The Institute of Management Accountants, St. Louis Chapter

SOX LESSONS LEARNED

September 20, 2011

Brown Smith Wallace
1050 N. Lindbergh Blvd. | St. Louis, Missouri 63132 | 314.983.1200
1551 Wall St., Ste. 280 | St. Charles, Missouri 63303 | 636.255.3000
1000 Broadway, Ste. 300 | Highland, IL 62249 | 888.279.2792
www.bswllc.com
2011 Brown Smith Wallace All Rights Reserved

Agenda

SOX Background
Internal Control
2010 Sarbanes-Oxley Compliance Survey
Recent Research
Steps to Achieve SOX Efficiency
Integrating SOX & ERM

SOX Background


Refresher: Sarbanes-Oxley Act of 2002

Enacted January 23, 2002.
Passed in response to financial scandals (Enron, WorldCom, etc.).
Purpose: to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
Administered by the Securities and Exchange Commission (SEC), which deals with compliance, rules and requirements.
Created a new agency, the Public Company Accounting Oversight Board (PCAOB), which is in charge of overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.

Refresher: Key Sections of the Act

201 Prohibited Auditor Activities
302 CEO/CFO Responsibilities
404 Assessment of Controls
409 Real Time Disclosure
802 Penalties for Altering Documents
806 Whistleblower Protection
807 Penalties for Fraud

Section 404

Required the SEC to develop and publish rules for a management assessment of Internal Controls over Financial Reporting (ICFR).
Completed in June 2003. Updated in June 2007:
Removed the requirement for the external auditor to assess management's process for assessing the system of ICFR.
Revised the definitions of significant deficiency and material weakness.
PCAOB followed with AS 2, approved by the SEC in June 2004, and then replaced it with AS 5 in March 2007.

Section 404

SEC rules and the PCAOB standard require that:
Management perform a formal assessment of controls over financial reporting, including tests that confirm the design and operating effectiveness of controls.
Management include in its annual report on Form 10-K an assessment of ICFR.
The external auditors provide two opinions as part of a single integrated audit of the company:
An independent opinion on the effectiveness of the system of ICFR.
The traditional opinion on the financial statements.

Section 404

Management's assessment:
Management is responsible for the system of internal control.
Not the internal or external auditor.
Responsibility of the CEO, CFO and senior executive team.
The assessment must be made using a recognized internal control framework.
Most U.S. companies have used the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework. Some use the Control Objectives for Information and related Technology (COBIT) framework as a supplement to COSO for IT controls.
The assessment is annual and as of year-end.
The external auditor must perform specified work (AS 5) in relation to management's assessment.

Internal Control


What is an Effective System Per 404?

The scope and quality of management's identification, assessment, and testing of key controls is sufficient to address all major risks to the integrity of the financial statements.
No material weaknesses are identified.

Who is Responsible?

Sections 302 and 404 make it clear that management, specifically the CEO and CFO, is responsible for the adequacy of internal controls.
Oversight is provided by the Audit Committee.
Leadership is normally provided by the CFO.
Internal Audit provides much of the support.

2010 Sarbanes-Oxley Compliance Survey

2010 SOX Survey

Conducted by Protiviti.
Surveyed 400 executives and professionals. All industry segments represented.
Major findings:
The cost of SOX compliance is down 50% when compared to year 1 costs.
Most respondents indicated benefits now exceed costs.
Most respondents believe external audit costs would decrease by as much as 30% if SOX were no longer required.
Nearly half perform all of their SOX compliance work in-house.
Outsourcing of SOX is highest during the initial years of compliance and falls steadily as an organization gains experience and confidence in its SOX compliance process.

2010 SOX Survey

Internal audit has the primary responsibility for SOX compliance, followed by executive management and the audit committee.
In larger organizations, process owners and a project management organization (PMO) play an important role.
The SOX compliance program has matured across many organizations and has become more sustainable; consequently, reliance by external auditors on SOX work performed internally has increased.
There are opportunities to automate more controls. Nearly 40% of respondents have automated only 20%-50% of their controls. Most respondents indicated they have minimal plans to automate additional controls.
A risk-based testing approach, process owner accountability and maximizing lessons learned from previous years and peers were employed by a majority of organizations.

