a smarter compliance process_june 2011

Page 1: A Smarter Compliance Process_June 2011

1/6/14 Internal Auditor

www.theiia.org/intAuditor/feature-articles/2011/june/a-smarter-compliance-process/index.cfm?print 1/8

June 2011

A Smarter Compliance Process

A look at how one company uses control self-assessments to efficiently and effectively manage

its Sarbanes-Oxley initiatives around the globe.

Aleksei Brizhik, CPA, CFE

Director, Internal Audit–SOX Compliance

AES Corp.

Cecilia Lobo

Senior Manager, Internal Audit–SOX Compliance

AES Corp.

Tae Yoo, CIA

Manager, Internal Audit–SOX Compliance

AES Corp.

Since the enactment of the U.S. Sarbanes-Oxley Act of 2002, many companies have struggled with the

difficulties of implementing efficient compliance programs. Though challenging, a global company can

transform a Sarbanes-Oxley compliance initiative into an efficient, dynamic, and valuable organizational

program while minimizing the stress experienced by finance personnel.

AES, based in Arlington, Va., is a global S&P 500 power company that owns a portfolio of electricity

generation and distribution businesses in 30 countries spanning five continents. AES operates in more than

100 locations, comprising utilities, generation plants, shared services hubs, branches, and representative

offices where local finance and accounting staff can range from a small group to a few hundred.

Establishing and managing an effective Sarbanes-Oxley compliance program at a company is a difficult task

when the company operates across multiple locations, cultures, time zones, and reporting and regulatory

environments. As part of a continuous effort to improve internal controls, AES has been transitioning from

an autonomous accounting reporting structure with multiple financial platforms to a network of

geographically consolidated regional hubs with one unified enterprise resource planning system.

Sarbanes-Oxley Section 404 requires U.S. publicly listed companies to file an internal control report with

their annual and interim reports stating management’s responsibilities in establishing and maintaining

adequate internal controls and procedures for financial reporting, and management’s conclusion on the

effectiveness of these internal controls. Examining changes in timing of controls testing, appropriately

determining the assessments’ scope, and continuously aggregating testing results can lead to a “smarter”

way to comply with Sarbanes-Oxley regulations.

COMPLIANCE AT A GLANCE

The Sarbanes-Oxley Compliance Group, part of the internal audit department that is based at corporate

headquarters, is organized by geographic region. To implement the requirements of Section 404, AES uses

the U.S. Public Company Accounting Oversight Board’s (PCAOB’s) Auditing Standard No. 5 (AS5) and The

Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–

Integrated Framework as guidelines. AES performs control self-assessments (CSAs) to assess the

effectiveness of internal controls over financial reporting for compliance purposes, and incorporates

activities including:

- Quarterly process/control changes surveys through attestations certified by all financial officers (Sarbanes-Oxley Section 302: Corporate Responsibility for Financial Reports certification).

- Sarbanes-Oxley Section 404 annual assessments (through testing and periodic assessment of aggregated control deficiencies).

- Financial reporting internal audits with testing of internal controls related to audited areas as determined by annual risk assessments.

- IT general controls (ITGC) testing (as part of CSAs at significant locations).

- Entity-level controls testing, including segregation of duties and an anti-fraud assessment.

- A corrective action plan program.

Historically, CSAs were performed each quarter and coincided with the financial quarter or annual close,

causing the finance staff to deal with competing priorities and work long hours. The Compliance Group had

to determine how to perform the CSAs without causing additional work for the local businesses. Beginning

in 2009, CSA frequency was changed to three times per year with each cycle covering a four-month period.

CSA testers are granted approximately one month to complete their testing and finalize the submission of

results. Immediately after submission, the Compliance Group reviews the results, completes the control

deficiency aggregation process, and communicates final results to the disclosure committee, executive

officers, and the audit committee.

The AES Sarbanes-Oxley compliance process addresses each of the COSO components of internal

control:

Control Environment

Process owners and department heads lead implementation of the annual Sarbanes-Oxley Section 404

compliance plan at AES with support from the Compliance Group. The Compliance Group’s geographic

organization allows internal auditing to have a global presence and easily mobilize its resources. The

Compliance Group is in charge of the administration of the CSA process and all Sarbanes-Oxley-related

reporting requirements.

Risk Assessment

To establish the annual audit plan, internal auditing works with the Global Risks and Commodities Group to

identify major risks AES can potentially face. The Compliance Group determines the timing and scope of

internal control testing at the business units and corporate office based on risk assessment results and

other considerations, such as the significance of financial results, prior internal control testing results, and

significant changes in the business’ operations and structure, to ensure that all relevant risks have been

addressed. In addition, the Compliance Group evaluates the CSA test results to validate the adequacy of

test procedures performed and the conclusions rendered on the operating effectiveness of the controls.

