ongoing compliance largely unknown but suspected as significant
Top Lessons Learned from 2004
Personnel & Resources
• Management’s prior knowledge was heavily based on inquiry and observation rather than testing
• Roles, responsibilities and authority not always clearly understood
• Employees’ base of knowledge of internal controls was low
• Significant amount of training was required, and the information needed to be repeated for it to sink in
• Internal audit can’t do it all
• Non-Audit personnel – especially IT – have a lower level of familiarity with controls
Top Lessons Learned from 2004
F&A Reporting Complexity
• Enabled by multiple systems and widespread use of spreadsheets and other “one-off” processes
• Internal Control documentation didn’t previously exist
• Number of processes and controls is greater than realized
• Quantifying and classifying deficiencies is challenging
Top Lessons Learned from 2004
Project Management
• Effort was greater than anticipated; better planning/budgeting critical
• Strong, centralized project management is vital
• Ensure ownership and accountability for compliance within the business, beyond just the Internal Audit or Internal Control functions
• Establish a process that ensures the quality and accuracy of the documentation and testing
• Change Management is important
Top Lessons Learned from 2004
Auditor Relationship
• Relationship with auditor fundamentally changed
• Oversight of auditor independence is important to process
• Engage the external auditor in process as early as possible
• Working with them and explaining things can be extremely helpful
Top Lessons Learned from 2004
Governance
• Audit Committees’ understanding of audit effort improved
• Audit Committee authority has expanded
• SEC and PCAOB rules are critical
• While effort is highly prescriptive, many judgment calls still required