CAACM Pre-conference Training
Audit Committee Fundamentals – Internal Controls
23 June 2008

Objectives
► The Role and Importance of Internal Audit
► Structuring the Internal Controls Framework
► The impact of Sarbanes Oxley (SOX) on Internal Controls Efficiency

The Role and Importance of Internal Audit
► Corporate Governance history
► Role of SOX in furthering Corporate Governance responsibility
► Management’s responsibilities under SOX
► Audit Committee responsibilities under SOX
► The role of Internal Audit

Corporate Governance History
► SEC Acts of 1933 and 1934
  ► Created SEC and concept of “GAAP” in response to crash of 1929
  ► Affected all existing public companies and IPOs
  ► Addressed impacts of management malfeasance on creditors, citizens and the economy
► Foreign Corrupt Practices Act, etc. in the late ’70s
  ► Required management to develop and maintain internal controls over systems
  ► Required maintenance of records to reflect activity of corporate assets

Corporate Governance History
► Committee of Sponsoring Organizations (COSO) and Blue-Ribbon Panel on Audit Committee Effectiveness in the ’80s and ’90s
  ► Provided practical, broadly accepted criteria for establishing internal controls and evaluating effectiveness
  ► Improve the effectiveness of Corporate Audit Committees
► Sarbanes Oxley Act of 2002

Corporate Governance in the U.K.
► January 2003: Higgs report on the role of Non Executive Directors and the Smith report on Audit Committees.
► July 2003: The Financial Reporting Council subsequently reissued the revised Combined Code. This document includes the Code itself and related guidance comprising:
  ► Turnbull – Guidance on Internal Control
  ► Smith – Guidance on Audit Committees
  ► Higgs Report – Suggestions for good practice
► NB: UK listed companies are required to make a statement on corporate governance in their annual accounts – Statement of Compliance with the provisions of the Combined Code

Sarbanes-Oxley Act of 2002
► Addresses Structural Weaknesses Affecting Capital Markets
  ► Misstatements in financial statements
  ► Enron, Worldcom, Global Crossing, Parmalat, etc.
  ► Failure of officers and auditors to identify and address weaknesses
  ► Failure of stock analysts to detect and advise investors accordingly

Objectives of the Sarbanes-Oxley Act
► Increase the accountability of management of public companies
► Improve Corporate Governance
► Increase the oversight of public accounting firms
► Restore investor confidence in the capital markets

Sarbanes-Oxley Act of 2002
► Efforts to Restore Investor Confidence by enhancing Corporate Governance
  ► Exerted pressure on corporate officers to report accurately (302, 404)
  ► Addressed Audit Committee independence and elimination of conflicts of interest
  ► Established the Public Company Accounting Oversight Board
  ► Required companies to publish more, sooner (10-Q, 10-K deadlines, 8-K filings)
  ► Installed penalty driven fraud and accountability controls

Sarbanes-Oxley Act of 2002
► PCAOB Standards Issued to date:
  ► Auditing Standard No. 1 – References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board
  ► Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
  ► Auditing Standard No. 3 – Audit Documentation
  ► Auditing Standard No. 4
  ► Auditing Standard No. 5 – An Audit of Internal Controls Over Financial Reporting that is integrated with an audit of Financial Statements (supersedes Auditing Standard No. 2)

404 Summary…
► Area of Impact and Provision

In Summary… Key Provisions of SOX 2002
Area Of Impact: Oversight of The Accounting Profession (Sections 101 & 102)
Provisions: Formed the PCAOB to establish standards for auditing, QC, ethics, independence for auditors of public companies who must register with the Board

Key Provisions of SOX 2002
Area Of Impact: Accounting Committee Responsibilities
Provisions: Act requires all listed companies to have fully independent Audit Committees. Responsibilities include:
► Oversight of Auditors
► Independence
► Pre-approval of services
► Procedures – resolve control issues

Key Provisions of SOX 2002
Area Of Impact: Executive Management Certification
Provisions: CEO and CFO must certify with quarterly and annual report that:
► Designed controls to ensure material information is known
► Disclosed to the AC and Auditors deficiencies & fraud
► Fin Statements fair in material respects

Key Provisions of SOX 2002
Area Of Impact: Auditor Independence
Provisions: Act moved to eliminate impairment of independence. Prohibits 9 categories of service to public audit clients:
1. Book-keeping or services related to accounting records
2. FIS implementation
3. Appraisal or valuation services

Key Provisions of SOX 2002
Area Of Impact: Auditor Independence (cont’d)
Provisions:
4. Actuarial Services
5. Internal Audit Outsourcing
6. Legal services
7. Management functions or human resources
8. Broker or Dealer, investment advisor or investment banking
9. Any other service that Board determines is not permissible