Information and Communication

The Compliance Group also is responsible for managing the CSA component that addresses ITGC and

works closely with IT management to identify critical applications throughout the organization for inclusion in

the CSA. IT departments at each in-scope location are responsible for executing the testing and providing

the results to internal auditing for review. This approach allows for individuals most familiar with the

applications to perform the testing and provides IT with valuable insights into the strength of its internal

control environment.

Control Activities

In addition to managing the execution and review of periodic CSAs, the Compliance Group is responsible

for managing the CSA re-performance audits. As part of this process, internal audit resources at the hubs

test and follow up on the implementation of corrective action plans to address control deficiencies. These

independent audits provide an additional level of assurance as to the testing results through validation of

samples already tested and evaluation of additional/independent samples for select controls. The audits

are performed at businesses, hubs, and corporate areas that are selected based on the risk profile and

history of CSA deficiencies at each entity.

Monitoring

Senior management’s responsibility also involves continuous monitoring regarding the resolution of

deficiencies and any changes that could affect the internal control environment. This includes

communicating any changes in processes or controls and any issues affecting compliance with Sarbanes-

Oxley requirements or corporate policies. Such communication is made either through quarterly Sarbanes-

Oxley Section 302 certification or through other appropriate channels. Furthermore, AES uses the CSA

process to support the quarterly Section 302 disclosure within the company’s 10-Qs and year-end 10-K.

Finally, CSAs are used as one of the venues for the businesses to report control failures for inclusion in

corrective action plans.

CSA testing results are captured in a Web-based application where testers upload their workpapers and

document their conclusions. Testers are granted access to their specific business or hubs. The application

contains a sign-off sheet where the performers and reviewer of the CSA must be identified. It also includes

a page for documenting the assessment of process/control changes (attestation) that is used for analysis

and support of Sarbanes-Oxley Section 302. Each financial cycle is separately tabbed for efficient testing of

the respective controls. The application allows for customization of CSAs according to the applicability of

controls to specific businesses (i.e., controls for generation companies vs. controls for distribution

companies).

ADJUSTING OUR APPROACH

Due to the company’s global exposure and operations, the AES Sarbanes-Oxley program required some

flexibility to appropriately meet its compliance requirements. The program has evolved into a dynamic and

customizable approach that leads to a more efficient and effective assessment of internal controls. Two of

the elements in our approach that have been subject to this evolution and adjustment are scope and

aggregation of control deficiencies.

Scope

When the CSA process was first implemented, AES tested a single set of controls (scope) at every

operating business. Consideration of size, risks, industry, and complexity of the businesses were not

factored into the CSA scope, and the Compliance Group realized this one-size-fits-all approach was costly

and time consuming. If the CSA process was to be improved, it had to address the following issues:

- The creation of regional hubs both transferred and consolidated key accounting functions to the hub level, eliminating the need to test some controls at the business level.

- Many entities participating in CSA reviews were quantitatively immaterial but still were fully tested.

- Certain accounting processes were immaterial or irrelevant to a given business, yet were still being tested.

- Small businesses with limited resources struggled with the level of effort required to conduct CSAs; the main difficulties were the frequency of the CSAs (quarterly) and the volume of controls tested each quarter.

- Accounting personnel reductions caused by hub transition and economic downturn at many AES businesses hindered their ability to perform effective and timely CSAs.

Today the CSA process is customized to address the unique risks and control environment of the various

business types that make up AES. The different categories of CSA scope include:

- Full CSA. Performed at businesses that are quantitatively and/or qualitatively significant (i.e., historically had many control deficiencies).

- CSA “Light.” A customized scope performed at businesses with certain functions that were moved to the regional hubs and are quantitatively and/or qualitatively not as significant.

- Equity Affiliate CSA. Focuses on testing AES monitoring and core financial reporting and accounting controls over the company’s equity affiliates, businesses where AES has influence, but not control.

- Corporate CSA. A full-scope CSA designed to test a set of controls unique to corporate functions such as financial consolidation and reporting, tax provision, and long-term compensation.

Aggregation of Control Deficiencies

The examination of control deficiencies is critical to understanding an organization’s weaknesses, analyzing

the root causes, and implementing and monitoring remediation actions to improve the control environment

continuously. The impact of control deficiencies on a stand-alone basis could be viewed as short-sighted

without a broader consideration of how deficiencies impact AES collectively. Effectively aggregating the

control deficiencies can yield improvements in the organization’s control environment and should be a top

priority for senior management.

