CAACM Pre-conference Training Audit Committee Fundamentals – Internal Controls 23 June 2008


CAACM Pre-conference Training Audit Committee Fundamentals – Internal Controls

23 June 2008

Page 2

Objectives

► The Role and Importance of Internal Audit

► Structuring the Internal Controls Framework

► The impact of Sarbanes Oxley (SOX) on Internal Controls Efficiency

Page 3

The Role and Importance of Internal Audit

► Corporate Governance history

► Role of SOX in furthering Corporate Governance responsibility

► Management’s responsibilities under SOX

► Audit Committee responsibilities under SOX

► The role of Internal Audit

Page 4

Corporate Governance History

► SEC Acts of 1933 and 1934

► Created SEC and concept of “GAAP” in response to crash of 1929

► Affected all existing public companies and IPOs

► Addressed impacts of management malfeasance on creditors, citizens and the economy

► Foreign Corrupt Practices Act, etc. in the late ’70s

► Required management to develop and maintain internal controls over systems

► Required maintenance of records to reflect activity of corporate assets

Page 5

Corporate Governance History

► Committee of Sponsoring Organizations (COSO) and Blue-Ribbon Panel on Audit Committee Effectiveness in the ’80s and ’90s

► Provided practical, broadly accepted criteria for establishing internal controls and evaluating effectiveness

► Improve the effectiveness of Corporate Audit Committees

► Sarbanes Oxley Act of 2002

Page 6

Corporate Governance in the U.K.

► January 2003: Higgs report on the role of Non-Executive Directors and the Smith report on Audit Committees.

► July 2003: The Financial Reporting Council subsequently reissued the revised Combined Code. This document includes the Code itself and related guidance comprising the following:

► Turnbull – Guidance on Internal Control

► Smith – Guidance on Audit Committees

► Higgs Report – Suggestions for good practice

► NB: UK listed companies are required to make a statement on corporate governance in their annual accounts – Statement of Compliance with the provisions of the Combined Code

Page 7

Sarbanes-Oxley Act of 2002

► Addresses Structural Weaknesses Affecting Capital Markets

► Misstatements in financial statements

► Enron, WorldCom, Global Crossing, Parmalat, etc.

► Failure of officers and auditors to identify and address weaknesses

► Failure of stock analysts to detect and advise investors accordingly

Page 8

Objectives of the Sarbanes-Oxley Act

► Increase the accountability of management of public companies

► Improve Corporate Governance

► Increase the oversight of public accounting firms

► Restore investor confidence in the capital markets

Page 9

Sarbanes-Oxley Act of 2002

► Efforts to Restore Investor Confidence by enhancing Corporate Governance

► Exerted pressure on corporate officers to report accurately (302, 404)

► Addressed Audit Committee independence and elimination of conflicts of interest

► Established the Public Company Accounting Oversight Board

► Required companies to publish more, sooner (10-Q, 10-K deadlines, 8-K filings)

► Installed penalty driven fraud and accountability controls

Page 10

Sarbanes-Oxley Act of 2002

► PCAOB Standards Issued to date:

► Auditing Standard No. 1 – References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board

► Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

► Auditing Standard No. 3 – Audit Documentation

► Auditing Standard No. 4

► Auditing Standard No. 5 – An Audit of Internal Controls Over Financial Reporting that is integrated with an audit of Financial Statements (supersedes Auditing Standard No. 2)

Page 11

404 Summary…

► Area of Impact and Provision

Page 12

In Summary…Key Provisions of SOX 2002

Area of Impact: Oversight of the Accounting Profession (Sections 101 & 102)

Provisions: Formed the PCAOB to establish standards for auditing, QC, ethics and independence for auditors of public companies, who must register with the Board

Page 13

Key Provisions of SOX 2002

Area of Impact: Accounting Committee Responsibilities

Provisions: Act requires all listed companies to have fully independent Audit Committees.

Responsibilities include:

► Oversight of Auditors

► Independence

► Pre-approval of services

► Procedures – resolve control issues

Page 14

Key Provisions of SOX 2002

Area of Impact: Executive Management Certification

Provisions: CEO and CFO must certify with quarterly and annual report that:

► Designed controls to ensure material information is known

► Disclosed to the Audit Committee and Auditors deficiencies & fraud

► Financial statements are fair in material respects

Page 15

Key Provisions of SOX 2002

Area of Impact: Auditor Independence

Provisions: Act moved to eliminate impairment of independence.