Key Provisions of SOX 2002
Area Of Impact: Internal Control Reporting
Provisions: Act requires annual management report and auditor attestation on effectiveness of internal controls structure and procedures for financial reporting

Management’s Responsibilities under SOX
► Accept responsibility for the effectiveness of the Company’s internal control over financial reporting
► Evaluate the effectiveness of internal control over financial reporting using suitable control criteria
► Support its evaluation with sufficient evidence, including documentation and appropriate evidence of existence and effectiveness of internal controls
► Present a written assessment about the effectiveness of internal control over financial reporting as of the end of the Company’s most recent fiscal year

Key SOX Provisions Relating to Audit Committees
► The Sarbanes-Oxley Act has required Audit Committees to adhere to certain provisions as follows:
  ► Each member of the Audit Committee must be independent
  ► At least one of the members must be a “Financial Expert”
  ► Directly responsible for appointment, compensation and oversight of the public accounting firm
► All auditing and non-auditing services must be preapproved by committee.

Key SOX Provisions Relating to Audit Committees (cont’d)
► Establish procedures for handling complaints (whistleblower protection)
► Discuss with auditor prior to issuing audited financial statement:
  ► Critical accounting policies and alternative treatments
  ► Management letter, waived adjustments and material written communications
► Have authority to engage independent counsel and other advisors.

The role of internal audit
► The role of internal audit can be broken down into the following broad categories:
  ► Improvement of internal controls under the following categories:
    ► Effectiveness and efficiency of operations
    ► Reliability of financial reporting
    ► Compliance with laws and regulations
  ► Monitor and evaluate the effectiveness of the organisation’s risk management process
  ► Support the Audit Committee of the Board of Directors in effectively executing its Corporate Governance Responsibility

Structuring the Internal Control Framework
► A good internal control framework is based on internationally developed frameworks as identified in the earlier discussion regarding “Corporate Governance History”
► The framework clearly identifies what are controls
► Addresses the monitoring and evaluation of controls at the Entity level and the Transaction or Process level

Understand the Definition of Internal Control (Phase 1)
Other Suitable Frameworks:
• Guidance on Assessing Controls – Canadian Institute of Chartered Accountants
• Turnbull Report – Institute of Chartered Accountants in England and Wales

Understand the Definition of Internal Control
COSO
► The “Committee of Sponsoring Organizations”
► Organized in 1992 to study internal control and define a common framework for internal control
► Resulted in report titled “Internal Controls—an Integrated Framework”
Internal Control (as defined by COSO)
► A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  ► Reliability of financial reporting
  ► Effectiveness and efficiency of operations
  ► Compliance with applicable laws and regulations

Understand the Definition of Internal Control (cont’d)
Internal controls over financial reporting (objectives)
► To ensure that companies have processes designed to provide reasonable assurance that:
  ► The company’s transactions are properly authorized
  ► The company’s assets are safeguarded against unauthorized or improper use

Evaluate Internal Control at the Entity Level
Entity-level controls have a pervasive effect on the organization. Evaluation includes a consideration of factors in each of the five components of internal control that can have a pervasive effect on the risk of errors or fraud:
► Control Environment
► Risk Assessment
► Monitoring
► Information and Communication
► Control Activities
[Diagram labels: Entity Level; Transaction/Process Level]

Evaluate Internal Control at the Entity Level
Control Environment
► Integrity, ethical values, and behaviour of key executives
► Management’s control consciousness and operating styles
► Management’s commitment to competence
► Board of Directors’ and/or Audit Committee participation in governance and oversight
► Organizational structure and assignment of authority and responsibility
► Human resource policies and procedures

Evaluate Internal Control at the Entity Level
Risk Assessment
► Entity level objectives established and communicated
► Mechanisms are in place to anticipate, identify, and react to changes
► Established processes to:
  ► Identify significant changes in GAAP
  ► Identify changes in the business practices that may affect the method or the process of recording a transaction
  ► Identify significant changes in internal controls or operating environment

Understand and Evaluate Internal Controls at the Transaction or Process Level
► Provides a good deal of the evidence management will need to support its overall assessment of the effectiveness of internal control over financial reporting.
► Management will need to consider controls, including information technology (IT) controls, that serve to prevent or detect errors of importance relating to each significant account.

