1 dave richards, cia, cpa director, internal auditing firstenergy corporation
TRANSCRIPT
1
Dave Richards, CIA, CPA
Director, Internal Auditing
FirstEnergy Corporation
2
Looking ahead: How upcoming rules and legislation might expand and alter
internal auditing's roles
Looking ahead: How upcoming rules and legislation might expand and alter
internal auditing's roles
The Institute of Internal Auditors
Webcast Series on Sarbanes-Oxley
Session #4 - April 15, 2003
3
The Webcast Series on Sarbanes-Oxley’s Impact on
Internal Auditing
The Webcast Series on Sarbanes-Oxley’s Impact on
Internal Auditing• January 28 - Disclosure Controls*
• March 3 - Annual Certification of Internal Controls*
• April 1 - Coordination of Internal & External Audit Work*
• April 15 - Looking Ahead to Future Changes Impacting Internal Auditing*
*Available on CD Rom and online archive for one year r
4
1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update –Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors –Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards
AgendaAgenda
5
• Audit Committees:• Independence• Financial Expert• Direct Responsibility for External Auditor• Code of Conduct complaints• Engage advisors• Reporting requirements• Annual Assessment of performance
• Management: • Certification of quarterly and annual financials• Assessment of Disclosure Controls• Annual Assessment of internal controls• Penalties for false or misleading information• Code of Ethics for Senior Officers
SOA AreasSOA Areas
6
• External Auditor• Prohibited services• Independence requirements & disclosures• Quality assurance disclosures to audit
committee• Attestation opinion on annual internal
control assessment• Public Company Accounting Oversight
Board (PCAOB)• Audit partner rotation every 5 years
SOA AreasSOA Areas
7
Handling the FutureHandling the Future• “As the present reflects the past, so will
the future reflect the present”• Actions we can take to prepare:
1. Knowledge of changes (stay in front)2. Share your knowledge3. Prepare for what you know is coming4. Be proactive with your management and
the audit committee5. Prepare internal audit department staff for
changes (e.g., focus on internal controls and financial issues)
8
Handling the FutureHandling the Future• Actions we can take:
6. Partner with your external auditors & third party providers to build the most flexible team
7. Don’t be afraid to fail!!8. Listen to your internal customers9. Develop a strategy (vision) of what you
want to become10.Take advantage of opportunities (find
someone looking for help and help them)
9
• Internal auditing as a proactive function• Staying in touch with changes• Focus on financial auditing theory• Staff skills & qualifications• Scope of work for internal auditing• Working relationship with external auditors• Audit committee support & involvement• Training needs for audit committee, internal audit,
and management• Resources for internal audit department• Willingness to change• Having the right strategic plan
IssuesIssues
10
AgendaAgenda1:00 - 1:10 Introduction & Overview of SOA areas not
covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update –Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors –Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards
11
SEC SOA Actions –Status Update
SEC SOA Actions –Status Update
Gregory A. Faucette
Professional Accounting Fellow
Office of the Chief Accountant
Securities and Exchange Commission
12
DisclaimerDisclaimer
The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. Therefore, the views expressed today are my own, and do not necessarily reflect the views of the Commission or the other members of the staff of the Commission.
