Disclosure

Copyright 2003 by Institute of Internal Auditors - Research Foundation, Inc. 247 Maitland Avenue, Altamonte Springs, Florida 32701. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means -- electronic, mechanical, photocopying, recording, or otherwise -- without prior written permission of the publisher.

This document was created and intended for the use of members of The Institute of Internal Auditors and the management and boards of the companies that they serve. IIA members may reproduce and distribute copies for use within their organizations. The IIARF publishes this document for informational and educational purposes. This document is intended to provide information, but is not a substitute for legal or accounting advice. The IIA does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document. When legal or accounting issues arise, professional assistance should be sought and retained.

The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors' Guidance Task Force to appropriately organize the full range of existing and developing practice guidance for the profession. Based on the definition of internal auditing, the PPF comprises Ethics, Standards, Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing. This guidance fits into the Professional Practices Framework under the heading Development and Practice Aids.
ALLTEL's process also has attributes which will not be in every company's certification process:
- Coverage of all three COSO objectives of internal control, not just financial reporting and disclosure controls.
- Process designed and administered by internal audit.
- Use of facilitated CSA workshops.
- Use of an activity-level CSA survey similar to entity-wide questionnaires used by some other companies.
ALLTEL's robust CSA process involves much more effort from the units than Sarbanes-Oxley requires. Internal audit sells this process for its inherent value rather than as a compliance requirement. They have found management at all levels to be very supportive, willing to make the effort involved, and appreciative of the results. At the time of this writing, ALLTEL had conducted more than 60 CSA projects and had just completed a major revision of their process. They expect further enhancements as they continue to use the process.

How The Process Works

1. Workshop participants are usually the supervisor, manager, director level, and sometimes the VP. Internal audit has a one-hour meeting with participants 2-3 weeks before the workshop. In this meeting, they explain the process (in effect, train the participants) and get buy-in for the process.

2. Before the workshop, participants:
- Complete the Internal Control System Survey.
- Prepare or update a flowchart of the process (when applicable).
- Define the business objectives of the process.
3. During the 4-hour workshop, participants:
- Discuss the Internal Control System Survey results. This is usually brief, with the survey results serving as background for the detailed assessment that follows. The group will discuss any unusual results (e.g., statements for which there is significant disagreement).
- Identify the controls that help accomplish the business objectives.
- Identify the threats (i.e., risks) to accomplishing the objectives.
- Assess the unmitigated level of each threat to the process as high-medium-low (i.e., the inherent level of each threat, without taking controls that mitigate the threat into account).
- Map controls to threats and identify additional controls when applicable.
- Identify the primary controls.
- Assess the effectiveness of each control (subjectively, based on the knowledge and consensus of the group).
- Assess the mitigated (i.e., actual or residual) impact and probability of each threat and determine the overall risk score (i.e., residual risk).
- Develop action plans to improve controls where necessary.

Note on the survey results: After the workshop, internal audit enters the survey results into a Control and Risk Knowledgebase, together with the results of the detailed analysis from the Control and Risk (CAR) Assessment Report. Individual workshop results then aggregate into results for ALLTEL as a whole and support the Section 302 and 404 certifications. Survey results are especially meaningful when aggregated. They may indicate pervasive issues for which upper management develops action plans.

Note on the order of analysis: The order of the analysis is unusual and worth considering. The usual order is objectives-risks-controls. ALLTEL finds that objectives-controls-risks is a more positive approach, and participants are more likely to identify important controls that contribute to the overall control environment rather than to a specific threat. Later in the analysis, when they map controls to threats and assess the level of each threat, they identify any risk-mitigating controls that may have been missed.
Note: Participants do not categorize objectives and controls by COSO during the workshop. One of the facilitators monitors the control components during the workshop to ensure adequate coverage and does the categorization behind the scenes or later.

