Transcript Document

Introduction of Panel Members
PwC
The Sarbanes-Oxley
Act of 2002
What Companies Should
Be Doing Now
March 10, 2003
Michael Cobb
(813) 222-6212
The Sarbanes-Oxley Act of 2002
PricewaterhouseCoopers
1
Sarbanes-Oxley Act of 2002
Section 302
Requires quarterly certification by the CEO / CFO of all companies
filing periodic reports under section 13 (a) or 15 (d) of the Securities
Exchange Act of 1934 regarding the completeness and accuracy of
such reports as well as the nature and effectiveness of internal controls
supporting the quality of information included in such reports.
Section 404
Requires an annual report by management regarding internal controls
and procedures for financial reporting, and an attestation as to the
accuracy of that report by the company’s auditors.
Addressing DC&P Requirements
[Diagram: Disclosure Controls and Procedures (DC&P) shown as the outer layer covering three disclosure requirement areas: Operations, Financial Reporting and Compliance. Within it sit Internal Accounting Controls, Internal Controls over Disclosure Requirements and Internal Controls over Financial Reporting.]
What are the Questions That Need to be Asked?
 What does our control structure look like and how does it operate?
 Who is accountable?
 How does it deal with change?
 What are the critical control activities?
 Are they monitored?
 Is all of this documented?
 How will I demonstrate that I have reviewed the controls every quarter?
Why the Need for Control Structure Documentation?
 Available for third-party purposes
 Enables External Auditor’s attestation work
 Enables ongoing assessment of operating effectiveness
 Facilitates linkage to COSO
 Supports management assertions
 Reduces risk and supports operational efficiency
Controls over the IT environment
• Most business processes are critically enabled by IT
• Achieving objectives is often dependent on IT based controls
• Many controls depend on data generated by IT systems
• IT controls need to be considered at 2 levels:
– Controls over the IT environment (General Controls)
– Controls over individual applications
Audit of Financial Statements vs. 404 Controls Attestation
Audit of Financial Statements
• Understanding and consideration of internal controls only to develop the audit approach
• Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls
• Internal control reports have been very rare in practice and are the subject of different auditing standards
404 Attestation
• 100% controls-based approach
• Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep)
• Lack of errors, historically, in financial statements is not de facto evidence, unto itself, of an appropriate internal control structure
Management’s Requirements Under Section 404
Section 404 – Management Must Assess Internal Controls Annually (effective date pending)
• Internal control report states management’s responsibility for establishing and maintaining adequate internal control structure and procedures for financial reporting.
• Management must assess effectiveness of internal control structure and procedures for financial reporting as of the end of the most recent fiscal year.
• Attestation by external auditor (Sections 404 and 103).
The Intersection of Sections 302 and 404
[Diagram: two overlapping areas.]
302: Management’s certification related to the financial reporting elements of DC&P.
404: Internal controls for financial reporting; basis for auditors’ evaluation and testing.
The Five Components under the COSO Framework
Control Environment
 Sets tone of organization, influencing control consciousness of its people.
 Factors include integrity, ethical values, competence, authority, responsibility.
Risk Assessment
 Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
 Foundation for all other components of control.
Control Activities
 Policies/procedures that ensure management directives are carried out.
 Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
 Pertinent information identified, captured and communicated in a timely manner.
 Access to internal and externally generated information.
 Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Monitoring
 Assessment of a control system’s performance over time.
 Combination of ongoing and separate evaluation.
 Management and supervisory activities.
 Internal audit activities.
All five components must be in place for a control to be effective.
Control Objectives and Types of Financial Controls to Be Identified
Standard Control Objectives (All Cycles/Processes/Activities):
 Completeness of input
 Accuracy of input
 Completeness and accuracy of output
 Authorization/Validity
 Timeliness
 Others:
– Safeguarding of assets
– Segregation of duties
Types of Financial Controls:
 Basic/Application Controls
 Monitoring Controls
 General/Computer Controls
Mapping to Controls
[Diagram: Cycles/Processes mapped to Controls, mapped in turn to Financial Statements.]
STEPS:
1. Map F/S line items to cycles/processes
2. Document each existing process (detailed flowcharts and narratives)
3. Identify controls in place
4. Test controls for effectiveness
5. Highlight missing controls
6. Assess impact of missing controls
7. Fill gaps
Implementation Issues
 Resources
 Training / Education
 Project management
 Scope Setting
– Centralized vs. decentralized processes
– Multinational / Multilocation
– Common vs. independent systems
– Acquisitions
– Shared service centers
 Measurement of control effectiveness
 Reporting
 Disclosure controls and procedures
– Financial
– Non-financial
Action Plan
Following an iterative approach to evaluate and assess the control environment will provide readiness for 404 certifications and improve 302 compliance.
[Diagram: a cycle of five phases.]
1. Educate Management / Board
2. Mobilize
3. Collect Data on “As-Is” Environment
4. Assess Maturity and Perform Gap Analysis
5. Address Needs for Continuous Improvement
This process should be repeated as necessary in a continual effort to improve the level of maturity of an organization’s internal controls.