Prohibits 9 categories of service to public audit clients:

1. Book-keeping or services related to accounting records

2. FIS implementation

3. Appraisal or valuation services

Page 16

Key Provisions of SOX 2002

Area of Impact: Auditor Independence (cont’d)

Provisions:

4. Actuarial Services

5. Internal Audit Outsourcing

6. Legal services

7. Management functions or human resources

8. Broker or Dealer, investment advisor or investment banking

9. Any other service that Board determines is not permissible

Page 17

Key Provisions of SOX 2002

Area of Impact: Internal Control Reporting

Provisions: Act requires annual management report and auditor attestation on effectiveness of internal controls structure and procedures for financial reporting

Page 18

Management’s Responsibilities under SOX

► Accept responsibility for the effectiveness of the Company’s internal control over financial reporting

► Evaluate the effectiveness of internal control over financial reporting using suitable control criteria

► Support its evaluation with sufficient evidence, including documentation and appropriate evidence of existence and effectiveness of internal controls

► Present a written assessment about the effectiveness of internal control over financial reporting as of the end of the Company’s most recent fiscal year

Page 19

Key SOX Provisions Relating to Audit Committees

► The Sarbanes-Oxley Act has required Audit Committees to adhere to certain provisions as follows:

► Each member of the Audit Committee must be independent

► At least one of the members must be a “Financial Expert”

► Directly responsible for appointment, compensation and oversight of the public accounting firm

► All auditing and non-auditing services must be pre-approved by committee.

Page 20

Key SOX Provisions Relating to Audit Committees (cont’d)

► Establish procedures for handling complaints (whistleblower protection)

► Discuss with auditor prior to issuing audited financial statement:

► Critical accounting policies and alternative treatments

► Management letter, waived adjustments and material written communications

► Have authority to engage independent counsel and other advisors.

Page 21

The role of internal audit

► The role of internal audit can be broken down into the following broad categories:

► Improvement of internal controls under the following categories:

► Effectiveness and efficiency of operations

► Reliability of financial reporting

► Compliance with laws and regulations

► Monitor and evaluate the effectiveness of the organisation’s risk management process

► Support the Audit Committee of the Board of Directors in effectively executing its Corporate Governance Responsibility

Page 22

Structuring the Internal Control Framework

► A good internal control framework is based on internationally developed frameworks as identified in the earlier discussion regarding “Corporate Governance History”

► The framework clearly identifies what are controls

► Addresses the monitoring and evaluation of controls at the Entity level and the Transaction or Process level

Page 23

Other Suitable Frameworks:

• Guidance on Assessing Controls – Canadian Institute of Chartered Accountants

• Turnbull Report – Institute of Chartered Accountants in England and Wales

Understand the Definition of Internal Control (Phase 1)

Page 24

Understand the Definition of Internal Control

COSO

► The “Committee of Sponsoring Organizations”

► Organized in 1992 to study internal control and define a common framework for internal control

► Resulted in report titled “Internal Controls—an Integrated Framework”

Internal Control (as defined by COSO)

► A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

► Reliability of financial reporting

► Effectiveness and efficiency of operations

► Compliance with applicable laws and regulations

Page 25

Understand the Definition of Internal Control (cont’d)

Internal controls over financial reporting (objectives)

► To ensure that companies have processes designed to provide reasonable assurance that:

► The company’s transactions are properly authorized

► The company’s assets are safeguarded against unauthorized or improper use

Page 26

Evaluate Internal Control at the Entity Level

Entity-level controls have a pervasive effect on the organization. Evaluation includes a consideration of factors in each of the five components of internal control that can have a pervasive effect on the risk of errors or fraud:

► Control Environment

► Risk Assessment

► Monitoring

► Information and Communication

► Control Activities

Entity Level

Transaction/ Process Level

Page 27

Evaluate Internal Control at the Entity Level

Control Environment

► Integrity, ethical values, and behaviour of key executives

► Management’s control consciousness and operating styles

► Management’s commitment to competence

► Board of Directors’ and/or Audit Committee participation in governance and oversight

► Organizational structure and assignment of authority and responsibility

► Human resource policies and procedures

Page 28

Evaluate Internal Control at the Entity Level

Risk Assessment

► Entity level objectives established and communicated

► Mechanisms are in place to anticipate, identify, and react to changes

► Established processes to:

► Identify significant changes in GAAP

► Identify changes in the business practices that may affect the method or the process of recording a transaction

► Identify significant changes in internal controls or operating environment

Page 29

Understand and Evaluate Internal Controls at the Transaction or Process Level

► Provides a good deal of the evidence management will need to support its overall assessment of the effectiveness of internal control over financial reporting.

► Management will need to consider controls, including information technology (IT) controls, that serve to prevent or detect errors of importance relating to each significant account.

Page 30

Understand and Evaluate Internal Controls at the Transaction or Process Level

[Diagram: 2003 Financial Statements; Significant Accounts; Management Assertions; Significant Processes; Inherent and Key Business Risks; What Can Go Wrong?; Controls; Evaluate/Monitor; Management Report on Internal Control; Financial Implications; Process Implications; Phase 5]

Accounts Selected Based Upon:

• Errors of importance*

• Size and composition

• Susceptibility to manipulation or loss

• High transaction volume

• Transaction complexity

• Subjectivity in determining account balance

• Nature of the account

Financial Statement Assertions:

• Existence (B/S) or Occurrence (I/S)

• Completeness

• Valuation (B/S) or Measurement (I/S)

• Rights and Obligations (B/S)

Types:

• Flows of transactions

• Routine

• Non-Routine

• Estimation

• IT processes

• Business processes

• Financial Statement Close Process (Presentation and Disclosure assertion)

For Each Assertion Ask:

• Where are the points in the flow of transactions where errors can occur?