At AES, deficiencies are identified through four primary sources: the CSA, internal audits, external audits,

and an analysis of the summary of accounting adjustments. All four sources serve as arteries to the

assessment of the control environment that supplies vital information, including indications of possible

errors and lack of adherence to policies and procedures. The same four sources feed into an overall

aggregation process that produces a comprehensive list of control deficiencies that impact the company.

Thus, the aggregation process provides a “scorecard” that helps identify areas where the risk of

noncompliance and significant financial impact resulting from control gaps and exceptions is higher.

Communication is a key factor that helps to avoid duplication of efforts. For instance, if deficiencies have

already been identified and evidenced through internal audits, the other three sources will help monitor the

correction of the exceptions rather than reporting the same errors. Therefore, having these four different

sources of information joined through the aggregation of deficiencies process provides efficiency in testing

and reporting.

Aggregation is performed after each CSA testing period and initiated with each Sarbanes-Oxley manager

collecting, reviewing, and producing a consolidated list of deficiencies sourced from the four primary

sources for their respective regions and businesses. Each deficiency is reviewed and assessed to

determine whether the root cause is attributed to a control deficiency and what, if any, potential financial

impact exists.

Regional summary reports of aggregated deficiencies feed the master aggregation file that becomes the

baseline for a consolidated report of deficiencies to management. Deficiencies are categorized by the

nature of the exception, evaluated both individually and collectively, and aggregated across all businesses.

Additionally, the Compliance Group determines whether the issue escalates to levels that would trigger

further qualitative analysis or whether the company has a significant deficiency or material weakness. A

summary of the aggregation of deficiencies is presented to the Disclosure Committee, members of the

executive office, and the Audit Committee for consideration before issuance of the 10-Qs and annual 10-K.

All subsequent aggregation after the first CSA is rolled forward until the third and final CSA is completed at

year-end. Deficiencies determined to be remedied after retesting are removed from the aggregation to

represent the current state of all deficiencies identified throughout the year. A continuous aggregation

process affords us the advantage of projecting problematic areas or trends that management needs to

address timely.

Although there may be other methods to aggregation, the processes we use ultimately provide AES with a

clear picture of the control environment to concisely define the

deficiencies, analyze the root causes, and develop appropriate remedies to prevent such issues from

occurring in the future.

LEARNING TO ADAPT

Sarbanes-Oxley compliance requires time to adapt to changing environments and effort to be open-minded

to new strategies that better fit with the organization. Modifying the timing and scope of controls tested are

good examples of how audit shops can evolve their Sarbanes-Oxley initiatives to achieve greater success.

Continuous monitoring of our internal stakeholders’ needs revealed process improvement opportunities that

led to enhanced effectiveness and efficiency of our Sarbanes-Oxley program. Course changes included the

periodic reassignment of CSA testers based on roles and responsibilities to ensure greater tester

independence, and the issuance of workpaper templates with standardized testing procedures for testing

and documentation consistency. Other notable modifications to our approach include the customization of

CSA test plans per unique needs and type of business (e.g., generation, distribution, holding company,

equity affiliate), and the annual rationalization (consolidation) of controls to reduce redundancy and

eliminate noncritical controls from being tested.

The shift of testing to off-quarter close periods allows personnel to concentrate on performing the CSA

testing more diligently and effectively with less stress. Furthermore, business units and corporate

departments now have the opportunity to complete testing of their quarterly and monthly controls before the

year-end close, leaving only a few annual controls to be tested during January of the following fiscal year.

As a result, the Compliance Group is now able to dedicate more time to meaningful review and accurate

aggregation of deficiencies. The results of these changes led to more timely and efficient analysis and

reporting of control deficiency aggregation, thus providing the ability to react and correct control

weaknesses before they become deficiencies with significant financial and compliance impact.

The new multiscope CSA approach allows AES to recognize both greater efficiency and broader coverage

with regard to its internal control assessment program. After the first year of implementing the multiscope

CSA program, the company has experienced:

- Improved resource allocation at businesses and with the Sarbanes-Oxley Compliance Group.

- A CSA process that is aligned with the new hub structure.

- Time and cost reductions while allotting greater attention toward problematic processes and controls.

- Greater cooperation from process owners and testers.

- Continued assessment of the most critical controls and risks at smaller AES businesses.

- A culture of strong processes and internal controls across AES businesses, regardless of size.

Our CSA process and best practices provide a value proposition to our organization and key stakeholders

that are worth consideration. Internal auditors should recognize that by being flexible with timing and

controls to be tested, companies can eliminate unnecessary stress and frustration related to the CSA

process. Aggregating and communicating control deficiencies throughout the year helps remedy

deficiencies before they result in major problems.

See the AES CSA Survey Questions and Schedule.

Sahba Yazdani, CIA, manager, Internal Audit–SOX Compliance at AES Corp., contributed to this

article.