4. After the workshop:
- Participants test each control identified during the workshop and complete the Control and Risk Assessment Test of Controls worksheet.
- Internal audit tests a sample of the primary controls and documents their testing and conclusions in the audit workpapers.
- Internal audit completes the Control and Risk (CAR) Assessment Report. Most of the fields in this report are self-explanatory. Here are some explanatory notes for those that might not be:
  - Internal audit completes the last row of the General Information section as the last step in the evaluation. They use stoplight colors (green, yellow, red) to rate each COSO Component. They also rate the overall process risk, given the current state of controls: first the Impact, then an overall Score which includes Impact and Probability.
  - In the Business Objectives section, internal audit categorizes each objective as Financial, Operational, or Compliance. Workshop participants estimate the percentage of resources they devote to each objective.
  - In the Threat Identification section, internal audit assigns each threat identified in the workshop to a Threat Category and Threat Source. These classifications are found in the Control and Risk Assessment Supplement. The Objective Threat Rating - Unmitigated is the participants' rating of the level of risk each threat would pose to achieving the process objective if it were not mitigated by controls.
  - In the Control Identification and Assessment section, internal audit classifies each control according to its COSO Component and Control Component (ALLTEL's modification of the COSO Factors; see the Control and Risk Assessment Supplement). For the Participant Control Rating and IA Control Rating, they use the four-point scale in the Control and Risk Assessment Supplement. The owners rate every control. When the CSA is stand-alone, internal audit only rates the controls they tested. When the CSA is done within an audit project, internal audit tests and rates the primary controls.
  - In the Current Risk Exposure and Control Improvement section, they describe each Current Risk Exposure (i.e., control weakness). They assess the Impact, Probability, and combined Score of each exposure, using the Risk Level Grid in the Control and Risk Assessment Supplement, and record the action plan, owner, and action date for completion.
- When the CAR Report is complete, the process owner signs it, certifying the results. Internal audit tracks the progress of all control improvements rated moderate or above.
5. At year end: All process owners complete a Control Self-Assessment Acknowledgement stating whether any material changes have occurred within the process and/or environment since the last CAR assessment. If changes have occurred, they update the CAR. They also certify that controls are in place and working effectively, or that action plans have been put in place to ensure effectiveness as of the year-end date.
Notes on the Process

ALLTEL has an audit staff of 15. Two auditors are assigned to CSA full time, and the rest of the audit staff participate in the CSAs during assigned audits and as needed. About 15% of the department's time is devoted to CSA. ALLTEL focused on Finance and Accounting initially and completed CSAs for approximately 60 sub-processes in 2 months. They will expand into operational areas and facilitate approximately 200 CSAs in total by the end of 2003. The participants' time commitment varies, but is expected to be around 40 hours for the entire process, including 6-10 hours for controls testing. The preparation of the flowchart has been the largest expenditure of time, but this should become more efficient in future years. The COSO coding enables internal audit to roll results up to higher levels and upper management to develop action plans to improve high-level controls. The Threat Categories and Threat Sources serve a similar purpose. ALLTEL also has an external reporting department that has documented the disclosure process, and external audit tests this process fully. Internal audit reviews and tests the disclosure controls and procedures on a quarterly basis. ALLTEL anticipates that external audit will use the control documentation for the Section 404 testing, which should impact the engagement fees.
Control Environment
1. Management and employees demonstrate commitment to integrity and ethics.
2. Employees are aware of the ethics policies of the company.
3. Performance targets in my business unit are realistic and obtainable.
4. Employees in my work group have the knowledge, skills and training to perform their jobs adequately.
5. The assignment of responsibility and delegation of authority provide a basis for accountability and control.
6. Personnel turnover has NOT impacted my work unit's ability to effectively perform its function.
7. Integrity of financial and operational results always takes priority over reporting acceptable performance targets.
8. Job descriptions are documented and provided to the employees in my work group.
Risk Assessment
9. Management establishes business objectives consistent with company objectives and strategic plans.
10. Management establishes goals consistent with the business objectives and strategic plans of the company.
11. Goals are formally defined and monitored on a periodic basis.
12. Goals are effectively communicated to employees.
13. Management performs and documents a risk analysis periodically to identify and consider the implications of relevant risks at both the entity and the activity level.
14. Mechanisms are in place to identify and react to change that can impact the business objectives of the entity.
15. Sufficient resources, tools and time are available to accomplish my business objectives.
Control Activities
16. Policies and procedures are documented and communicated to the employees.
17. Control activities are in place to mitigate risks to the company.
18. Management periodically reviews the functioning of control activities and modifies as needed to meet changing needs.
19. Employees who steal from the company (i.e., physical property, money, information, time) will be discovered.
20. Policies and procedures for my work group allow employees to do their jobs effectively.
Monitoring
25. Ongoing monitoring activity occurs to assess the adequacy of the internal control systems.
26. Management is responsive to internal or external recommendations made by auditors or regulatory agencies to strengthen the internal control system.
27. Employee performance reviews are performed at appropriate intervals.
28. Management has enough information to monitor vendor performance.
29. Management has enough information to monitor customers' satisfaction or dissatisfaction (either internal or external).
30. Mechanisms are in place for capturing internal control deficiencies and reporting the deficiencies to upper management.
Risk Exposure: Impact ______ Score ______
BUSINESS OBJECTIVES