Understand and Evaluate Internal Controls at the Transaction or Process Level
[Diagram (Phase 5) with panels: Financial Statements; Significant Accounts; Significant Processes; Management Assertions; What Can Go Wrong?; Controls; Evaluate/Monitor; Report; Management Report on Internal Control. Other labels: Financial Implications; Process Implications; Inherent and Key Business Risks]
Accounts Selected Based Upon:
• Errors of importance*
• Size and composition
• Susceptibility to manipulation or loss
• High transaction volume
• Transaction complexity
• Subjectivity in determining account balance
• Nature of the account
Financial Statement Assertions:
• Existence (B/S) or Occurrence (I/S)
• Completeness
• Valuation (B/S) or Measurement (I/S)
• Rights and Obligations (B/S)
Types:
• Flows of transactions
• Routine
• Non-Routine
• Estimation
• IT processes
• Business processes
• Financial Statement Close Process (Presentation and Disclosure assertion)
For Each Assertion Ask:
• Where are the points in the flow of transactions where errors can occur?
• Example:
  Accounts: Cash or Payables
  Process: Disbursements
  Assertion: Valuation
  What are the manual and programmed procedures to ensure that the amount of a check or transfer agrees with the amount approved for payment?
Controls
Detect: Monitors for errors
Prevent: Prevents an error
Who Performs?
Programmed Control?
• Identify processing system
Factors in Evaluation:
• Competence, integrity of personnel performing control; degree of supervision; extent of employee turnover
• Potential for mgmt override
• Lack of segregation of duties, including within computer applications
• Effect of changes in controls
• Other specific risks

Evaluate Internal Control at the Entity Level
Identify Significant Accounts (Inventory, Fixed Assets)
► Size and composition of the account, including its susceptibility to loss or fraud
► Volume of activity and the size, complexity and homogeneity of the individual transactions processed through the account
► Subjectivity in determining the account balance (i.e., the extent to which the account is affected by judgments)
► Nature of the account (e.g., suspense accounts generally warrant greater attention)
► Accounting and reporting complexities associated with the account

Understand and Evaluate Internal Controls at the Transaction or Process Level
Identify the Major Classes of Transactions and Related Processes that Influence the Significant Accounts
► Document how the major classes of transactions are initiated, recorded, authorised, processed, and reported
► Categorizing the processes using three transaction types - routine, non-routine, and estimation

Understand and Evaluate Internal Controls at the Transaction or Process Level
Ask “What Can Go Wrong” Questions
► Considers the relevant financial statement assertions for the significant accounts
  ► Existence, Occurrence, Valuation or Measurement, Completeness, Rights and Obligations and Presentation and Disclosure
► Identifying the points within the flow of transactions where there can be failures to achieve the financial reporting objectives (i.e., the points where errors can occur that can result in inaccurate assertions in the financial statements)

Understand and Evaluate Internal Controls at the Transaction or Process Level

Understand and Evaluate Internal Controls at the Transaction or Process Level
Identify Controls
► The objective is to identify the controls that provide reasonable assurance that errors relating to each of the relevant financial statement assertions are prevented, or that any errors that occur during processing are detected and corrected.
► Identify controls related to the initiation, recording, processing, and reporting of transactions.

Understand and Evaluate Internal Controls at the Transaction or Process Level
Types of Controls

Understand and Evaluate Internal Controls at the Transaction or Process Level
Perform Walk-Throughs to Confirm Understanding of Process and Controls
► Project teams walk through each process, from the point at which the major classes of transactions are initiated to the end of the recording process, to confirm:
  ► the understanding of the processing procedures
  ► the correctness of the information obtained about the relevant prevent and/or detect controls in the process
  ► that these controls have, in fact, been placed in operation

Understand and Evaluate Internal Controls at the Transaction or Process Level

The Impact of SOX on Internal Controls Efficiencies

The impact of SOX on Internal Control Efficiencies
Most negative feedback from filers under AS 2 as follows:
► Burdensome, often times duplicated efforts
► Costly

Overview of AS 5
New Auditing Standard:
► An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements (supersedes PCAOB Auditing Standard No. 2)
Rule 3525 – Audit Committee Pre-Approval of Non-Audit Services related to internal controls
Conforming Amendments to PCAOB Auditing Standards

Overview of AS 5 (cont’d)
Focus on the matters most important to internal control
► Top-down approach
► Risk based approach
Eliminate unnecessary procedures
► Remove requirement to evaluate management’s assessment process
► Permit consideration of knowledge obtained during prior year audits
► Refocus multi-location testing requirements on risks
► Remove barriers to using the work of others
Scale the audit for smaller, less complex companies
Simplify the requirements
► Less prescriptive
► More sequential audit flow

Summary
► The role of the internal auditor is more demanding than ever from an operational, risk management, reporting and compliance standpoint
► Fulfilling the roles requires specialised skills and tools as well as ongoing collaboration among all stakeholders

Presenter
Frederick Bernard
Senior Manager
Risk Advisory Services
Ernst & Young
5/7 Sweet Briar Road
St. Clair, Port of Spain
Trinidad, WI
Phone: 1-868-628-1105 ext 5020
Mobile: 1-868-722-2375
Email: [email protected]