“Convergence, Communication and Interactive Data”
December 3-6, 2007
Vancouver, British Columbia, Canada
Internal Reporting Track
XBRL application to Internal Controls
December 4th, 2007
Yuji Furusho
CISA (Certified Information Systems Auditor)
Fujitsu Limited
Background
Annual documentation and evaluation of Internal Controls are “formal activities” for listed companies in the following countries:
◦ U.S. - Sarbanes and Oxley Act (so-called SOX)
◦ Canada - Bill-198 / Regulation 52-109
◦ Japan - Financial Products Exchange Act (so-called J-SOX)
◦ Korea, France, etc.
Evaluation of Internal Controls in accordance with the significance of the impact on the financial statements is key.
◦ This means that evaluation of the internal controls should be consistent with the significance of related accounts, and therefore consistent with the ultimate impact in the financial statements.
- 1 -
Basic Idea 1
Enterprise Model – connecting FS, GL, and business process
[Diagram: Financial Statement, General Ledger and business processes connected through related accounts. Labels shown:]
◦ Financial Statement: (PL) sales, (BS) A/R, (BS) inventory
◦ General Ledger: Hardware sales, Maintenance sales, Software sales, A/R - Software
◦ Sales Process - Head Quarter: related accounts, (n) risk, (n) control
◦ Sales Process - North Region: related accounts, (n) risk, (n) control
- 2 -
Basic Idea 2
Internal Control Taxonomy to handle non-financial business process information.
◦ Definition of “Control Objective”, “Risk”, and “Control Activity” in a business process.
◦ “Design effectiveness”, “Operational effectiveness”, and “Remediation plan/status” as values.
◦ Utilization of “COSO elements”
  ・ For comprehensive Risk/Control identification.
  ・ For focusing not only “Risk” but also “Opportunity”.
- 3 -
Internal Control Taxonomy Architecture
[Diagram: an Instance Document built from fixed elements, COSO elements, the Internal Control Dimension and the Company Extension. Labels shown:]
◦ Instance Document: location, process, coso: activity, (n) subprocess, related acct, key control, result (score), result (narrative), remediation, status, issue
◦ issue: incomplete evidence; control exception (exception on approval, processing, etc.)
◦ Internal Control Dimension and Company Extension: (n) control objective (F,O,C,S; F,O,C), (n) risk (assertion), (n) control activity (related assertion)
- 4 -
COSO Taxonomy – activities in COSO tool
25 activities illustrated in COSO tool.
1/Activity : INBOUND
2/Activity : OPERATIONS
3/Activity : OUTBOUND
4/Activity : MARKETING AND SALES
5/Activity : SERVICE
6/Activity : PROCUREMENT
7/Activity : TECHNOLOGY DEVELOPMENT
8/Activity : HUMAN RESOURCES
9/Activity : MANAGE THE ENTERPRISE
10/Activity : MANAGE EXTERNAL RELATIONS
11/Activity : PROVIDE ADMINISTRATIVE SERVICES
12/Activity : MANAGE INFORMATION TECHNOLOGY
13/Activity : MANAGE RISKS
14/Activity : MANAGE LEGAL AFFAIRS
15/Activity : PLAN
16/Activity : PROCESS ACCOUNTS PAYABLE
17/Activity : PROCESS ACCOUNTS RECEIVABLE
18/Activity : PROCESS FUNDS
19/Activity : PROCESS FIXED ASSETS
20/Activity : ANALYZE AND RECONCILE
21/Activity : PROCESS BENEFITS AND RETIREE INFORMATION
22/Activity : PROCESS PAYROLL
23/Activity : PROCESS TAX COMPLIANCE
24/Activity : PROCESS PRODUCT COSTS
25/Activity : PROVIDE FINANCIAL AND MANAGEMENT REPORTING
- 5 -
Basic Idea 3
Using element / value to “link” taxonomies;
◦ FR taxonomy and GL taxonomy: “xbrlinfo” elements in GL taxonomy
◦ GL taxonomy and IC (Internal Control) taxonomy: “relatedAccount” element in IC taxonomy
[Diagram: taxonomy elements and the instance values that link them]
◦ FR taxonomy: sales / FR instance: sales: “682,xxx”
◦ GL taxonomy: xbrlinfo / GL instance: xbrlinfo: “sales”
◦ GL taxonomy: accountMainID / GL instance: accountMainID: “EX00100”
◦ IC taxonomy: relatedAccount / IC instance: relatedAccount: “EX00100”
- 6 -
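The value-based linking on this slide, as an added example that is not part of the original deck: it follows relatedAccount to accountMainID to xbrlinfo and reports any hop that does not resolve, since an unresolved link leaves a control with no traceable financial statement impact. The record layouts, the second GL row, the element name accountsReceivable and all IC rows are constructed for illustration.

```python
# Added example. Element names come from the slide; record layouts,
# the second GL row and all IC rows are constructed for illustration.
FR_FACTS = {"sales": "682,xxx"}  # FR instance: element -> value (as on the slide)

GL_ROWS = [  # GL instance: account code plus its xbrlinfo pointer into FR
    {"accountMainID": "EX00100", "xbrlinfo": "sales"},
    {"accountMainID": "EX00200", "xbrlinfo": "accountsReceivable"},
]

IC_ROWS = [  # IC instance: one row per location x process x related account
    {"location": "Head Quarter", "process": "Sales Process",
     "relatedAccount": "EX00100", "issue": None},
    {"location": "North Region", "process": "Sales Process",
     "relatedAccount": "EX00100", "issue": "control exception"},
    {"location": "North Region", "process": "Sales Process",
     "relatedAccount": "EX00200", "issue": "incomplete evidence"},
    {"location": "North Region", "process": "Sales Process",
     "relatedAccount": "EX00999", "issue": None},
]


def trace(ic_rows, gl_rows, fr_facts):
    """Follow relatedAccount -> accountMainID -> xbrlinfo -> FR element.

    Returns (linked, broken): linked rows gain an 'frElement' key; broken
    rows gain a 'reason' saying which hop failed to resolve.
    """
    gl_by_id = {g["accountMainID"]: g["xbrlinfo"] for g in gl_rows}
    linked, broken = [], []
    for row in ic_rows:
        element = gl_by_id.get(row["relatedAccount"])
        if element is None:
            broken.append({**row, "reason": "no GL accountMainID"})
        elif element not in fr_facts:
            broken.append({**row, "reason": "xbrlinfo not in FR instance"})
        else:
            linked.append({**row, "frElement": element})
    return linked, broken


def affected_fr_elements(linked):
    """FR elements reached from IC rows that carry an issue."""
    hits = {}
    for row in linked:
        if row["issue"]:
            hits.setdefault(row["frElement"], []).append(
                (row["location"], row["issue"]))
    return hits
```

A broken row that also carries an issue is the case to chase first: the deficiency exists but cannot be placed against any financial statement line.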
Implementation Model
The following “FS – GL (Trial Balance) – IC” model has been adopted for Proof-of-Concept.
[Diagram labels:]
◦ Financial Statement: (PL) sales, (BS) A/R, (BS) inventory
◦ General Ledger: Journal Entry
◦ Trial Balance (by location): (PL) sales, (BS) A/R, (BS) inventory
◦ Internal Control (location x process): related accounts, (n) risk, (n) control
◦ location definition and acct-process mapping definition, using Dimensional Taxonomy
◦ aggregation
- 7 -
IC Taxonomy Architecture 1
Overall Structure
◦ Process Information
  ・ Process
  ・ Location
  ・ Related Accounts etc.
◦ Sub-Process Information
  ・ Control Objective
  ・ Risk
  ・ Control Activity
  ・ Key Control etc.
◦ Evaluation and Remediation
  ・ Design Effectiveness
  ・ Operational Effectiveness
  ・ Remediation Plan etc.
[Cardinality labels between the boxes: 1 to n, and 1 to 1]
- 8 -
IC Taxonomy Architecture 2
“Process Information” section
Process Information 【 Sample 】
◦ process: Sales Process
◦ location: Software Service Dept.
◦ related accounts: Sales, Account Receivable
- 9 -
IC Taxonomy Architecture 3
“Sub-Process Information” section
◦ Sub-process: AX05_Sales & billing
◦ Step: Safaia/FOCS sales
COSO elements
◦ activity: PROCESS ACCOUNTS RECEIVABLE
◦ sub-activity: -
◦ control objective: Accurately record all authorized sales returns and allowances and only such returns and allowances
  ・ section: financial reporting, operation, compliance
  ・ section: safeguarding asset
◦ risk: Inaccurate input of data
  ・ risk ID
  ・ risk
  ・ assertion
◦ control activity (sample): Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function
  ・ control ID
  ・ control
  ・ control method (manual/auto)
  ・ evidence/related documents
  ・ assertion
- 10 -
IC Taxonomy Architecture 4
“Sub-Process Information” section – “risk”
[Table columns:]
◦ COSO elements: risk
◦ company expansion: risk ID, risk
◦ assertion: existence, completeness, rights and obligation, evaluation, allocation and cut-off, presentation and disclosure
[Sample row:]
◦ risk (COSO elements): Inaccurate input of data
◦ risk ID: Rxxxxxx
◦ risk: (placeholder text)
◦ assertion: Y Y
- 11 -
IC Taxonomy Architecture 5
“Sub-Process Information” section – “control activity”
[Table columns:]
◦ control activity (sample)
◦ control ID
◦ control
◦ method of control: manual, automatic
◦ person in charge
◦ evidences
◦ related manuals and rule documents
◦ assertion
[Sample row:]
◦ control activity (sample): Mail customer statements periodically and investigate and resolve disputes or inquiries, by individuals independent of the invoicing function
◦ control ID: Cxxxx
◦ control: (placeholder text)
◦ method of control: Y
◦ person in charge: Leader of xxx Dept
◦ evidences: 1. Request Form
◦ related manuals and rule documents: 1) (placeholder) 2) (placeholder) 3) (placeholder)
◦ assertion: existence, completeness, rights and obligation, evaluation, allocation and cut-off, presentation and disclosure
- 12 -
IC Taxonomy Architecture 6
“Evaluation and Remediation” section
◦ key control
  ・ yes / no (Boolean)
◦ design effectiveness
  ・ date
  ・ person in charge of evaluation
  ・ results - score
  ・ results - narrative
◦ operational effectiveness
  ・ date
  ・ person in charge of evaluation
  ・ population
  ・ number of samples
  ・ results - score
  ・ results - narrative
◦ remediation
  ・ person in charge of evaluation
  ・ summary
  ・ due date
- 13 -
IC Taxonomy - Technical Consideration
Use of “dimensionItem”
◦ Multi dimension of “Control Objective”, “Risk”, and “Control Activity”
Use of Reference Link
◦ Use of “part element”, setting Boolean value;
  ・ Control objective: F/R, O/R, C, S/A
  ・ Assertion: Ex, C, R/O, Ev, A/C, P/D
  ・ Type of Control: Manual, Automatic
[Diagram: Risk Reference Link carrying “assertion – E/O - yes / no (Boolean)”]
[Diagram: Evaluation]
◦ Control Objective 1
  ・ Risk 1: Control Activity 1, Control Activity 2
  ・ Risk 2: Control Activity 3
- 14 -
Merit of Enterprise Model
Consistent and effective risk management for Financial Reporting by balancing financial risk significance and control importance.
[Diagram labels: FR to GL, GL to IC]
- 15 -
Merit of Enterprise Model - Scenario 1
Identify and understand internal control implications on significant accounts – (Where and what kind of issues, etc.)
Financial Statement ▷ ▷ ▷ Internal Control
[Diagram labels:]
◦ Financial Statement: A/R
◦ Internal Control: Location A: A/R, Location B: A/R
◦ 15 %, 75 %
◦ process, department, score, issue
- 16 -
Merit of Enterprise Model - Scenario 2
Identify and understand accounts affected by internal control issues.
Internal Control ▷ ▷ ▷ Financial Statement
[Diagram labels:]
◦ Internal Control: Location A: A/R, Location B: A/R
◦ Financial Statement: A/R
◦ 15 %, 75 %
◦ process, department, score, issue, deficiencies
- 17 -
Merit of XBRL application
Flexible definition and evaluation through taxonomy.
1. Relationship among “Control Objective”, “Risk”, and “Control Activity” using dimensional model
  ◦ Evaluation of “Control Objective” and “Control Activity” relationship, skipping “Risk” element, or evaluation of “Risk” and “Control Activity” relationship, skipping “Control Objective”
2. “Risk” or “Control Activity” evaluation with respect to specific “Control Objective”
  ◦ A company may want to focus on the “Financial Reporting” objective, while others may want to include the “Operational Effectiveness” objective.
3. Identification of compensating controls
  ◦ “Control Activity” relevant to “Risk” by evaluating “Related Assertion”
- 18 -
Merit of XBRL application 1 - dimensional model
Dimensional definition of “Control Objective”, “Risk”, and “Control Activity”.
- 19 -
Merit of XBRL application 2 - focusing on “Control Objective”
Flexible evaluation of “Risk” and “Control Activity” focusing on “Control Objective” – Company may want to focus on “Financial Reporting” for SOX auditing purpose.
[Diagram: Control Objective Reference Links in the COSO Taxonomy and the Company Extension, each carrying “part” elements:]
◦ Financial Reporting - yes / no (Boolean)
◦ Operational Effectiveness - yes / no (Boolean)
◦ Compliance - yes / no (Boolean)
◦ Safeguarding Asset - yes / no (Boolean)
- 20 -
Merit of XBRL application 3 – compensating control
Compensating controls may be identified through “assertion” attributes assigned to “Risk” and “Control Activity”.
◦ In cases of effectiveness failure of key controls, compensating controls may be identified along with assertions assigned to them.
[Diagram: assertion flags per element]
                                       E/O  C  V/A  R/O  P/D
Risk (assertion)                        Y   Y   Y    -    -
Control 1 - key (related assertion)     Y   Y   -    -    -    failure
Control 2 – non-key (related assertion) Y   Y   -    -    -    Find “Compensating control”
- 21 -
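The assertion matching on this slide, as an added example that is not part of the original deck: for a failed key control it lists effective controls whose related assertions overlap what the failed control covered, and it separately reports risk assertions that no effective control addresses. The assertion columns and the three rows are taken from the slide; the record layout and the 'effective' flag are assumptions.

```python
# Added example. Assertion columns and the three rows are taken from the
# slide; the 'effective' flag and record layout are assumptions.
ASSERTIONS = ("E/O", "C", "V/A", "R/O", "P/D")


def flags(row):
    """Convert a slide row such as 'YY---' into a set of assertion codes."""
    if len(row) != len(ASSERTIONS):
        raise ValueError("expected one flag per assertion column")
    return {code for code, flag in zip(ASSERTIONS, row) if flag == "Y"}


RISK = flags("YYY--")
CONTROLS = [
    {"id": "Control 1", "key": True, "effective": False,
     "assertions": flags("YY---")},
    {"id": "Control 2", "key": False, "effective": True,
     "assertions": flags("YY---")},
]


def find_compensating(risk, controls):
    """Report compensating controls for each failed key control.

    'lost' is what the failed control covered for this risk, 'candidates'
    are effective controls sharing at least one lost assertion, and
    'still_open' is whatever part of 'lost' no candidate covers.
    """
    working = [c for c in controls if c["effective"]]
    report = {}
    for failed in controls:
        if not failed["key"] or failed["effective"]:
            continue
        lost = risk & failed["assertions"]
        candidates = [c for c in working if c["assertions"] & lost]
        covered = set().union(*(c["assertions"] for c in candidates))
        report[failed["id"]] = {
            "candidates": [c["id"] for c in candidates],
            "still_open": sorted(lost - covered),
        }
    return report


def residual(risk, controls):
    """Risk assertions that no effective control addresses at all."""
    covered = set().union(*(c["assertions"] for c in controls if c["effective"]))
    return sorted(risk - covered)
```

With the slide's values, Control 2 fully compensates for Control 1, while V/A is flagged on the risk but covered by neither control.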