CAACM Pre-Conference Training: Audit Committee Fundamentals – Internal Controls, 23 June 2008
Post on 19-Dec-2015
Page 2
Objectives
► The Role and Importance of Internal Audit
► Structuring the Internal Controls Framework
► The impact of Sarbanes Oxley (SOX) on Internal Controls Efficiency
Page 3
The Role and Importance of Internal Audit
► Corporate Governance history
► Role of SOX in furthering Corporate Governance responsibility
► Management’s responsibilities under SOX
► Audit Committee responsibilities under SOX
► The role of Internal Audit
Page 4
Corporate Governance History
► SEC Acts of 1933 and 1934
► Created SEC and concept of “GAAP” in response to crash of 1929
► Affected all existing public companies and IPOs
► Addressed impacts of management malfeasance on creditors, citizens and the economy
► Foreign Corrupt Practices Act, etc. in the late ’70s
► Required management to develop and maintain internal controls over systems
► Required maintenance of records to reflect activity of corporate assets
Page 5
Corporate Governance History
► Committee of Sponsoring Organizations (COSO) and Blue-Ribbon Panel on Audit Committee Effectiveness in the ’80s and ’90s
► Provided practical, broadly accepted criteria for establishing internal controls and evaluating effectiveness
► Improve the effectiveness of Corporate Audit Committees
► Sarbanes Oxley Act of 2002
Page 6
Corporate Governance in the U.K.
► January 2003: Higgs report on the role of Non-Executive Directors and the Smith report on Audit Committees.
► July 2003: The Financial Reporting Council subsequently reissued the revised Combined Code. This document includes the Code itself and related guidance comprising:
► Turnbull – Guidance on Internal Control
► Smith – Guidance on Audit Committees
► Higgs Report – Suggestions for good practice
► NB: UK listed companies are required to make a statement on corporate governance in their annual accounts – Statement of Compliance with the provisions of the Combined Code
Page 7
Sarbanes-Oxley Act of 2002
► Addresses Structural Weaknesses Affecting Capital Markets
► Misstatements in financial statements
► Enron, WorldCom, Global Crossing, Parmalat, etc.
► Failure of officers and auditors to identify and address weaknesses
► Failure of stock analysts to detect and advise investors accordingly
Page 8
Objectives of the Sarbanes-Oxley Act
► Increase the accountability of management of public companies
► Improve Corporate Governance
► Increase the oversight of public accounting firms
► Restore investor confidence in the capital markets
Page 9
Sarbanes-Oxley Act of 2002
► Efforts to Restore Investor Confidence by enhancing Corporate Governance
► Exerted pressure on corporate officers to report accurately (302, 404)
► Addressed Audit Committee independence and elimination of conflicts of interest
► Established the Public Company Accounting Oversight Board
► Required companies to publish more, sooner (10-Q, 10-K deadlines, 8-K filings)
► Installed penalty-driven fraud and accountability controls
Page 10
Sarbanes-Oxley Act of 2002
► PCAOB Standards Issued to date:
► Auditing Standard No. 1 – References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board
► Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
► Auditing Standard No. 3 – Audit Documentation
► Auditing Standard No. 4
► Auditing Standard No. 5 – An Audit of Internal Controls Over Financial Reporting that is integrated with an audit of Financial Statements (supersedes Auditing Standard No. 2)
Page 12
In Summary…Key Provisions of SOX 2002
Area of Impact: Oversight of the Accounting Profession (Sections 101 & 102)
Provisions: Formed the PCAOB to establish standards for auditing, QC, ethics and independence for auditors of public companies, who must register with the Board
Page 13
Key Provisions of SOX 2002
Area of Impact: Accounting Committee Responsibilities
Provisions: Act requires all listed companies to have fully independent Audit Committees.
Responsibilities include:
► Oversight of Auditors
► Independence
► Pre-approval of services
► Procedures – resolve control issues
Page 14
Key Provisions of SOX 2002
Area of Impact: Executive Management Certification
Provisions: CEO and CFO must certify with quarterly and annual report that:
► Designed controls to ensure material information is known
► Disclosed to the Audit Committee and auditors deficiencies & fraud
► Financial statements fair in material respects
Page 15
Key Provisions of SOX 2002
Area of Impact: Auditor Independence
Provisions: Act moved to eliminate impairment of independence.
