1 balancing sox with risk based audit planning the institute of internal auditors march 9, 2004 dave...
TRANSCRIPT
1
Balancing SOX with Risk Based Audit Planning
Balancing SOX with Risk Based Audit Planning
The Institute of Internal AuditorsMarch 9, 2004
Dave Richards, CIA, CPADirector, Internal AuditingFirstEnergy Corporation
2
• Introduction & Overview Dave Richards, FirstEnergy
• Finding the Balance Brian Appleton, National Penn Bancshares• Year 2 Audit Planning Carl Balderson, Pinnacle West Capital
• Balancing Issues for Large Shops Peg Weir, United States Postal Service
• Break
• Q & A
BalancingBalancing
SOX with Risk Based Audit PlanningSOX with Risk Based Audit Planning
3
Key Balancing IssuesKey Balancing Issues
1. Involvement in SOX 404 Work2. Expectations of AC & Sr. Mgt3. Risk Model Impacts 4. Emphasis on Financial Audits 5. Increased IT General Controls Topics6. Using 404 Results to Drive Audits7. Dealing with SOX Issues 8. Impact on External Auditor
Relationship & Work Support
4
Key Balancing IssuesKey Balancing Issues
9. Using 404 Model for Operational & Compliance Topics
10. Staff Productivity Enhancements11. IAD Tools for Control Assessments 12. Rotation of Audit Topics???13. Building on SOX 404 Work14. IAD Customer Relationships 15. Impact on Audit Contingency16. Internal Control Opinions in Audits
5
Finding the Balance Finding the Balance
Brian T. Appleton, CIA, MBA,CDP
Executive Vice President
Director of Internal Audit
National Penn Bancshares
6
Overview of Company Overview of Company
• Company Size
• Audit Division
• Client Focused Philosophy
• Process Owner Class
7
Status of 404Status of 404• Tone at the top
• How 404 is implemented makes a difference
• High level risk-assessment completed
• Documentation phase in progress
8
BalanceBalance
• Identify the coordinating scheme • Complement, not supplement• Be flexible and creative• Focus your scope
• Standardize the documentation • Take a closer look at opportunities
»Management »Audit
9
• Creates a more sophisticated clientele • Fosters uniformity in structure • Increases accountability for results• Promotes process ownership by
management
Impact on Internal ClientsImpact on Internal Clients
10
• Enhance auditor knowledge
• Career growth opportunity
• Role of auditors as facilitators
• Expansion of skill set to educator
• Springboard effect – Operational and compliance audits– Control Self Assessment– Enterprise Risk Management
Impact on Audit Approach Impact on Audit Approach
11
• Stronger assurance of controls
• Create new metrics
• Published accountability through sign-offs
Benefit to Audit CommitteeBenefit to Audit Committee
12
SummarySummary
• Identify the changes, find a balance• Allocate resources early• Sell the benefit to the company• Find and publish the positives• Think of SOX 404 as complementing
audit coverage
13
Year 2 Audit PlanningYear 2 Audit Planning
Carl Balderson, CIA, CPA, CFEDirector of Audit Services
Pinnacle West Capital Corporation
14
Driving ChangeDriving Change
• Re-balancing is continued evolution
• Changed audit committee expectations
• Changed management expectations
15
Impacts of SOXImpacts of SOX
• Increase management awareness of internal controls
• Audit customer responsiveness
• Greater emphasis on IT auditing
• Verify quarterly review for IC changes
16
Planning StepsPlanning Steps
• Risk based planning with pre-SOX methodology
• What we Think is needed for SOX– Follow-up open issues– Test changed process documentation– Test Key controls
• Integrate to avoid duplication• Alternate depth of efforts with future
years• Allocate available resources
17
Productivity InitiativesProductivity Initiatives
• Automated Work Papers
• Productive Time Targets
• Emphasize Project Budgets
• In-house and Local Training
18
Contingency PlanningContingency Planning
• Small number of hours unallocated• Renewed emphasis on “Stop & Go”
auditing• Administrative assistant/secretary vs.
para-professional auditor• Be more selective in what we address
19
Driving Long-Term ValueDriving Long-Term Value• Integrate SOX compliance and risk
management processes• Examine risk management processes
for efficiency• Documentation of new systems• Integrate SOX documentation with
business resumption plans• Utilize documentation for training
20
Balancing Issues for Large Balancing Issues for Large ShopsShops
Balancing Issues for Large Balancing Issues for Large ShopsShops
Margaret (Peg) Weir
Manager, Internal Control Group
United States Postal Service
21
• Independent government entity
• Self-sustaining
• Annual operating revenue +/- $70B• Second largest civilian employer
• 38,000 Post Offices
• Office of Inspector General
United States Postal Service
22
Internal Control GroupInternal Control Group
• CFO vision
• Established ICG organization– Complements OIG function– “End-to-end” process– Looks for efficiencies and risks of
inefficiencies
23
Internal Audit-Internal Control“Policy vs. Process”
Internal Audit-Internal Control“Policy vs. Process”
• Internal Audit - Financial Statements fairly represent operations
• Monies• Expenses• Work hours• Assets
• Internal Control - Reasonable Assurance – achievement of fundamental business goals
• Reliability• Exist, effective, efficient• Compliance with laws/regulations
24
Internal Control Group Internal Control Group
• Identify risk through data and process analysis
• Partner with process owner to mitigate prioritized risk
• Analyze trends and indicators• Conduct internal control reviews• Develop improved controls to
meet goals and objectives
25
Sarbanes-Oxley ActSarbanes-Oxley Act
• Voluntarily adopting parts of Section 404
• Makes good business sense
26
Internal Control GroupInternal Control Group
• Senior management provides direction and oversight
• Focus based on:– Guidance– Risk analysis– Risk prioritization
• Resources support mandate
27
Internal Control GroupInternal Control Group• Enterprise-wide from corporate to local• Interdependencies vs. stovepipes• Partnership with process owners• Data driven• Targeted reviews • Standardized approach using COSO
framework– Root causes– Meaningful recommendations to improve
controls• Reasonable assurance goals & objectives
will be met
28
Internal Control Group StatusInternal Control Group Status
• Implemented preliminary activities of COSO framework
• Adjusted as lessons learned
• Developing additional training
• Enhancing the analytical & reporting tool
29
Internal Control Group Internal Control Group • Internal Control Group
complements internal audit process
• Internal Control Group supports performance-based culture
• Internal Control Group establishes foundation for long-term enterprise-wide improvements and efficiencies
• Internal Control Group is dynamic & evolving
30
ConclusionsConclusions• SOX 404 WILL IMPACT what we do• What impact it has must be managed• Upfront drivers for impact must be understood• Changes in approach, scope, & results
expectations must be communicated• AC, Sr. Mgt. & IAD Customers must recognize
the impact on identifying & performing work• IAD must be more productive to meet this
challenge • External Auditor relationship must be managed
31
Next WebcastNext Webcast
April 13, 2004
““Strategies for Internal & External
Relationships””
See you at our next webcast!