Sarbanes-Oxley Act
Training
June 24, 2003
PwC
Table of Contents
Agenda
Project Overview
Sarbanes-Oxley – The Act
An Overview of the COSO Framework
Controls Overview
Documentation Package Overview
Communication Plan
Break Out Sessions
Next Steps
SWAT Team Contacts
Agenda
Introductions and Agenda Overview
Project Overview – Why Am I Here?
Project Strategy – What is Sarbanes-Oxley and Why?
Why This is Important to Client X
Key Project Sponsors and Constituents
SWAT Team Introduction
Timelines, Milestones and Deliverables
Break
Sarbanes-Oxley – The Act
Reporting Requirements
Management’s Requirements under Section 404
Audited Financial Statements vs. Section 404 Certification
404 Roles, Activities and Deliverables
404 Financial Controls Framework
An Overview of the COSO Framework
The COSO Framework Defined
COSO Framework – Control Environment
COSO Framework – Risk Assessment
COSO Framework – Control Activities
COSO Framework – Information and Communication
COSO Framework – Monitoring
Internal Controls Maturity Framework
Break
Agenda
Controls Overview
Control Characteristics / Activities
Control Objectives – CAVR
CAVR – Summary of Control Techniques
Financial Statement Assertions
Control Objectives Linked to Financial Statement Assertions
Application, Monitoring and General IT Controls: Defined
Lunch
Documentation Package Overview
How to Guides
Flowcharting
Narratives
Control Matrix Documentation
Bad Example Case Study
Good Example Case Study
Communication Plan & Next Steps
Status Reporting
Issues Reporting
Breakout Sessions
Materiality Assessment Overview
Identified Processes (to date)
Working session
Validate processes
Begin detailed project plan
Begin to identify process owners
Group presentations
Next Steps
Project Overview
Project Overview
Why Am I Here?
Project Strategy – What is Sarbanes-Oxley and Why?
Why This is Important to Client X
Key Project Sponsors and Constituents
SWAT Team Introduction
Timelines, Milestones and Deliverables
Why Sarbanes-Oxley?
Economic Recession: October 2001 – The events of 9/11 and the economic downturn heightened regulatory concern for accounting reforms in the hi-tech sector.
Enron: December 2001 – Admitted accounting errors that inflated earnings, and the subsequent bankruptcy filing, brought public outcry.
Sarbanes-Oxley Act: January 2002 – Protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
MCI WorldCom: June 2002 – Overstated profits and understated expenses by $, which allowed the firm to meet artificial earnings projections over 5 quarters.
Sarbanes-Oxley Act: June 2003 – Economic and market concerns underscored regulatory urgency for SEC action and legal mandates.
Effects of Sarbanes-Oxley
Sarbanes-Oxley will do the following for companies:
Accountability:
Final sign-off ensuring effective controls supporting financial statements
Responsibility:
Establish and maintain an effective control structure for financial reporting
Commitment:
Define the internal control structure for financial reporting
Document key internal controls and procedures over financial reporting
Trust:
Prevent and detect errors or fraud in significant account balances, transactions and disclosures
Segregate duties and safeguard assets
Identify who performs controls testing
Confidence:
External audit effective for Client’s 12/31/04 year end
(SEC View: ‘Lack of errors in financial statements is not de facto evidence of an appropriate control structure.’)
Why is it Important to Client X?
Accountability: Ownership
Responsibility: Enterprise Safeguards
Commitment: Standardization
Trust: Management & Staff Maturity
Confidence: Investor & Public Confidence
Project Sponsors and Constituents
Organization chart of sponsor areas: Corporate & IA; Domestic Telecom; Information Services; Wireless; International
Project Sponsors and Constituents (contd.)
Champion the §404 effort in their areas of responsibility
Monitor §404 project plan
Make critical project decisions for the company as necessary
Serve as advisors to the project management team throughout the §404 process
Manage the resolution of gaps as identified
Analyze and challenge results
Approve and sign-off on final report
Project Sponsors and Constituents (contd.)
Considered ‘content’ specialists
Update process / control documentation
Prepare, direct and review the documentation of controls in their respective areas
Ensure the documentation and controls are completed in a manner consistent with the planned methodology and approach
First level sign-off on completeness and accuracy of documentation package compilation
Ensure remediation plans are developed and completed in a timely manner
Begin to develop testing plans for operational effectiveness
SWAT Team Introduction: Team Architecture
Project Management Team
Corporate Liaison
Revenue & Receivables - Front End
Revenue & Receivables - Financial
PP&E
Corporate Books
Intercompany
Consolidation F/S & Reporting
SWAT Team Introduction: Process Overview
Client X: Project Flow / Materiality / Financial Statement Mapping / Training
[Swimlane flowchart. Lanes: Client Executive Team, Client PMO, PwC Partner Team, PwC PMO, SWAT Field Team, SWAT Training Team, Auditor.]
Materiality: materiality definition drafted; definition reviewed and approved; materiality definitions provided; definitions approved; materiality thresholds validated by the partner team, the PwC PMO and the SWAT field team.
Financial Statement Mapping: financial statement / process mapping prepared; map reviewed and approved; mapping approved; mapping validated by the partner team, the PwC PMO and the SWAT field team; financial statement / process map provided.
Training: training package developed; package reviewed and approved at each level; SWAT leads and team trained; SWAT team feedback incorporated into revised training; feedback summary prepared for incorporation; feedback summary reviewed and approved. Connector A continues on the next slide.
SWAT Team Introduction: Process Overview
Client X: Project Flow / Detailed Work Plan / Process Owner Training
[Swimlane flowchart. Lanes: Executive Team, Client PMO, PwC Partner Team, PwC PMO, SWAT Field Team, SWAT Training Team, Process Owners. Continues from connector A.]
Detailed Work Plan: approved training package in hand; build detailed work plan per account area (See Note^); review plan for completeness; final partner approval; review and approve detailed work plan; final work plan; adopt new work plan.
Process Owner Training: provide client contact list; a) confirm process, b) identify process owners, c) notify process owners of training dates and get commitments, d) gather existing documentation; provide training; update training package based on feedback; gather and review existing documentation. Connector B continues on the next slide.
SWAT Team Introduction: Process Overview
Client X: Project Flow / Documentation ‘No Findings’
[Swimlane flowchart. Lanes: Client X Executive Team, Client X PMO, PwC Partner Team, PwC PMO, SWAT Field Team, SWAT Training Team, Process Owners. Continues from connector B.]
Documentation ‘No Findings’: schedule meetings with process owners and provide guidance; weekly status reports provided by the field team and the PMO; documentation package completed in draft; draft package reviewed, with assistance on flow charts; package updated for SWAT team comments; final draft package reviewed by the SWAT teams, the PMOs and the partner team; final package placed in the library.
SWAT Team Introduction: Process Overview
Client: Project Flow / Documentation ‘With Findings’
[Swimlane flowchart. Lanes: Executive Team, PMO, PwC Partner Team, PwC PMO, SWAT Field Team, SWAT Training Team, Process Owners. Continues from connector B.]
Documentation ‘With Findings’: schedule meeting with process owners and provide guidance; weekly status provided and reviewed; draft documentation package completed; draft package reviewed; issue report and remediation plan provided; package updated for comments; remediation plan developed; issues report reviewed and remediation plan approved; approval communicated and progress reviewed; remediation plan enacted; documentation package revised; final draft reviewed at each level.
SWAT Team Introduction: Process Overview
Client X: Project Flow / QA Hotline
[Swimlane flowchart. Lanes: Executive Team, Client PMO, PwC Partner Team, PwC PMO, SWAT Field Team, SWAT Training Team, Process Owners. Continues from connector B.]
QA Hotline: design real-time / interactive QA program; QA program reviewed; QA program partner approval; QA program review and approval; QA program updated; QA program implemented.
Break: 9:30 – 9:45
Sarbanes-Oxley: The Act
Key Sarbanes-Oxley Reporting Requirements
Section 409 (March 28, 2003): Disclosure to the public on a “rapid and current basis” of material changes to financial condition or results of operations
Section 404 (years ending on or after June 15, 2004): Perform an ANNUAL assessment of the effectiveness of internal controls over financial reporting and obtain attestation from the external auditors
Section 906 (July 30, 2002): The periodic report states that financial information complies with the Exchange Act and fairly presents financial condition and results of operations
Section 302 (August 29, 2002): Various representations by certifying officers, similar to Section 906, plus additional representations related to disclosure controls and procedures, internal controls and fraud
Management’s Requirements Under Section 404
Section 404 – Management Must Assess Internal Controls Annually (effective for Client X’s 12/31/04 fiscal year end)
Internal control report states management’s responsibility for establishing and maintaining adequate internal control structure and procedures for financial reporting.
Management must:
Define the internal control structure for financial reporting
Document key internal controls and procedures over financial reporting including:
The controls designed to prevent and detect errors or fraud in significant account balances, transactions and disclosures
The related segregation of duties and safeguarding of asset controls
Who performs the controls
Testing of controls and documentation of results
Evaluate under an acceptable controls framework (such as COSO)
External auditor must perform attestation as of 12/31/04.
SEC View: Lack of errors in financial statements is not de facto evidence of an appropriate control structure.
Audit of Financial Statements vs. 404 Controls Attestation
Audit of Financial Statements
Understanding and consideration of internal controls only to develop the audit approach.
Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls.
Internal control reports have been very rare in practice and are the subject of different attestation standards.
404 Controls Attestation
100% controls-based approach. No direct, positive assurance from substantive/analytical procedures.
Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep). Includes controls that affect systems derived accounts, manually derived accounts and accounts requiring estimation and judgment.
Audit opinion will be based on internal control structure taken as a whole.
Findings reported will include:
Significant Deficiency (must be noted in the opinion): a deficiency that could adversely affect an entity’s ability to record, process and report financial data
Material Weakness (results in an “except for” qualified report): a deficiency that precludes the entity’s internal control structure from reducing the risk of material misstatement to an appropriately low level on a timely basis
404 Roles, Activities and Deliverables
Phases: Scoping, Understanding, Evaluating, Validating and Reporting, followed by Continuous Improvement, with project management support throughout. Management owns the first five phases below; the auditor owns Attest and Report.
Educate / Organize / Initiate (Management)
Key activities:
Obtain, understand and communicate the COSO framework to internal control / financial reporting stakeholders
Leverage the 302 process (including support structure) as it relates to the financial reporting controls framework and internal controls documentation
Obtain, understand and communicate 404 regulatory developments
Develop / disseminate information for internal control / financial reporting stakeholders
Establish project team and deploy to critical areas
Determine role of Internal Audit
Deliverables and work products:
404 awareness and education
Path forward defined
Inventory (Management)
Key activities:
Map financial statements (FS) to the business processes that drive financials and financial disclosures
Collect internal control documentation for each control component of COSO
Collect internal control evaluation documentation for appropriate entities / business units / etc.
Compile an inventory of known control issues with financial reporting significance (internal audit, risk management, external audit, regulatory)
Deliverables and work products:
Materiality decisions
FS mapping
Key process owners identified
Key processes defined by cycle and FS account
Audit Readiness (Auditability) (Management)
Key activities:
Understand auditability requirements from the external auditor
Establish internal controls documentation format
Communicate documentation standards to the project team
Develop exception handling process for internal control issues disclosed in the Evaluation Phase
Deliverables and work products:
404 Documentation Package
Format for use in evaluation phase defined
Exception handling process defined
Assess Effectiveness and Remediate (Management)
Key activities:
Review inventoried controls documentation for design effectiveness
Remediate design effectiveness issues identified as necessary
Retest internal control design effectiveness
Test operating effectiveness of internal control
Remediate operating effectiveness issues identified as necessary
Retest internal control operating effectiveness
Determine current state of internal controls
Use exception handling process for issues encountered during control evaluation
Deliverables and work products:
Internal control evaluation findings for internal use
Assertions and Financial Reporting Objectives (Management)
Key activities:
Based on the evaluation, document assertions on financial reporting based on Completeness, Accuracy, Timing, Cut-off, Existence, Occurrence, Valuation, Rights and Obligations, and Presentation and Disclosure
Provide 404 assertion to the external audit firm
Deliverables and work products:
Management assertion
Controls evaluation documentation
Attest (Auditor)
Key activities:
Review client’s 404 supporting documentation for management’s 404 assertion
Design tests of client’s key control procedures
Execute testing and evaluate results
Assess any known internal control weaknesses identified by management during their 302 certification process
Opine on management’s assertions pertaining to financial reporting objectives, reporting Material Weaknesses and Reportable Conditions (Significant Deficiencies)
Leverage SSAE 10 AT 501 reporting guidelines for internal control attestations and make appropriate adjustments based on PCAOB issuance of 404 standards
Report (Auditor)
Deliverables and work products:
Attestation report (and management assertion) filed annually with the SEC
404 Financial Controls Framework
[Diagram: the financial statements and disclosures at the top, fed by the ledger and close layer, the statement line items, and the underlying process layers.]
Financial statements and disclosures: Account Analysis; Journal Entries; Reporting Ledger; Disclosure Footnotes; Consolidation; Risk Factors; Non-Financial Information; Quarterly Reporting (10Q, 10K); DCP Process & Control Certification (302, 404); Annual Report Preparation
Ledger and close layer: Eliminating; Estimates; Manual Adjustments; Master Data (Chart of Accounts); Account Balances / Transactions; Account Reconciliation; Account Roll-up / Consolidation; Reporting; Account Mapping
Balance Sheet – Assets: Cash & Cash Equivalents; Accounts Receivable; Inventory; Prepaid Expenses; Property, Plant & Equipment; Long-Term Investments
Balance Sheet – Liabilities & Equity: Deferred Revenue; Common Stock; Accrued Expenses; Deferred Compensation; Accounts Payable
Income Statement: Sales; Cost of Goods Sold; Marketing, Sales & Services; General & Administrative; Depreciation and Amortization; Other Income; Direct and Indirect Taxes
Process layers: Transactional Processes; Closing Processes; Estimates / Judgments; Disclosure and Reporting; Billing Adjustments
Note: In addition to the items above, significant functional areas under 404 include Information Systems, HR, Tax, Legal, and Compliance
An Overview of the COSO Framework
The COSO Objectives Are a Prerequisite for Internal Control
The COSO report defines internal control as a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories below.
Effectiveness and Efficiency of Operations: Relates to an entity's basic business objectives, including performance and profitability goals and safeguarding of resources.
Reliability of Financial Reporting: Relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly.
Compliance with Laws and Regulations: Relates to complying with those laws and regulations to which the entity is subject.
The COSO Framework
Control Activities
Policies/procedures that ensure management directives are carried out.
Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Monitoring
Assessment of a control system’s performance over time.
Combination of ongoing and separate evaluation.
Management and supervisory activities.
Internal audit activities.
Control Environment
Sets tone of organization-influencing control consciousness of its people.
Factors include integrity, ethical values, competence, authority, responsibility.
Foundation for all other components of control.
Information and Communication
Pertinent information identified, captured and communicated in a timely manner.
Access to internal and externally generated information.
Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
All five components must be in place for internal control to be effective.
As a generally accepted methodology for control assessment, COSO identifies five components of internal control that need to be in place and integrated for internal control to be considered “effective” in meeting the three objectives (i.e., effectiveness and efficiency of operations; reliability of financial reporting; compliance with applicable laws and regulations).
COSO Framework: Control Environment
The Control Environment sets the tone of an organization, influencing the control consciousness of its people.
Examples may include:
The achievement of the condition is a key part of executive personnel plans.
Clear and regular communication and personal commitment by senior executives to the effort sets the “Tone at the Top” that the project is a high priority.
Executive ownership is assigned to each condition, indicating the project’s importance.
Meetings among senior management and operating management reinforce a sense of urgency for information sharing and problem resolution.
Significant involvement by Internal Audit demonstrates senior management’s concern for, and focus on, controls.
Management decisions reflect a commitment to an appropriately controlled environment.
COSO Framework: Risk Assessment
Risk Assessment is the identification and analysis of risks to achievement of the objectives, helping to determine how the risks should be managed.
Examples may include:
The risks of not achieving any of the conditions are evaluated and high risk areas identified. Plans are put into place to address high risk areas. The assessment is updated as events warrant.
Where appropriate, the risk of not achieving an objective is balanced with the cost, including potential penalties, public image, etc.
All levels of management are involved in risk identification and objectives setting.
COSO Framework: Control Activities
Control activities are the policies and procedures that help ensure the necessary actions are taken to address risks related to the achievement of the organization’s objectives.
They address one or more of the following control objectives (CAVR)*:
Completeness: All information is input and processed once and only once.
Accuracy: Information (including standing data) is input and processed correctly.
Validity: Transactions and updates are authorized by appropriate personnel.
Transactions are supported by valid source documents.
Restricted Access: The ability to modify information is restricted to appropriate personnel. Company assets are protected from theft and misuse.
* CAVR will be explained in greater detail later in the presentation.
COSO Framework: Information and Communication
Pertinent information must be identified and communicated in a form and timeframe that enables people to carry out their responsibilities and take actions as appropriate.
Examples may include:
Information sharing, for example via executive communication, among all levels of the organization demonstrates a sense of common ownership.
Every employee’s control responsibilities are clearly defined and communicated by management.
An appropriate process for regular communication among the management team and with external parties is established.
Objectives and targets are established to measure progress and facilitate timely corrective action.
COSO Framework: Monitoring
Monitoring is the process to assess the quality of the internal control system’s performance over time, including regular management and supervisory activities.
Examples may include:
Owners clearly define and regularly review milestones and timelines specific to their responsibilities to ensure plans are progressing and appropriate corrective actions are being taken, if needed.
Senior management requests progress evaluations from the owners to assess whether the appropriate risk and opportunity considerations have been made by the responsible team.
Independent reviews of the internal control environment are regularly performed.
Internal Controls Maturity Framework
Level 5 – Optimized
An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise-Wide Risk Management)
Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control activities if needed
Level 4 – Monitored
Standardized controls with periodic testing for effective design and operation with reporting to management
Automation and tools may be used in a limited way to support control activities
Level 3 – Standardized
Control activities are designed and in place
Control activities have been documented and communicated to employees
Deviations from control activities will likely not be detected
Level 2 – Informal
Disclosure activities and controls are designed and in place but are not adequately documented
Controls mostly dependent on people
No formal training or communication of control activities
Level 1 – Unreliable
Unpredictable environment where control activities are not designed or in place
[Chart: the five levels Unreliable, Informal, Standardized, Monitored and Optimized drawn as a staircase. Reliability and integrity of processes and resulting information increases with maturity, while the risk of error or misstatement decreases. A marker labelled “Section 404 Assertion” is placed on the curve.]
Break: 10:45 – 11:00
Controls Overview
Controls Defined
Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Internal Controls
Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting
Compliance with applicable laws and regulations.
Control Characteristics / Activities
Controls can be preventative or detective:
Preventative: Control mechanism that prevents problems from occurring (for example, system controls that block unauthorized journal entries from being posted)
Detective: Control mechanism that uncovers a problem after it has occurred (for example, periodic review of system access and logon logs)
Controls can be automated or performed manually:
Manual: For example – manual reconciliations, authorized signatures, credit checks and approvals
Automated: For example – three-way match of invoices for payment, batch control totals, field-level edits / validations
Automated controls are supported by computer systems. To ensure that automated controls continue to work properly, general IT controls (security, change management, operations) must be in place.
Preventative controls are generally preferred to detective controls because they stop the error before it enters the records; detective controls are still needed because preventative controls can be bypassed or fail, so the two are used together.
Control Objectives: CAVR
Control characteristics, which can be preventative or detective in nature, performed manually or automated, directly support the control objectives of:
Completeness
Accuracy
Validity
Restricted Access
CAVR - Completeness
Definition: All information is input and processed once and only once. Duplicate postings are rejected by the system. Any transactions that are rejected are addressed and fixed.
Batch totaling - Documents are grouped and a numerical total is calculated (e.g., number of documents, total dollar amount, hash total). The batch total is entered into the system, which recalculates the total and compares it to the total entered.
Computer sequence checking - Set range of tracking numbers on documents, system will not accept duplicate numbers or numbers out of the range, missing numbers are addressed.
Computer matching - Match number on document to listing of acceptable numbers, unmatched numbers are addressed.
One-for-one checking - Comparing each individual document with a report of accepted records, all originating documents must be on hand.
CAVR - Accuracy
Definition: Information (including standing data) is input and processed correctly. Changes to standing data are accurately input.
Batch totaling - Documents are grouped and a numerical total is calculated (e.g., number of documents, total dollar amount, hash total). The batch total is entered into the system, which recalculates the total and compares it to the total entered.
Computer matching - Match number on document to listing of acceptable numbers, unmatched numbers are addressed.
One-for-one checking - Comparing each individual document with a report of accepted records, all originating documents must be on hand.
Programmed edit checks - Tests to make sure that data falls within reasonable limits, tests to make sure that the relationship between data is reasonable, tests to make sure data matches possible data for that field.
Pre-recorded input - Used to update master file data. New data is entered along with the old data. Old data is matched to a master file. If matched, new data overwrites old data. If not matched, reported as an exception.
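The Completeness and Accuracy techniques above (batch control totals, computer sequence checking, duplicate rejection and programmed edit checks) are easiest to see as one input-control routine run over a batch of journal entries. The following is an added example written for this page, not code from the PwC deck or from any client system; the record layout, chart of accounts, open period, amount limit and the sample batch are all constructed assumptions.

```python
"""CAVR input controls over a constructed batch of journal entries.
Added example, not taken from the PwC deck: batch control totals, computer
sequence checking, duplicate rejection and programmed edit checks. The
record layout, chart of accounts, limits and the sample batch are assumptions."""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Line:
    account: str      # GL account number as keyed
    amount: Decimal   # positive = debit, negative = credit

@dataclass(frozen=True)
class Document:
    doc_no: int       # pre-numbered source document
    period: str       # accounting period the entry is dated to
    lines: tuple      # tuple[Line, ...]

CHART = {"1000", "1200", "2000", "4000", "5000"}   # assumed chart of accounts
OPEN_PERIOD = "2004-03"                            # assumed open period
AMOUNT_LIMIT = Decimal("100000.00")                # assumed limit-check threshold

def batch_totals(docs):
    """Totals a clerk keys from the paper batch header: document count, total
    debits, and a hash total of account numbers. The hash total has no
    accounting meaning but changes if any account number is mis-keyed."""
    return {
        "count": len(docs),
        "debits": sum(l.amount for d in docs for l in d.lines if l.amount > 0),
        "hash": sum(int(l.account) for d in docs for l in d.lines if l.account.isdigit()),
    }

def check_batch_totals(docs, header):
    """Completeness/accuracy: every keyed total must equal the recomputed one.
    Returns {total_name: (keyed, recomputed)} for each mismatch."""
    actual = batch_totals(docs)
    return {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}

def check_sequence(docs, first, last):
    """Completeness: each number in the assigned range appears exactly once."""
    seen = [d.doc_no for d in docs]
    return {
        "out_of_range": sorted({n for n in seen if not first <= n <= last}),
        "duplicates": sorted({n for n in seen if seen.count(n) > 1}),
        "missing": sorted(set(range(first, last + 1)) - set(seen)),
    }

def edit_checks(doc):
    """Programmed edit checks on one document: field validation (account in
    chart, period open), limit check, and the debit = credit relationship."""
    reasons = []
    for l in doc.lines:
        if l.account not in CHART:
            reasons.append(f"unknown account {l.account}")
        if abs(l.amount) > AMOUNT_LIMIT:
            reasons.append(f"amount {l.amount} exceeds limit {AMOUNT_LIMIT}")
    if doc.period != OPEN_PERIOD:
        reasons.append(f"period {doc.period} is not open")
    if sum(l.amount for l in doc.lines) != 0:
        reasons.append("debits do not equal credits")
    return reasons

def validate_batch(docs, header, first, last):
    """Run all checks. Rejected documents are listed for follow-up rather than
    silently dropped: an unaddressed rejection is itself a completeness gap."""
    seq = check_sequence(docs, first, last)
    accepted, rejected, posted = [], [], set()
    for d in docs:
        reasons = edit_checks(d)
        if d.doc_no in seq["out_of_range"]:
            reasons.append("document number outside batch range")
        if d.doc_no in posted:
            reasons.append(f"duplicate posting of document {d.doc_no}")
        if reasons:
            rejected.append((d.doc_no, reasons))
        else:
            accepted.append(d.doc_no)
        posted.add(d.doc_no)
    return {"totals": check_batch_totals(docs, header), "sequence": seq,
            "accepted": accepted, "rejected": rejected}

D = Decimal
SAMPLE_BATCH = (   # constructed input: five keyed documents for range 1001-1004
    Document(1001, "2004-03", (Line("1200", D("500.00")), Line("4000", D("-500.00")))),
    Document(1002, "2004-03", (Line("5000", D("250000.00")), Line("2000", D("-250000.00")))),
    Document(1003, "2004-03", (Line("1000", D("75.00")), Line("9999", D("-75.00")))),
    Document(1003, "2004-03", (Line("1000", D("75.00")), Line("2000", D("-75.00")))),  # keyed twice
    Document(1005, "2004-02", (Line("1200", D("100.00")), Line("4000", D("-90.00")))),
)
# Totals the clerk keyed from the four paper documents 1001-1004 (constructed).
SAMPLE_HEADER = {"count": 4, "debits": D("250675.00"), "hash": 19400}

if __name__ == "__main__":
    for k, v in validate_batch(SAMPLE_BATCH, SAMPLE_HEADER, 1001, 1004).items():
        print(k, v)
```

Each check catches a different failure in the sample: the control totals disagree on count, debits and hash total; the sequence check reports 1003 as a duplicate, 1004 as missing and 1005 as out of range; the edit checks reject the over-limit, unknown-account, closed-period and unbalanced documents. Only 1001 is accepted, and every rejection carries a reason so the suspense items can be cleared rather than lost.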
CAVR - Validity
Definition: Transactions and updates are authorized by appropriate personnel. Transactions are supported by valid source documents.
Computer or manual matching – Data is compared against an existing file (standing data, historical data, etc.) Rejected data is held in suspense.
One-for-one checking – Selected manual authorization. Only high risk or unusual transactions would be individually authorized.
CAVR – Restricted Access
Definition: The ability to modify information is restricted to appropriate personnel. Company assets are protected from theft and misuse.
Physical locks and logical access restrictions – Periodic review of users on the system to ensure that users only have access to functions and data relevant to their responsibilities / roles. IT personnel are only granted temporary access to production data as needed, and that temporary access is logged and reviewed. Security over physical assets.
Segregation of duties – Duties are divided so that no one person can both initiate and approve, or record and reconcile, the same transaction, preventing incompatible functions from being combined.
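The Restricted Access techniques above (periodic user access review, limited production access for IT staff, segregation of duties) are usually executed as a script over an access extract from the application. The following is an added example written for this page, not code from the PwC deck or from any client system; the role names, role-to-function mapping, conflict rules, dormancy threshold and the sample extract and termination list are constructed assumptions.

```python
"""Periodic user access review for the Restricted Access control objective.
Added example, not from the PwC deck: flags segregation-of-duties conflicts,
standing production-data access for IT staff, terminated employees whose
accounts are still enabled, and dormant accounts. Role names, the conflict
rules and the sample extract are constructed assumptions."""
from datetime import date

# Application role -> business functions it grants (assumed role design).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"enter_invoice"},
    "AP_SUPERVISOR": {"approve_payment"},
    "VENDOR_MAINT": {"maintain_vendor_master"},
    "GL_POSTER": {"post_journal"},
    "GL_REVIEWER": {"approve_journal"},
    "SYS_ADMIN": {"administer_security", "direct_table_update"},
}

# Pairs of functions one person must never hold together (assumed SoD rules).
CONFLICTS = {
    frozenset({"maintain_vendor_master", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"administer_security", "post_journal"}),
}
PRODUCTION_DATA_FUNCTIONS = {"direct_table_update"}  # standing access IT should not keep
DORMANT_DAYS = 90                                     # assumed dormancy threshold

def functions_for(roles):
    """Expand a user's roles into the set of business functions they can perform."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))

def sod_conflicts(roles):
    """Return each violated conflict rule as a sorted pair of function names."""
    funcs = functions_for(roles)
    return sorted(tuple(sorted(c)) for c in CONFLICTS if c <= funcs)

def review_access(users, terminated, as_of):
    """users: list of dicts {user, dept, roles, last_logon: date | None}.
    terminated: set of user ids from HR. Returns {user: [issue, ...]} for
    every account needing follow-up; clean accounts are omitted."""
    findings = {}
    for u in users:
        issues = [f"SoD conflict: {a} + {b}" for a, b in sod_conflicts(u["roles"])]
        if u["dept"] == "IT" and functions_for(u["roles"]) & PRODUCTION_DATA_FUNCTIONS:
            issues.append("standing production data access for IT user")
        if u["user"] in terminated:
            issues.append("account still enabled for terminated employee")
        last = u["last_logon"]
        if last is None or (as_of - last).days > DORMANT_DAYS:
            issues.append("dormant account")
        if issues:
            findings[u["user"]] = issues
    return findings

SAMPLE_USERS = [   # constructed access extract
    {"user": "jsmith", "dept": "AP", "roles": ["AP_CLERK"], "last_logon": date(2004, 3, 10)},
    {"user": "mlee", "dept": "AP", "roles": ["VENDOR_MAINT", "AP_SUPERVISOR"], "last_logon": date(2004, 3, 12)},
    {"user": "rkim", "dept": "GL", "roles": ["GL_POSTER", "GL_REVIEWER"], "last_logon": date(2003, 11, 1)},
    {"user": "dba1", "dept": "IT", "roles": ["SYS_ADMIN"], "last_logon": date(2004, 3, 14)},
    {"user": "tgone", "dept": "GL", "roles": ["GL_POSTER"], "last_logon": None},
]
SAMPLE_TERMINATED = {"tgone"}   # constructed HR termination list
AS_OF = date(2004, 3, 15)

if __name__ == "__main__":
    for user, issues in review_access(SAMPLE_USERS, SAMPLE_TERMINATED, AS_OF).items():
        print(user, "->", "; ".join(issues))
```

The rules are written against functions rather than role names so that a conflict is detected whichever combination of roles produces it. The review output is the evidence the deck asks for: each flagged account either gets a role removed or a documented compensating control (for example, a supervisor's review of vendor changes against payments) before the next review cycle.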
Types of Controls
There are four basic types of controls:
Application Controls
Business Performance Reviews
General Computer Controls
Monitoring of Controls
Application and Business Performance Review Controls: Defined
Application Controls
Transaction-level control procedures designed to ensure the integrity of transaction processing records
Application controls directly support the four control objectives of completeness, accuracy, validity and restricted access
Can be either manual or automated in nature
Business Performance Review Controls
Regular management activities that are effective in identifying potential misstatements resulting from a lack of, or breakdowns in, application or general IT controls, or problems in the underlying accounting system.
Note: Evidence of these types of controls is not always documented. In order to take credit for a business performance control, it needs to be evidenced.
General IT Controls and Monitoring Controls: Defined
Monitoring Controls
Assessment by appropriate personnel of the design and operation of controls on a suitably timely basis, and the taking of necessary actions (i.e., effectiveness).
Either on an ongoing basis – as most control systems will be structured, or
Through separate evaluations – frequency will depend on the degree and effectiveness of ongoing monitoring.
Examples: control self-assessments, analysis of customer complaint logs, report reviews, control systems assessments
General IT Controls
Information Security: ensure that controls supporting logical and physical security exist and are adequate
Computer Operations: ensure that controls supporting operational performance and Business Continuity / Disaster Recovery planning exist and are adequate
Systems Maintenance: ensure that controls supporting change management procedures for existing systems are adequate
Systems Development: ensure that controls supporting the development and implementation of new systems are adequate
CAVR – Summary of Control Techniques
Each technique and the control objectives it supports:
One-for-One Checking: Completeness, Accuracy, Validity
Batch / Control Totals: Completeness, Accuracy
Computer Sequence Check: Completeness
Computer Matching: Completeness, Accuracy, Validity
Programmed Checks: Accuracy
Physical Locks: Restricted Access
Pre-recorded Input: Accuracy
Financial Statement Assertions
Each control characteristic / activity and its corresponding control objective should be linked to one or more financial statement assertions. There are seven financial statement assertions used in this framework, as outlined below:
Existence or Occurrence
Completeness
Accuracy
Cut-off
Rights and Obligations
Valuation or Allocation
Presentation and Disclosure
Financial Statement Assertions: Defined
Rights and Obligations: Assets are the rights, and liabilities are the obligations, of the entity at a given date.
Completeness: All transactions and other events and circumstances that occurred during a specific period, and should have been recognized in that period, have, in fact, been recorded.
Valuation or Allocation: Asset, liability, revenue and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles. Transactions are mathematically correct and appropriately summarized, and recorded in the entity’s books and records.
Existence or Occurrence: Assets, liabilities and ownership interests exist at a specific date, and recorded transactions represent events that actually occurred during a certain period.
Presentation and Disclosure: Items in the financial statements are properly described, sorted and classified.
Cut-off: All transactions have been recorded in the proper period.
Accuracy: All transactions have been recorded based on correct prices and quantities, and all transactions are accurately computed.
Control Objectives Linked to Financial Statement Assertions
Existence or Occurrence: Most closely connected with the control objective validity, which tells us that there are controls in place to ensure that all transactions are authorized and therefore based on actual events.
Completeness: Connected with the control objective completeness, which ensures that all transactions have been recorded.
Accuracy: Connected with the control objective accuracy, which can help us in gaining comfort over the correct prices (cost), correct quantity and that the transaction is recorded in the correct period. The control objectives completeness and accuracy are often covered by the same controls.
Cut-off: Can be related to control objectives; for example, when controls are in place over the control objectives accuracy and completeness they typically also ensure that transactions are recorded in the correct period.
Rights and Obligations: Connected with the control objective validity, which tells us that there are controls in place to ensure all transactions, such as those that result in an account balance, are authorized and therefore based on actual events.
Valuation or Allocation: Can be affected by controls over accuracy – for example, product/cost calculations recorded in the production/inventory system could also be the basis for valuation of inventory (or automated calculations of obsolescence).
Presentation and Disclosure: Connected with the control objectives completeness and accuracy, which ensure disclosures are properly classified.
How do my Control Objectives link to Financial Statement Assertions at the transaction level?
Example: Application Controls
Point of Focus: Are all shipments of goods referenced to a sales order?
Control: There is a programmed procedure within SAP that will not allow the warehouse to scan an item for shipping that is not on the sales order. An invoice will not be generated for that order until the products on the bill of lading agree to the products on the order.
Verification: Verify SAP configurable controls. Select a sample of invoices and agree them to the sales orders.
Point of Focus: What ensures that all cash receipts are input for processing?
Control: On a daily basis the bank transmits a file of the cash transactions received in the lockbox. This file is uploaded into the A/R system, and a daily reconciliation is performed of cash received per the lockbox file to cash received per the A/R system.
Verification: Review a sample of documented reconciliations throughout the year.
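The lockbox control above, together with the CAVR techniques summarised earlier (batch/control totals, computer sequence check and one-for-one computer matching), as an added worked example that is not part of the PwC material: a Python reconciliation that runs those three techniques over a constructed daily lockbox file and constructed A/R cash postings. The record layout (a header with record count and amount total, detail records with sequence numbers), the field names and all sample values are assumptions made for the example.

```python
"""Added example: batch/control totals, sequence check and one-for-one
computer matching applied to a constructed lockbox file vs. A/R postings."""
from dataclasses import dataclass
from decimal import Decimal

# Constructed bank lockbox transmission. Assumed layout:
#   header  "H,<record count>,<amount total>"
#   detail  "D,<sequence>,<remitter>,<invoice>,<amount>"
# The header says five records totalling 3650.00, but sequence 3 (300.00)
# never arrived, so the batch totals and the sequence check both fire.
LOCKBOX_FILE = """\
H,5,3650.00
D,1,ACME,INV-1001,1200.00
D,2,BETA,INV-1002,850.00
D,4,GAMMA,INV-1004,900.00
D,5,DELTA,INV-1005,400.00
"""

# Constructed A/R cash postings for the same day: (invoice, amount).
AR_POSTINGS = [
    ("INV-1001", Decimal("1200.00")),
    ("INV-1002", Decimal("850.00")),
    ("INV-1004", Decimal("900.00")),
    ("INV-1005", Decimal("450.00")),  # keyed incorrectly: 400.00 was received
    ("INV-1009", Decimal("75.00")),   # posted with no corresponding receipt
]


@dataclass(frozen=True)
class Receipt:
    seq: int
    remitter: str
    invoice: str
    amount: Decimal


def parse_lockbox(text):
    """Parse header and detail records; returns (declared_count, declared_total, receipts)."""
    lines = [line for line in text.splitlines() if line.strip()]
    kind, count, total = lines[0].split(",")
    if kind != "H":
        raise ValueError("missing header record")
    receipts = []
    for line in lines[1:]:
        kind, seq, remitter, invoice, amount = line.split(",")
        if kind != "D":
            raise ValueError(f"unexpected record type {kind!r}")
        receipts.append(Receipt(int(seq), remitter, invoice, Decimal(amount)))
    return int(count), Decimal(total), receipts


def batch_totals(declared_count, declared_total, receipts):
    """Completeness/accuracy: record count and amount total must agree with the header."""
    exceptions = []
    if len(receipts) != declared_count:
        exceptions.append(f"record count {len(receipts)} != header count {declared_count}")
    actual = sum((r.amount for r in receipts), Decimal("0"))
    if actual != declared_total:
        exceptions.append(f"amount total {actual} != header total {declared_total}")
    return exceptions


def sequence_check(receipts):
    """Completeness: report gaps in the detail record sequence numbers."""
    seqs = sorted(r.seq for r in receipts)
    if not seqs:
        return []
    present = set(seqs)
    return [f"missing sequence {s}" for s in range(seqs[0], seqs[-1] + 1) if s not in present]


def one_for_one_match(receipts, postings):
    """Completeness/accuracy/validity: each receipt matches one posting on invoice and amount,
    and every posting is backed by a receipt."""
    exceptions = []
    posted = {inv: amt for inv, amt in postings}
    for r in receipts:
        if r.invoice not in posted:
            exceptions.append(f"{r.invoice}: received {r.amount} but not posted to A/R")
        elif posted[r.invoice] != r.amount:
            exceptions.append(f"{r.invoice}: received {r.amount}, posted {posted[r.invoice]}")
    received = {r.invoice for r in receipts}
    for inv, amt in postings:
        if inv not in received:
            exceptions.append(f"{inv}: posted {amt} with no lockbox receipt")
    return exceptions


def reconcile(text, postings):
    """Run all three techniques; an empty list means the day reconciles."""
    count, total, receipts = parse_lockbox(text)
    return batch_totals(count, total, receipts) + sequence_check(receipts) + one_for_one_match(receipts, postings)


if __name__ == "__main__":
    for e in reconcile(LOCKBOX_FILE, AR_POSTINGS):
        print("EXCEPTION:", e)
```

The constructed data is arranged so that each technique catches something the others would not: the header totals expose the dropped record, the sequence check names which one, and the one-for-one match finds the mis-keyed amount and the posting with no receipt, which no total-level check would see.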
Example: Business Performance Review Controls
Point of Focus: How does management monitor the effectiveness of the A/R reconciliation procedures?
Control: The Accounts Receivable listing per the A/R sub-ledger is reconciled monthly to the General Ledger by the Finance Department. The reconciliations are reviewed monthly by the Controller.
Verification: Review reconciliations for evidence of review by the Controller.
Point of Focus: How does management review unusual nonrecurring journal entries?
Control: A report of all journal entries input to the system is printed prior to posting. This is reviewed and approved by the Controller, who signs and dates the report.
Verification: Review the report of journal entries for sign-off of approval by the Controller.
Example: General IT Controls
Point of Focus: What ensures that program changes are authorized, documented and approved before they are moved into the production environment?
Control: Users complete a new project request form for the requested change, which is then reviewed and signed by the user’s manager. IT management then receives and logs all authorized change requests for tracking. The change is made by the programmer and testing is performed by the user, who signs off approval of the test results. The programmer then updates the systems documentation and completes a transfer to production request form. This is reviewed with the test results by the programmer’s manager. The manager approves the request for the move and sends the form to the Operations group to perform the move. Operations reviews the form for appropriate sign-offs and performs the transfer into production. The system then creates an audit trail of the move.
Verification: Select a sample of changes from the system log and trace to the supporting documents: verify to the production transfer form and the new project request form, and note evidence of approvals.
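The verification step above, carried out in code as an added example that is not part of the PwC material: a Python check that reads a constructed system audit trail of moves to production and traces each move to constructed approval records, testing that the three sign-offs the control describes (new project request approval by the user’s manager, user test sign-off, transfer-to-production approval by the programmer’s manager) are all on file, that each is dated before the move, and that the move was performed by someone other than the programmer, as the control’s hand-off to Operations requires. Field names, change identifiers, user names and timestamps are all assumptions made for the example.

```python
"""Added example: tracing production moves in an audit trail back to the
approvals a program change control requires (constructed data throughout)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed system audit trail of moves to production:
# (change id, moved at, account that performed the move).
PRODUCTION_MOVES = [
    ("CHG-101", "2003-06-10 18:05", "ops.lee"),
    ("CHG-102", "2003-06-11 17:40", "ops.lee"),
    ("CHG-103", "2003-06-12 09:15", "dev.patel"),  # moved by the programmer, not Operations
    ("CHG-104", "2003-06-13 16:00", "ops.kim"),    # no transfer-to-production form on file
]


@dataclass
class ChangeRecord:
    """Constructed supporting documents for one change; field names are assumed."""
    programmer: str
    request_approved_by: str = ""   # user's manager signs the new project request form
    request_approved_at: str = ""
    test_signed_off_by: str = ""    # user signs off the test results
    test_signed_off_at: str = ""
    transfer_approved_by: str = ""  # programmer's manager approves the transfer form
    transfer_approved_at: str = ""


CHANGE_RECORDS = {
    "CHG-101": ChangeRecord("dev.patel", "mgr.ruiz", "2003-06-09 10:00",
                            "user.chen", "2003-06-10 14:00", "mgr.ito", "2003-06-10 15:30"),
    # transfer approval dated after the move itself
    "CHG-102": ChangeRecord("dev.singh", "mgr.ruiz", "2003-06-10 09:00",
                            "user.chen", "2003-06-11 11:00", "mgr.ito", "2003-06-11 18:30"),
    "CHG-103": ChangeRecord("dev.patel", "mgr.ruiz", "2003-06-11 09:00",
                            "user.chen", "2003-06-12 08:00", "mgr.ito", "2003-06-12 08:30"),
    "CHG-104": ChangeRecord("dev.singh", request_approved_by="mgr.ruiz", request_approved_at="2003-06-12 09:00",
                            test_signed_off_by="user.chen", test_signed_off_at="2003-06-13 12:00"),
}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def check_change(change_id, moved_at, moved_by, records):
    """Return the control exceptions for one production move (empty list = passes)."""
    rec = records.get(change_id)
    if rec is None:
        return [f"{change_id}: move in audit trail with no change request on file"]
    issues = []
    moved = _ts(moved_at)
    required = [
        ("new project request approval", rec.request_approved_by, rec.request_approved_at),
        ("user test sign-off", rec.test_signed_off_by, rec.test_signed_off_at),
        ("transfer-to-production approval", rec.transfer_approved_by, rec.transfer_approved_at),
    ]
    for label, who, when in required:
        if not who or not when:
            issues.append(f"{change_id}: missing {label}")
        elif _ts(when) > moved:
            issues.append(f"{change_id}: {label} dated after the move ({when} > {moved_at})")
    # The control hands the move to Operations; the programmer must not move their own change.
    if moved_by == rec.programmer:
        issues.append(f"{change_id}: moved to production by the programmer ({moved_by}) rather than Operations")
    return issues


def check_population(moves, records):
    """Test every move in the audit trail and collect all exceptions."""
    exceptions = []
    for change_id, moved_at, moved_by in moves:
        exceptions.extend(check_change(change_id, moved_at, moved_by, records))
    return exceptions


if __name__ == "__main__":
    for e in check_population(PRODUCTION_MOVES, CHANGE_RECORDS):
        print("EXCEPTION:", e)
```

Starting from the audit trail rather than from the change request log is what makes this a completeness test of the control: a change that was moved without ever being logged shows up as a move with no supporting record, which a sample drawn from the request log alone could never surface.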
Example: Monitoring of Controls
Point of Focus: What ensures that control activities are enforced over time?
Control: Operating personnel are required to "sign off" on the accuracy of their units' financial statements and are held responsible if errors are discovered.
Verification: Select management sign-off forms from various organizational units throughout the period.
Lunch: 12:00 – 12:30
Documentation Package Overview and Timeline
Documentation Package Contents – Overview
There are four components of the Documentation Package that must be populated to comply with the documentation phase of the Sarbanes-Oxley review. These documents are:
Flowcharts
Narratives
Control Matrices
Checklists
Note: “How To” guides on flowcharting, preparing narratives and populating the control matrices have been created and disseminated separately.
Flowcharting: Defined
Definition: A Flowchart is a diagram that uses graphic symbols to depict the nature and flow of steps in a process.
Benefits
Promotes end-to-end process understanding
Provides a high-level training tool
Identifies problem areas and improvement opportunities
Depicts key activities and corresponding control points
Keys to Success
Start by understanding the big picture
Observe the current “as-is” process through review and validation procedures
Document high-level key process steps
Logically arrange the process step sequence and related control points
Recommendations
Eliminate perception: flowchart the current-state process
Depict all key steps in the current-state process, regardless of whether they seem illogical
Highlight “rework” or redundancies in the process
Highlight control points in the process
Process owners should create flowcharts
Flowcharting Symbols
There are many available flowcharting symbols that represent different key steps in the process. Some of the most commonly used symbols are:
Flowcharting: Example
[Flowchart of a collections process. Steps shown: Create aging report from PeopleSoft; Print out past due invoice report from PeopleSoft; Compare invoice report to aging report; Parse and prioritize aging report; Distribute aging report to collectors; Collectors review worklist; Create folder to maintain record of all correspondence. Control points on the chart are marked with letters (a, b, c).]
Heading contents denote pertinent information to ensure coverage across registrants, cycles and FS accounts.
Different symbols reflect various key steps in the process, inputs / outputs, decisions, control points, etc. Using symbols consistently throughout various flowcharts promotes a more thorough understanding of the end-to-end process.
Narratives: Defined with Example
Definition: A Narrative explains each key step in the flowchart in greater detail including key activities, control points, parties involved, etc.
Narrative heading contents mirror flowchart data.
Each step in the narrative directly correlates to a numbered step on the flowchart.
Key control points are defined and explained in further detail later in the narrative.
Process Control Matrix: Defined with Example
Definition: The Process Controls Matrix is based on the COSO framework and links control objectives, risks, and key control activities identified in the process flow and narrative.
Process Control Matrix heading contents mirror flowchart and narrative data.
Control objectives, risks, control activities, inputs / outputs, control type, etc. are detailed on the Process Control Matrix.
Documentation Package: Bad Example
See Handout
Documentation Package: Good Example
See Handout
Communication Plan
What is a Communication Plan?
The communication plan is the key to accurate and timely reporting of project related information
Provides a structured approach to successful communication throughout the project focusing on:
Status Reporting
Observation/Gap Reporting
Outlines detailed steps for reporting project progress (baseline vs. actual)
Provides a description of the automated tools that will be used to facilitate cross-team communications (still in progress).
Client project management is in the process of selecting an automated tool to capture status and gap reporting.
As a “short-term” workaround we have identified manual tools to support the process.
Once an automated tool has been selected, we will provide training to SWAT Team leads under a separate document.
The plan provides the date and times for all scheduled status meetings, identifies the participants, and outlines the agenda
Communication Plan Template
The table below outlines the detailed information for the Project Team Weekly status meeting. These meetings will be held by PwC project and Client project management. The detailed objective of the meeting is highlighted below.
Meeting: Weekly Project Status Meetings
Time: Friday afternoon, Eastern Standard Time (EST)
Objective: Communicate progress, plans and actions of the project to the team
Agenda:
Project Overview and Status
Progress for reporting period
Deliverables/Activities Not Achieved for reporting period and reasons
Key Project Mgmt items
Actions/Decisions Required
Participants/Stakeholders:
Frequency: Weekly, Project Management Bridge: TBD
Writer of Minutes: Project Management
Distribution List: See participant list
Authority Responsible for follow-up actions: Project Management
Status Reports
Status Reporting
Each SWAT team is responsible for reporting its team’s progress in an accurate and timely manner.
Individual SWAT teams will be responsible for developing their detailed project plan, which will be used as the baseline to measure progress as the project moves forward.
SWAT team status reports will need to be submitted each Thursday by 6:00 p.m. EST to the PwC Program Management Office.
SWAT team leads will hold a conference call on Fridays at 10:00 a.m. EST to discuss status reports with the PwC PMO.
The consolidated report will be presented to Client project management each Friday afternoon, EST.
Status Report Template: SWAT Teams
SWAT Team Status Meeting
The table below outlines the detailed information for the weekly SWAT Team meeting. These meetings will be held by the SWAT Team lead and their individual team members. The detailed objective of the meeting is highlighted below.
Meeting: Workstream Status Meetings
Objective: Communicate progress, plans and actions to workstream team members
Agenda:
SWAT Team Overview and Status
Progress for reporting period
Deliverables/Activities Not Achieved for reporting period and reasons
Key Project Mgmt items
Actions/Decisions Required
Participants: SWAT Team Members
Frequency: As determined by team lead (at a minimum weekly, but must be before Thursday at 6:00 pm in order to submit the status report to the PMO)
Writer of Minutes: Determined by the team
Distribution List: Project Management
Authority Responsible for follow-up action: Determined by the team
Status Reporting Template: SWAT Teams
Graphically represents SWAT progress against plan
Details overall Project Management progress – Completed by Project Management
Details overall Project Management issues – Completed by Project Management
Identifies individual SWAT team progress against plan
Identifies individual SWAT team issues
This identifies the actionable items that arise during status meetings.
The above sample status report will be completed by the individual teams and “rolled up” into an overall project status report that will be reported to Client X project management.
The outstanding issues on these status reports are project management related.
Observation Tracking
The accurate tracking of observations/gaps is critical to the successful completion of the project; it provides the mechanism for project management to resolve observations/gaps.
Observations should be documented as they are identified; where possible, an observation/gap owner should be identified.
This person will ensure the observation is properly resolved prior to the due date.
How do I know if an observation is really a gap?
An observation is a gap when a control is not effectively designed to meet a defined control objective.
Each observation should be reported during the weekly status meetings to ensure the appropriate level of visibility has been given.
Once an observation/gap has been closed, it will remain on the tracking document to ensure a complete audit trail exists.
Observation Tracking Template
Legend:
Date: Date observation was identified
SWAT Team Name: SWAT team that identified the observation
Observation Author: SWAT Team member that identified the observation
Observation Owner: Person responsible for the resolution of the observation
Classification (slide 61a) –
A-Process and documentation
B-Process and partial documentation
C-Process and no documentation
D-No Process
Template columns: Date; SWAT Team Name; Observation Author; Observation Owner; Classification; Observation Description; Observation Resolution; Impact
Breakout Session & Case Studies: 2:00 – 5:00
Materiality, Process Identification and SWAT Team Tasks
See Handouts
Next Steps
See Handouts
SWAT Team Contacts
SWAT Team Contact Information
See Handout
Karen
Second bullet and sub-bullets are not part of law but logical assumptions based on what needs to be done
Emphasize that this is where Tom’s team will likely be most involved
Karen
PricewaterhouseCoopers has developed this “iterative process” action plan that provides guidance for how companies can tackle the challenge of developing a process to support the new quarterly and annual controls certifications under Sarbanes-Oxley.
Karen
They are probably at 2 to 3 in most areas
The Internal Controls Maturity Framework can be applied to an entire company, a single business unit of a company, a department, a function, or a process. There is flexibility in how it can be used.
In the context of certification requirements:
Many businesses are in the informal state because controls may exist but have not been sufficiently documented.
Even though a company has an internal audit department, they may still be at the “Informal” stage if controls have not been sufficiently documented.
To be ready for an auditor attest (under Section 404), companies should be between Levels 3 and 4. Ideally, at Level 4.
If companies are at the highest Level, #5, then it is likely that they could submit a sufficient certification at any time during the year. They typically have a sophisticated, integrated real-time system of assuring changing risks and monitoring controls year-round.
Missing assertions are Rights & Obligations and Presentation & Disclosure