IIA SOX Presentation 8-26-14 PDF

Title IIA SOX Presentation 8-26-14
Course Business
Institution Istanbul Üniversitesi
Pages 19
File Size 1 MB
File Type PDF

IIA Northwest Metro Chicago Chapter

Practical Approach to SOX

August 26, 2014

Agenda

■ SOX Control Trends (PCAOB Audit Findings)
■ COSO Impact on SOX
■ Top 10 List of Considerations
■ Driving an Efficient and Cost Effective Solution: Finding the Right Balance

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

SOX Update

PCAOB Findings to Consider in your SOX Program

SOX – PCAOB Inspection findings

The PCAOB has observed a significant increase in inspection comments in the areas of auditing/Internal Control Over Financial Reporting (ICOFR), revealing the need for both management and auditor focus.

Significant areas of audit performance improvement over ICOFR testing include:

• Identifying and testing relevant controls
• Testing management review controls (MRCs)
• Inappropriate reliance on ITGCs

Focus on ICOFR is increasing as seen from the year-over-year comparison of comments below (excluding ITGC):

Year             Total Comments
2012 (to date)   89
2011             46
2010             9


PCAOB Implications to SOX Environment: Control Testing Themes

Documentation

• Walkthrough of individual controls rather than walkthrough of transaction through issuer’s processes

Key Controls

• Failure to identify and test key controls associated with all relevant assertions over all significant accounts

Risk Assessment

• Inappropriate risk assessment of relevant controls (lower risk of failure)

Control Deficiencies

• Failure to identify control deficiencies or appropriately evaluate severity and failure to evaluate impact of control deficiencies on financial statement audit approach

Substantive Testing

• Inferring operating effectiveness of a control from absence of misstatements detected by substantive procedures


PCAOB Implications to SOX Environment: The Importance of the Risk Assessment

Performing a risk assessment as part of your SOX program is an important step that allows management to focus on:

• identifying relevant (key) controls
• testing controls associated with all relevant assertions over all significant accounts

Financial Statement Line Item Analysis: Do we have the right materiality/qualitative factor coverage?

Location Analysis: What locations are in scope and what coverage is provided?

Financial to Process Mapping: Are all key accounts mapped to processes in scope?

Process to Location Mapping: Are the right processes covered at each location?


PCAOB Implications to SOX Environment: ITGC Themes


IT Dependent Controls

• Manual controls that may be dependent upon IT general controls to operate effectively (i.e., controls dependent on IT functionality, computer generated exception reports)

Infrastructure

• Relevant technology infrastructure controls designed to help ensure the completeness, accuracy, and availability of technology processing

Flow of Data

• Understanding the flow of transactions from initiation to recording and reporting

Access

• Consideration of “super user” access and how controlled, timely evaluation for instances of noncompliance, controls in place to monitor user activities

Use of Third-Parties

• 3rd parties with impact on financial reporting, controls in place to review 3rd party information, required SOC1 reports, considerations for user controls


PCAOB Implications to SOX Environment: Management Review Control Themes

Specificity of Scope/Precision

• Defining materiality/significance and including thresholds

Specificity of Review

• Including comprehensive details of what reviewer looks for during review and defining what constitutes an outlier/exception

Exceptions

• Follow-up on variances, inconsistencies, and outliers (e.g., retain emails, etc., to evidence follow-up and resolution)

Physical Evidence

• Physical evidence of the performance of a control is required

Information Provided by Entity (IPE)

• Management validation over completeness/accuracy of data and reports used in performance of controls
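The management review control themes above (a defined precision threshold, an explicit exception rule, retained follow-up evidence, and validation of the IPE being reviewed) combined into one month-end flux review. This is an added example, not code from the presentation or from KPMG; the thresholds, account balances, control total and reviewer notes are constructed.

```python
# Added example (not from the presentation): a month-end flux review implementing
# the MRC themes above: explicit precision thresholds, a defined exception rule,
# required follow-up evidence per exception, and a completeness check on the
# report (IPE) under review. Thresholds, accounts and balances are constructed.
THRESHOLD_ABS = 50_000  # constructed dollar variance that triggers review
THRESHOLD_PCT = 0.10    # constructed 10% variance that triggers review

def validate_ipe(lines, expected_total):
    """IPE completeness/accuracy: the report must foot to the ledger control total."""
    return sum(l["current"] for l in lines) == expected_total

def is_exception(line, abs_limit=THRESHOLD_ABS, pct_limit=THRESHOLD_PCT):
    """Defined criterion: exception when both dollar and percent variance exceed limits."""
    delta = line["current"] - line["prior"]
    pct = abs(delta) / abs(line["prior"]) if line["prior"] else float("inf")
    return abs(delta) >= abs_limit and pct >= pct_limit

def perform_flux_review(lines, expected_total, explanations):
    """Outcome of the review; `explanations` maps account -> reviewer notes with an
    'explanation' and an 'evidence' reference. An exception lacking either is open."""
    ipe_ok = validate_ipe(lines, expected_total)
    exceptions = [l["account"] for l in lines if is_exception(l)]
    open_items = [a for a in exceptions
                  if not (explanations.get(a, {}).get("explanation")
                          and explanations.get(a, {}).get("evidence"))]
    return {"ipe_ok": ipe_ok, "exceptions": exceptions, "open_items": open_items,
            "control_complete": ipe_ok and not open_items}

# Constructed trial-balance extract: prior-month and current-month balances.
FLUX_LINES = [
    {"account": "1200 Accounts Receivable", "prior": 1_000_000, "current": 1_180_000},
    {"account": "2100 Accrued Liabilities", "prior": 300_000, "current": 240_000},
    {"account": "5100 Cost of Sales", "prior": 2_000_000, "current": 2_030_000},
]
LEDGER_CONTROL_TOTAL = 3_450_000  # constructed GL control total for current balances

# Constructed reviewer follow-up: AR is explained and evidenced, accruals are not.
EXPLANATIONS = {
    "1200 Accounts Receivable": {
        "explanation": "Billing cycle closed two days later than prior month",
        "evidence": "retained email thread ref AR-flux-2014-08",
    },
}
```

With the constructed data both AR and accrued liabilities breach the thresholds, but only AR has an explanation and retained evidence, so the review reports one open item and the control is not complete.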


Possible Resulting SOX Efforts

■ More controls in scope (e.g., unique transactions)
■ Additional documentation required
■ Enhanced walkthroughs – control and process
■ Additional testing over completeness and accuracy of information
■ Increased documentation retention of management 404 efforts
■ Enhanced deficiency evaluation documentation


Internal Control Framework (COSO) Impact on SOX

Internal Control Framework: COSO

The Committee of Sponsoring Organizations (COSO) 2013 framework update included the following changes that have had an impact on SOX for some organizations:

• Considers changes to the business environment over the past 20 years
• Enhanced governance (including resource competence)
• Improved risk assessment practices
• Extended coverage and applicability beyond financial reporting (IT)
• Enhanced adaptability to change and varied business models

The COSO 1992 Framework will be available until December 15, 2014, then superseded.

Top 10 List of Considerations to Develop an Effective SOX Program

Key Considerations for Effective SOX Testing – “Top 10 List”

1. Implement monitoring controls
2. Refine management review controls
3. Perform month-end reconciliations
4. Restrict access to key systems
5. Identify SOD conflicts
6. Ensure accuracy of system interfaces
7. Consider completeness and accuracy of reporting
8. Update policies and procedures (DOA)
9. Consider key applications used for financial reporting
10. Retain documentation and evidence your review

Surrounding slide text, only partly recovered from the graphic: “Coordination w Audit”, “Training and Oversi”.


Key Considerations for Effective SOX Testing


1. Implement Monitoring Controls

Implement controls for high risk areas/accounts that provide a monitoring mechanism for management to provide assurance that financial reporting information is appropriate, appears reasonable, and is consistently evaluated.

2. Refine Management Review Controls

For management review controls, establish thresholds for what you are reviewing, define review criteria, and retain support for how you resolve variances and how you complete your review.

3. Perform Month-End Reconciliations

Reconciliation controls are key in substantiating financial reporting results and are often referred to for key/high risk accounts. Reconciliations should be documented, include supporting documentation, and evidence separate reviewers and preparers.

4. Restrict Access to Key Systems

Appropriately restricting access to key systems ensures that only authorized individuals have access to key financial data and may prevent unauthorized transactions and financial misstatements.

5. Identify SOD Conflicts

SOD conflicts should be identified in order to implement manual controls where automated options are not possible, and to allow management to segregate control activities effectively.
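Items 4 and 5 above are usually checked together during an access review: role assignments are compared against a segregation-of-duties conflict matrix, and every conflict that cannot be removed by restricting access needs a documented compensating manual control. This added example (not code from the presentation or from KPMG) does that check; the conflict matrix, roles, compensating controls and user assignments are all constructed.

```python
# Added example (not from the presentation): check user-role assignments against a
# segregation-of-duties (SOD) conflict matrix and flag conflicts that have no
# compensating manual control. All matrices, roles and users are constructed.
from itertools import combinations
# Constructed conflict matrix: duty pairs one person must not hold alone.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"maintain_user_access", "post_journal"}),
}
# Constructed role definitions: role -> duties granted.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "CONTROLLER": {"approve_journal"},
    "IT_SECURITY": {"maintain_user_access"},
}
# Constructed compensating (manual) controls keyed by the conflict they cover.
COMPENSATING = {
    frozenset({"create_vendor", "approve_payment"}):
        "Monthly vendor-master change report reviewed by Controller",
}

def user_duties(roles_held, roles=ROLES):
    """Union of duties across every role the user holds."""
    return set().union(*(roles.get(r, set()) for r in roles_held))

def find_sod_conflicts(assignments, conflicts=CONFLICTS, compensating=COMPENSATING):
    """One finding per (user, conflicting duty pair); unmitigated ones are the action items."""
    findings = []
    for user, roles_held in assignments.items():
        for pair in combinations(sorted(user_duties(roles_held)), 2):
            key = frozenset(pair)
            if key in conflicts:
                findings.append({
                    "user": user,
                    "conflict": pair,
                    "compensating_control": compensating.get(key),
                    "mitigated": key in compensating,
                })
    return findings

# Constructed user-to-role assignments, as exported from an access review.
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],     # creates vendors and approves payments
    "bob": ["GL_ACCOUNTANT", "CONTROLLER"],  # posts and approves journals
    "carol": ["IT_SECURITY"],                # no conflicting duties
}
```

On the constructed data, alice's vendor-creation/payment-approval conflict is covered by the monthly vendor-master review, while bob's post/approve journal conflict has no compensating control and is the item to remediate.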


Key Considerations for Effective SOX Testing

6. Ensure Accuracy of System Interfaces

Accuracy of system interfaces is a key consideration in ensuring the accuracy of financial reporting, especially for consolidated reporting. Management should ensure that the interface is complete and accurate and that exceptions are addressed in a timely manner.

7. Consider Completeness and Accuracy

The completeness and accuracy of reports/spreadsheets used in performing control activities should be reviewed. Spreadsheets and reports used in calculating account balances are key.

8. Update Policies and Procedures

Policies and procedures should be aligned with control activities. Deviations may allow for control failures (a control fails when it does not agree to policy) and overall ineffective governance over financial reporting.

9. Consider Key Applications

Applications used for financial reporting, to process transactions, consolidations and transfer data should be evaluated for ITGC testing. Ineffective ITGCs may lead to reliance on manual controls.

10. Retain Documentation and Evidence your Review

Retaining all relevant documentation to support your control activities and evidencing your review will be essential to passing controls during the testing phase.
