ICFR for Non-Accelerated Filers:
Streamlining SOX While Creating Organizational Value
August 2009
8/14/2009
Reminders
In order to receive participation credit, you
must:
• Be appropriately registered for
Webcast #10371 within the BDO Online
CPE Network
• Be logged in for the entire webcast
• Be responsive to all polling/review
questions
Q&A Feature
• Technical questions may be submitted
via the Q&A Feature on your screen.
Time permitting, presenters will respond
to these at the end of the session.
• Please submit as much information as
possible (e.g., slide number reference,
presenter, etc.).
• Submit Technological Support Issues to
LiveChat under the “Support” tab.
Agenda
• Sarbanes-Oxley Key Sections
• SEC Control Guidance
• Lessons Learned and Approach for Management
• Financial Statement Risk Assessment
• Evaluation of Entity-Level Controls
• Transaction–Level Controls and Testing
Review Question
True or false: Management is required to assess the
effectiveness of internal controls over financial reporting on
an annual basis?
A. True
B. False
Review Question
True or false: Both the SEC’s guidance for management
with respect to internal control over financial reporting and
AS 5 for auditors promote a top-down, risk-based
approach?
A. True
B. False
Lessons Learned and Approach
for Management
Lessons Learned
Lack of Focus
• Risk assessment did not focus project on high risk areas only
• Process risks and controls documented and tested versus
high risk financial reporting
Poorly Embedded
• SOX not embedded into business (separate group)
• Lack of senior sponsorship
Disconnect/ Lack of Information
• Disconnect between business strategies and SOX risks
• Disconnect between IT and process
• Duplication of efforts with External Auditors
SOX Implementation –
Risk Management Capabilities Maturity Model
Review Question
What is the final element in the Risk Management
Capabilities Maturity Model?
A. Formalized
B. Ad-Hoc
C. Optimized
D. Embedded
Review Question
Which is NOT a relevant assertion that could cause a
material weakness in the financial statements?
A. Currency
B. Completeness
C. Rights and Obligations
D. Valuation or Allocation
Entity-Level Controls –
What are They and Why Evaluate Them?
• ELC exist at the company-level and have a pervasive
impact on controls at the process, transaction, or
application level.
• Entity-level controls are an important starting point of
any SOX 404 engagement because the assessment
of these controls:
• Can have a significant effect on the overall
assessment of the effectiveness of internal
controls and procedures for financial reporting,
particularly when weaknesses are identified
• Can increase or decrease the nature, timing and
extent of transaction-level testing that
management will need to perform
Steps 3 and 4:
Transaction-Level Controls and
Testing
Standardization and
Automation
Improve Processes and
Efficiency!!
Segregation of Duties
• Difficult at smaller companies because of resource
constraints. As documented in COSO for Smaller Public
Companies, there are actions management can take to
compensate:
• Review reports of detailed transactions – Managers review on a
regular and timely basis system reports of the detailed transactions.
• Review selected transactions – Managers select transactions for
review of supporting documents.
• Take periodic asset counts – Managers periodically conduct counts of
physical inventory, equipment or other assets and compare them with
the accounting records.
• Check reconciliations – Managers from time to time review
reconciliations of account balances such as cash or perform them
independently.
Control Testing
• A smaller, less complex company might have less formal
documentation regarding the operation of its controls.
• As the ICFR risk increases, management will adjust the
nature of the evidence that is obtained to determine
operational effectiveness.
• Sample sizes should be discussed and agreed with
management and then their external auditor early in the
planning process to maximize the auditor’s ability to rely on
management’s testing.
Evaluate Deficiencies
• A deficiency in the design of ICFR exists when
• Necessary controls are missing; or
• Existing controls are not properly designed so that, even if the
control operates as designed, the financial reporting risks
would not be addressed.
• Management considers whether each deficiency,
individually or in combination, is a material weakness as of
the end of the fiscal year.
Deficiency Remediation
• Root Cause Analysis identifies specific control,
technology and process failures leading to deficiency
• Issue often caused by simultaneous breakdowns in
people, process and technology
• Critical to developing remediation plan and longer term
business process redesign to enable retesting, process
improvement and sustainability
• Avoid “band-aid” fixes
Improve Processes!
Review Question
Which is NOT a high risk area where you would expect to
see more formal policies and procedures documentation?
Resources
• Ac’senseSM Programs and Website at:
http://www.bdo.com/acsense/
• NOTE: Link to a self-study course of today’s program will be available
shortly at:
http://www.bdo.com/acsense/events/ICFRAug09.aspx
Upcoming seminars:
• Ac’senseSM Focus on Fraud: Fraud and Misconduct in the
Corporate World webinar to be held on September 23, 2009
• Ac’senseSM Ethics and the Corporate Board webinar to be held on
October 27, 2009
• Ac’senseSM 2009 Year-End Technical Update webinar to be held
on January 8, 2010
• Links to upcoming webinars and archives of previously held programs
will be/are posted to the main website above
• BDO Consulting
http://www.bdoconsulting.com/
Jennifer Salzman
CISA
Managing Director
BDO Consulting
Boston, MA
jsalzman@bdo.com
617-422-0700
Ms. Salzman designed and implemented risk management programs, including the execution of
risk assessments to identify, evaluate and monitor operational and regulatory compliance risks.
Audit plans were developed to address inherent and residual risk areas. Developed control
mitigation strategies at the corporate and business unit level. She implemented control
framework self-assessment programs utilizing a structured, systematic process to assess risk
(based on the COSO framework). This program included operational, project, regulatory and
information technology risks.
Jennifer introduced new awareness and training programs to enhance the culture of risk and
compliance across a company. She assisted in due diligence teams with the evaluation of
internal audit departments and subsequent integration into existing teams. Identified process
improvements to reduce financial and system risk while strengthening the internal control
environment and reducing cost.
Ms. Salzman reported to independent audit committees and assisted the Committees with the
evaluation of their corporate governance responsibilities and recommended ongoing monitoring
activities. The program included annual presentation of the audit plan and quarterly updates of
audit plan progress, changes to the control environment and significant risks identified.
Evaluation
• We continually try and improve upon our programming and
appreciate constructive feedback
• Following the program, we will be sending out a thank you
e-mail that contains a link to a brief evaluation
• Thank you in advance for your consideration!
CPE Certificates
• Certificates will be processed and will be accessible by
participant for printing as follows:
1. Individuals - by logging onto the
http://university.learnlivetech.com/BDOonline after the
session is completed and clicking on My Learning - Completed
Items. Under the Certificate column, click the Print button beside
the completed webcast.
2. Group participants - After receipt and processing of submitted
group sign-in sheets to cpdregistrar@bdo.com, group
participants will be proctored into LearnLive and will be notified
via e-mail when they can retrieve their certificates, following the
steps above.
3. Sign-in sheets may be downloaded from the following:
https://university.learnlive.com/content/public/1029/accessinstructions/CPE%20Attendance%20Sheet.doc
That concludes today’s program.
Thank you for attending!