Prohibits 9 categories of service to public audit clients:
1. Book-keeping or services related to accounting records
2. FIS implementation
3. Appraisal or valuation services
Page 16
Key Provisions of SOX 2002
Area of Impact: Auditor Independence (cont’d)
Provisions:
4. Actuarial services
5. Internal audit outsourcing
6. Legal services
7. Management functions or human resources
8. Broker or dealer, investment advisor or investment banking
9. Any other service that Board determines is not permissible
Page 17
Key Provisions of SOX 2002
Area of Impact: Internal Control Reporting
Provisions: Act requires annual management report and auditor attestation on effectiveness of internal controls structure and procedures for financial reporting
Page 18
Management’s Responsibilities under SOX
► Accept responsibility for the effectiveness of the Company’s internal control over financial reporting
► Evaluate the effectiveness of internal control over financial reporting using suitable control criteria
► Support its evaluation with sufficient evidence, including documentation and appropriate evidence of existence and effectiveness of internal controls
► Present a written assessment about the effectiveness of internal control over financial reporting as of the end of the Company’s most recent fiscal year
Page 19
Key SOX Provisions Relating to Audit Committees
► The Sarbanes-Oxley Act has required Audit Committees to adhere to certain provisions as follows:
► Each member of the Audit Committee must be independent
► At least one of the members must be a “Financial Expert”
► Directly responsible for appointment, compensation and oversight of the public accounting firm
► All auditing and non-auditing services must be pre-approved by committee.
Page 20
Key SOX Provisions Relating to Audit Committees (cont’d)
► Establish procedures for handling complaints (whistleblower protection)
► Discuss with auditor prior to issuing audited financial statement:
► Critical accounting policies and alternative treatments
► Management letter, waived adjustments and material written communications
► Have authority to engage independent counsel and other advisors.
Page 21
The role of internal audit
► The role of internal audit can be broken down into the following broad categories:
► Improvement of internal controls under the following categories:
► Effectiveness and efficiency of operations
► Reliability of financial reporting
► Compliance with laws and regulations
► Monitor and evaluate the effectiveness of the organisation’s risk management process
► Support the Audit Committee of the Board of Directors in effectively executing its Corporate Governance Responsibility
Page 22
Structuring the Internal Control Framework
► A good internal control framework is based on internationally developed frameworks as identified in the earlier discussion regarding “Corporate Governance History”
► The framework clearly identifies what controls are
► Addresses the monitoring and evaluation of controls at the Entity level and the Transaction or Process level
Page 23
Other Suitable Frameworks:
• Guidance on Assessing Controls – Canadian Institute of Chartered Accountants
• Turnbull Report – Institute of Chartered Accountants in England and Wales
Understand the Definition of Internal Control (Phase 1)
Page 24
Understand the Definition of Internal Control
COSO
► The “Committee of Sponsoring Organizations”
► Organized in 1992 to study internal control and define a common framework for internal control
► Resulted in report titled “Internal Controls—an Integrated Framework”
Internal Control (as defined by COSO)
► A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
► Reliability of financial reporting
► Effectiveness and efficiency of operations
► Compliance with applicable laws and regulations
Page 25
Understand the Definition of Internal Control (cont’d)
Internal controls over financial reporting (objectives)
► To ensure that companies have processes designed to provide reasonable assurance that:
► The company’s transactions are properly authorized
► The company’s assets are safeguarded against unauthorized or improper use
Page 26
Evaluate Internal Control at the Entity Level
Entity-level controls have a pervasive effect on the organization. Evaluation includes a consideration of factors in each of the five components of internal control that can have a pervasive effect on the risk of errors or fraud:
► Control Environment
► Risk Assessment
► Monitoring
► Information and Communication
► Control Activities
Entity Level
Transaction/ Process Level
Page 27
Evaluate Internal Control at the Entity Level
Control Environment
► Integrity, ethical values, and behaviour of key executives
► Management’s control consciousness and operating styles
► Management’s commitment to competence
► Board of Directors’ and/or Audit Committee participation in governance and oversight
► Organizational structure and assignment of authority and responsibility
► Human resource policies and procedures
Page 28
Evaluate Internal Control at the Entity Level
Risk Assessment
► Entity level objectives established and communicated
► Mechanisms are in place to anticipate, identify, and react to changes
► Established processes to:
► Identify significant changes in GAAP
► Identify changes in the business practices that may affect the method or the process of recording a transaction
► Identify significant changes in internal controls or operating environment
Page 29
Understand and Evaluate Internal Controls at the Transaction or Process Level
► Provides a good deal of the evidence management will need to support its overall assessment of the effectiveness of internal control over financial reporting.
► Management will need to consider controls, including information technology (IT) controls, that serve to prevent or detect errors of importance relating to each significant account.