Columns of the Business Objectives section of the CAR Report:
- Business Objective Number: 1, 2, 3, 4.
- Business Objectives: End result statements of the business purpose of the process. These are ranked in order of importance.
- Process Activity: From the high-level process flow.
- Objective Category: F-O-C (Financial, Operational, Compliance).
- Estimated Percentage: Total = 100%.
THREAT IDENTIFICATION

Columns of the Threat Identification section of the CAR Report:
- Business Objective Number: 1, 2, etc.
- Threat ID: A, B, etc., through H (Threat Count: 8 in the example form).
- Threats to Achieving Objectives: A description of threats to the achievement of the business objective.
- Control Number: 1, 3, etc. (the controls mapped to the threat).
- Threat Category: See supplement for list.
- Objective Threat Rating - Unmitigated: High, Medium, Low.
- Threat Source: See supplement for list.
TEST OF CONTROLS

Columns of the Test of Controls worksheet: Controls; Scope of Testing; Testing Performed; Conclusion; Management Authorization; Date.

I hereby certify that I have taken appropriate steps and performed testing to validate that the internal controls identified above are operating effectively and as designed, except as otherwise noted above.

Signed ______________________________ Dated ______________________________
Discussion: Business objectives can be written for all levels of the corporation. Usually, strategic objectives are stated in broad terms. Sub-process objectives are written in very specific terms. Sub-process objectives often represent how strategic goals will be accomplished.

Strategic Objective: Maximize revenue assurance
- Process Objective 1: Maximize revenue assurance at the switch
  - Sub-Process Objective 1: Improve revenue assurance regarding dropped calls
- Process Objective 2: Improve capture of CDR information in the billing system
  - Sub-Process Objective 2: Ensure 3-way calls are captured in the billing system

The sub-process objectives are ways the respective process objectives can be achieved. The process objectives are different aspects of how the strategic objective can be achieved. Please note that none of the objectives talk about procedures, only end results.

Threat Identification and Assessment

THREAT CATEGORY
- Strategic Objectives
- Compliance
- Financial Reporting - External
- Fraud
- Business Environment
- Customer
- Technology
- Reputation
- Governance
- Management Reporting - Internal
- Safeguarding of Assets
- Operational Efficiency

THREAT SOURCE
- Budgetary Constraints
- Contractual and Legal Relationships
- Employee behavior
- Fraud
- Industry Competition
- Knowledge and Skills
- Management activities and controls
- Natural events
- Political Circumstances
- Process Design
- Technology, technology issues
100 Control Environment
- 101 Assignment of Authority and Responsibility
- 102 Board of Directors/Audit Committee
- 103 Commitment to Competence
- 104 External/Specialist Reviews
- 105 Human Resource Policies and Practices
- 106 Integrity and Ethical Values
- 107 Mgmt Philosophy and Operating Style
- 108 Organizational Structure
- 109 General Policies and Procedures
- 110 Self-Assessment/Quality Assurance Review
- 111 Supervision and Evaluation of Employee Performance

200 Risk Assessment
- 201 Strategic Objectives
- 202 Process Objectives
- 203 Sub-Process Objectives
- 204 Business Continuity Planning
- 205 Change Management
- 206 Threat Identification
- 207 Risk Assessment Activities
- 208 Planning and Budgeting
[Risk Level Grid: the table itself is not recoverable from the page; the surviving cells read "Medium 3 / high / significant" and "Low 2 / significant".]
PROBABILITY DEFINITIONS
- almost certain--control design and execution indicate high probability of control failure
- likely--control design and execution is unreliable
- moderate--controls mostly work as intended, but not always
- unlikely--control design and execution is consistent overall with few lapses
- rare--control design and execution are adequate and in place and working

IMPACT DEFINITIONS
- extreme--would threaten the survival of the process
- high--would threaten the continued effective function of the process and require top level management intervention
- medium--the process could be subject to significant review and/or modification
- low--would threaten the efficiency or effectiveness of the process but would be dealt with internally
- negligible--impact would be dealt with by routine procedures

CURRENT RISK RATING DEFINITIONS
- severe--must be managed by senior management with a detailed plan (e.g., CEO/CFO)
- high--detailed research and management planning required at senior levels (e.g., SVP/EVP)
- significant--management responsibility must be identified (e.g., VP)
- moderate--manage by specific monitoring or response procedures (e.g., Director/Manager)
- low--manage by routine procedures (e.g., Manager/Supervisor)
- very low/trivial--unlikely to need specific application of resources
Current risks rated moderate and above are included on the Monitoring report and tracked until control improvements have been successfully implemented.
Australian Risk Level Grid as modified by BellSouth. Used with permission.