• Example: Accounts: Cash or Payables. Process: Disbursements. Assertion: Valuation. What are the manual and programmed procedures to ensure that the amount of a check or transfer agrees with the amount approved for payment?

Factors in Evaluation:

• Competence, integrity of personnel performing control; degree of supervision; extent of employee turnover

• Potential for mgmt override

• Lack of segregation of duties, including within computer applications

• Effect of changes in controls

• Other specific risks

Detect: Monitors for errors

Prevent: Prevents an error

Who Performs?

Programmed Control?

• Identify processing system

Page 31

Evaluate Internal Control at the Entity Level

Identify Significant Accounts (Inventory, Fixed Assets)

► Size and composition of the account, including its susceptibility to loss or fraud

► Volume of activity and the size, complexity and homogeneity of the individual transactions processed through the account

► Subjectivity in determining the account balance (i.e., the extent to which the account is affected by judgments)

► Nature of the account (e.g., suspense accounts generally warrant greater attention)

► Accounting and reporting complexities associated with the account

► Existence of related party transactions

Page 32

Understand and Evaluate Internal Controls at the Transaction or Process Level

Identify the Major Classes of Transactions and Related Processes that Influence the Significant Accounts

► Document how the major classes of transactions are initiated, recorded, authorised, processed, and reported

► Categorize the processes using three transaction types: routine, non-routine, and estimation

Page 33

Understand and Evaluate Internal Controls at the Transaction or Process Level

Ask “What Can Go Wrong” Questions

► Considers the relevant financial statement assertions for the significant accounts

► Existence, Occurrence, Valuation or Measurement, Completeness, Rights and Obligations and Presentation and Disclosure

► Identifying the points within the flow of transactions where there can be failures to achieve the financial reporting objectives (i.e., the points where errors can occur that can result in inaccurate assertions in the financial statements)

Page 34

Understand and Evaluate Internal Controls at the Transaction or Process Level

Page 35

Identify Controls

► The objective is to identify the controls that provide reasonable assurance that errors relating to each of the relevant financial statement assertions are prevented, or that any errors that occur during processing are detected and corrected.

► Identify controls related to the initiation, recording, processing, and reporting of transactions.

Understand and Evaluate Internal Controls at the Transaction or Process Level

Page 36

Types of Controls

Understand and Evaluate Internal Controls at the Transaction or Process Level

Page 37

Understand and Evaluate Internal Controls at the Transaction or Process Level

Perform Walk-Throughs to Confirm Understanding of Process and Controls

► Project teams walk through each process, from the point at which the major classes of transactions are initiated to the end of the recording process, to confirm:

► the understanding of the processing procedures

► the correctness of the information obtained about the relevant prevent and/or detect controls in the process

► that these controls have, in fact, been placed in operation

Page 38

Understand and Evaluate Internal Controls at the Transaction or Process Level

Page 39

The Impact of SOX on Internal Controls Efficiencies

Page 40

The impact of SOX on Internal Control Efficiencies

Most negative feedback from filers under AS 2 as follows:

► Burdensome, often times duplicated efforts

► Costly

Page 41

Overview of AS 5

New Auditing Standard:

► An Audit of Internal Control Over Financial Reporting That is Integrated With an Audit of Financial Statements (supersedes PCAOB Auditing Standard No. 2)

Rule 3525 – Audit Committee Pre-Approval of Non-Audit Services related to internal controls

Conforming Amendments to PCAOB Auditing Standards

Page 42

Overview of AS 5 (cont’d)

Focus on the matters most important to internal control

► Top-down approach

► Risk based approach

Eliminate unnecessary procedures

► Remove requirement to evaluate management’s assessment process

► Permit consideration of knowledge obtained during prior year audits

► Refocus multi-location testing requirements on risks

► Remove barriers to using the work of others

Scale the audit for smaller, less complex companies

Simplify the requirements

► Less prescriptive

► More sequential audit flow

Page 43

Summary

► The role of the internal auditor is more demanding than ever from an operational, risk management, reporting and compliance standpoint

► Fulfilling the roles requires specialised skills and tools as well as ongoing collaboration among all stakeholders

Page 44

Presenter

Frederick Bernard

Senior Manager, Risk Advisory Services

Ernst & Young

5/7 Sweet Briar Road, St. Clair, Port of Spain, Trinidad, WI

Phone: 1-868-628-1105 ext 5020

Mobile: 1-868-722-2375

Email: [email protected]