2010 SOX Survey

Key inefficiencies that exist in many companies include:
High dependency on spreadsheets for data accumulation to record accounting transactions, prepare manual journal entries or support financial disclosures.
General ledger close-cycle exceeding five days.
The majority of respondents reported that, regardless of market capitalization, public companies should not be exempt from Section 404(a) compliance.

Recent Research

Recent Research

Article in the September 2011 issue of the Journal of Accountancy titled "Highlights of Corporate Governance Research". Points related to post-SOX implementation:
Companies with adverse 404 opinions had CFOs with weaker accounting qualifications and were more likely to receive better SOX 404 opinions after hiring new CFOs with more accounting knowledge.
The audit committee is more involved:
Meets with auditors over 6 times per year, compared to 2-3 times per year before SOX.
Auditors report more questions and discussions of accounting and auditing issues.
Independence and expertise have increased.
Internal audit now reports more frequently to the Audit Committee.
Management certification has had a positive impact on the integrity of financial statements.

Steps to Achieve SOX Efficiency

Efficiency

1. Operating management must take ownership of their processes and documentation.
2. Operating management must update all processes and control documentation promptly throughout the year as changes occur.
3. A change management process must be in place that includes a timely assessment of process changes for their impact on key controls.
4. Operating management must be committed to assess and remediate all control deficiencies promptly.

Efficiency

5. The fewer the controls to test, the lower the cost. A top-down, risk-based approach should be used to identify key controls.
Management must be confident that identified key controls are truly key.
The design of the related processes should be reviewed to determine if changes can result in fewer and more effective controls.
Rely more on automated controls or on high-level controls (continuous monitoring, detailed reconciliations, etc.).

Efficiency

6. Management of the Section 404 program should be at a high level within the organization to:
Influence operating management relative to completion of their responsibilities.
Communicate effectively with executive management on progress and potential issues.
Negotiate as needed with the external auditor to:
Increase reliance on management testing.
Agree on key controls early.
Address concerns as they arise.

Efficiency

7. Optimize the use of internal resources (internal auditors) to perform testing or to validate testing performed by management.
8. Work to optimize the reliance of the external auditor on management testing.
9. Ensure the external auditor is following a top-down, risk-based approach as required by AS 5.

Efficiency

10. Create a detailed project plan that:
Includes a walk-through of all significant processes early in the year.
Ensures all key controls are tested by mid-year, with additional testing to update the results scheduled closer to year-end.
Includes all key activities required to complete the project, such as fraud risk assessment, consideration of IT issues, assessment of SAS 70 (SSAE 16) reports from service providers, etc.
Details all required resources, including specialists, so they can be scheduled early.
Includes regular reporting to senior management that focuses on key metrics and issues.

Efficiency

11. Communicate and coordinate with all service providers to ensure that a SAS 70 (SSAE 16) report will be available at the appropriate time and that early warning is provided of potential issues identified during the SAS 70.
12. Assess the Section 404 program for effectiveness on a continuing basis to ensure it is improved as the organization learns from experience and benefits from changes in regulations and interpretations.

Integrating SOX & ERM

ERM Defined

ERM = Enterprise Risk Management.
ERM is a continuous process that identifies, mitigates, and monitors potential events that create uncertainty for an organization's achievement of its objectives.

The Link Between SOX & ERM

Investments in SOX compliance can be leveraged. Attention to control issues provides a foundation for enterprise risk efforts.
SOX focus is on financial reporting risk. ERM goes further to focus on the following objectives:
Strategic: high-level goals supporting the organization's mission and vision.
Operations: effective and efficient use of resources.
Reporting: reliable reports (not just financial).
Compliance: compliance with laws and regulations.

Q&A

Ron Steinkamp, CPA, CIA, CFE
Principal, Risk Advisory Services
Brown Smith Wallace LLC
314.983.1238 Direct | 314.302.1382 Cell
rsteinkamp@bswllc.com
1050 N. Lindbergh Blvd. | St. Louis, MO 63132
www.bswllc.com