© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Agenda
■ SOX Control Trends (PCAOB Audit Findings)
■ COSO Impact on SOX
■ Top 10 List of Considerations
■ Driving an Efficient and Cost Effective Solution: Finding the Right Balance
SOX – PCAOB Inspection findings
The PCAOB has observed a significant increase in inspection comments in the areas of auditing/Internal Control Over Financial Reporting (ICOFR), revealing the need for both management and auditor focus.
• Identifying and testing relevant controls
• Testing management review controls (MRCs)
• Inappropriate reliance on ITGCs
Focus on ICOFR is increasing, as seen from the year-over-year comparison of comments below (excluding ITGC):
Year            Total Comments
2012 (to date)  89
2011            46
2010            9
Significant areas of audit performance improvement over ICOFR testing include:
PCAOB Implications to SOX Environment: Control Testing Themes
• Documentation: Walkthrough of individual controls rather than walkthrough of a transaction through the issuer’s processes
• Key Controls: Failure to identify and test key controls associated with all relevant assertions over all significant accounts
• Risk Assessment: Inappropriate risk assessment of relevant controls (lower risk of failure)
• Control Deficiencies: Failure to identify control deficiencies or appropriately evaluate their severity, and failure to evaluate the impact of control deficiencies on the financial statement audit approach
• Substantive Testing: Inferring operating effectiveness of a control from the absence of misstatements detected by substantive procedures
PCAOB Implications to SOX Environment: The Importance of the Risk Assessment
• Financial Statement Line Item Analysis: Do we have the right materiality/qualitative factor coverage?
• Location Analysis: What locations are in scope, and what coverage is provided?
• Financial to Process Mapping: Are all key accounts mapped to processes in scope?
• Process to Location Mapping: Are the right processes covered at each location?
Performing a risk assessment as part of your SOX program is an important step that allows management to focus on:
• identifying relevant (key) controls
• testing controls associated with all relevant assertions over all significant accounts
PCAOB Implications to SOX Environment: ITGC Themes
• IT Dependent Controls: Manual controls that may be dependent upon IT general controls to operate effectively (i.e., controls dependent on IT functionality, computer-generated exception reports)
• Infrastructure: Relevant technology infrastructure controls designed to help ensure the completeness, accuracy, and availability of technology processing
• Flow of Data: Understanding the flow of transactions from initiation to recording and reporting
• Access: Consideration of “super user” access and how it is controlled, timely evaluation of instances of non-compliance, and controls in place to monitor user activities
• Use of Third Parties: Third parties with an impact on financial reporting, controls in place to review third-party information, required SOC 1 reports, and considerations for user controls
PCAOB Implications to SOX Environment: Management Review Control Themes
• Specificity of Scope/Precision: Defining materiality/significance and including thresholds
• Specificity of Review: Including comprehensive details of what the reviewer looks for during the review and defining what constitutes an outlier/exception
• Exceptions: Follow-up on variances, inconsistencies, and outliers (e.g., retain emails to evidence follow-up and resolution)
• Physical Evidence: Physical evidence of the performance of a control is required
• Information Provided by Entity (IPE): Management validation over the completeness/accuracy of data and reports used in the performance of controls
Possible Resulting SOX Efforts
■ More controls in scope (e.g., unique transactions)
■ Additional documentation required
■ Enhanced walkthroughs – control and process
■ Additional testing over completeness and accuracy of information
■ Increased documentation retention of management 404 efforts
■ Enhanced deficiency evaluation documentation
Internal Control Framework: COSO
The Committee of Sponsoring Organizations’ (COSO’s) framework update for 2013 included the following changes that have had an impact on SOX for some organizations:
■ Considers changes to the business environment over the past 20 years (including resource competence)
■ Enhanced governance
■ Extended coverage and applicability beyond financial reporting (IT)
■ Improved risk assessment practices
■ Enhanced adaptability to change and varied business models
The COSO 1992 Framework will be available until December 15, 2014, after which it is superseded.
Key Considerations for Effective SOX Testing – “Top 10 List”
1. Implement monitoring controls
2. Refine management review controls
3. Perform month-end reconciliations
4. Restrict access to key systems
5. Identify SOD conflicts
6. Ensure accuracy of system interfaces
7. Consider completeness and accuracy of reporting
8. Update policies and procedures (DOA)
9. Consider key applications used for financial reporting
10. Retain documentation and evidence your review
Shown alongside the list: Coordination with External Auditor; Training and Effective Oversight
Key Considerations for Effective SOX Testing
1. Implement Monitoring Controls: Implement controls for high-risk areas/accounts that provide a monitoring mechanism for management to provide assurance that financial reporting information is appropriate, appears reasonable, and is consistently evaluated.
2. Refine Management Review Controls: For management review controls, establish thresholds for what you are reviewing, define review criteria, and retain support for how you resolve variances and how you complete your review.
3. Perform Month-End Reconciliations: Reconciliation controls are key in substantiating financial reporting results and are often referred to for key/high-risk accounts. Reconciliations should be documented, include supporting documentation, and evidence separate reviewers and preparers.
4. Restrict Access to Key Systems: Appropriately restricting access to key systems ensures that only authorized individuals have access to key financial data and may prevent unauthorized transactions and financial misstatements.
5. Identify SOD Conflicts: SOD conflicts should be identified in order to implement manual controls where automated options are not possible and to allow management to effectively segregate control activities.
Key Considerations for Effective SOX Testing (continued)
6. Ensure Accuracy of System Interfaces: Accuracy of system interfaces is a key consideration in ensuring the accuracy of financial reporting, especially for consolidated reporting. Management should ensure that the interface is complete and accurate and that exceptions are addressed timely.
7. Consider Completeness and Accuracy: The completeness and accuracy of reports/spreadsheets used in performing control activities should be reviewed. Spreadsheets and reports used in calculating account balances are key.
8. Update Policies and Procedures: Policies and procedures should be aligned with control activities. Deviations may allow for control failures (a control fails when it does not agree to policy) and overall ineffective governance over financial reporting.
9. Consider Key Applications: Applications used for financial reporting, to process transactions, consolidations and transfer data should be evaluated for ITGC testing. Ineffective ITGCs may lead to reliance on manual controls.
10. Retain Documentation and Evidence Your Review: Retaining all relevant documentation to support your control activities and evidencing your review will be essential to passing controls during the testing phase.
Key Considerations in an Efficient and Cost Effective SOX Program: Finding the Right Balance
Cost Effective Compliance
• Joint walkthroughs with external auditor
• Use of offshore resources to perform testing
• Rationalization of controls
• Enhanced risk assessment process to arrive at key controls (top-down)
• Automation of controls
• Guest Auditor Program for “free” resources
• Management Testing (self-testing program)
Efficiency Considerations
• Co-sourcing to provide flexibility on resource needs and increase internal productivity rates
• Guest Auditor Program to tap into business insights
• Offshore resource considerations for multi-tasking and time sensitive activities
Effective Communications and IA Framework
• Tone at the Top from key business leaders within the organization
• Establishment of a Steering Committee for key updates and messaging
• Periodic meetings with the external auditors
• Consistent and clear reports on status
• Consideration of integrated audits (IA and SOX)
• Enhanced risk assessment process both for SOX and the ERA
Panel Discussion
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 192969
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.