8/14/2009

ICFR for Non-Accelerated Filers: Streamlining SOX While Creating Organizational Value
August 2009

Welcome to Ac’sense 2009 ICFR for Non-Accelerated Filers: Streamlining SOX While Creating Organizational Value

The presentation will begin shortly.
To receive credit, please ensure you are logged on and responsive to all polling/review questions for the entire program.

For technical difficulties, please contact Learn Live Customer Support at:
(888) 228-4188 or BDOonline_support@learnlivetech.com

Reminders
In order to receive participation credit, you must:
• Be appropriately registered for Webcast #10371 within the BDO Online CPE Network
• Be logged in for the entire webcast
• Be responsive to all polling/review questions

Q&A Feature
• Technical questions may be submitted via the Q&A Feature on your screen. Time permitting, presenters will respond to these at the end of the session.
• Please submit as much information as possible (e.g., slide number reference, presenter, etc.).
• Submit Technological Support Issues to LiveChat under the “Support” tab.

Agenda
• Sarbanes-Oxley Key Sections
• SEC Control Guidance
• Lessons Learned and Approach for Management
• Financial Statement Risk Assessment
• Evaluation of Entity-Level Controls
• Transaction–Level Controls and Testing

Sarbanes-Oxley Act Key Sections

• Section 101:
Establishes the Public Company Accounting Oversight Board (PCAOB) to oversee audits of public companies.
• Section 302:
Requires CEO and CFO certifications of quarterly and annual reports.
• Section 404:
Requires annual assessments of the effectiveness of internal controls over financial reporting, including an attestation from an external auditor.
• Section 409:
Requires disclosure to the public on a “rapid and current basis” of material changes to financial condition or results of operations.

External Auditor Opinion

• PCAOB Auditing Standard No. 5 (AS 5), An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
• The External Auditor will issue an opinion on the effectiveness of internal controls over financial reporting
• The External Auditor is still required to evaluate management’s annual report presentations:
• The external auditor must modify their report if they determine that any required elements of management’s annual report on ICFR are incomplete or improperly presented
• If the auditor determines that the required disclosure about a material weakness is not fairly presented in all material respects, they must follow the procedures set out in AS 5, paragraph 91:
• Communicate with the audit committee in writing
• Describe their conclusion in their report.

Review Question
True or false: Management is required to assess the effectiveness of internal controls over financial reporting on an annual basis?

A. True
B. False

SEC Internal Control Guidance for Management
PCAOB Guidance for Auditors (AS5)

SEC Guidance Overview

• In May 2007, the SEC finalized new guidance for management for use when evaluating controls over financial reporting. This guidance is designed to alleviate the unnecessary costs associated with Section 404 compliance.
• SEC Guidance is principles-based, using a top-down, risk-based approach.
• Management’s process and judgments in evaluating effective internal controls will likely differ from the independent auditor’s process, and perhaps judgments, in arriving at the same conclusion.
• Scalable based on size and complexity of the company.

PCAOB AS5 Overview

• The overall approach is consistent with SEC Guidance for management, but is designed for external audit activities.
• Issued in May 2007
• Effective for all audits of fiscal years ending on or after November 15, 2007
• Designed to enable the external auditor to perform a more efficient integrated audit while retaining the principles of the Sarbanes-Oxley Act.
• Top-down, risk-based approach for identifying significant accounts and related assertions, risks and controls

Review Question
True or false: Both the SEC’s guidance for management with respect to internal control over financial reporting and AS 5 for auditors promote a top-down, risk-based approach?

A. True
B. False

Lessons Learned and Approach for Management

Lessons Learned
Lack of Focus
• Risk assessment did not focus the project on high risk areas only
• Process risks and controls documented and tested versus high risk financial reporting
Poorly Embedded
• SOX not embedded into business (separate group)
• Lack of senior sponsorship
Disconnect/Lack of Information
• Disconnect between business strategies and SOX risks
• Disconnect between IT and process
• Duplication of efforts with External Auditors

SOX Implementation – Risk Management Capabilities Maturity Model
[Figure: Risk Management Capabilities Maturity Model diagram]

BDOC Value-Based SOX Approach

• Prioritize Risk Management Investment – Perform enterprise-wide risk assessment vs. SOX risk assessment
• Leverage Entity Level and Monitoring Controls – Evaluate the health of your Entity-Level Controls (including IT General Computer Controls)
• Focus transaction-level testing on automated controls
• Standardize controls across locations
• Seek opportunities to improve processes and leverage technology
• Obtain External Auditor reliance – Requires ongoing coordination with external auditors

Review Question
What is the final element in the Risk Management Capabilities Maturity Model?

A. Formalized
B. Ad-Hoc
C. Optimized
D. Embedded

Step 1: Financial Statement Risk Assessment

Top-down risk-based approach

• Focus on high risk areas
• Consider enterprise-wide risk assessment, including financial reporting (SOX) risks

Avoid Business Objectives Disconnect!

• Both SEC and AS5 direct management and the auditors to increase their focus on fraud risk and controls

Develop Your Risk Management Strategy and Plan
[Figure: Management/Control Level diagram]
Prioritize Your Risk Management Effort!

Develop SOX Scope – Assess Risk of Account Misstatement (RAM)
• RAM = Risk of Account Misstatement
• Evaluate the qualitative and quantitative risk factors related to the financial statement line items and disclosures. Factors to consider:
• Materiality
• Susceptibility to errors/fraud
• Transaction volume
• Complexity of account
• Complexity of accounting
• Exposure to loss/contingent liabilities
• Existence of related party transactions
• Changes from prior period
You should also use professional judgment when determining the RAM.

Identify Financial Statement Assertions & Risks
• Identify relevant assertions that could cause a material weakness in the financial statements.
• Existence or Occurrence
• Completeness
• Rights and Obligations
• Valuation or Allocation
• Presentation and Disclosure
• For each relevant assertion, management determines the likely sources of potential misstatements that would cause the financial statements to be materially misstated.

Coordination with External Auditors

• AS5 allows the auditor to use the work of others (including management, internal auditors and 3rd parties under the direction of management) to obtain evidence about the design and operating effectiveness of controls.
• Frequent, substantive and timely communication is critical.
• While management’s assessment can be completed entirely without coordination, doing so may limit the external auditor’s ability to rely on that work, which in turn affects the auditor’s budget and fees.

Avoid duplication of effort!

Review Question
Which is NOT a relevant assertion that could cause a
material weakness in the financial statements?

A. Currency
B. Completeness
C. Rights and Obligations
D. Valuation or Allocation


Step 2: Evaluate Entity-Level Controls

Assessing Entity-Level Controls
[Figure: entity-level control assessment diagram]

Entity-Level Controls – What are They and Why Evaluate Them?
• ELC exist at the company level and have a pervasive impact on controls at the process, transaction, or application level.
• Entity-level controls are an important starting point of any SOX 404 engagement because the assessment of these controls:
• Can have a significant effect on the overall assessment of the effectiveness of internal controls and procedures for financial reporting, particularly when weaknesses are identified
• Can increase or decrease the nature, timing and extent of transaction-level testing that management will need to perform

Leverage ELCs and Monitoring Controls and Improve Efficiency

How to Evaluate Entity-Level Controls

• Depending on the size and culture of the company, you can gather information by one or a combination of:
• Distributing questionnaires to Senior Management and employees
• Interviewing key employees and documenting the key controls
• The use of questionnaires is both a data gathering method and a form of testing for some elements of the company’s entity-level control environment

Types of Entity-Level Controls

• Some entity-level controls have a more direct effect than others on the likelihood that a financial misstatement will be prevented or detected.
• Three types of ELC:
• Indirect
• Monitoring
• Direct
• There are no examples in the SEC guidance. The SEC wanted to avoid a ‘checklist approach’ to evaluating entity-level controls.

Types of Entity-Level Controls – cont’d

• Indirect – Those entity-level controls that have an important, but indirect, effect on the likelihood that a misstatement will be detected or prevented on a timely basis. These controls must be documented and tested, but they cannot be relied upon solely to address the financial assertion risk.
Examples include:
• Code of conduct
• Board of Director and Audit Committee charters
• Board member independence
• Audit Committee member with financial expertise
• Management supports a disciplined, objective approach when developing accounting estimates

Types of Entity-Level Controls – cont’d

• Monitoring – These entity-level controls monitor the effectiveness of other controls (either other entity-level controls or transaction-level controls). These controls, when operating effectively, might allow management to reduce the testing of other transaction-level controls related to that financial assertion risk.
Examples:
• Summary of bank account reconciliations
• Frequent management visits to subsidiary or divisional locations

Types of Entity-Level Controls – cont’d

• Direct – These entity-level controls are designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more financial assertions. If operating effectively, management may not need to test any transaction-level controls related to that financial assertion.
Example:
• Periodic budget-to-actual review of financials. This may be monthly, quarterly or annual depending on the line item.
• The review should include detailed analytics and a threshold over which exceptions are documented and reviewed by management.
• For lower risk areas, these processes may eliminate the need for transaction-level testing; for high risk areas, this may only lower the testing.

Evaluating Design Effectiveness of ELC

Not all COSO or CobiT control considerations must be present at a company for the overall control objective to be met.
• The assessment is a subjective judgment resulting from an assessment of what is appropriate for the company based on many factors, including size, industry, complexity, culture, etc.
• The COSO for Small Public Companies (Volume II, Guidance) contains examples of how some companies have applied the COSO principles.
• Documentation might include memoranda, e-mails, and instructions or directions to and from management to company employees.

Steps 3 and 4: Transaction-Level Controls and Testing

Identify Transaction-Level Controls

• The objective is to document only key controls designed to prevent or detect a material misstatement to the financial statements
• Utilize SEC and COSO guidance
• Focus on use of automated controls (vs. manual)
• Standardize controls across locations

Standardization and Automation Improve Processes and Efficiency!

Policies and Procedures Documentation

• SEC guidance assumes management maintains a system of internal accounting controls as required by the Foreign Corrupt Practices Act (FCPA) and as defined by their Internal Control Framework (COSO)
• Per COSO, management should have policies and procedures (formal or informal) for generating accounting transactions and financial elements and accounting systems and controls

“More formal documentation is appropriate for higher risk areas, such as:
• Financial statement close
• Fraud prevention and detection
• Key controls over financial reporting.
Documentation may be in the form of memos, policy manuals, narratives or flowcharts.”

Segregation of Duties
• Difficult at smaller companies because of resource constraints. As documented in COSO for Smaller Public Companies, there are actions management can take to compensate:
• Review reports of detailed transactions – Managers review on a regular and timely basis system reports of the detailed transactions.
• Review selected transactions – Managers select transactions for review of supporting documents.
• Take periodic asset counts – Managers periodically conduct counts of physical inventory, equipment or other assets and compare them with the accounting records.
• Check reconciliations – Managers from time to time review reconciliations of account balances such as cash or perform them independently.

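The first two compensating actions above (review reports of detailed transactions, review selected transactions) can be produced from the accounting system’s journal-entry log. The script below is an added example written for this page, not code from the presentation or from BDO: it parses a constructed sample log (field names, the US$50,000 review threshold, the 08:00–19:00 business-hours window and the 20% sampling fraction are all assumptions), flags entries where segregation of duties was not achieved (preparer approved their own entry, or no approver recorded), and draws a reproducible sample keyed on a value the reviewer fixes only after the period closes, so a preparer cannot predict which entries will be pulled.

```python
"""Compensating-control report for limited segregation of duties.

Added example (not BDO material). The log layout, threshold, business-hours
window and sampling fraction below are assumptions for illustration.
"""
import csv
import hashlib
import io
from datetime import datetime
from typing import Dict, List

# Constructed sample journal-entry log (not real data).
SAMPLE_LOG = """\
entry_id,posted_at,preparer,approver,account,amount,description
JE-1001,2009-07-02T10:15:00,alice,bob,4000-Revenue,12500.00,July invoice batch
JE-1002,2009-07-03T09:40:00,alice,alice,4000-Revenue,9800.00,Manual revenue accrual
JE-1003,2009-07-05T23:50:00,carol,bob,1200-AR,150000.00,Credit memo
JE-1004,2009-07-06T11:05:00,dave,,6100-Expenses,430.00,Office supplies
JE-1005,2009-07-07T14:20:00,carol,dave,1200-AR,2200.00,Customer payment
"""

REVIEW_THRESHOLD = 50000.00          # assumed: entries at or above this are reviewed
BUSINESS_HOURS = range(8, 19)        # assumed: 08:00 to 18:59 local time


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV export into dicts with typed amount and timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        row["posted_at"] = datetime.fromisoformat(row["posted_at"])
        rows.append(row)
    return rows


def flag_for_review(entries: List[Dict], threshold: float = REVIEW_THRESHOLD) -> Dict[str, List[str]]:
    """Return {entry_id: [reasons]} for entries a manager should review.

    This is the "review reports of detailed transactions" action: the report
    surfaces every entry where segregation of duties was not achieved, plus
    large or out-of-hours postings that deserve a look regardless."""
    flagged: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e["approver"]:
            reasons.append("no independent approval recorded")
        elif e["approver"] == e["preparer"]:
            reasons.append("preparer approved own entry")
        if e["amount"] >= threshold:
            reasons.append(f"amount >= {threshold:,.2f}")
        if e["posted_at"].hour not in BUSINESS_HOURS:
            reasons.append("posted outside business hours")
        if reasons:
            flagged[e["entry_id"]] = reasons
    return flagged


def select_for_review(entries: List[Dict], period_key: str, fraction: float = 0.2) -> List[str]:
    """The "review selected transactions" action as a reproducible sample.

    Each entry is chosen when SHA-256(period_key:entry_id), read as a number in
    [0, 1), falls below `fraction`. The reviewer fixes `period_key` only after
    the period closes, so the sample is unpredictable to preparers but can be
    re-derived later by the external auditor from the same key."""
    chosen = []
    for e in entries:
        digest = hashlib.sha256(f"{period_key}:{e['entry_id']}".encode()).digest()
        u = int.from_bytes(digest[:8], "big") / 2 ** 64   # uniform in [0, 1)
        if u < fraction:
            chosen.append(e["entry_id"])
    return chosen


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for entry_id, reasons in flag_for_review(log).items():
        print(entry_id, "->", "; ".join(reasons))
    print("sampled:", select_for_review(log, "2009-07:reviewer-key"))
```

Both functions return plain data rather than printing it, so the same report can be attached to the manager’s sign-off as evidence that the compensating control operated.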
Risk of Control Failure Rating (RCFR)
• Professional judgment assessment of the following factors:
• Changes in volume or nature of transactions
• History of errors or adjustments
• Existence, nature and effectiveness of entity-level controls
• Frequency of control
• Automated/manual control
• Use of critical spreadsheets
• Competency of personnel
• Risk of management override
• Complexity/use of judgment

Internal Control Over Financial Reporting Risk (ICFR)
ICFR = RAM + RCFR
Risk of Account Misstatement (RAM) + Risk of Control Failure Rating (RCFR)
• The test strategy is based on the ICFR and your knowledge from prior year control assessments.
• As the risk associated with the control being tested increases, the evidence that the auditor should obtain also increases.

Control Testing
• A smaller, less complex company might have less formal documentation regarding the operation of its controls.
• As the ICFR risk increases, management will adjust the nature of the evidence that is obtained to determine operating effectiveness.
• Sample sizes should be discussed and agreed with management and then their external auditor early in the planning process to maximize the auditor’s ability to rely on management’s testing.

Avoid duplication of effort!

Evaluate Deficiencies
• A deficiency in the design of ICFR exists when
• Necessary controls are missing; or
• Existing controls are not properly designed so that, even if the control operates as designed, the financial reporting risks would not be addressed.
• Management considers whether each deficiency, individually or in combination, is a material weakness as of the end of the fiscal year.

Evaluating and Reporting Deficiencies

• Management considers whether each deficiency, individually or in combination, is a material weakness as of the end of the fiscal year.
• Control deficiencies that are determined to be a material weakness must be disclosed in management’s annual report on its assessment of the effectiveness of ICFR.
• Control deficiencies that are considered to be significant deficiencies are reported to the company’s audit committee and the external auditor.

Severity = Possibility and Magnitude

Deficiency Remediation
• Root Cause Analysis identifies specific control, technology and process failures leading to the deficiency
• Issues are often caused by simultaneous breakdowns in people, process and technology
• Critical to developing a remediation plan and longer term business process redesign to enable retesting, process improvement and sustainability
• Avoid “band-aid” fixes

Improve Processes!

Review Question
Which is NOT a high risk area where you would expect to see more formal policies and procedures documentation?

A. Financial statement close process
B. Fraud prevention and detection
C. Call center process
D. Key controls over financial reporting

Resources
• Ac’sense(SM) Programs and Website at:
http://www.bdo.com/acsense/
• NOTE: Link to a self-study course of today’s program will be available shortly at:
http://www.bdo.com/acsense/events/ICFRAug09.aspx
Upcoming seminars:
• Ac’sense(SM) Focus on Fraud: Fraud and Misconduct in the Corporate World webinar to be held on September 23, 2009
• Ac’sense(SM) Ethics and the Corporate Board webinar to be held on October 27, 2009
• Ac’sense(SM) 2009 Year-End Technical Update webinar to be held on January 8, 2010
• Links to upcoming webinars and archives of previously held programs will be/are posted to the main website above
• BDO Consulting
http://www.bdoconsulting.com/

Biographic Information – Curricula Vitae

Jennifer Salzman, CISA
Managing Director
BDO Consulting
Boston, MA
jsalzman@bdo.com
617-422-0700

Jennifer Meiselman Salzman is a Managing Director in the Risk Advisory Services group of BDO Consulting, a division of BDO Seidman, LLP. Ms. Salzman has more than 17 years of experience in operational risk and information technology consulting. She has helped companies revitalize their operational risk programs and internal audit departments, from both internal and consulting roles. Jennifer’s experience has also included the development of control framework self-assessment programs to help organizations manage strategic, operational and regulatory compliance risks. She has held positions as Director of Internal Audit, manager and consultant at “Fortune 500” and mid-size companies and major accounting firms.

Ms. Salzman designed and implemented risk management programs, including the execution of risk assessments to identify, evaluate and monitor operational and regulatory compliance risks. Audit plans were developed to address inherent and residual risk areas. She developed control mitigation strategies at the corporate and business unit level and implemented control framework self-assessment programs utilizing a structured, systematic process to assess risk (based on the COSO framework). This program included operational, project, regulatory and information technology risks.

Jennifer introduced new awareness and training programs to enhance the culture of risk and compliance across a company. She assisted due diligence teams with the evaluation of internal audit departments and subsequent integration into existing teams. She identified process improvements to reduce financial and system risk while strengthening the internal control environment and reducing cost.

Ms. Salzman reported to independent audit committees and assisted the Committees with the evaluation of their corporate governance responsibilities and recommended ongoing monitoring activities. The program included annual presentation of the audit plan and quarterly updates of audit plan progress, changes to the control environment and significant risks identified.

Biographic Information – Curricula Vitae

Sydney Rose Leo, CIA
Managing Director
BDO Consulting
Boston, MA
sleo@bdo.com
617-422-0700

Sydney Rose Leo is a Managing Director in the Boston office of BDO Consulting, a division of BDO Seidman, LLP, where she leads the firm’s Risk Advisory Services practice. Ms. Leo’s practice area includes Business Process Enhancement, CFO Advisory, Enterprise Risk Management, Technology Advisory, Internal Audit, and Compliance Services. Ms. Leo is also the National Enterprise Risk Management Core Competency Lead.

Ms. Leo has led multiple global engagements including:
• Enterprise Risk Management
• Internal Audit Services
• Finance Process Improvement
• Finance Business System Enhancement
• Project Management Office
• Oracle Applications System Implementations
• Technology Advisory
• Sarbanes-Oxley Attest and Advisory Engagements

She has over 19 years of experience as a business process reengineer, information systems consultant, risk management consultant and operations and information systems auditor in the life sciences, automotive, retail, manufacturing, and media and entertainment industries.

Prior to BDO, Ms. Leo was a Director at KPMG and managed the growth of KPMG’s Detroit Risk Advisory Services practice. She managed multiple global Sarbanes-Oxley advisory engagements and was the National Sarbanes-Oxley Attest Training and Methodology Lead, as well as the Oracle Systems Advisory Lead.

Evaluation
• We continually try to improve upon our programming and appreciate constructive feedback
• Following the program, we will be sending out a thank you e-mail that contains a link to a brief evaluation
• Thank you in advance for your consideration!

CPE Certificates
• Certificates will be processed and will be accessible by participants for printing as follows:
1. Individuals - by logging onto http://university.learnlivetech.com/BDOonline after the session is completed and clicking on My Learning - Completed Items. Under the Certificate column, click the Print button beside the completed webcast.
2. Group participants - After receipt and processing of submitted group sign-in sheets to cpdregistrar@bdo.com, group participants will be proctored into LearnLive and will be notified via e-mail when they can retrieve their certificates, following the steps above.
3. Sign-in sheets may be downloaded from the following:
https://university.learnlive.com/content/public/1029/accessinstructions/CPE%20Attendance%20Sheet.doc

ICFR for Non-Accelerated Filers: Streamlining SOX While Creating Organizational Value
August 2009

That concludes today’s program. Thank you for attending!