CAIB PRE-CONFERENCE TRAINING Audit Committees: Making Corporate Governance work in the Caribbean June 21, 2007 Risk Advisory Services



Page 1: Risk Advisory Services

CAIB PRE-CONFERENCE TRAINING

Audit Committees: Making Corporate Governance work in the Caribbean

June 21, 2007

Risk Advisory Services

Page 2: Risk Advisory Services

© 2006 KPMG Barbados, a Barbados partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Barbados.

Program Agenda

Introduction

Background

Perspective;

Objectives of Sarbanes-Oxley Act;

Management’s Responsibilities;

Key SOX provisions relating to Audit Committees;

Impact of SOX on the Caribbean.

Page 3: Risk Advisory Services


Program Agenda

What is SOX?

COSO Internal Control Framework – A Summary of Components

• A brief discussion on SOX testing procedures;

• Sample sizes and control frequency;

• Evaluating test results and control deficiencies;

• Deficiency Assessment.

Page 4: Risk Advisory Services

Welcome and Introductions

Page 5: Risk Advisory Services


Program Objectives

• Discuss briefly the background and framework of Sarbanes-Oxley Act’s 404 (SOX) requirements.

• Impact of SOX on Caribbean Financial Institutions.

• SOX testing procedures.

• A SOX approach to Internal Controls as a Fraud Management tool.

Page 6: Risk Advisory Services

Background

Page 7: Risk Advisory Services


Perspective

• Enron – shock!

• WorldCom – action!

• Ahold, Parmalat, Hollinger

• Nortel, Shell

• Restore investor confidence

• Increased transparency

These may have been the catalyst, but investors are demanding a higher standard of care. Markets have reacted to restore investor confidence.

Page 8: Risk Advisory Services


Objectives of the Sarbanes-Oxley Act

• Increase the accountability of management of public companies;

• Improve Corporate Governance;

• Increase the oversight of public accounting firms;

• Restore investor confidence in the capital markets.

Page 9: Risk Advisory Services


Management’s Responsibilities under SOX

• Accept responsibility for the effectiveness of the Company’s internal control over financial reporting.

• Evaluate the effectiveness of internal control over financial reporting using suitable control criteria.

• Support its evaluation with sufficient evidence, including documentation and appropriate evidence of existence and effectiveness of internal controls.

Page 10: Risk Advisory Services


Management’s Responsibilities under SOX

• Present a written assessment about the effectiveness of internal control over financial reporting as of the end of the Company’s most recent fiscal year.

Page 11: Risk Advisory Services


Key SOX Provisions Relating to Audit Committees

The Sarbanes-Oxley Act requires Audit Committees to adhere to the following provisions:

• Each member of the Audit Committee must be independent.

• At least one of the members must be a “Financial Expert”.

• Directly responsible for the appointment, compensation and oversight of the public accounting firm.

Page 12: Risk Advisory Services


Key SOX Provisions Relating to Audit Committees (Cont’d)

• All auditing and non-auditing services must be pre-approved by the committee.

• Establish procedures for handling complaints (whistleblower protection).

• Discuss with the auditor prior to issuing the audited financial statements:

- Critical accounting policies and alternative treatments

- Management letter, waived adjustments and material written communications

• Have authority to engage independent counsel and other advisors.

Page 13: Risk Advisory Services


Impact of SOX on the Caribbean

Over the last 3 years global companies have had to come to grips with the implementation and reporting requirements of Sections 302 and 404 of the US Sarbanes-Oxley Act – SOX 302 and 404. The SOX Act spells out the various roles of management, the audit committee, and the external auditors.

As a result, the SOX Act has also influenced Corporate Governance regionally. While the Act does not govern regional companies, many large global companies have set up teams to ensure that even their regional subsidiaries are SOX 404 compliant.

Page 14: Risk Advisory Services


Impact of SOX on the Caribbean (Cont’d)

Though Sarbanes-Oxley is U.S. legislation and is only required of companies quoted on U.S. stock exchanges, there are several benefits for regional organizations in adopting a SOX-like strategy, as follows:

• Assists Directors in administering their Corporate Governance responsibilities;

• Developing Internal Controls that facilitate a robust internal fraud management strategy;

• Acts as another way of making local Financial Institutions more attractive to foreign investors;

Page 15: Risk Advisory Services


Impact of SOX on the Caribbean (Cont’d)

• Creates an environment that makes it easier for regional Financial Institutions to adopt new legislation, e.g. Anti-Money Laundering;

• Facilitates the development of an Enterprise Risk Management Strategy.

Page 16: Risk Advisory Services

What is SOX?

Page 17: Risk Advisory Services


COSO* Internal Control Framework A Summary of the Components

Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people.

Control Activities – These policies and procedures help ensure management directives are carried out.

Information and Communication – Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components.

Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the systems’ performance over time.

Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level.

The COSO framework is a model against which the components of internal control within an organization can be measured and evaluated. This report is representative of one of the ways management applies its assessment of risk at the entity level. This assessment is in line with the risk categories of COSO across the top of the cube (Operations, Financial Reporting, and Compliance). See page 11 for a definition of internal control.

*Committee of Sponsoring Organizations of the Treadway Commission

Page 18: Risk Advisory Services


COSO* Internal Control Framework A Summary of the Components

*Committee of Sponsoring Organizations of the Treadway Commission

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

Financial Reporting

- The absence of a key financial control causes a material error in the financial statements, including the footnotes

Compliance with Laws and Regulations

- Company is in violation of applicable regulatory requirements

Efficiency and Effectiveness of Operations

- Company does not meet strategic objectives

- The process does not operate efficiently

- Customers are not satisfied with services received

Page 19: Risk Advisory Services

A brief discussion on SOX testing procedures

Page 20: Risk Advisory Services


Sample Sizes and Control Frequency

Determine the extent of tests of controls

[Diagram: test extent by nature of control and frequency of performance]

Manual control, frequency of performance                    Test extent*
  Annually                                                    1
  Quarterly                                                   2
  Monthly                                                     3
  Weekly                                                      10
  Many times per day, daily, or performed frequently
  but less than daily                                         25

Application control (programmed)                            Test extent*
  General Controls are effective                              1
  General Controls are ineffective                            25

* Larger sample sizes may be appropriate when:

• Deviations from designed controls are expected

• Likelihood of errors or override is considered other than low

• The control is “primary” or the only control related to a significant account

• Control is applied by a number of different personnel at various locations

Page 21: Risk Advisory Services


Sample Sizes and Control Frequency

Sample Testing Guidance

Nature of Control and Frequency of Performance               Minimum Number of Items to Test (Extent of Test of Controls)
Manual control, performed many times per day                 At least 25
Manual control, performed daily                              At least 25
Manual control, performed frequently but less than daily     25% of the number of occurrences or at least 25
Manual control, performed weekly                             At least 10
Manual control, performed monthly                            At least 3
Manual control, performed quarterly                          At least 2
Manual control, performed annually                           Test annually
Automated control                                            Test one application of each programmed control for each type of transaction if supported by effective IT general controls (that have been tested); otherwise test at least 25
IT general controls                                          Follow guidance above for manual and programmed aspects of IT general controls

Page 22: Risk Advisory Services


Evaluating the Testing Results

[Flowchart: Evaluate the Testing Results]

Select key controls; evaluate the design effectiveness of each control; then test it. Two outcomes:

• Control operates effectively.

• Control deficiencies / exceptions were found, in which case extend test extents**:

- No additional exceptions noted.

- Additional exceptions noted: address the deficiency; amend the decision to rely on the control and consider another control.

** If after evaluating the exception it is determined to be isolated, consider expanding the sample size (for example, by an additional 10 tests for each exception).
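The sample-size table and the evaluation flow above are easy to misapply under time pressure (the 25%-or-25 rule, the ITGC dependency for automated controls, and what happens after an isolated exception). The following planner is an added worked example, not code from the deck or from KPMG; it encodes the deck's numbers (25 / 10 / 3 / 2 / once a year, 25% or at least 25, one application per transaction type when tested ITGCs are effective, a further 10 items per isolated exception) and walks the evaluation flow over successive rounds of testing. The Frequency enum, function names, TestResult and Decision classes, and the sample scenario are constructed here for illustration.

```python
"""Added worked example (not code from the KPMG deck): a planner for the
'Sample Testing Guidance' table and the 'Evaluate the Testing Results' flow.
Names and the sample scenario are constructed; the numbers are the deck's."""
from __future__ import annotations

import math
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Frequency(Enum):
    MANY_PER_DAY = "many times per day"
    DAILY = "daily"
    FREQUENT_LT_DAILY = "frequently but less than daily"
    WEEKLY = "weekly"
    MONTHLY = "monthly"
    QUARTERLY = "quarterly"
    ANNUALLY = "annually"


# Minimum items to test for a manual control, per the deck's table
# ("Test annually" is taken as one occurrence per year).
MANUAL_MINIMUMS = {
    Frequency.MANY_PER_DAY: 25,
    Frequency.DAILY: 25,
    Frequency.WEEKLY: 10,
    Frequency.MONTHLY: 3,
    Frequency.QUARTERLY: 2,
    Frequency.ANNUALLY: 1,
}

# Deck footnote: "an additional 10 tests for each exception".
EXTENSION_PER_EXCEPTION = 10


def manual_sample_size(freq: Frequency, occurrences: Optional[int] = None) -> int:
    """Minimum items to test for a manual control of the given frequency.

    `occurrences` is how often the control ran in the period; it is required
    for 'frequently but less than daily' (25% of occurrences or at least 25).
    Capping at the population is an assumption added here: you cannot test
    more items than exist."""
    if freq is Frequency.FREQUENT_LT_DAILY:
        if occurrences is None:
            raise ValueError("population size is needed for 'frequently but less than daily'")
        return min(occurrences, max(25, math.ceil(0.25 * occurrences)))
    minimum = MANUAL_MINIMUMS[freq]
    return minimum if occurrences is None else min(minimum, occurrences)


def automated_sample_size(itgc_effective: bool, transaction_types: int = 1) -> int:
    """Programmed control: one application per transaction type when the
    supporting IT general controls were tested and effective, else at least 25."""
    return transaction_types if itgc_effective else 25


@dataclass
class TestResult:
    items_tested: int
    exceptions: int
    isolated: bool = True  # tester's judgement after evaluating the exception(s)


@dataclass
class Decision:
    rely: Optional[bool]      # True = rely, False = do not rely, None = not yet concluded
    items_tested: int
    pending_extension: int    # further items to test before concluding
    reason: str


def evaluate(rounds: List[TestResult]) -> Decision:
    """Walk the deck's flow: round 0 is the planned extent; an isolated
    exception there calls for +10 items per exception; any exception in the
    extension (or a non-isolated one) means 'address deficiency' and
    'amend decision to rely on control and consider another control'."""
    tested, pending = 0, 0
    for i, r in enumerate(rounds):
        tested += r.items_tested
        if r.exceptions == 0:
            reason = "control operates effectively" if i == 0 else "no additional exceptions after extension"
            return Decision(True, tested, 0, reason)
        if i > 0:
            return Decision(False, tested, 0, "additional exceptions noted: address deficiency, consider another control")
        if not r.isolated:
            return Decision(False, tested, 0, "exception not isolated: address deficiency, consider another control")
        pending = EXTENSION_PER_EXCEPTION * r.exceptions
    if not rounds:
        return Decision(None, 0, 0, "no testing performed")
    return Decision(None, tested, pending, f"isolated exception(s): extend test extent by {pending} items")


if __name__ == "__main__":
    # Constructed scenario: a weekly manual reconciliation and an automated
    # control over three transaction types with effective, tested ITGCs.
    print("weekly manual control, planned extent:", manual_sample_size(Frequency.WEEKLY))
    print("automated control, planned extent:", automated_sample_size(True, transaction_types=3))
    print(evaluate([TestResult(25, 1, isolated=True), TestResult(10, 0)]))
```

The `isolated` flag is deliberately a human input rather than something the code infers: the deck makes the extension conditional on the tester's evaluation of the exception, and a planner that silently assumed isolation would turn every exception into a pass after ten more items.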

Page 23: Risk Advisory Services


Assessment of Control Deficiencies

3 levels:

Inconsequential;

Significant Deficiency;

Material Weakness.

Page 24: Risk Advisory Services


Control Deficiencies

Significant Deficiency

• A control deficiency that adversely affects the Company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP.

• Could be a single deficiency or a combination of deficiencies that results in more than a remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential will not be prevented or detected.

Page 25: Risk Advisory Services


Control Deficiencies

Material Weakness

• A significant deficiency, or a combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected;

• Material Weakness = Adverse Opinion;

• “Remote”: the chance of the future event or events occurring is slight.

Page 26: Risk Advisory Services


Evaluating Significant Deficiencies

• Must evaluate all identified deficiencies in internal control over financial reporting for significance based on:

- Likelihood that a deficiency, or combination of deficiencies, could result in a misstatement of an account balance or disclosure.

- Magnitude of the potential misstatement resulting from the deficiency or deficiencies.

• Evaluation of significance includes both quantitative and qualitative factors.

• Maintain a log of all deficiencies:

- Requires aggregation – all locations reporting.

Page 27: Risk Advisory Services

A brief overview of Internal Control as a Fraud Management tool

Page 28: Risk Advisory Services


Accountability and Control Red Flags

• Lack of separation of duties;

• Lack of physical security and/or key control;

• Weak links in chain of controls and accountability;

• Missing independent checks on performance;

• Lax management style;

• Poor system design;

• Inadequate training.

Page 29: Risk Advisory Services


How to Minimize Fraud Risk

• Adhere to policies/procedures (especially documentation and authorization);

• Ensure physical security over assets;

• Provide proper training to employees;

• Independently review and monitor tasks;

• Provide for segregation of duties;

• Establish clear line of authority;

• Rotate duties in positions susceptible to fraud;

• Ensure employees take regular vacations;

• Schedule regular independent audits of areas susceptible to fraud;

• Ensure background check for employees handling financial transactions;

Page 30: Risk Advisory Services


How to Minimize Fraud Risk

• Make sure internal controls are being followed;

• Review, Review, Review!

• Ask for documentation;

• Ensure that one person does not have total responsibility for a process;

• Evaluate performance regularly;

• Report suspicious activity.

Page 31: Risk Advisory Services

Thank You

Page 32: Risk Advisory Services


Contacts

Frederick Bernard

KPMG Barbados

Phone: 1-246-427-5230

Mobile: 1-246-233-2883

Email: [email protected]

Michael Edghill

KPMG Barbados

Phone: 1-246-427-5230

Mobile: 1-246-231-1111

Email: [email protected]

Rendra Gopee

KPMG Barbados

Phone: 1-246-427-5230

Mobile: 1-246-233-5165

Email: [email protected]

Frank Myers

KPMG St. Lucia

Phone: 1-758-4531471

Email: [email protected]