TRANSCRIPT
SEMINAR
Internal control COSO - SOX
presented by Mr
L. ACKE
15 May 2007, NOVOTEL Brussels Airport, Diegem
SEMINAR
DOMAIN: Audit - Control
TITLE: Internal control COSO - SOX
LECTURER: L. ACKE
LOCATION: NOVOTEL Brussels Airport, Diegem
DATE: Tuesday 15 May 2007
CODE: 07-103.1
DURATION: 14:00-17:30
PARTICIPANTS (name, capacity):
Nathalie BURSENS, IBR trainee
Freddy CALUWAERTS, registered auditor (bedrijfsrevisor)
Jean DERICK, registered auditor
Kari MAES, deputy auditor
Peter RODET, IBR trainee
Jules ROEBBEN, registered auditor
Werner VAN DEN KEYBUS, registered auditor
Kurt VETS, IBR trainee
Marc WEEMAES, registered auditor
OFFICES:
CALUWAERTS & C, bedrijfsrevisoren
VGD, Bedrijfsrevisoren
Rekenhof
W. VAN DEN KEYBUS
MAZARS
IBR seminar
INTERNAL CONTROL
COSO
SOX
May 2007
Sources: COSO ERM Framework; PwC; IBR presentations on COSO / SOX
Agenda:
Why is internal control important?
The need for an integrated control framework.
COSO - Integrated Framework.
Evaluating the control environment.
Impact of internal controls on audit strategy.
COSO and Belgian practice.
SOX.
Internal control serves different purposes:
Management framework
Organisations are continuously faced with business risks. An adequate system of internal control helps the client manage these risks and thus achieve its business objectives.
Internal control affects the performance of organisations and shareholder value.
Legal / statutory / prudential requirements
Corporate governance recommendations
Management's responsibility for the financial statements
"Management is responsible for the preparation and the fair presentation of these financial statements. This responsibility includes: designing, implementing and maintaining internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; selecting and applying appropriate accounting policies; and making accounting estimates that are reasonable in the circumstances."
Audit strategy
Audit opinion
"Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with the legal requirements and the Auditing Standards applicable in Belgium, as issued by the Institute of Registered Auditors (Institut des Reviseurs d'Entreprises / Instituut der Bedrijfsrevisoren). Those standards require that we plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement, whether due to fraud or error.
In accordance with the above-mentioned auditing standards, we considered the association's accounting system, as well as its internal control procedures. We have obtained from management and from the association's officials the explanations and information necessary for executing our audit procedures. We have examined, on a test basis, the evidence supporting the amounts included in the financial statements. We have assessed the appropriateness of accounting policies and the reasonableness of the significant accounting estimates made by the association as well as the overall financial statement presentation. We believe that these procedures provide a reasonable basis for our opinion."
Impact of Internal Controls on Audit Strategy
Balance the audit work with the perceived risks: AR = IR * CR * DR
AR = audit risk
IR = inherent risk
CR = control risk
DR = detection risk
[Figure: audit risk flow. AUDIT RISK is built up from Inherent Risk, Control Risk and Detection Risk: Material errors -> Caught by controls? -> No -> Uncovered by audit procedures? -> No -> Wrong opinion]
Incorrect opinion (incorrect assessment of control risk, high detection risk): alpha risk.
Costly audit (too much work performed in relation to the control risk): beta risk.
Internal Control Myths and Facts
MYTHS:
Internal control starts with a strong set of policies and procedures.
Internal control? That's why we have internal auditors!
Internal control is a finance thing.
Internal controls are essentially negative, like a list of "thou-shalt-nots".
Internal controls take time away from our core activities of making products, selling, and serving customers.
FACTS:
Internal control starts with a strong control environment.
While internal auditors play a key role in the system of control, management is the primary owner of internal control.
People at every level in the organization have responsibility for internal controls.
Internal control is integral to every aspect of business.
An integrated internal control system will not be effective without an entity-wide approach to corporate governance, risk management and compliance.
Internal control makes the right things happen the first time.
Internal control should be built "into", not "onto" business processes.
Public embarrassment of some of the world's most respected organisations
Robert Maxwell - Fraud
MCI WorldCom - Accounting scandal
Sumitomo - Unauthorised positions
Barings - Unauthorised positions
Parmalat - Fraud
BCCI - Fraud
United Way - Questionable management practices
General Motors - Fictitious sales
ENRON - Accounting scandals
AIB - Unauthorised positions
Risk-increasing factors in today's business environment
Globalisation
Outsourcing
"Empowerment" = more and more delegation of authority
Fewer hierarchical layers in an organisation
External changes
Changes in the nature of (business) risks
These require changes in the way we organise and manage our business.
The case for rethinking internal controls:
Management's reliance on hard controls is not sufficient to protect shareholder value (refer to the limitations of internal controls).
Soft controls and risk management mechanisms provide the fundamentals of a sound system of internal control.
[Figure: objectives / risks]
Committee of Sponsoring Organizations of the Treadway Commission
Treadway Commission formed in 1985
Treadway Commission issues report in 1987 - calls for study to develop a common framework for internal control
Coopers & Lybrand selected to conduct the study and author the report
Report entitled Internal Control - Integrated Framework is issued in September 1992
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.
Committee of Sponsoring Organizations of the Treadway Commission
Enterprise Risk Management - Integrated Framework
Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk.
In 2001, COSO initiated a project to develop a framework that would be readily usable by management to evaluate and improve their organizations' enterprise risk management.
The period of the framework's development was marked by a series of high-profile business scandals and failures where investors, company personnel, and other stakeholders suffered tremendous loss.
The Enterprise Risk Management - Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. It is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it.
ERM is about value
Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
The fundamental premise underlying the Enterprise Risk Management - Integrated Framework is that all entities, whether for profit or not, exist to realize value for their stakeholders. The ongoing identification and mitigation of risks, as well as knowing what opportunities to seize, are critical to protecting and growing stakeholder value. Enterprise risk management supports value creation by enabling management to deal effectively with uncertainty, explicitly consider risk in investment decisions and minimize risks to achieving entity objectives.
ERM supports value creation by enabling management to: Deal effectively with potential future events that create uncertainty. Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
No entity operates in a risk-free environment, and enterprise risk management does not create such an environment. Rather, enterprise risk management enables management to operate more effectively in environments filled with risks. Enterprise risk management provides management with enhanced capabilities to align risk appetite and strategy, link growth, risk and return, minimize operational surprises and losses, identify and manage cross-enterprise risks and rationalize capital.
Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. Enterprise risk management encompasses:
Aligning risk appetite and strategy - Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
Enhancing risk response decisions - Enterprise risk management provides the rigor to identify and select among alternative risk responses - risk avoidance, reduction, sharing, and acceptance.
Reducing operational surprises and losses - Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
Identifying and managing multiple and cross-enterprise risks - Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response on the interrelated impacts, and integrated responses to multiple risks.
Seizing opportunities - By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
Improving deployment of capital - Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.
Driving forces behind ERM
Investors
Demand increased financial disclosure and regulatory compliance
Stakeholders
Demand that management adequately identify all material risks that impact cash flow, capital and ...
Market / Credit Analysts
Require that management strengthen its risk disclosure capabilities
Auditors
Current protocols require organizations to report risks in a forward-looking context
Enterprise Risk Management Defined
Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to pro vide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. Enterprise risk management is:
A process, ongoing and flowing through an entity
Effected by people at every level of an organization
Applied in strategy setting
Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
Able to provide reasonable assurance to an entity's management and board of directors
Geared to achievement of objectives in one or more separate but overlapping categories
Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four categories:
Strategic - high-level goals, aligned with and supporting its mission
Operations - effective and efficient use of its resources
Reporting - reliability of reporting
Compliance - compliance with applicable laws and regulations
Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity's control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic objectives and operations objectives, however, is subject to external events not always within the entity's control; accordingly, for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving towards achievement of the objectives.
Eight components of enterprise risk management
Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:
Internal Environment - The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting - Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
Event Identification - Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
Risk Assessment - Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response - Management selects risk responses - avoiding, accepting, reducing, or sharing risk - developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control Activities - Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication - Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring - The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Strategies
Companies deploy multiple strategies - from formulating strategic direction to complying with regulatory changes
Evolving Risk Profile
Multiple strategies generate risks and a continually evolving risk profile
Companies establish a series of processes to help manage their changing risk profile
Process
[Figure: ERM process diagram; rotated labels not recoverable from the scan]
According to the definition, enterprise risk management is thus a process in which all employees are involved and whose purpose is to give management reasonable assurance that the objectives will be achieved thanks to sound management of the risks the organisation faces. A number of steps must be gone through and, in addition, there are a number of influencing factors, such as the internal environment, information and communication, and the evaluation of the ERM process.
Internal Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
Internal Environment - elements
Risk Management Philosophy: value; communicated in words and actions
Risk Appetite: value; qualitative and quantitative; trade-offs; linked to strategy
Risk Culture
Board of Directors: independent; active; involved
Integrity and Ethical Values: standards of behaviour; prerequisite; CEO example; incentives
Commitment to Competence: knowledge; skills
Management Philosophy and Operating Style: formal vs. informal; conservative vs. aggressive; aligned
Organizational Structure: reporting lines; centralized / decentralized; matrix / function / geography
Assignment of Authority and Responsibility: empowerment; accountability; incentives and discipline
Human Resource Policies and Practices: qualified; training; compensation
Differences in Environment: management preferences; value judgments; management styles
Hard and soft controls
Hard controls consist of organizational structure, assignment of authority and responsibility, and human resources policies and practices. All three are relatively traditional areas examined in most audits. Audit evidence for each should be readily available.
Soft controls include ethics, commitment to competence, and management operating style. Such controls have traditionally been overlooked in audits because documented evidence of the audit condition is difficult to obtain and test.
Rating
If any one of the hard controls isn't functioning effectively in the area being audited, an unsatisfactory rating is warranted.
On the other hand, proper behavior is assumed for soft controls. An unfavorable audit conclusion is reached only if improper behavior is observed. A satisfactory rating wouldn't be ruled out if the auditor finds no direct evidence that the "soft controls" are in place. Only if instances of unethical, incompetent, or improper management behavior are discovered should the auditor consider an unsatisfactory rating. The level of assurance provided by the auditor for soft controls is, therefore, much less than normally rendered. As techniques for testing soft controls improve, rating criteria may be revised to render more positive assurance.
Evaluation of the control environment
The control environment is one of the key components of an entity's internal control; it sets the tone of an entity, influences the control consciousness of people within an organization and is the foundation for all other components of the internal control system.
Management is responsible for evaluation and reporting on a company's controls. The external auditors are responsible for auditing management's assertion and independently coming to their own conclusions about the company's internal control effectiveness. They must evaluate management's assessment and also perform their own, independent tests in many areas, including the control environment.
The control environment has a pervasive structure that affects many business process activities. It includes elements such as management's integrity and ethical values, operating philosophy and commitment to organizational competence.
Adding to the difficulty of the task is the fact that the control environment is not transaction-oriented. Tests of controls that auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible. And focusing solely on activity-level controls is inappropriate.
Designing and performing tests at the control environment level will be a complex and challenging task - for example, a company may point to its code of conduct as documenting its ethical values. Ultimately though, the mere existence of the documentation of a control is not sufficient to support a conclusion about its operating effectiveness. Management and auditors must do more than demonstrate that a code exists; they must evaluate the effectiveness of the code's implementation. For example, the entity's implementation procedures may include training sessions for management and employees on the company's code and the establishment of formal channels for the confidential communication of code violations to senior management.
To determine whether the code of conduct has been implemented effectively, these questions need to be asked:
How is the code communicated? Do the entity's employees and management follow the code? How is compliance with the code monitored? Does compliance with the code improve the effectiveness of other control policies and procedures?
Tests of the control environment will consist of a combination of procedures, including a review of relevant documentation of the design, inquiries of management and employees and direct observation.
Auditors will have to probe for understanding and awareness and try to understand the company's attitude toward internal control over financial reporting. They also should ask management for a self-assessment.
Most companies have focused on the documentation, evaluation and testing of activity-level controls. For example, bank reconciliations, the matching of shipping documents to invoices and computerized checks of data entered into the accounting system are all examples of activity-level controls.
As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, activity-level controls are just one component of internal control over financial reporting. In an evaluation of internal control, both management and the auditors need to consider all its components. If they focus exclusively on activity-level controls to draw a conclusion about all elements of internal control, they may reach inappropriate conclusions about internal control taken as a whole.
For example, consider the entity that requires its board of directors to approve all significant decisions made by the CEO. Suppose, however, the philosophy of the CEO is that he or she alone knows what's best for the organization. Suppose, too, the CEO, through a committee he or she controls, is able to handpick the majority of the board members. And because the primary criterion for advancement within the organization is personal loyalty to the CEO, the information that senior management presents to the board is tightly controlled and presented in a way that makes ratification of the CEO's agenda a foregone conclusion.
Focusing solely on the activity-level control is inappropriate. Read the minutes and you'll undoubtedly find the board approved all the transactions it should have. On the surface, internal control looks good. In reality it is not. Only by looking at the control environment directly - as in management's philosophy and operating style and its commitment to competence - does a true picture of the organization begin to emerge.
The COSO framework provides criteria and information on the control environment, but this guidance is at a fairly high level since the framework was tailored for all organizations. For example, COSO identifies integrity and ethical values as important pieces of the entity's control environment and makes a compelling argument for why this is so. But the purpose of COSO is not to explain how to measure or evaluate whether an ethical climate is "effective". Once management gathers information about the control and its design, it is left to them to decide how to determine and test its relative effectiveness.
Summary of Internal Control Reliability Model
Characteristics of reliability
Reliability level | Documentation | Awareness and understanding | Perceived control value | Monitoring procedures
Initial | Very limited | Basic awareness | Unformed | Ad hoc, unlinked
Informal | Sporadic, inconsistent | Understanding not communicated beyond management | Controls are separate from business operations | Intuitive, repeatable
Systematic | Comprehensive and consistent | Formal communication and some training | Controls integral to operations | Formal, standardized
Integrated | Comprehensive and consistent | Comprehensive training on control-related matters | Control processes considered part of strategy | Formal, standardized; periodic monitoring begins
Optimized | Comprehensive and consistent | Comprehensive training on control-related matters | Commitment to continuous improvement | Formal, standardized; real-time monitoring
The internal control reliability model can be helpful in designing tests of a control environment's effectiveness. The overall reliability of the system depends on the characteristics that describe each level. Auditors should design the control environment tests to determine the relative reliability of each of these characteristics, as discussed below.
In evaluating the design and operating effectiveness of the control environment, auditors' tests will consist of a combination of procedures, including:
A review of relevant documentation - for example, the company's code of conduct.
Inquiries of management and employees, either verbally, in writing or both.
Direct observation.
Here are some tips for designing these procedures:
Start with a review of documentation relating to the control environment. The most likely sources of information include the company's:
Code of conduct
Personnel policies
Board of directors and audit committee charters
Disclosure committee charter
Other, informal communications from senior management about control environment matters such as ethics or management philosophy.
Remember that documentation is only a start - not the be-all and end-all. Ask management direct questions about the actions it took to assess how management or employees complied with, or violated, stated management philosophies or standards of behavior. Examples of such questions include:
Have you observed unacceptable behavior on the job? If so, what did you observe?
If you were to report unacceptable or unethical behavior to senior management, what action do you think management would take?
Probe for employees' understanding and awareness. Do managers and other employees know the relevance and importance of their control-related activities? Do the board and the audit committee have a full appreciation of their oversight responsibilities?
Try to understand the company's attitude toward internal control. Is it a "necessary evil", or is it viewed as an integral part of the company's management? Suppose you asked senior management and the board the following questions about the company's code of conduct.
What was the main reason for developing the company's code of conduct?
How often is the code reviewed and updated?
The answer to these questions may be revealing - for example, a manager who says the code was developed because the lawyers recommended it and that it has not been reviewed or updated in the last 10 years tells you a great deal about the attitude of senior management toward the value of an effective control environment.
Ask for a self-assessment. Direct questions can be quite effective. Ask management or operations personnel about how various control environment elements work:
Do you believe the company has established standards of behavior that create an overall appreciation for and compliance with its documented control policies and procedures?
How would you describe management's operating style and philosophy?
What aspects of the company's culture or management policies contribute to or detract from your ability to perform your job responsibilities effectively?
Objective setting
Objectives must exist before management can identify and assess risks and take steps to manage those risks.
Forms the risk appetite of the entity - a high-level view of how much risk management and the board are willing to accept.
Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Objective setting - elements
Strategic Objectives: high-level goals; support mission / vision; strategic choices
Related Objectives: operations; reporting; compliance; safeguarding of assets
Selected Objectives: align and support; management decision; resource allocation; people, process and infrastructure
Risk Appetite: growth, risk and return
Risk Tolerance: acceptable variance; unit of measure of objective
Event identification
Identification of potential events from internal or external sources that influence the achievement of objectives.
Differentiates risks and opportunities.
Events that may have a negative impact represent risks.
Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting process, formulating plans to seize the opportunities.
Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
Addresses how internal and external factors combine and interact to influence the risk profile.
Event identification - elements
Events: incident; positive and/or negative impact
Factors Influencing Strategy and Objectives: internal / external
Methodology and Techniques: ongoing; periodic; past and future tools
Event Interdependencies: triggering events; interrelate
Event Categories: common groupings
Risks and Opportunities: negative impact: risks; positive impact: opportunities, offsets to risks, supporting
Event categories
Infrastructure: availability of assets; capability; access to capital; complexity
Personnel: employee capability; fraudulent activity; health and safety; judgment; malfeasance; security practices; sales practices
Process: capacity; design; execution; suppliers / dependencies
Economic: capital availability; credit (issuance, default, concentration); liquidity; market (funding, cash flow, commodity prices, interest rate, indices, exchange rate, equity valuation, real estate values); unemployment; mergers / acquisitions
Technological: electronic commerce; external data; emerging technology
Natural environment: biodiversity; emissions, effluents and waste; energy; fire; natural disaster (earthquake, flood, etc.); sustainable development; transport; water
Political: governmental changes; legislation; public policy; regulation
Event categories (continued)
Technology: data (acquisition, maintenance, distribution, confidentiality, integrity); data and system availability; capacity; system (selection, development, deployment, reliability)
Business: brand / trademark; competition; consumer behavior; counterparty; fraud; industry standards; ownership structure; publicity; product relevance
Social: demographics; corporate citizenship; environmental stewardship; privacy
Figure (only the labels are legible): Strategic Risk Management; Financial Risk Management; Regulatory Risk Management; Product / Market Risk Management; Tax / Legal Risk Management; Supply Chain Risk Management; "Other" Risk Management.
Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
Allows an entity to understand the extent to which potential events might impact objectives.
Assesses risks from two perspectives: Likelihood Impact
Employs a combination of both qualitative and quantitative risk assessment methodologies
Risk assessment
Inherent and residual risk: before management actions; after management actions
Likelihood and impact: expected, worst-case, distribution; time horizon; unit of measure; observable data; expected and unexpected
Qualitative and quantitative methodologies and techniques: qualitative; quantitative; stress testing; scenarios
Correlation: sequence of events; categories; inherent and residual basis
Response
Identifies and evaluates possible responses to risk.
Evaluates options in relation to entity's risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and / or likelihood.
Selects and executes response based on evaluation of the portfolio of risks and responses.
In selecting an appropriate risk response, management should consider which response best fits with the entity's risk appetite and tolerances:
Avoidance: Exit the activity causing the risk
Reduction: Take action to reduce the likelihood or impact of risk
Sharing: Transfer or share the risk or portion of the risk with another party
Acceptance: Risk accepted, no action is taken.
Risk response
Identify risk responses: avoid; reduce; share; accept
Evaluate possible responses: impact; likelihood; cost versus benefit; innovative responses
Select response: management decision
Portfolio view: entity level; business unit level; inherent and residual basis
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives and to manage business risk down to an acceptable level. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
Occur throughout the organization, at all levels and in all functions.
Include application and general information technology controls.
Integration with Risk Response
Build directly into management processes
Interrelate
Types of Control Activities
Policies
Procedures
Preventative
Detective
Manual
Automatic
Activities
General Controls
Information technology management
Information technology infrastructure
Security management
Software development and maintenance
Application Controls
Completeness
Accuracy
Authorization
Validity
Entity - Specific
Entity specific strategies and objectives
Operating environment
Complexity of the entity
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also with information about external events, activities and conditions necessary for informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.
Information is needed at all levels of the entity to identify, assess and respond to risks, and to otherwise run the business and achieve its objectives.
Communicating accurate information, on time, to the right people is key to effective ERM.
Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
Timely and accurate access to information and communication is critical to the control process.
Communication occurs in a broader sense, flowing down, across, and up the organization.
Accuracy and timeliness of management information
Identification of relevant internal and external information
Organisational communications
Information and communication
Information: internal; external; manual; computerized; formal; informal
Strategic and integrated systems: information systems architecture; strategic; operational; past and current; level of detail; timeliness; quality
Communication: internal; external; entity-wide; expectations and responsibilities; framing; means of transmission
Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.
Monitoring is a process that assesses the quality of the internal control system over time.
All deficiencies should be reported to those in a position to take necessary action.
Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities Separate evaluations A combination of the two.
Monitoring is a continual process to assess control systems and activities.
Monitoring
Ongoing monitoring: real-time; built-in; ongoing; day-to-day operations
Separate evaluations: scope; frequency; self-assessments / internal auditors; extent of documentation
Reporting deficiencies: ongoing; external parties; protocols; alternative channels
Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
Example: Risk Model
Environmental Risks
Capital availability
Regulatory, Political, and Legal
Financial Markets and Shareholders Relations
Process Risks
Operations Risks
Empowerment Risk
Information Processing / Technology Risk
Integrity Risk
Financial Risk
Information for Decision Making
Operational Risk
Financial Risk
Strategic Risk
Determine Appetite
Risk appetite is the amount of risk - on a broad level - an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
Key questions:
What risks will the organization not accept?
(e.g. environmental or quality compromises)
What risks will the organization take on new initiatives?
(e.g. new product lines)
What risks will the organization accept for competing objectives?
(e.g. gross profit vs. market share?)
Identify Risk Responses
Quantification of risk exposure
Options available:
Accept = monitor
Avoid = eliminate (get out of situation)
Reduce = institute controls
Share = partner with someone (e.g. insurance)
Residual risk (unmitigated risk - e.g. shrinkage)
Impact vs. Probability
                  Low probability            High probability
High impact       Medium risk: Share         High risk: Mitigate & Control
Low impact        Low risk: Accept           Medium risk: Control
Risk-based auditing: the COSO sequence (figure; only the step labels are legible)
Establish organisational objectives
Assess risk
Determine controls required
Source: David McNamee, George Selim - The Next Step in Risk Management - Internal Auditor, June 1999
Risk Based Auditing
Establish Organisational Objectives
What are the steps in the business process?
What is the logical sequence of steps the auditable unit must take to reach its objectives or purposes? Practically speaking, these steps are usually combined or grouped so that the total does not exceed 12-15 steps.
Assess Risk
What are the risks?
What are the essential elements of risk in each step of the business process? Errors, omissions, delays and fraud are the most common types of risks.
Manage Risk
How are risks managed?
What techniques mitigate the risks identified in column B? It is sound practice not only to identify how the risks are managed, but also to document the evidence for those actions, so that an audit programme can be derived quickly and accurately.
Source: David McNamee, George Selim - The Next Step in Risk Management - Internal Auditor, June 1999
Introduction
ISA 315 deals with the steps the auditor follows to assess the risks of material misstatement at the financial statement and assertion levels.
ISA 330 deals with the auditor's response to these risks: designing and performing further audit procedures.
ISA 315 and ISA 330 are to be situated within the AUDIT RISK MODEL contained in the ISAs.
This ARM is grafted onto the COSO framework; it adopts COSO terminology and philosophy.
Two core ideas:
Heightened professional scepticism
Heightened documentation requirements
Obtain an understanding of the entity and its environment, including its internal control, sufficient to:
assess the risk of material misstatement of the financial statements, whether due to fraud or error
design and perform adequate audit procedures and identify an adequate audit team
It is the auditor's responsibility to determine overall responses and to design and perform further audit procedures whose nature, timing and extent are responsive to the risk assessments.
The auditor considers whether the engagement team includes members with specific relevant knowledge and experience
Obtain an appropriate understanding of the entity and its environment, including its internal control
Audit procedures (risk assessment procedures) to be performed by the auditor in order to obtain this understanding
Discussion among the engagement team about the susceptibility of the entity's financial statements to material misstatement
(cont'd): Identify and assess the risks of material misstatement at the financial statement and assertion levels
Identify risks by considering: the entity and its environment, including relevant controls; the classes of transactions; account balances; disclosures in the financial statements
Relate the identified risks to what can go wrong at the assertion level
Consider the significance and likelihood of the risks
Evaluate the design of the entity's controls over such risks and determine whether they have been implemented
Design audit procedures that provide sufficient appropriate audit evidence
ISA 315 builds on the following concepts:
Inherent risk: the susceptibility of a financial statement item to a misstatement that, individually or aggregated with misstatements in other financial statement items, could be material, assuming that there were no related internal controls.
Control risk: the risk that a misstatement that could occur in a financial statement item and that, individually or aggregated with misstatements in other items, could be material, is not prevented, or detected and corrected, on a timely basis by the entity's system of administrative organisation and internal control.
Detection risk: the risk that the auditor's procedures will not detect a misstatement that exists in a financial statement item and that, individually or aggregated with misstatements in other items, could be material.
Impact on audit strategy
AUDIT RISK = Inherent Risk, Control Risk, Detection Risk (flow diagram):
Material errors occur (inherent risk)
  Caught by controls? (control risk) Yes: corrected. No:
  Uncovered by audit procedures? (detection risk) Yes: corrected. No: wrong opinion
Audit risk
Objective: balance the audit work with perceived risks:
AR = IR * CR * DR
AR = "audit risk"
IR = "inherent risk"
CR = "control risk"
DR = "detection risk"
A correct assessment of IR and CR is needed in order to avoid:
An incorrect opinion (incorrect assessment of control risk, high detection risk): alpha risk
A costly audit (too much work performed relative to the control risk): beta risk
Obtaining an understanding of the entity and its environment, including its internal controls sufficient to a) identify risks of material misstatement and b) design and perform further audit procedures, is an essential aspect of performing an audit in accordance with ISAs:
* This understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgement about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit . .
Understanding required: the auditor uses professional judgement to determine the extent of the understanding required of the entity and its environment, including its internal control:
Is the understanding sufficient to assess the risks of material misstatement of the financial statements and to design and perform adequate audit procedures? The depth of understanding required by the auditor in performing the audit is less than that possessed by management in managing the entity.
Obtaining an understanding of the entity and its environment, including its IC, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit.
Inquiries of management and others within the entity
Analytical procedures
Observation and inspection
Other audit procedures
The auditor should obtain an understanding of relevant
a) Industry, regulatory and other external factors:
Industry conditions: competitive environment; supplier and customer relationships (e.g. long-term contracts); technological developments
Regulatory environment: legal environment; political environment; the applicable financial reporting framework; environmental requirements affecting the industry and the entity
Other external factors: general economic conditions
The auditor should obtain an understanding of the
b) Nature of the entity:
Ownership and governance, in order to determine whether related party transactions have been identified and accounted for appropriately
Operations
Types of investments the entity is making and plans to make
The way the entity is structured (subsidiaries, multiple locations): consolidation issues; allocation of goodwill; special-purpose entities; inter-company transactions
The way the entity is financed
The auditor should, w.r.t. the entity's selection and application of accounting policies:
1. obtain an understanding of:
the methods used to account for significant and unusual transactions
the effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus
changes in the entity's accounting policies
how the entity will adopt new financial reporting standards and regulations
2. consider whether they are appropriate for its business;
3. consider whether they are consistent with the applicable financial reporting framework and with accounting policies used in the relevant industry;
4. consider whether the presentation of the financial statements, w.r.t. adequate disclosure of material matters, is in conformity with the applicable financial reporting framework.
ISA 315 - 29 pays specific attention to the disclosure issue.
The auditor should obtain an understanding of the c) objectives and strategies and the related business risks that may result in a material misstatement of the financial statements
Management defines objectives, which are the overall plans for the entity
Strategies are the operational approaches by which management intends to achieve its objectives
Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies, e.g.
Development of new products that fails
Flaws resulting in liabilities and reputational risk
The auditor should obtain an understanding of the c) objectives and strategies and the related business risks that may result in a material misstatement of the financial statements
Impact on financial statements
Immediate risk of material misstatement
Longer-term consequences, which the auditor considers when assessing the appropriateness of the going concern assumption
How is the auditor's understanding obtained ?
Evaluation of Risk assessment process set up by management
In absence of a risk assessment process, inquiries of management and observation by the auditor
What is the impact of the absence of a risk assessment process (RAP)?
The auditor should obtain an understanding of the d) measurement and review of the entity's financial performance
Performance measures, whether external or internal, create pressures on the entity that, in turn, may motivate management to take action to improve the business performance or to misstate the financial statements
Obtaining an understanding of the entity's performance measures assists the auditor in considering whether such pressures result in management actions that may have increased the risks of material misstatement.
Sources of information: internal and external
Internal: key performance indicators (financial and non-financial), budgets, variance analysis, segment information, comparison of performance with that of competitors
External: analysts' reports and credit rating agency reports
The auditor should obtain an understanding of the d) measurement and review of the entity's financial performance
When the auditor intends to make use of performance measures produced by the entity's information system for the purpose of the audit (e.g. for analytical review procedures), the auditor considers whether the information related to management's review of the entity's performance provides a reliable basis and is sufficiently precise for that purpose.
If making use of performance measures, the auditor considers whether they are precise enough to detect material misstatements.
The auditor should obtain an understanding of the e) internal control relevant to the audit
What is internal control ?
IC is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives wrt
- reliability of financial reporting
- effectiveness and efficiency of operations
- compliance with laws and regulations
It follows that IC is designed and implemented to address identified risks that threaten the achievement of any of these objectives
The auditor should obtain an understanding of the e) internal control relevant to the audit
Components of internal control:
Control environment
The entity's risk assessment process
The information system, including the related business processes, relevant to financial reporting
Control activities
Monitoring of controls
Components of internal control: Control environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.
The auditor's evaluation of the design of the entity's control environment includes considering whether the strengths in the control environment elements provide an appropriate foundation for the other components of internal control.
Changes in the control environment may affect the relevance of information obtained in prior audits.
The nature of an entity's control environment is such that it has a pervasive effect on assessing the risks of material misstatement and influences the nature, timing and extent of the further audit procedures.
Components of internal control: Control environment
The control environment in itself does not prevent, or detect and correct, a material misstatement in classes of transactions, account balances and disclosures and related assertions.
Audit evidence may not be available in documentary form
Elements of the control environment:
Communication and enforcement of integrity and ethical values
Commitment to competence
Participation by those charged with governance
Management's philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices
Concerns about the integrity of the entity's management may be so serious as to cause the auditor to conclude that the risk of management misrepresentation in the financial statements is such that an audit cannot be conducted.
Components of internal control: The entity's risk assessment process
An entity's RAP is its process for identifying and responding to business risks and the results thereof
The auditor should obtain an understanding of the entity's process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks and the results thereof.
Risks can arise or change due to circumstances such as:
Changes in operating environment
New personnel
New information systems
Rapid growth
New technology
New business modeis, products, activities
Corporate restructurings
Expanded foreign operations
New accounting pronouncements
Components of internal control: The entity's risk assessment process
Evaluation of the design and implementation of the RAP:
How does management identify business risks
How does management estimate the significanee of the business risks
How does management assess the likelihood of their occurrence
How does management decide upon actions to manage business risks
Components of internal control: Information system, including the related business processes relevant to financial reporting
The auditor should obtain an understanding w.r.t. the following areas:
The classes of transactions that are significant to the financial statements
The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and reported in the financial statements
The related accounting records, supporting information and specific accounts in the financial statements in respect of initiation, recording, processing and reporting transactions
How the information system captures events and conditions other than classes of transactions, that are significant to the financial statements
The financial reporting processes used to prepare the entity's financial statements, including significant accounting estimates and disclosures
Components of internal control: Control activities
Control activities are the policies and procedures that help ensure that management directives are carried out:
Authorization
Performance reviews
Information processing
Physical controls
Segregation of duties
Components of internal control: Monitoring of controls
An important management responsibility is to establish and maintain internal controls on an ongoing basis
Monitoring of controls is a process to assess the quality of internal control over time; it involves:
Assessing the design and operation of controls on a timely basis
Taking necessary corrective actions
The auditor should obtain an understanding of the e) internal control relevant to the audit
Components of internal control ? Auditors may use different terminology or frameworks to describe the various aspects of internal control and their effect on the audit, than those used in this ISA, provided all the components described in this ISA are addressed.
The auditor should obtain an understanding of the e) internal control relevant to the audit
Internal controls relate to, and are relevant to an audit as follows:
Financial reporting: IC w.r.t. financial statements for external purposes; professional judgement w.r.t. the relevance of an IC
Operations: if the IC pertains to data the auditor evaluates and uses in applying audit procedures
Compliance: if the IC pertains to data the auditor evaluates and uses in applying audit procedures, e.g. detecting non-compliance with laws and regulations that may have an effect on the financial statements
Depth of understanding of internal control:
1. Evaluation of the design of the control
2. Test of the operating effectiveness of the control
Manual controls: operating effectiveness during the period under audit is to be tested
Automated controls: due to the inherent consistency of IT processing, validation of implementation may serve as a test of that control's operating effectiveness
Inquiry alone is not sufficient to evaluate the design of a control relevant to an audit and to determine whether it has been implemented.
The auditor should identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures
For all significant processes, identify points within the flow of transactions or process stream where there can be failures to achieve the following assertions:
Authorization: Management has defined and communicated criteria for recognizing economic events and authorizing transactions.
Completeness: All transactions and other events and circumstances that occurred during a specific period and should have been recognized in that period have, in fact, been recorded or considered. Therefore there are no unrecorded assets, liabilities or transactions and no omitted disclosures.
Accuracy: All, and only, economic events meeting management's criteria are converted to transactions accurately and accepted for processing on a timely basis. All accepted transactions are processed accurately in accordance with management's policies and on a timely basis. Events affecting more than one system result in transactions that are reflected by each system in the same accounting period.
Existence / occurrence: Recorded transactions represent economic events that actually occurred during a stated period of time.
Valuation: Assets, liabilities, revenues and expenses are recorded at appropriate amounts in accordance with relevant accounting principles.
Evaluation of balances: Report and database contents are periodically evaluated. Evaluation involves judgmental determinations of value, and provides reasonable assurance that reported information can be reconciled with reality.
Presentation, classification and disclosure: The captions, disclosures and other items in the financial statements are properly described and classified as well as fairly presented in conformity with generally accepted accounting principles.
Access to assets: Physical safeguards should permit access to assets only in accordance with management's authorization.
Substantiation of balances: Report and database contents should be periodically substantiated. Substantiation is an independent check of processing results, and is most effective if completed in an environment in which there is segregation of incompatible duties. There is reasonable assurance that reported information can be reconciled with reality.
Rights and obligations: Assets and liabilities reported on the balance sheet are bona fide rights and obligations of the entity as of that point in time.
Management should clearly identify the personnel who have primary custodial responsibility for each category of assets, critical forms and records, processing areas and processing procedures. To the extent possible, responsibility for the physical custody of an asset should be vested in employees who have no responsibility for, and are denied access to, accounting for the asset, and vice versa.
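The application-control objectives listed earlier (completeness, accuracy, authorization, validity) and the assertions in the table above are stated abstractly. The following is an added example, not part of the seminar slides or of the COSO/PwC material, of what checking them over a posted batch of transactions looks like in code: a sequence-number check for completeness, an approver-roster and segregation-of-duties check for authorization, an open-period check for validity, and a batch-total reconciliation for accuracy. The batch, the approver roster, the open period and the control total are all constructed for the illustration; in practice they come from the source system and the role directory.

```python
"""Application-control checks over a posted batch of transactions.

Added example, not from the seminar slides or the COSO/PwC material.
The batch, the approver roster, the open period and the control total
are constructed for the illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Txn:
    seq: int                 # sequence number assigned by the source system
    amount_cents: int        # integer cents: the reconciliation must be exact
    initiator: str           # user who entered the transaction
    approver: Optional[str]  # user who approved it; None if not approved
    posting_date: date


# Hypothetical role assignment and open accounting period (constructed).
APPROVERS = frozenset({"bob", "carol"})
OPEN_PERIOD = (date(2007, 5, 1), date(2007, 5, 31))

# (control objective, sequence number or None for batch-level, detail)
Finding = Tuple[str, Optional[int], str]


def check_batch(txns: List[Txn], control_total_cents: int,
                approvers=APPROVERS, period=OPEN_PERIOD) -> List[Finding]:
    """Return one finding per control failure; an empty list means the batch passes."""
    findings: List[Finding] = []
    if not txns:
        return [("completeness", None, "empty batch")]

    # Completeness: every sequence number from lowest to highest must appear
    # exactly once. A gap is an unrecorded transaction, a repeat a double posting.
    counts = Counter(t.seq for t in txns)
    for seq in range(min(counts), max(counts) + 1):
        if seq not in counts:
            findings.append(("completeness", seq, "sequence gap: transaction not recorded"))
        elif counts[seq] > 1:
            findings.append(("completeness", seq, f"sequence number recorded {counts[seq]} times"))

    for t in txns:
        # Authorization: approved by someone on the approver roster who is not
        # the initiator (segregation of duties between entry and approval).
        if t.approver is None:
            findings.append(("authorization", t.seq, "no approval recorded"))
        elif t.approver not in approvers:
            findings.append(("authorization", t.seq, f"approver {t.approver!r} not on approver roster"))
        elif t.approver == t.initiator:
            findings.append(("authorization", t.seq, "initiator approved own transaction (segregation of duties)"))
        # Validity: the transaction must fall in the open period and carry a
        # positive amount, i.e. it must correspond to a real economic event.
        if not period[0] <= t.posting_date <= period[1]:
            findings.append(("validity", t.seq, f"posting date {t.posting_date} outside open period"))
        if t.amount_cents <= 0:
            findings.append(("validity", t.seq, "non-positive amount"))

    # Accuracy: the batch total must reconcile to the control total carried
    # over from the source system (a batch total / hash total control).
    total = sum(t.amount_cents for t in txns)
    if total != control_total_cents:
        findings.append(("accuracy", None,
                         f"batch total {total} does not reconcile to control total {control_total_cents}"))
    return findings


# Constructed sample batch: one clean line and four lines with deliberate control failures.
SAMPLE_BATCH = [
    Txn(1001, 12_500, "alice", "bob",   date(2007, 5, 3)),   # clean
    Txn(1002,  4_200, "bob",   "bob",   date(2007, 5, 7)),   # initiator == approver
    Txn(1004,  9_900, "dave",  None,    date(2007, 5, 12)),  # not approved; 1003 never posted
    Txn(1004,  9_900, "dave",  "carol", date(2007, 5, 12)),  # same sequence number twice
    Txn(1005, 30_000, "alice", "erin",  date(2007, 6, 2)),   # unknown approver, wrong period
]
SAMPLE_CONTROL_TOTAL = 56_600  # constructed: the source system's total, which has 1004 only once

# Constructed batch that passes every check.
CLEAN_BATCH = [
    Txn(7, 100, "alice", "bob",   date(2007, 5, 2)),
    Txn(8, 250, "alice", "carol", date(2007, 5, 9)),
]
CLEAN_CONTROL_TOTAL = 350


if __name__ == "__main__":
    for finding in check_batch(SAMPLE_BATCH, SAMPLE_CONTROL_TOTAL):
        print(finding)
```

Each finding names the control objective it belongs to, which is what the auditor needs when relating a control failure back to the assertion level: the sequence gap at 1003 is a completeness finding, the initiator approving their own transaction is an authorization (segregation of duties) finding, and the batch total that does not reconcile to the control total is an accuracy finding. The checks are independent of one another, so the duplicated sequence number 1004 is reported once under completeness while its unapproved copy is reported separately under authorization.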
Assessing risk: the auditor should identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures
4 step approach: Identify risk
Relate risk to potential error at the assertion level
Determine the magnitude of the potential error
Consider the likelihood of the potential error
The auditor should identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures
4 step approach - example
Identify risk: discounts granted in the retail sector
Relate risk to potential error at the assertion level:
Existence: have the reported discounts actually been earned?
Completeness: have all discounts been reported?
Timing: have the discounts been reported in the correct period?
Classification: may the discounts be taken to income, or must they be charged wholly or partly to inventory?
Determine the magnitude of the potential error
Consider the likelihood of the potential error
Identification of significant risks (professional judgement)
Significant risks often relate to significant non-routine transactions:
Greater management intervention to specify the accounting treatment
Greater manual intervention for data collection and processing
Complex calculations or accounting principles
The nature of non-routine transactions, which may make it difficult for the entity to implement effective controls over the risks
and to judgmental matters:
Required judgment may be subjective, complex or require assumptions about the effects of future events
Identification of significant risks
For significant risks, the auditor should evaluate the design of the entity's related controls, including relevant control activities, and determine whether they have been implemented
In circumstances where the auditor obtains audit evidence that tends to contradict the audit evidence on which the auditor originally based the risk assessment, the auditor revises the assessment and modifies the further planned audit procedures accordingly.
Objective: establish standards and provide guidance on determining overall responses and designing and performing further audit procedures to respond to the assessed risks of material misstatement at the financial statement and assertion levels in a financial statement audit.
This ISA requires the auditor to:
- Determine overall responses to address risks of material misstatement at the financial statement level
- Design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement at the assertion level
- Evaluate whether the risk assessment remains appropriate and conclude whether sufficient appropriate audit evidence has been obtained
- Document his work
The auditor should design and perform audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement at the assertion level.
- Provide a clear linkage between the nature, timing and extent of the further audit procedures and the assessed risks of material misstatement at the assertion level
- Elements to consider:
  - Significance of the risk
  - Likelihood that a material misstatement will occur
  - Characteristics of the class of transactions, account balance or disclosure involved
  - Nature of the specific controls used by the entity (manual / automated)
The auditor's assessment of the identified risks at the assertion level provides a basis for considering the appropriate audit approach: tests of controls versus substantive procedures.
Substantive procedures only, when:
- No effective controls, relevant to the assertion, were identified
- Testing the operating effectiveness of controls would be inefficient
Often a combined approach, using both tests of the operating effectiveness of controls and substantive procedures, is an effective approach.
When performing only substantive procedures for the relevant assertion, the auditor needs to be satisfied that these procedures are effective in reducing the risk of material misstatement to an acceptably low level.
Considering the nature, timing and extent of further audit procedures
Nature
Purpose: tests of controls versus substantive procedures
Type:
- Inspection (e.g. review of journals, invoices, contracts ...)
- Observation
- Inquiry (e.g. questioning of management)
- Confirmation
- Recalculation
- Reperformance
- Analytical procedures
Considering the nature, timing and extent of further audit procedures
Nature - selection is based on the assessment of risk
- High assessed risk: more substantive procedures; the higher the risk, the more reliable and relevant is the audit evidence sought by substantive procedures
- The nature of the audit procedure is the most important consideration
- Increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk
Considering the nature, timing and extent of further audit procedures
Timing refers to when audit procedures are performed, or the period or date to which the audit evidence applies.
Extent includes the quantity of a specific audit procedure to be performed. The extent of an audit procedure is determined by the judgement of the auditor after considering:
- the materiality,
- the assessed risk and
- the degree of assurance the auditor plans to obtain.
Extent: the use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files.
Tests of controls
The auditor is required to perform tests of controls when:
- The auditor's risk assessment includes an expectation of the operating effectiveness of controls
- Substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level
- The entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system
The purpose of the test is to obtain sufficient appropriate audit evidence that the controls for which the auditor has determined that they are suitably designed to prevent, detect and correct a material misstatement in an assertion (key controls) were operating effectively at relevant times during the period under audit.
Tests of controls
When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that controls operate effectively; this includes obtaining audit evidence about:
- How controls were applied at relevant times during the period under audit
- The consistency with which they were applied
- By whom or by what means they were applied
Nature of tests of controls
The auditor should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls, since inquiry alone is not sufficient.
The type of audit procedure is influenced by the nature of the control to be tested (e.g. is documentation of the control available?).
Misstatements that the auditor detects by performing substantive procedures are considered by the auditor when assessing the operating effectiveness of related controls.
A material misstatement detected by the auditor's procedures that was not identified by the entity is ordinarily indicative of the existence of a material weakness in internal control.
Tests of controls - timing of tests of controls
The timing of tests of controls determines the period of reliance on those controls. The timing depends on the objective of the test: is evidence required as to the effectiveness at a particular point in time, or throughout a period?
- Test at a particular time: audit evidence is obtained that the controls operated effectively at that time (this might be sufficient for audit purposes, e.g. when testing controls over the entity's physical inventory counting at the period end)
- Test throughout a period: audit evidence is obtained that the controls operated effectively during that period
When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period: evidence obtained as to the operating effectiveness of controls at an interim date must be supplemented by additional evidence for the remaining period.
If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in prior audits, the auditor:
- should obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit (inquiry combined with observation or inspection);
- if the auditor plans to rely on controls that have changed since they were last tested, should test the operating effectiveness of such controls in the current audit;
- if the auditor plans to rely on controls that have not changed since they were last tested, should test the operating effectiveness of such controls at least every third year.
Professional judgement with respect to:
- reliance or not on audit evidence obtained in prior audits
- the length of the time period between retesting
When there are a number of controls for which the auditor determines that it is appropriate to use audit evidence obtained in prior audits, the auditor should test the operating effectiveness of some controls in each audit:
- No: all controls on which the auditor relies are tested in one single audit period, with no testing in the subsequent two audit periods
- Yes: a sufficient portion of the controls is tested in each audit period and, at a minimum, each control is tested at least every third audit
Tests of controls - timing of tests of controls
Elements that shorten the time interval between tests:
- a weak internal control environment
- staff turnover
- weak general IT controls
- changed circumstances that indicate a need for changes in the controls
Tests of controls - timing of tests of controls
When:
- an assessed risk of material misstatement is determined to be a significant risk, and
- the auditor plans to rely on the operating effectiveness of controls intended to mitigate that significant risk,
the auditor should obtain the audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period.
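The timing rules above (current-period testing for significant risks and changed controls, retesting unchanged controls at least every third year, testing some controls in every audit, and shortening the interval when the environment is weak) can be encoded as a planning check. The following Python is an added example and not part of the seminar material; the two-year shortened interval and the choice of which controls to pull forward are assumptions, since the notes do not quantify them.

```python
"""Planner for the timing of tests of controls (added example, not seminar material).

Rules encoded from the notes above:
  * control mitigates a significant risk the auditor relies on -> test this period
  * control changed since it was last tested                   -> test this period
  * unchanged control                                           -> retest at least every third year
  * a sufficient portion of the relied-upon controls is tested in each audit
  * a weak control environment, staff turnover, weak general IT controls or
    changed circumstances shorten the interval between tests
The notes do not say by how much the interval shrinks; SHORTENED_GAP_YEARS is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_GAP_YEARS = 3        # "at least every third year"
SHORTENED_GAP_YEARS = 2  # assumption: interval once a shortening factor is present

SHORTENING_FACTORS = {
    "weak control environment",
    "staff turnover",
    "weak general IT controls",
    "changed circumstances",
}


@dataclass
class Control:
    name: str
    last_tested: Optional[int]        # audit year in which operating effectiveness was last tested
    changed_since_test: bool = False  # established by inquiry combined with observation/inspection
    significant_risk: bool = False    # auditor relies on this control to mitigate a significant risk
    factors: List[str] = field(default_factory=list)  # shortening factors present this year


def must_test_now(control: Control, current_year: int) -> Tuple[bool, str]:
    """Decide whether operating effectiveness must be tested in the current audit.

    Returns (decision, reason). Check order matters: the current-period
    requirements for significant risks and changed controls override any
    reliance on evidence obtained in prior audits.
    """
    if control.last_tested is None:
        return True, "no prior audit evidence on operating effectiveness"
    if control.significant_risk:
        return True, "significant risk: evidence must come from current-period tests"
    if control.changed_since_test:
        return True, "control changed since it was last tested"
    unknown = [f for f in control.factors if f not in SHORTENING_FACTORS]
    if unknown:
        raise ValueError(f"unrecognised factor(s) for {control.name}: {unknown}")
    gap = SHORTENED_GAP_YEARS if control.factors else MAX_GAP_YEARS
    if current_year - control.last_tested >= gap:
        return True, f"last tested {control.last_tested}; maximum interval of {gap} years reached"
    return False, f"prior evidence from {control.last_tested} may be relied on (retest by {control.last_tested + gap})"


def plan_tests(controls: List[Control], current_year: int,
               min_tested: int = 1) -> Dict[str, Tuple[bool, str]]:
    """Apply must_test_now to each control, then enforce that some controls are
    tested in every audit (no 'all at once, then nothing for two years').
    Which controls are pulled forward is an assumption: the longest untested.
    """
    plan = {c.name: must_test_now(c, current_year) for c in controls}
    shortfall = min_tested - sum(1 for tested, _ in plan.values() if tested)
    if shortfall > 0:
        deferred = [c for c in controls if not plan[c.name][0]]
        deferred.sort(key=lambda c: c.last_tested)  # oldest evidence first; None never lands here
        for c in deferred[:shortfall]:
            plan[c.name] = (True, "pulled forward so that some controls are tested each audit")
    return plan


if __name__ == "__main__":
    # Constructed sample population for audit year 2007 (hypothetical controls).
    sample = [
        Control("A: three-way match on purchase invoices", last_tested=2004),
        Control("B: monthly bank reconciliation", last_tested=2006),
        Control("C: credit-limit check", last_tested=2006, changed_since_test=True),
        Control("D: discount accrual review", last_tested=2005, factors=["staff turnover"]),
        Control("E: revenue cut-off review", last_tested=2006, significant_risk=True),
        Control("F: fixed-asset additions approval", last_tested=2005),
    ]
    for name, (test, why) in plan_tests(sample, 2007).items():
        print(f"{'TEST' if test else 'RELY'}  {name}: {why}")
```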
Tests of controls - extent of tests of controls
Tests of controls are designed to obtain sufficient audit evidence that the controls operated effectively throughout the period of intended reliance. Elements to consider in determining the extent of the tests of controls:
- Frequency of the performance of the control by the entity during the period
- The length of time during the audit period that the auditor is relying on the operating effectiveness of the control
- The relevance and reliability of the audit evidence to be obtained
- The extent to which audit evidence is obtained from tests of other controls related to the assertion
- The extent to which the auditor plans to rely on the operating effectiveness of the control (and thereby reduce substantive procedures based on the reliance on such control)
Substantive procedures
Irrespective of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for each material class of transactions, account balance and disclosure.
The auditor always performs substantive procedures for each material class of transactions, account balance and disclosure. This requirement reflects:
- The fact that the auditor's assessment of risk is judgmental
- The fact that there are inherent limitations to internal control, including management override
Accordingly, while the auditor may determine that the risk of material misstatement may be reduced to an acceptably low level by performing only tests of controls for a particular assertion related to a class of transactions, the auditor always performs substantive procedures for each material class of transactions, account balance and disclosure.
Substantive procedures
The auditor's substantive procedures should include the following audit procedures related to the financial statement closing process:
- Agreeing the financial statements to the underlying accounting records
- Examining material journal entries and other adjustments made during the course of preparing the financial statements
Substantive procedures - significant risks
When the auditor determines that an assessed risk is a significant risk, the auditor should perform substantive procedures that are specifically responsive to that risk.
Substantive procedures - nature of substantive procedures
- Substantive analytical procedures: appropriate for large volumes of transactions that are predictable over time
- Tests of details: more appropriate for certain assertions, e.g. existence and valuation
In some situations, the auditor may determine that performing only substantive analytical procedures may be sufficient to reduce the risk of material misstatement to an acceptably low level.
[Figure: overview of the response to assessed risks. Rows: assessment of risks of material misstatement at financial statement level; assessment of risk of material misstatement at assertion level; tests of operating effectiveness of controls; substantive procedures. Columns: significant risks / not significant risks.]
Determine overall responses to address risks of material misstatement at the financial statement level.
Tests of operating effectiveness of controls: mandatory when:
- the auditor's assessment of risks of material misstatement at the assertion level includes an expectation that controls are operating effectively;
- the auditor has determined that it is not possible to reduce the risk of material misstatement through substantive tests alone.
Inquiry is not sufficient to determine the operating effectiveness of controls (description, walk-through to validate understanding, test of effectiveness).
Otherwise optional.
Often a combined approach (tests of operating effectiveness of controls and substantive procedures) is an effective approach. Substantive procedures alone may be sufficient when no effective controls relevant to the assertion were identified, or when testing the operating effectiveness of controls would be inefficient.
When performing only substantive procedures for the relevant assertion, the auditor needs to be satisfied that these procedures are effective in reducing the risk of material misstatement to an acceptably low level.
Substantive procedures: mandatory.
Irrespective of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for each material class of transactions, account balance and disclosure. This requirement reflects the fact that a) the auditor's assessment of risk is judgmental and b) there are inherent limitations to internal control, including management override.
When a significant risk has been identified at the assertion level, substantive procedures should be performed that are specifically responsive to that risk.
Substantive procedures should always include:
* agreeing the financial statements to the underlying records
* examining material journal entries and other adjustments made during the course of preparing the financial statements
* audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, is in accordance with the applicable financial reporting framework.
Extent
The higher the risk, the more reliable and relevant is the audit evidence sought by substantive procedures.
General auditing standards
The statutory auditor will base his opinion, among other things, on the examination of the system of internal control, the effectiveness of which he will verify by means of sampling. If internal control operates adequately, the statutory auditor's examination may be limited to appropriate sampling. Where serious deficiencies are found, however, he must adapt his audit work and carry out a more in-depth audit. Under no circumstances can or may the external audit replace the system of internal control.
The general auditing standards are usefully supplemented by ISA 315, which is more closely aligned with the COSO ERM framework.
Corporate governance code - audit committee
At least once a year, the audit committee reviews the internal control and risk management systems set up by executive management, in order to satisfy itself that the main risks (including risks relating to compliance with existing legislation and regulations) are properly identified, managed and brought to its attention.
The audit committee reviews the statements on internal control and risk management included in the annual report.
Representation letter
Partly as a result of the evolution of the international auditing standards (International Standards on Auditing, ISAs), the audit recommendation "Confirmation by management" (approved by the Council on 6 June 1997) has been thoroughly revised and updated.
The updated auditing standard (in force for the audit of financial statements for financial years ending on or after 31 December 2006) provides, as one of the representations by management, the acknowledgement of its responsibility for the design and implementation of internal control aimed at achieving the entity's stated financial reporting objective, including the design and implementation of internal control measures aimed at preventing and detecting fraud and errors.
The following remarks apply to this representation:
- Under the current wording, management acknowledges its responsibility for the design and implementation of internal control, but gives no representation as to its adequate functioning over the reporting period. The current text of the draft representation letter is not in line with the exposure draft ISA 580 "Written Representations", which clearly goes much further: "The auditor shall request relevant parties to provide a written representation that they acknowledge and understand their responsibility for designing, implementing and maintaining internal control relevant to preparing and presenting financial statements that are free from material misstatement, whether due to fraud or error, and whether they believe that the internal control they have maintained is adequate for that purpose." We do not deny that at present there is no obligation for management to make a public statement on the functioning of internal control; however, the reasons invoked in the audit recommendation to support the statutory auditor's right to request a representation letter do not preclude asking management for an appreciation of the functioning of internal control over the audit period either. In that sense we consider that the statutory auditor is entitled to supplement the representation letter on this point.
- In the current wording of the representation letter, management confines itself to acknowledging its responsibility for internal control. Even in this weakened form, it should be pointed out that:
  - the weight of this representation is compromised by the fact that it is given without reference to any framework;
  - the notion of internal control, as confirmed by management, is focused on financial reporting and is thus far removed from the global and integrated approach of the COSO internal control framework, and even further from the ERM framework.
Annual report
The current wording of Article 96 of the Companies Code provides that the annual report must contain:
1° at least a fair review of the development and results of the business and of the position of the company, together with a description of the main risks and uncertainties it faces. This review contains a balanced and comprehensive analysis of the development and results of the business and of the position of the company, consistent with the size and complexity of the business.
8° as regards the company's use of financial instruments, and insofar as this is material for the assessment of its assets, liabilities, financial position and results:
- the company's objectives and policy regarding risk management, including its policy on hedging all major types of planned transactions for which hedge accounting is applied, as well as
- the price risk, credit risk, liquidity risk and cash flow risk to which the company is exposed.
The new auditing standard "Audit of the annual report on the (consolidated) financial statements" rightly points out that:
- No reference framework has been laid down by the legislator that would allow the governing body, and hence also the statutory auditor, to test the matters referred to in Article 96, 1°, including the description of the main risks and uncertainties, the non-financial performance indicators, and the information on environmental and personnel matters;
- As regards the aspects "description of the main risks and uncertainties it faces" referred to in Article 96, 1° of the Companies Code cited above, the notion "insofar as they are not of such a nature as to cause serious harm to the company", as mentioned in Article 96, 3° of the Companies Code, has not been carried over into the amended Article 96, 1° of the Companies Code, so that the company's governing body cannot invoke it.
Referring to the ERM Framework, the question arises whether the qualification "main" refers to the likelihood that a risk will occur (likelihood) or to the impact if a risk occurs (impact), or to a combination of both. From the wording of Article 96 we believe we may infer that:
- the risks and uncertainties intended are those which, from the combination of likelihood and impact, qualify as significant;
- the assessment of the significance of the risks is made at the level of inherent risk, i.e. without taking into account the effect of management actions for risk control and risk management.
Finally, the question arises how to proceed if the governing body fails to include a description of the main risks and uncertainties in the annual report.
The following possibilities can be distinguished. We start from the assumption that every enterprise is faced with risks and uncertainties.
Effective ERM | Reporting in annual report | Auditor's report: annual report | Auditor's report: going concern | Auditor's report: valuation of balance sheet items
Yes | Yes | 0 | 0 | 0
Yes | No | V | 0 | 0
No | Yes | 0 / V (1) | V | V
No | No | V | V | V
(1) In the current wording of the auditor's report, the statutory auditor does not express an opinion on the description of the main risks and uncertainties. Inconsistencies with the information available to the statutory auditor must, however, be reported.
Legislation introduced by US Government in response to Corporate Governance failures
Applicable to all companies with a NY Stock Exchange listing
Signed into law on 30th July 2002.
Most significant reform in the securities law since Securities & Exchange Commission (SEC) was created
Results in fundamental change in how Audit Committees, Management and Auditors interact and carry out responsibilities
The Sarbanes-Oxley Act - titles
Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability
What is purpose of Sarbanes-Oxley?
Restore public trust and confidence in the public securities market
Improve corporate governance and promote ethical business practices
Enhance transparency and completeness of financial statements and disclosures
Ensure that company executives are aware of material information emanating from a well-controlled environment
Hold company management accountable for material information that is filed with the SEC and released to investors
Achieve new levels of corporate financial reporting
The objectives
Upgrade disclosures
- §302 - management's quarterly certifications
- §401 - off-balance sheet disclosure requirements
- §404 - attestation on internal controls
- §409 - real-time disclosure of material changes
- §906 - CFO and CEO certification of compliance with filing requirements
Strengthen corporate governance
- §204 - increased communication between auditors and audit committee
- §301 - rules governing audit committees
- §402 - prohibits future loans to officers and directors
- §407 - requirements and disclosures regarding a financial expert in the audit committee
Expand insider accountability
- §305 - rules on management ethics
- §306 - rules on insider trading during pension blackout periods
- §403 - requires accelerated ...
- §406 - code of ethics disclosures
- §806 - makes it illegal to retaliate against whistleblowers
Increase oversight
- §101/2 - rules for public accounting firms
- §103 - rules governing public accounting firms
- §108/9 - issuers may be charged with fees for the FASB
- §408 - expanded SEC review of 10-Q and 10-K
- §301 - requires lawyers to report evidence of a material securities law violation
Broaden sanctions
- §304 - rules on CFO / CEO forfeiture of bonus
- §804 - extends statute of limitations on fraud allegations
- §1102 - establishes broader criminal penalties
- §105/802 - increased penalties for accountants
Heighten auditor independence
- §201 - prohibits the auditor from providing specific non-audit services
- §202 - requires pre-approval by the audit committee of all non-audit fees engaged with the auditor
- §203 - requires lead and concurring audit partner rotation
- §206 - requires a "cooling-off" period before auditors can work at audit clients
Increase trust in auditors
- Title I - establishment of the PCAOB
Requirements of §404
Internal control over financial reporting
SOX section 404 requires a company to report annually on the adequacy of the design and effectiveness of internal control over financial reporting:
- To be ultimately signed by the CEO and CFO and independently attested by the external auditors (under PCAOB standards);
- To be filed in conjunction with the Annual Report (SEC Form 20-F), for the fiscal year 2005 and onwards;
- For non-US-based companies, compliance has been postponed until 2006.
Requirements
Requires management to annually:
- State their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting
- Conduct an assessment of the effectiveness of the company's internal controls and procedures for financial reporting
Requires the independent external auditor to provide two opinions:
- An assessment of management's evaluation of the company's internal control over financial reporting
- Its own independent evaluation based on its review and testing of the company's internal control over financial reporting
Practical terms
- Management documents the key controls relevant to the financial reporting of material processes
- Management evaluates the effectiveness of the key controls through testing
- Management assesses and reports the results of that evaluation
- External auditors review management's attestation and supporting process and attest to its reliability
- The evaluation is embedded as an ongoing process which is reviewed and updated during each reporting period
Internal levels
For compliance with §404, a maturity level of 3-4 is required
Material deficiencies must be disclosed
Requirements
Section 302 - quarterly evaluation of disclosure controls and procedures (DC&P) and disclosure of conclusions regarding the effectiveness of DC&P
- Quarterly / annual disclosure in the 302 certification of material changes in internal control over financial reporting
- Evaluation date is as of the end of the period covered by the report
- Section 302 certifications are filed as exhibits to all applicable SEC reports
- Latitude for issuers in determining which internal controls over financial reporting are included in the company's inventory of disclosure controls and procedures under Section 302
Section 404 final rule
Compliance date
- Most domestic clients: for fiscal years ending on or after 15 November 2004
- Foreign private issuers: for fiscal years ending on or after 15 July 2006
Definition of "internal control over financial reporting"
- Encompasses internal controls addressed in the COSO Report that pertain to financial reporting objectives
Includes controls over safeguarding assets
Management's report to include statements of:
Management's responsibility for establishing and maintaining adequate internal control over financial reporting
Management's assessment of the effectiveness of such controls
Identification of the framework used to evaluate effectiveness
Attestation made by external auditor
[Figure: Sarbanes-Oxley compliance roadmap. Steps: 1. Plan and scope; 2. Perform risk assessment; 3. Identify significant accounts and controls; 4. Document control design; 5. Evaluate control design; 6. Evaluate operational effectiveness (annual); 7. Identify and remediate deficiencies (significant deficiency, material weakness, remediation); 8. Document process and results (internal sign-off 302/404); 9. Build sustainability. Source: www.erm.coso.org]
Internal control over financial reporting - definition
Process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP, and includes policies and procedures that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company.
.. ~ Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company.
... Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.
[Figure: example of the PCAOB linkage for the Purchases/Payables process. Control objectives and controls: Completeness - Controls A, B, C; Accuracy - Controls D, E, F, G; Validity - Controls H, I; Restricted Access - Controls J, K, L. Significant accounts (e.g. Consulting Expense, Accounts Payable) are linked to the relevant financial statement assertions (completeness, accuracy/validation, cutoff). Significant process - significant account or disclosure - relevant financial statement assertions - controls.]
Linking controls to financial statement assertions
Management's responsibility
Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.
Section 404 final rule - documentation guidance
Guidance on controls subject to management's assessment:
- Controls over initiation, recording, processing and reconciling accounts, transactions and disclosures, and the related assertions in the financial statements
- Controls related to the initiation and processing of non-routine and non-systematic transactions
- Controls related to the selection and application of appropriate accounting policies
- Controls related to the prevention, identification and detection of fraud
Reiteration of guidance regarding auditor independence:
- Auditors may assist management in documenting internal controls
- Management must be actively involved in the process; it cannot delegate assessment responsibility to the auditor
- The registered public accounting firm's attestation report must be filed as part of the annual report
Management's documentation
The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements - all five components, including the control environment and company-level controls.
Information about how significant transactions are initiated, authorized, recorded, processed and reported.
Sufficient information about the flow of transactions to identify where material misstatements due to error or fraud could occur.
Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties.
Controls over the period-end financial reporting process.
Controls over safeguarding of assets.
The results of management's testing and evaluation.
Section rule - Management's responsibilities
Management's assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness. Inquiry alone will generally not provide an adequate basis for assessment.
Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.
What
A documented internal control structure that includes all relevant policies, procedures and operating principles
A structure that is robust and able to deal with the changes of a dynamic organisation
A structure designed to be kept current on a real-time basis
An infrastructure to support the internal control structure that facilitates communication, reporting, training, incident identification and issues management
An infrastructure that facilitates roll-up certifications, acknowledgements and monitoring
An infrastructure that facilitates management's ability to have confidence that the control structure is effective and one that can be tested
An infrastructure that can support monitoring the completion of applicable control procedures on a real-time basis
A dashboard confirming ability to sign certification
registrants
Sarbanes-Oxley and other internal control regulations require companies to demonstrate:
Documented, presentable and auditable business processes and process controls over all major activities within an entity
Process for updating control systems and documentation continuously
Process for monitoring and testing internal control effectiveness
Ability to demonstrate performance of internal control effectiveness assessment
Roles
CEO, CFO, Audit Committee
Location: Centralised (corporate)
Analysis and reporting:
• High-level review of control assessment and testing results, ratings, issues and remediation plans, as aggregated for the company
• Drill-down capability to supporting detail as needed
Perform:
• Sign-off on internal control report/certification for the company
SOA Project Leadership Team
Location: Centralised (corporate)
Supervising and coordinating activities:
• Set up of project scope, structure and methodology
• Develop and distribute central project guidelines and documentation requirements
• Track progress on completion of SOA project and sign-offs
Analysis and reporting:
• Identify cross-organizational control issues and facilitate remediation
Business Unit SOA Champions
Location: Decentralised (business units)
Facilitate SOA compliance at business unit level:
• Ensure completeness and accuracy of control documentation and testing within the business unit
• Identification/review of issues and remediation plans
• Sign-off on business unit controls
Roles
Internal Audit
Location: Centralised (corporate)
Analysis and reporting:
• Control assessment/testing results
• Track control issues and remediation plans (consider leveraging the existing Internal Control Web Follow-Up Tool)
Perform:
• Support corporate and Entity/Branch management in the assessment and testing of controls
• Assist management in defining control maturity target ratings
• Identify common control issues and facilitate coordination of remediation plans
External Auditors
Locations: Corporate & business units
Analysis and reporting:
• Review and confirm adequacy of management's internal control report
• Review any material weaknesses and significant deficiencies
Perform:
• Conduct process walkthroughs
• Conduct control assessments/tests as necessary to obtain the requisite level of assurance
• Provide attestation to the internal control report