| Title | IIA SOX Presentation 8-26-14 |
|---|---|
| Course | Business |
| Institution | Istanbul Üniversitesi |
| Pages | 19 |
| File Size | 1 MB |
IIA Northwest Metro Chicago Chapter
Practical Approach to SOX
August 26, 2014
Agenda
■ SOX Control Trends (PCAOB Audit Findings)
■ COSO Impact on SOX
■ Top 10 List of Considerations
■ Driving an Efficient and Cost Effective Solution: Finding the Right Balance
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
SOX Update
PCAOB Findings to Consider in your SOX Program
SOX – PCAOB Inspection findings
The PCAOB has observed a significant increase in inspection comments in the areas of auditing/Internal Control Over Financial Reporting (ICOFR), revealing the need for both management and auditor focus.
Significant areas of audit performance improvement over ICOFR testing include:
• Identifying and testing relevant controls
• Testing management review controls (MRCs)
• Inappropriate reliance on ITGCs
Focus on ICOFR is increasing, as seen from the year-over-year comparison of comments below (excluding ITGC):

| Year | Total Comments |
|---|---|
| 2012 (to date) | 89 |
| 2011 | 46 |
| 2010 | 9 |
PCAOB Implications to SOX Environment: Control Testing Themes
Documentation
• Walkthrough of individual controls rather than walkthrough of transaction through issuer’s processes
Key Controls
• Failure to identify and test key controls associated with all relevant assertions over all significant accounts
Risk Assessment
• Inappropriate risk assessment of relevant controls (lower risk of failure)
Control Deficiencies
• Failure to identify control deficiencies or appropriately evaluate severity and failure to evaluate impact of control deficiencies on financial statement audit approach
Substantive Testing
• Inferring operating effectiveness of a control from absence of misstatements detected by substantive procedures
PCAOB Implications to SOX Environment: The Importance of the Risk Assessment
Performing a risk assessment as part of your SOX program is an important step that allows management to focus on:
• identifying relevant (key) controls
• testing controls associated with all relevant assertions over all significant accounts
Financial Statement Line Item Analysis – Do we have the right materiality/qualitative factor coverage?
Location Analysis – What locations are in scope and what coverage is provided?
Financial to Process Mapping – Are all key accounts mapped to processes in scope?
Process to Location Mapping – Are the right processes covered at each location?
PCAOB Implications to SOX Environment: ITGC Themes
IT Dependent Controls
• Manual controls that may be dependent upon IT general controls to operate effectively (i.e., controls dependent on IT functionality, computer generated exception reports)
Infrastructure
• Relevant technology infrastructure controls designed to help ensure the completeness, accuracy, and availability of technology processing
Flow of Data
• Understanding the flow of transactions from initiation to recording and reporting
Access
• Consideration of “super user” access and how it is controlled, timely evaluation of instances of noncompliance, and controls in place to monitor user activities
Use of Third-Parties
• Third parties with an impact on financial reporting, controls in place to review third-party information, required SOC 1 reports, and considerations for user controls
PCAOB Implications to SOX Environment: Management Review Control Themes
Specificity of Scope/Precision
• Defining materiality/significance and including thresholds
Specificity of Review
• Including comprehensive details of what reviewer looks for during review and defining what constitutes an outlier/exception
Exceptions
• Follow-up on variances, inconsistencies, and outliers (e.g., retain emails, etc., to evidence follow-up and resolution)
Physical Evidence
• Physical evidence of the performance of a control is required
Information Provided by Entity (IPE)
• Management validation over completeness/accuracy of data and reports used in performance of controls
Possible Resulting SOX Efforts
■ More controls in scope (e.g., unique transactions)
■ Additional documentation required
■ Enhanced walkthroughs – control and process
■ Additional testing over completeness and accuracy of information
■ Increased documentation retention of management 404 efforts
■ Enhanced deficiency evaluation documentation
Internal Control Framework (COSO) Impact on SOX
Internal Control Framework: COSO
The Committee of Sponsoring Organizations’ (COSO’s) framework update for 2013 included the following changes that have had an impact on SOX for some organizations:
• Considers Changes to the Business Environment Over the Past 20 Years
• Enhanced Governance (including resource competence)
• Improved Risk Assessment Practices
• Extended Coverage and Applicability Beyond Financial Reporting (IT)
• Enhanced Adaptability to Change and Varied Business Models
The COSO 1992 Framework will be available until December 15, 2014, then superseded.
Top 10 List of Considerations to Develop an Effective SOX Program
Key Considerations for Effective SOX Testing – “Top 10 List”
1. Implement monitoring controls
2. Refine management review controls
3. Perform month-end reconciliations
4. Restrict access to key systems
5. Identify SOD conflicts
6. Ensure accuracy of system interfaces
7. Consider completeness and accuracy of reporting
8. Update policies and procedures (DOA)
9. Consider key applications used for financial reporting
10. Retain documentation and evidence your review
Supporting themes: Coordination with External Audit; Training and Oversight
Key Considerations for Effective SOX Testing
1. Implement Monitoring Controls
Implement controls for high-risk areas/accounts that provide a monitoring mechanism for management to provide assurance that financial reporting information is appropriate, appears reasonable, and is consistently evaluated.
2. Refine Management Review Controls
For management review controls, establish thresholds for what you are reviewing, define review criteria, and retain support for how you resolve variances and how you complete your review.
3. Perform Month-End Reconciliations
Reconciliation controls are key in substantiating financial reporting results and are often relied upon for key/high-risk accounts. Reconciliations should be documented, include supporting documentation, and evidence that the preparer and the reviewer are separate individuals.
4. Restrict Access to Key Systems
Appropriately restricting access to key systems ensures that only authorized individuals have access to key financial data and may prevent unauthorized transactions and financial misstatements.
5. Identify SOD Conflicts
SOD conflicts should be identified so that manual controls can be implemented where automated options are not possible, allowing management to effectively segregate control activities.
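Items 4 and 5 are where an internal audit or identity team usually turns to tooling: flatten each user's roles into the entitlements they actually hold, then test every user against a list of toxic combinations (one person able to both initiate and authorize the same transaction). The script below is an added example written for this page, not material from the presentation or from KPMG; the role names, entitlement strings, conflict rules and user assignments are constructed for illustration and stand in for whatever an ERP's access export contains. The `conflicting_role_pairs` function goes one step beyond the slide by deriving which role pairs should never be co-assigned, which is the rule a provisioning workflow can enforce before a conflict reaches a user.

```python
"""Segregation-of-duties (SOD) conflict check over user entitlements.

Added example, not part of the original presentation. All roles, entitlements,
rules and users below are constructed for illustration.
"""
from itertools import combinations

# Constructed role-to-entitlement mapping (hypothetical ERP permission names).
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"invoice.approve", "payment.release"},
    "GL_ACCOUNTANT": {"journal.post"},
    "GL_REVIEWER": {"journal.approve"},
    "SYS_ADMIN": {"user.admin", "config.change"},
}

# Constructed toxic combinations: holding both entitlements lets one person
# initiate and authorize (or conceal) the same transaction.
CONFLICT_RULES = [
    ("vendor.create", "payment.release", "create vendor and pay vendor"),
    ("invoice.enter", "invoice.approve", "enter and approve invoice"),
    ("journal.post", "journal.approve", "post and approve journal"),
    ("user.admin", "payment.release", "administer users and release payments"),
]

# Constructed user-to-role assignments, as exported from an access review.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"GL_ACCOUNTANT", "GL_REVIEWER"},
    "dave": {"SYS_ADMIN"},
    "erin": {"SYS_ADMIN", "AP_MANAGER"},
}


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Flatten a user's roles into the set of entitlements they actually hold."""
    ents = set()
    for role in roles:
        ents |= role_entitlements.get(role, set())
    return ents


def find_sod_conflicts(user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS,
                       rules=CONFLICT_RULES):
    """Return {user: [rule description, ...]} for users holding both sides of a rule.

    Each hit is a case where either an automated split of duties is needed or,
    where that is not possible, a compensating manual control must be documented.
    """
    findings = {}
    for user, roles in sorted(user_roles.items()):
        ents = effective_entitlements(roles, role_entitlements)
        hits = [desc for a, b, desc in rules if a in ents and b in ents]
        if hits:
            findings[user] = hits
    return findings


def conflicting_role_pairs(role_entitlements=ROLE_ENTITLEMENTS, rules=CONFLICT_RULES):
    """Role pairs whose combined entitlements trigger a rule; never co-assign these."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_entitlements), 2):
        ents = role_entitlements[r1] | role_entitlements[r2]
        if any(a in ents and b in ents for a, b, _ in rules):
            pairs.add((r1, r2))
    return sorted(pairs)


if __name__ == "__main__":
    for user, hits in find_sod_conflicts().items():
        print(f"{user}: " + "; ".join(hits))
    print("Role pairs that must not be co-assigned:")
    for r1, r2 in conflicting_role_pairs():
        print(f"  {r1} + {r2}")
```

Run against a real access export, the `find_sod_conflicts` output is the list of users for whom the SOX program must either remove an entitlement or document a compensating review control, and the `conflicting_role_pairs` output is the preventive rule for the provisioning process.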
Key Considerations for Effective SOX Testing
6. Ensure Accuracy of System Interfaces
Accuracy of system interfaces is a key consideration in ensuring the accuracy of financial reporting, especially for consolidated reporting. Management should ensure that the interface is complete and accurate and that exceptions are addressed in a timely manner.
7. Consider Completeness and Accuracy
The completeness and accuracy of reports/spreadsheets used in performing control activities should be reviewed. Spreadsheets and reports used in calculating account balances are key.
8. Update Policies and Procedures
Policies and procedures should be aligned with control activities. Deviations may allow for control failures (a control fails because it does not agree with policy) and overall ineffective governance over financial reporting.
9. Consider Key Applications
Applications used for financial reporting, to process transactions, perform consolidations, and transfer data should be evaluated for ITGC testing. Ineffective ITGCs may lead to a need for manual controls.
10. Retain Documentation and Evidence Your Review
Retaining all relevant documentation to support your control activities and evidencing your review will be essential to passing controls during the testing phase.