13
Sarbanes-Oxley Act of 2002Sarbanes-Oxley Act of 2002
Components of the SOA– Title I – Public Company Accounting
Oversight Board– Title II – Auditor Independence– Title III – Corporate Responsibility
• Certifications• Audit committee standards• Improper influence of auditors• Insider trading during pension fund blackouts• Conduct standards for attorneys
14
Sarbanes-Oxley Act of 2002Sarbanes-Oxley Act of 2002
Components of the SOA - Continued– Title IV – Enhanced Financial Disclosures
• MD&A disclosures• Non-GAAP financial measures• Reporting on internal controls• Disclosures about code of ethics• Disclosures of audit committee financial expert• Accelerated reporting deadlines
– Title V – Analysts Conflict of Interest• Regulation Analyst Certification (Reg AC)
15
Sarbanes-Oxley Act of 2002Sarbanes-Oxley Act of 2002
Components of the SOA - Continued– Title VI – Commission Resources and
Authority– Title VII – Studies and Reports– Title VIII – Corporate and Criminal Fraud and
Accountability– Title IX – White Collar Crime Penalty
Enhancements– Title X – Corporate Tax Returns– Title XI – Corporate Fraud Accountability
16
Remaining SOA RequirementsRemaining SOA Requirements
• Declare the PCAOB functional (April 26, 2003)• Complete a study on principle based accounting system
(July 30, 2003)• GAO to complete a study on mandatory auditor rotation
(July 30, 2003)• Complete rulemaking on improper influence on conduct
of audits (April 26, 2003) • Complete a study on SPE use and related financial
reporting (October 7, 2004)• Complete rulemaking on management assessment of
and auditor reporting on internal controls• Additional rulemaking on analyst conflicts of interest by
either Commission or SROs (July 30, 2003)
17
Other Related “To Dos”Other Related “To Dos”• Recognize an accounting standard setting body• Complete rulemaking on procedure for filing Section
302 and Section 906 certifications• Consider further rulemaking on professional conduct of
attorneys practicing before the Commission• Complete rulemaking on mandated electronic filing and
website posting for Forms 3, 4, and 5• Consider rulemaking as necessary for disclosure on a
“rapid and current basis”• Complete rulemaking on MD&A disclosure of critical
accounting policies
18
Possibilities?Possibilities?
Rulemaking on material correcting adjustments identified by auditors
19
Thoughts for Internal AuditorsThoughts for Internal Auditors
• Uniquely positioned within organizations to effect improved internal control, financial reporting and corporate governance
• Possible role in compliance with Section 404 certification process
• Monitor other developments from the trickle-down effect of Sarbanes-Oxley
20
AgendaAgenda1:00 - 1:10 Introduction & Overview of SOA areas not
covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update –Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors –Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards
21
Andrew J. Dahle, CIA, CPA, CISA, CFEPartner, Internal Audit Services
PricewaterhouseCoopers
Andrew J. Dahle, CIA, CPA, CISA, CFEPartner, Internal Audit Services
PricewaterhouseCoopers
Future for Externaland Internal AuditorsFuture for External
and Internal Auditors
22
Looking Ahead to Future Changes Impacting Internal
Auditing
Looking Ahead to Future Changes Impacting Internal
Auditing
23
Future for External Auditors
Future for External Auditors
• Increased focus on risks and controls• Enhanced perceived value of internal
control assurance - impacts cost also• Focus on quality• PCAOB impact• COSO is being embraced by clients like
never before• Enhanced respect for hard decisions
24
Future for Internal Audit-Near Term
Future for Internal Audit-Near Term
• Expectations: The bar is rising• Resources: Cannibalization or augmentation? • Coordination: More coordination between
external and internal auditor• Focus: Current swing towards financial• Objectivity: More is better• Testing: Scope requires judgment• Significance of issues: Where is the line?• Quality: Standards require
25
Evolving Approaches to Internal Audit Involvement with SOA
Certification
Evolving Approaches to Internal Audit Involvement with SOA
Certification
• The top-down assurance model
• The separate evaluation model
• The blended model
Links to Controls Maturity
26
Potential Internal Audit RolesPotential Internal Audit Roles
ReviewEvaluate what is there
RecommendChanges and
improvements
RepairHelp improve
Report (1)On effectiveness
of changes
Not operate
Note (1): External reporting role mandated to the external auditor
27
Future for Internal AuditFuture for Internal Audit
• Internal audit quality• Internal audit impact on governance• Enterprise wide risk management - optimized
internal control maturity• Internal controls over non-financial measures • An integrated approach to 302 and 404• Sustaining SOA controls assessments• Fraud risk management• Mandatory requirements for internal audit
28
The Bar is Rising on Internal Audit Expectations
The Bar is Rising on Internal Audit Expectations
29
AgendaAgenda1:00 - 1:10 Introduction & Overview of SOA areas not
covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update –Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors –Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards
30
Future for OthersImpacted by the SOA
Future for OthersImpacted by the SOA
