
Internal Auditor's Role in SOX Compliance

Akhilesh Thakur

Definition of Internal Audit - IIA


Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Source: GAIN report on Measuring Internal Audit Performance


2012 Protiviti Consulting Private Limited CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Major Sections of SOX with IA Impact


404(a): annual reports must include an internal control report in which management acknowledges its responsibility for establishing and maintaining internal controls and assesses the effectiveness of the internal controls in place.
404(b): the external auditors attest to and report on management's assessment above.
The Act only refers to internal control over financial reporting. As a consequence, controls over errors, fraud, waste and embezzlement that do not have a material impact on financial reporting can be excluded from this clause.
302: the company officers (CEO and CFO) signing the SEC reports are responsible for what they sign, and certify that they have implemented the internal controls necessary to ensure they are informed of anything with a material impact on financial reporting.

The effect of the Sarbanes-Oxley Act of 2002 (SOX) has been dramatic and global. SOX enhanced the regulatory framework for investor protection and confidence. Some points to note about its effect:
- SOX has required or encouraged a variety of best practices related to management accountability, auditor independence, audit committees, internal control reporting, risk management, and improvement of financial processes
- One of the important contributions of the regulatory guidance is the top-down, risk-based assessment, a robust framework for identifying and assessing financial reporting risks
- Compliance approaches, benefits, and costs continue to evolve as practice and regulatory guidance change

Source: http://www.auditnet.org/articles/SOX&IA.htm

How is IA different from SOX?


SOX only covers internal control over financial reporting. It does not cover:
- Operational efficiency
- Improvement opportunities
- Benchmarking of best practices
- Wastage and inefficiencies
- Fraud which may not have a material financial impact


Example 1: IA vs SOX
Internal Control: The Finance Manager reviews accounts receivable outstanding for more than 180 days on a monthly basis. Reasons for these outstanding balances are reviewed and approved by the Financial Controller.
Evidence Available: The account statements are available and signed off by the Financial Controller. See attachment:
Receivables > 180 Days

Question: What can be the treatment for this in SOX and IA?


Example 2: Inventory Review


Control: Old, slow and non-moving inventory is reviewed by the CFO, and provisions are made for all inventory that has been old, slow or non-moving for more than 180 days.

Treatment in SOX: In SOX, you will look for evidence of the review and whether an adequate provision has been made.
Treatment in IA: ?


Example 2: Inventory Review


Control: Old, slow and non-moving inventory is reviewed by the CFO, and provisions are made for all inventory that has been old, slow or non-moving for more than 180 days.

Treatment in IA:
- Root cause analysis to identify why the inventory became slow or non-moving
- Identify how this can be avoided in future, e.g. define maximum inventory levels
- Use FEFO (first expired, first out) to ensure that materials with a shelf life do not expire
- Suggest alternative ways to liquidate the materials:
  - Use of the materials by other locations in a multi-plant environment
  - Liquidation of the materials if they are not customized products
  - Reprocessing of the materials, e.g. plastic and metal can be extracted from residue
- Suggest keeping slow and non-moving materials separately, with regular reporting
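As an added example, not from the original deck, the following Python reperforms the 180-day ageing behind both Example 1 (receivables review) and Example 2 (inventory provisioning) from constructed source data instead of relying on the sign-off alone: it rebuilds the population the control should have covered, compares it with the signed-off list (the SOX completeness test), shows where the overdue balance concentrates (the IA root-cause question), and checks the booked provision against the 180-day policy. The 31 March 2012 cutoff, the 100% provision rate and every invoice, customer and item value are assumptions.

```python
# Added example, not from the original deck: reperforming the two 180-day ageing
# controls (receivables review in Example 1, inventory provisioning in Example 2)
# from source data instead of only inspecting the sign-off. All dates, amounts,
# customer and item codes below are constructed; the 31 March 2012 cutoff and the
# 100% provision rate are assumptions.
from collections import defaultdict
from datetime import date

CUTOFF = date(2012, 3, 31)   # period end under review (assumed)
THRESHOLD_DAYS = 180         # the deck's 180-day criterion

# Constructed open receivables at the cutoff: (invoice, customer, invoice date, amount)
OPEN_RECEIVABLES = [
    ("INV-1001", "C01", date(2011, 8, 15), 120_000),   # 229 days old
    ("INV-1002", "C02", date(2011, 9, 30), 55_000),    # 183 days old
    ("INV-1003", "C02", date(2011, 10, 5), 40_000),    # 178 days: not yet in scope
    ("INV-1004", "C03", date(2012, 2, 10), 80_000),    # 50 days old
    ("INV-1005", "C01", date(2011, 7, 1), 30_000),     # 274 days old
]

# Constructed list of invoices on the statement the Financial Controller signed off.
REVIEWED_BY_CONTROLLER = {"INV-1001", "INV-1002"}

# Constructed stock at the cutoff: (item, last movement date, cost, provision booked)
INVENTORY = [
    ("ITM-A", date(2011, 6, 30), 200_000, 200_000),   # 275 days, fully provided
    ("ITM-B", date(2011, 9, 1), 90_000, 0),            # 212 days, nothing provided
    ("ITM-C", date(2012, 1, 15), 150_000, 0),          # 76 days, still moving
]


def age_in_days(record_date, cutoff=CUTOFF):
    """Days elapsed from a record date to the cutoff."""
    return (cutoff - record_date).days


def overdue_population(records, cutoff=CUTOFF, threshold=THRESHOLD_DAYS):
    """Recompute the > threshold-day receivables from source data: {invoice: age}."""
    return {inv: age_in_days(d, cutoff)
            for inv, _cust, d, _amt in records
            if age_in_days(d, cutoff) > threshold}


def review_completeness(records, reviewed_ids, cutoff=CUTOFF, threshold=THRESHOLD_DAYS):
    """SOX-style test of the review control: compare the population the control should
    have covered with the signed-off list. 'missing' items are completeness exceptions;
    'not_in_population' items were reviewed but do not meet the criterion."""
    expected = overdue_population(records, cutoff, threshold)
    return {
        "expected": expected,
        "missing": sorted(set(expected) - set(reviewed_ids)),
        "not_in_population": sorted(set(reviewed_ids) - set(expected)),
    }


def overdue_by_customer(records, cutoff=CUTOFF, threshold=THRESHOLD_DAYS):
    """IA-style analysis: where the overdue balance concentrates, largest first."""
    totals = defaultdict(int)
    for _inv, cust, d, amt in records:
        if age_in_days(d, cutoff) > threshold:
            totals[cust] += amt
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def provision_shortfall(inventory, cutoff=CUTOFF, threshold=THRESHOLD_DAYS, rate=1.0):
    """Compare the provision the 180-day policy requires (rate x cost, assumed 100%)
    with what is booked; returns [(item, shortfall)] for under-provided items."""
    shortfalls = []
    for item, last_move, cost, booked in inventory:
        if age_in_days(last_move, cutoff) > threshold:
            required = int(cost * rate)
            if booked < required:
                shortfalls.append((item, required - booked))
    return shortfalls


if __name__ == "__main__":
    result = review_completeness(OPEN_RECEIVABLES, REVIEWED_BY_CONTROLLER)
    print("overdue population:", result["expected"])
    print("missing from signed-off statement:", result["missing"])
    print("overdue balance by customer:", overdue_by_customer(OPEN_RECEIVABLES))
    print("inventory provision shortfall:", provision_shortfall(INVENTORY))
```

On the constructed data, INV-1005 is older than 180 days but absent from the signed-off statement, which is the kind of completeness exception a SOX tester records against the control; the customer concentration and the ITM-B provision gap are the starting points for the IA root-cause questions on the slides above.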


Example 3: Sales
Description: Goods are not delivered to customers in a timely manner, resulting in liquidated damages. Does this have any impact on SOX?


Example 3: Sales
Description: Goods are not delivered to customers in a timely manner, resulting in liquidated damages.
SOX Impact: Nil, as this is an operational efficiency matter that is not covered by SOX.
IA: Analyze the root cause of the delays and suggest remedial action. Examples:
- Modify the agreement with the transporter to cover delayed delivery on their part, and recover the liquidated damages from them
- Identify bottlenecks in the production process if the delay is due to delayed production


Internal Audit Survey Results

Role of IA and PMO in SOX Compliance


In most organizations, Internal Audit (IA) is primarily responsible for the Sarbanes-Oxley compliance process, followed by executive management and the audit committee.

Source: GAIN report on Measuring Internal Audit Performance



Post-SOX Responsibilities


Primary Responsibility for overseeing SOX work

Since the advent of SOX, IA has shouldered the primary responsibility for its compliance. Even though organizations are eight years into the SOX compliance process, the SOX survey results still show that the primary responsibility for overseeing SOX work in both large (27%) and small (29%) companies resides with internal auditors. While companies want to rebalance their internal audit departments, lead responsibility for SOX activities remains the most common role for internal audit to date.

Internal Audit Hours Dedicated to Each Year of SOX Compliance

The Rebalance Survey sheds light on the consistency internal audit departments have achieved, or are achieving, in the internal audit hours dedicated to SOX compliance. This indicates that internal audit departments are rigorously planning or implementing rebalancing efforts to migrate back to their core responsibilities of governance, risk and compliance.

Internal Audit Responsibilities

As the graph shows, all SOX-related technical areas (items 27 to 28) fall in the second quadrant, indicating a higher level of competency and a lower need to improve. With the fast-changing risk and governance landscape and the critical role played by internal auditors in assisting management to mitigate these risks, the trend highlights the transition of the internal audit function from traditional audits and SOX compliance to higher-value, specialist audits in newer areas such as GAIT, IFRS, XBRL, ISO 27000, and COBIT.

Internal Audit Rebalancing


After the enactment of the Sarbanes-Oxley Act in July 2002 (SOX), internal audit functions became deeply entrenched in guiding their management and audit committees, assessing the risks and controls over financial reporting, and complying with the new internal control reporting requirements. Internal auditors were highly focused on helping their organizations establish, design and test financial reporting controls. The SOX Survey and the IA Rebalance Survey conducted by Protiviti show that internal audit activity is moving away from SOX compliance work towards a more strategic and critical role in meeting organizational goals effectively and efficiently.


Synergy between SOX and Internal Audit

- Define the scope for internal audit
- Identify controls and objectives which are common to IA and SOX
- Define common documentation standards
- Plan SOX and internal audit work for the next year
- Prepare the list of controls to be tested for internal audit
- Identify common areas with SOX testing
- Update the test results for SOX testing in the required format
- Document the results for IA and SOX


Internal Auditor's Role in SOX

Impact of SOX on IA
The impact of SOX on IA is seen on the following parameters:

Enhancing investors' perceptions - Corporate failures like Enron and WorldCom dramatically affected investors' perceptions of public companies. Many provisions of SOX are directed toward rebuilding investor confidence in corporate America, including formation of the Public Company Accounting Oversight Board, increased management accountability and auditor independence, and stiffer criminal penalties. Despite being a primary goal of the Act and being seen as highly important by respondents, the perceived impact on investor confidence was among the lowest in the cited study: only 38 percent of respondents felt SOX has had a significant impact on strengthening investors' perceptions of their companies.

Strengthening internal controls - Section 404, Management Assessment of Internal Controls, is one of the most significant provisions of Sarbanes-Oxley. It requires management to issue a report stating its responsibility for internal control and providing an assessment of the effectiveness of internal control, to which the auditor must attest.

Empowering audit committees - Sarbanes-Oxley requires the audit committee to be directly responsible for the appointment, compensation and oversight of any public accounting firm employed by the issuer. The Act also requires audit committee members to be independent of the issuer and provides an incentive to have a financial expert as a member of the committee.

Increasing accountability - Sarbanes-Oxley requires CEOs and CFOs to prepare a statement certifying the appropriateness and fair presentation of the financial statements, increasing their involvement in and accountability for financial reporting.

Strengthening external auditor independence - Sarbanes-Oxley prohibits external auditors from performing certain non-audit services for audit clients. Moreover, external auditors must report directly to the audit committee, and the lead and reviewing partners must rotate off an audit client every five years.

Source: http://www.tscpa.com/journal/articles/sarbanes-oxley.pdf

Role of Audit Committees in SOX


Although Sections 302 and 404 of the Sarbanes-Oxley Act of 2002 do not assign specific responsibilities to audit committees, Sections 301 and 407 establish broad standards for, and disclosures regarding, audit committees.

Section 301 establishes certain general standards with which audit committee members are required to comply:
- Except for board of director fees, audit committee members may not accept consulting, advisory, or other compensatory fees from the issuer and its subsidiaries. Audit committee members must also not be an affiliated person of the issuer or its subsidiaries
- Audit committees must be directly responsible for the appointment, compensation, retention, and oversight of all registered public accounting firms that prepare or issue audit reports or perform other audit, review, or attest services for the issuer
- Audit committees must establish procedures for receiving, retaining, and addressing complaints received by the issuer related to accounting, internal controls, and auditing
- Audit committees must have the authority to engage independent counsel as they deem necessary
- Issuers must provide the audit committee with appropriate funding to enable it to fulfill its responsibilities

Section 407 requires an issuer to disclose in its annual report whether it has at least one audit committee financial expert serving on its audit committee and, if so, whether the expert is independent of management. An issuer that does not have an audit committee financial expert must disclose this fact and explain why.

Source: Internal Auditing's Role in Sections 302 and 404 of the U.S. Sarbanes-Oxley Act of 2002


SOX activities for IA


The following Sarbanes-Oxley-related activities were found to be allowable and appropriate for internal audit:
- Consulting on internal control
- Consulting on internal control in relation to enterprise-wide risk management
- Assisting the organization in identifying, evaluating, and implementing risk and control assessment methodologies
- Recommending controls to address related risks
- Assisting with designing systems of internal control (however, designing is not the same as installing; see below)
- Drafting procedures for systems of internal control
- Assisting with maintenance of the controls repository
- Conducting effectiveness testing on behalf of management (but without concluding for management)
- Aiding management in the design of tests for control effectiveness (however, in all cases, management should make the final decision on control design and operating effectiveness)
- Taking on the role of lead project manager for all or part of the efforts related to complying with Section 404
- Providing training and/or information on internal control identification and assessment, risk assessment, and test plan development
- Providing information, training, and/or facilitating a control self-assessment

The following Sarbanes-Oxley-related activities were found to be inappropriate for an objective internal audit function:
- Concluding on the effectiveness of internal controls on behalf of management
- Making or directing key management decisions regarding internal controls, remediation activities, and Sarbanes-Oxley compliance
- Installing systems of internal control
- Performing control activities

Source: http://www.deloitte.com/assets/DcomIsrael/Local%20Assets/Documents/Optimizing%20the%20role%20of%20internal%20audit%20in%20the%20sarbanes-oxley%20era%281%29.pdf

IA Role Using the Six Elements of Infrastructure


We can revisit the internal auditor's role in SOX using the six elements of infrastructure.

Key elements of infrastructure must be linked by design:
- Business Policies
- Business Processes
- People and Organization
- Management Reports
- Methodologies
- Systems and Data

Risk if an element is deficient:
- Processes do not carry out established policies or achieve the intended result
- People lack the knowledge and experience to perform the process
- Reports do not provide the information needed for effective management
- Methodologies do not adequately analyze data and information
- Information is not available for analysis and reporting


IA Role Using the Six Elements of Infrastructure


Business Policies:
- Internal Audit should gain policy support throughout the Company through joint development and execution of training related to new policies.
- Review and audit against new policies to validate operation and alignment with the future vision of the client's SOX processes across the organization.
- Validate acceptance of and compliance with policies through Entity Level Control review processes.
- Conduct an assessment of other elements of compliance risk throughout the organization to find opportunities to integrate SOX-related activities.

Business Processes:
- Validate acceptance of and compliance with the process through involvement in the Operating Effectiveness phase (i.e. testing will reveal compliance with the change process).
- When business changes are contemplated, act as an internal consultant to management in analyzing the change events to determine their internal control impact.
- Assist management in defining the method used to risk-rank processes, and in defining the extent and timing of testing to be performed on controls in high-, medium- and low-risk processes.
- Confirm that SOX documentation is updated to reflect business changes during the Operating Effectiveness phase.
- Confirm that test plans are updated to reflect documentation changes in a timely manner.


IA Role Using the Six Elements of Infrastructure


People and Organization:
- Develop a formal step in the department's standard audit program to inquire about change events in the organization. A checklist of common change events that might have a SOX impact may be a useful tool for this step.
- Continue to act as a resource to management in evaluating the potential SOX impact of change events.
- Assist with developing the Company's training program, using Internal Audit's deep knowledge of risks, controls, COSO and SOX.
- Assist management in developing periodic communication regarding change recognition roles and responsibilities.

Management Reports:
- Assist management in creating the reporting structure by conducting an information needs analysis to determine the requirements of the Corporate Controller's Group, BU CFOs, SOX Coordinators and SOX Process and Control Owners.
- Aid in the development and/or updating of existing reporting systems and structures to support additional required capabilities.
- Develop mitigating reporting strategies until information and reporting capabilities match requirements.
- Review and provide a predetermined level of validation for the information contained in management reports.


IA Role Using the Six Elements of Infrastructure


Methodologies:
- Assist with developing the SOX compliance methodology.
- Through the exercise of its responsibilities, validate that the organization is complying with and utilizing the SOX compliance methodology.

Systems and Data:
- Assist with conducting a needs analysis to determine system requirements for key SOX compliance activities.
- Review SOX component processes that could be supported by systems, and compare these with activities currently supported by Internal Audit resources for opportunities to reduce involvement.
- Aid in the development and/or updating of existing systems.


SOX Roles and Responsibilities


Degree of Responsibility & Accountability
- Primary (P): This role is formally designated; its duty is to actively manage and authorize actions in the area of responsibility.
- Secondary (S): This role is contributory; the group acts in a check-and-balance or advisory capacity and helps determine the practical implications for the respective area of responsibility.

Roles
- Internal Audit (IA)
- SOX Coordinators (COOR)
- Process Owners (PO)
- Project Management Office (PMO)
- Chief Risk/Internal Control Officer (CICO)
- Certifying Officers (CO)
- Business Unit CFOs (BU)

SOX Components
- Resetting the Foundation
- Change Recognition
- Documentation
- Design Effectiveness
- Operating Effectiveness
- Reporting & Validation of Results

Six Elements of Infrastructure
- Business Policies
- Business Processes
- People & Organization
- Management Reports
- Methodology
- Systems & Data

[Responsibility matrices: each role's Primary (P) or Secondary (S) assignment against the SOX Components, and against the Six Elements of Infrastructure]

SOX Roles and Responsibilities


The various components of SOX are described below:

Resetting the Foundation - Preliminary building blocks are established to define an overall project plan, communication plan, measures of success, financial statement and assertion identification and linkage, locations and deliverables. These items must be evaluated each year. Although many of them were prepared in year 1, Internal Audit should influence these foundation elements and subsequently define the strategy for Internal Audit. The foundation-setting process should integrate SOX regulatory compliance with other business and strategic objectives in addressing infrastructure priorities.

Change Recognition - Changes in business activities and M&A activity require a process for discovery and escalation to aid in proactive assessment of SOX compliance implications. Change recognition needs to be monitored not only top-down but also bottom-up. The appropriate information should be provided to both Corporate and BU-level personnel. Internal Audit must participate in this effort to adjust its risk-based audit plan and/or SOX testing approach.

Documentation - Documentation standards for narratives, flowcharts, risk and control matrices, etc. drive efficient controls evaluation. A methodology for consistently maintaining and updating the process documentation for changes in the business and their impact on the control environment enables the sharing of process ideas and the forming of best practices, as well as driving the Internal Audit plan.

Design Effectiveness - Assessment of the design of controls to mitigate the financial reporting risks, including the method of reviewing, reporting and evaluating design effectiveness. Design effectiveness should be linked to change recognition activities to verify the completeness of the controls in the documentation.

Operating Effectiveness - A standard process for managing the various components of operating effectiveness is executed consistently across the organization. There is a standard procedure for evaluating testing results and aggregating deficiencies to assess whether a material weakness exists.
- Testing procedures: define the testing techniques, timing, resources, documentation of results and evaluation of results.
- Testing scope: define sample size, key controls, locations to test, etc.
- Self-assessment: determine if, and how, process owners will self-validate control operating effectiveness.
- Validation efforts: define the process to validate the results of management's testing. Often, Internal Audit is used to verify the results of management's testing, regardless of the testing approach used by management (i.e. self-assessment or detailed testing).
- Classification of gaps: evaluate testing failures to determine whether a deficiency exists. If a deficiency exists, determine its severity (e.g. deficiency, significant deficiency, material weakness).
- Remediation: develop, assign and monitor action plans. Prioritize and schedule remediation as appropriate throughout the year.
- Refresh testing: develop and execute a plan to bring current the testing done throughout the year.

Reporting & Verification of Results - A formal reporting process regarding the assessment process and results that will support the SOX certification process.

Example 4: Fraud
Description: Fraud in the company, where the cashier has stolen Rs 1,500,000 (15 lakh)
SOX Treatment: Ensure that the fraud is detected, accounted for as a loss and reported in the financial statements (if material)
IA Treatment:
- Identify the root cause of the fraud
- Understand whether it is a process-related gap or an individual instance
- Understand whether there is any segregation of duties issue
- Understand whether there was any collusion resulting in the fraud


Example 5: Procurement
Description: Computers are purchased after appropriate approvals
SOX Treatment: Ensure that approval of the PO is as per the Delegation of Authority (DoA)
IA Treatment:
- Review whether the computers were required
- Understand whether there were any unused computers in other departments which could have been used
- See whether the computers purchased are of the configuration required for the work
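The control tests a practitioner would actually run for Example 4 (segregation of duties around cash handling) and Example 5 (PO approval within the Delegation of Authority), as an added example that is not part of the original deck. The user IDs, role names, conflict matrix, DoA limits and purchase orders are all constructed and hypothetical. It goes one step beyond the slides by also flagging split orders, the common way a DoA threshold is evaded that a one-PO-at-a-time approval test does not catch.

```python
# Added example, not from the original deck: the control tests behind Example 4
# (segregation of duties around cash handling) and Example 5 (PO approval per the
# Delegation of Authority). User IDs, role names, the conflict matrix, DoA limits
# and the purchase orders are all constructed and hypothetical.
from collections import defaultdict

# Constructed role assignments from the ERP user-access listing.
ROLE_ASSIGNMENTS = {
    "u101": {"CASH_RECEIPT", "AR_POSTING"},       # receives cash and records it
    "u102": {"CASH_RECEIPT"},
    "u103": {"BANK_RECONCILIATION"},
    "u104": {"VENDOR_MASTER", "PO_APPROVE"},      # creates vendors and approves POs
    "u105": {"PO_CREATE"},
    "u106": {"PO_APPROVE"},
}

# Toxic role pairs: one person holding both can both commit and conceal.
SOD_CONFLICTS = [
    ({"CASH_RECEIPT", "AR_POSTING"}, "receive cash and record the receipt"),
    ({"CASH_RECEIPT", "BANK_RECONCILIATION"}, "handle cash and reconcile the bank"),
    ({"VENDOR_MASTER", "PO_APPROVE"}, "create vendors and approve purchases"),
    ({"PO_CREATE", "PO_APPROVE"}, "raise and approve purchase orders"),
]

# Hypothetical DoA: the maximum PO value each approver may authorize.
DOA_LIMITS = {"u106": 50_000, "u107": 250_000, "u108": 1_000_000}

# Constructed PO sample for the period.
PURCHASE_ORDERS = [
    {"po": "PO-1", "amount": 42_000, "requester": "u105", "approver": "u106", "vendor": "V1", "date": "2012-03-01"},
    {"po": "PO-2", "amount": 90_000, "requester": "u105", "approver": "u106", "vendor": "V2", "date": "2012-03-05"},
    {"po": "PO-3", "amount": 30_000, "requester": "u106", "approver": "u106", "vendor": "V3", "date": "2012-03-07"},
    {"po": "PO-4", "amount": 300_000, "requester": "u105", "approver": "u109", "vendor": "V1", "date": "2012-03-09"},
    {"po": "PO-5", "amount": 45_000, "requester": "u105", "approver": "u106", "vendor": "V4", "date": "2012-03-12"},
    {"po": "PO-6", "amount": 48_000, "requester": "u105", "approver": "u106", "vendor": "V4", "date": "2012-03-12"},
]


def find_sod_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Return [(user, description)] for every user holding a conflicting role pair."""
    findings = []
    for user, roles in sorted(assignments.items()):
        for pair, why in conflicts:
            if pair <= roles:          # user holds every role in the toxic pair
                findings.append((user, why))
    return findings


def check_po_approvals(pos, limits=DOA_LIMITS):
    """SOX-style test of the approval control: each PO approved by someone with
    DoA authority, within their limit, and not by the requester."""
    exceptions = []
    for po in pos:
        if po["approver"] == po["requester"]:
            exceptions.append((po["po"], "self-approval"))
        limit = limits.get(po["approver"])
        if limit is None:
            exceptions.append((po["po"], "approver has no DoA authority"))
        elif po["amount"] > limit:
            exceptions.append((po["po"], f"amount exceeds approver DoA limit of {limit}"))
    return exceptions


def find_split_orders(pos, limits=DOA_LIMITS):
    """Flag POs to the same vendor by the same requester on the same day that each
    pass the approver's limit individually but exceed it in aggregate: the classic
    way an approval threshold is evaded. Returns [(po ids, total)]."""
    groups = defaultdict(list)
    for po in pos:
        groups[(po["requester"], po["vendor"], po["date"])].append(po)
    flagged = []
    for items in groups.values():
        if len(items) < 2:
            continue
        total = sum(p["amount"] for p in items)
        lowest_limit = min(limits.get(p["approver"], 0) for p in items)
        each_within = all(p["amount"] <= limits.get(p["approver"], 0) for p in items)
        if each_within and total > lowest_limit:
            flagged.append((sorted(p["po"] for p in items), total))
    return flagged


if __name__ == "__main__":
    print("SoD conflicts:", find_sod_conflicts(ROLE_ASSIGNMENTS))
    print("DoA exceptions:", check_po_approvals(PURCHASE_ORDERS))
    print("possible split orders:", find_split_orders(PURCHASE_ORDERS))
```

check_po_approvals is the SOX-side evidence that each approval sat within authority; find_sod_conflicts and find_split_orders are the IA-side questions of whether the process design itself made the fraud or the evasion possible, which is why a cashier who can both receive cash and post the receipt (u101 above) is a finding even before any theft is detected.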

