Akhilesh Thakur
Source: http://www.auditnet.org/articles/SOX&IA.htm
2012 Protiviti Consulting Private Limited CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Example 1: IA vs SOX
Internal Control: On a monthly basis, the Finance Manager reviews accounts receivable outstanding for more than 180 days. Reasons for these outstanding balances are reviewed and approved by the Finance Controller.
Evidence Available: The account statements are available and signed off by the Financial Controller. See attachment:
Receivable > 180 Days
Question: What can be the treatment for this in SOX and IA?
Treatment in SOX: In SOX, you will see the evidence of review and whether adequate provision is made.
Treatment in IA: ??????
Treatment in IA:
- Root cause analysis to identify why inventory became slow and non-moving
- Identify the method by which it can be avoided in future, e.g. define maximum inventory levels
- Use of FEFO to ensure that materials with shelf life are not expired
- Suggest the alternate ways to liquidate the materials
- Use of materials by other locations in case of multiple plant environment
- Possibility to liquidate the materials if these are not customized products
- Reprocess the materials, e.g. plastic and metal can be extracted from residual
- Suggest keeping slow and non-moving materials separately, with regular reporting
Example 3: Sales
Description: Goods are not delivered in a timely manner to your customers, resulting in liquidated damages.
Does it have any impact on SOX?
Example 3: Sales
Description: Goods are not delivered in a timely manner to your customers, resulting in liquidated damages.
SOX Impact: NIL, as this is an operational efficiency which is not covered by SOX.
IA: Analyze the reason (root cause) for the delays and suggest remedial action.
Examples:
- Modify agreement with transporter for delayed delivery by them and recover the liquidated damages from them
- Identify bottleneck in production process if delay is due to delayed production
Since the advent of SOX, IA has been shouldering the primary responsibility for its compliance. Even though organizations are 8 years into the SOX compliance process, the results of the SOX survey still reveal that the highest responsibility for overseeing SOX work in both large (27%) and small companies (29%) resides with internal auditors. While companies want to rebalance their internal audit departments, lead responsibility for SOX activities remains the most common role for internal audit to date.
The Rebalance Survey sheds light on the relative level of consistency internal audit departments have achieved or are in the process of achieving with respect to internal audit hours dedicated to SOX compliance. This indicates that the internal audit departments are planning or implementing rebalancing efforts rigorously to migrate to their core responsibilities of governance, risk and compliance.
As seen, all SOX-related technical areas (27 to 28) fall in the second quadrant of the graph, indicating a higher level of competency and a lower need to improve. With the fast-changing risk and governance landscape and the critical role played by internal auditors in assisting management to mitigate these risks, the trend above highlights the transition of the internal audit function from traditional audits and SOX compliance to higher-quality, expertise-driven audits in newer areas such as GAIT, IFRS, XBRL, ISO 27000, and COBIT.
Update the test result for SOX testing in the required format
Impact of SOX on IA
The impact of SOX on IA is seen in the following parameters:
- Enhancing Investors' Perceptions - Corporate failures like Enron and WorldCom dramatically affected investors' perceptions of public companies. Many provisions of SOX are directed toward rebuilding investors' confidence in corporate America, including formation of the Public Company Accounting Oversight Board, increased management accountability and auditor independence, and stiffer criminal penalties. Despite being a primary goal of the act and being seen as highly important by respondents, the perceived impact on investor confidence was among the lowest in our study. Only 38 percent of respondents felt SOX has had a significant impact on strengthening investors' perceptions of their companies.
- Strengthening Internal Controls - Section 404, Management Assessment of Internal Controls, is one of the most significant provisions of Sarbanes-Oxley. This section requires management to issue a report stating their responsibility for internal control and provide an assessment of the effectiveness of internal control, to which the auditor must attest.
- Empowering Audit Committees - The provisions of Sarbanes-Oxley require the audit committee to directly oversee appointment, compensation and oversight of any public accounting firm employed by the issuer. The act also requires audit committee members to remain independent of the issuer and provides an incentive to employ a financial expert as a member of the committee.
- Increasing Accountability - The provisions of Sarbanes-Oxley require CEOs and CFOs to prepare a statement and certify the appropriateness and fair presentation of the financial statements, to increase involvement and accountability in financial reporting.
- Strengthening External Auditor Independence - Sarbanes-Oxley prohibits external auditors from performing certain non-audit services for audit clients. Moreover, external auditors must report directly to the audit committee, and the lead and reviewing partners must rotate off an audit client every five years.
Source: http://www.tscpa.com/journal/articles/sarbanes-oxley.pdf
Source: Internal Auditing's Role in Sections 302 and 404 of the U.S. Sarbanes-Oxley Act of 2002
Source: http://www.deloitte.com/assets/DcomIsrael/Local%20Assets/Documents/Optimizing%20the%20role%20of%20internal%20audit%20in%20the%20sarbanes-oxley%20era%281%29.pdf
Methodologies
Process does not carry out established policies or achieve intended result
Business Processes:
- Validate acceptance and compliance with the process through its involvement in the Operating Effectiveness phase (i.e. testing will reveal compliance with change process).
- When business changes are contemplated, act as an internal consultant to management in analyzing the change events to determine their internal control impact.
- Assist the management in defining the method to risk-rank processes and defining the extent and timing of testing to be performed on controls in High risk, Medium risk and Low risk processes.
- Confirm that SOX documentation is appropriately updated to reflect business changes during the Operating Effectiveness phase.
- Confirm that test plans are updated to reflect documentation changes in a timely manner.
Management Reports:
- Assist Management in creating the reporting structure by conducting an information needs analysis to determine the requirements of Corporate Controllers Group, BU CFOs, SOx Coordinators & SOx Process & Control Owners.
- Aid in the development and/or updating of existing reporting systems and structures to support additional required capabilities.
- Develop mitigating reporting strategies until information and reporting capabilities match requirements.
- Internal Audit reviews and provides a predetermined level of validation for information contained in management reports.
Systems and Data:
- Assist with conducting a needs analysis to determine system requirements for key SOX compliance activities.
- Review SOX component processes that may be systematically assisted.
- Compare these activities with ones currently being supported by Internal Audit resources for opportunities to reduce involvement.
- Aid in the development and/or updating of existing systems.
SOX Components
[Responsibility matrices (cell values P / S; cell positions not recoverable). Components: Resetting the Foundation, Change Recognition, Documentation, Design Effectiveness, Operating Effectiveness, Reporting & Validation of Results. Roles: CO/BU, CICO, PMO, COOR, IA, PO.]
Example 4: Fraud
Description: Fraud in company where there is theft of Rs 1,500,000 lakhs by cashier.
SOX Treatment: Ensure that fraud is detected, accounted as loss and reported in Financial Statement (if material).
IA Treatment:
- Identify root cause for fraud
- Understand if it is process related gap or individual instance
- Understand if there is any Segregation of Duty issue
- Understand if there has been any collusion resulting in fraud
Example 5: Procurement
Description: Computers are purchased after appropriate approvals.
SOX Treatment: Ensure that approval of PO is as per DoA.
IA Treatment:
- Review if the computer was required
- Understand if there were any unused computers in other departments which could have been used
- See if computer purchased is of configuration required for the work