Page 30
Understand and Evaluate Internal Controls at the Transaction or Process Level
[Diagram; labels recovered from the slide: 2003 Financial Statements; Significant Accounts; Significant Processes; Management Assertions; Inherent and Key Business Risks; What Can Go Wrong?; Controls; Evaluate/Monitor; Phase 5; Financial Implications; Process Implications; Management Report on Internal Control]
Accounts Selected Based Upon:
• Errors of importance*
• Size and composition
• Susceptibility to manipulation or loss
• High transaction volume
• Transaction complexity
• Subjectivity in determining account balance
• Nature of the account
Financial Statement Assertions:
• Existence (B/S) or Occurrence (I/S)
• Completeness
• Valuation (B/S) or Measurement (I/S)
• Rights and Obligations (B/S)
Types:
• Flows of transactions
• Routine
• Non-Routine
• Estimation
• IT processes
• Business processes
• Financial Statement Close Process (Presentation and Disclosure assertion)
For Each Assertion Ask:
• Where are the points in the flow of transactions where errors can occur?
• Example: Accounts: Cash or Payables. Process: Disbursements. Assertion: Valuation. What are the manual and programmed procedures to ensure that the amount of a check or transfer agrees with the amount approved for payment?
Factors in Evaluation:
• Competence, integrity of personnel performing control; degree of supervision; extent of employee turnover
• Potential for mgmt override
• Lack of segregation of duties, including within computer applications
• Effect of changes in controls
• Other specific risks
Controls:
• Detect: Monitors for errors
• Prevent: Prevents an error
• Who Performs?
• Programmed Control?
• Identify processing system
Page 31
Evaluate Internal Control at the Entity Level
Identify Significant Accounts (Inventory, Fixed Assets)
► Size and composition of the account, including its susceptibility to loss or fraud
► Volume of activity and the size, complexity and homogeneity of the individual transactions processed through the account
► Subjectivity in determining the account balance (i.e., the extent to which the account is affected by judgments)
► Nature of the account (e.g., suspense accounts generally warrant greater attention)
► Accounting and reporting complexities associated with the account
► Existence of related party transactions
Page 32
Understand and Evaluate Internal Controls at the Transaction or Process Level
Identify the Major Classes of Transactions and Related Processes that Influence the Significant Accounts
► Document how the major classes of transactions are initiated, recorded, authorised, processed, and reported
► Categorize the processes using three transaction types: routine, non-routine, and estimation
Page 33
Understand and Evaluate Internal Controls at the Transaction or Process Level
Ask “What Can Go Wrong” Questions
► Considers the relevant financial statement assertions for the significant accounts
► Existence, Occurrence, Valuation or Measurement, Completeness, Rights and Obligations and Presentation and Disclosure
► Identifying the points within the flow of transactions where there can be failures to achieve the financial reporting objectives (i.e., the points where errors can occur that can result in inaccurate assertions in the financial statements)
Page 35
Identify Controls
► The objective is to identify the controls that provide reasonable assurance that errors relating to each of the relevant financial statement assertions are prevented, or that any errors that occur during processing are detected and corrected.
► Identify controls related to the initiation, recording, processing, and reporting of transactions.
Understand and Evaluate Internal Controls at the Transaction or Process Level
Page 36
Types of Controls
Understand and Evaluate Internal Controls at the Transaction or Process Level
Page 37
Understand and Evaluate Internal Controls at the Transaction or Process Level
Perform Walk-Throughs to Confirm Understanding of Process and Controls
► Project teams walk through each process, from the point at which the major classes of transactions are initiated to the end of the recording process, to confirm:
► the understanding of the processing procedures
► the correctness of the information obtained about the relevant prevent and/or detect controls in the process
► that these controls have, in fact, been placed in operation
Page 40
The impact of SOX on Internal Control Efficiencies
Most negative feedback from filers under AS 2 as follows:
► Burdensome, oftentimes duplicated efforts
► Costly
Page 41
Overview of AS 5
New Auditing Standard:
► An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements (supersedes PCAOB Auditing Standard No. 2)
Rule 3525 – Audit Committee Pre-Approval of Non-Audit Services related to internal controls
Conforming Amendments to PCAOB Auditing Standards
Page 42
Overview of AS 5 (cont’d)
Focus on the matters most important to internal control
► Top-down approach
► Risk based approach
Eliminate unnecessary procedures
► Remove requirement to evaluate management’s assessment process
► Permit consideration of knowledge obtained during prior year audits
► Refocus multi-location testing requirements on risks
► Remove barriers to using the work of others
Scale the audit for smaller, less complex companies
Simplify the requirements
► Less prescriptive
► More sequential audit flow
Page 43
Summary
► The role of the internal auditor is more demanding than ever from an operational, risk management, reporting and compliance standpoint
► Fulfilling the roles requires specialised skills and tools as well as ongoing collaboration among all stakeholders
Page 44
Presenter
Frederick Bernard
Senior Manager, Risk Advisory Services
Ernst & Young
5/7 Sweet Briar Road, St. Clair, Port of Spain, Trinidad, WI
Phone: 1-868-628-1105 ext 5020
Mobile: 1-868-722-2375
Email: [email protected]