James DeLoach Managing Director
Protiviti
31
What We Can ExpectWhat We Can Expect
• SOA is here to stay
• Continuation of expectations gap
• More SEC rule making and new exchange listing requirements
• More aggressive, less forgiving regulators
• Increasingly demanding shareholder activists
• Market premium for increased transparency and restoring investor confidence
32
Trends: Senior ManagementTrends: Senior Management
• The raised bar will drive emphasis on restoring trust in the investing community
• Controls more repeating, defined and managed
• Improve entity-level analytics and monitoring
• Emphasis on keeping disclosure process fresh
• Enterprise-wide risk management builds upon disclosure controls and procedures
• Renewed focus on ethical behavior and responsible business practices
33
Trends: Board of DirectorsTrends: Board of Directors• Reevaluate independence standards and
restructure board committees• Increased attention on senior management
compensation and loans• Become more anticipatory and proactive• Hold more executive sessions and increase
influence of independent directors• Increase focus on business risk • Increase emphasis on corporate performance • Review board and director performance
34
Trends: Audit CommitteesTrends: Audit Committees
• More aggressive and assertive
• Inclusion of financial experts
• Increased need for independent advisors
• Pay close attention to feedback from “whistleblowers” and the complaint process
• Oversee 302 and 404 compliance processes
• Broadening of risk focus
35
Trends: Unit ManagementTrends: Unit Management
• Support of and provide resources to 404 compliance
• Increased accountability for effects of decisions and change on:– Internal control structure– Public reporting
• Increased focus on developing more robust business plans
36
Trends: Process OwnersTrends: Process Owners
• Document and support control design and assume accountability for control operation
• Timely follow-up on implementing control improvements
• Self-assessment will become common practice
• Balancing responsibility for monitoring processes at entity and process levels
• Opportunity to broaden focus to compliance and operational controls
37
Trends: External AuditorsTrends: External Auditors
• No reward for under-scoping and risk-taking• Higher audit fees • Expect:
– Less tolerance for errors, omissions and exceptions– Increased skepticism and insistence on supporting
evidence– More probing questions– The unexpected
• Increased emphasis on appearance of independence
38
AgendaAgenda1:00 - 1:10 Introduction & Overview of SOA areas not
covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update –Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors –Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards
39
AgendaAgenda1:00 - 1:10 Introduction & Overview of SOA areas not
covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update –Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors –Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards
40
AgendaAgenda1:00 - 1:10 Introduction & Overview of SOA areas not
covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update –Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors –Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards
41
Webcast SummaryWebcast Summary• Webcast #1: SOA 302 Disclosure
Controls– Disclosure controls identification– Disclosure controls testing within 90 days of
Certification– Disclosure committee participation– Certification process flow– Sub-certification process & need for
guidance in preparing documentation to support opinion statement
42
Webcast SummaryWebcast Summary• Webcast #2 - SOA 404 - Annual Assessment of
Internal Controls– New attestation standards – FDICIA assessment process (1991)– Process for doing 404 assessment– Use of CSA as a tool for assessment supplemented
by testing– Use of COSO model to serve as benchmark for
control assessment
43
Webcast SummaryWebcast Summary• Webcast #3 - External / Internal Auditors
Relationship– Options for relationship– Reliance on internal audit for 404 work– Material weakness and control deficiency
definitions– Impact of SOA on internal audit annual plan– Audit committee changing expectations of
external and internal auditor coordination and responsibilities
44
Webcast SummaryWebcast Summary
• Webcast #4 - The Future Impacts of SOA– The need for proactive involvement by
internal audit – SEC actions still pending as a result of SOA– PCAOB impact on external audit future– External providers of services partner for
success– Overview of other sections of SOA where
internal audit should be active
45
Webcast SummaryWebcast Summary• Key internal audit takeaways :
– Cannot sit back and wait– Need to partner with external auditors– Need to be proactive with management– Work closely with audit committee to help
drive closure on issues impacting the audit committee
– Lead control awareness, assessment, testing, and reporting
– Stay involved in the quarterly disclosure controls assessment
46
In Short:
Internal Auditing needs
to develop a strategy on how
it wants to be involved in the many
aspects of SO to further their efforts
to add value to their organization.
Opportunity is Knocking - will you answer?
47
Thank you for your participation!
Thank you for your participation!
Don’t miss our next Webcast series beginning
May 6, 2003