1 / 31

Balancing SOX with Risk Based Audit Planning

Balancing SOX with Risk Based Audit Planning. The Institute of Internal Auditors March 9, 2004. Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation. Balancing SOX with Risk Based Audit Planning. Introduction & Overview Dave Richards, FirstEnergy

Jims
Download Presentation

Balancing SOX with Risk Based Audit Planning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Balancing SOX with Risk Based Audit Planning The Institute of Internal AuditorsMarch 9, 2004 Dave Richards, CIA, CPADirector, Internal AuditingFirstEnergy Corporation

  2. Balancing SOX with Risk Based Audit Planning • Introduction & Overview • Dave Richards, FirstEnergy • Finding the Balance • Brian Appleton, National Penn Bancshares • Year 2 Audit Planning • Carl Balderson, Pinnacle West Capital • Balancing Issues for Large Shops • Peg Weir, United States Postal Service • Break • Q & A

  3. Key Balancing Issues 1. Involvement in SOX 404 Work 2. Expectations of AC & Sr. Mgt 3. Risk Model Impacts 4. Emphasis on Financial Audits 5. Increased IT General Controls Topics 6. Using 404 Results to Drive Audits 7. Dealing with SOX Issues 8. Impact on External Auditor Relationship & Work Support

  4. Key Balancing Issues 9. Using 404 Model for Operational & Compliance Topics 10. Staff Productivity Enhancements 11. IAD Tools for Control Assessments 12. Rotation of Audit Topics??? 13. Building on SOX 404 Work 14. IAD Customer Relationships 15. Impact on Audit Contingency 16. Internal Control Opinions in Audits

  5. Finding the Balance Brian T. Appleton, CIA, MBA,CDP Executive Vice President Director of Internal Audit National Penn Bancshares

  6. Overview of Company • Company Size • Audit Division • Client Focused Philosophy • Process Owner Class

  7. Status of 404 • Tone at the top • How 404 is implemented makes a difference • High level risk-assessment completed • Documentation phase in progress

  8. Balance • Identify the coordinating scheme • Complement, not supplement • Be flexible and creative • Focus your scope • Standardize the documentation • Take a closer look at opportunities • Management • Audit

  9. Impact on Internal Clients • Creates a more sophisticated clientele • Fosters uniformity in structure • Increases accountability for results • Promotes process ownership by management

  10. Impact on Audit Approach • Enhance auditor knowledge • Career growth opportunity • Role of auditors as facilitators • Expansion of skill set to educator • Springboard effect • Operational and compliance audits • Control Self Assessment • Enterprise Risk Management

  11. Benefit to Audit Committee • Stronger assurance of controls • Create new metrics • Published accountability through sign-offs

  12. Summary • Identify the changes, find a balance • Allocate resources early • Sell the benefit to the company • Find and publish the positives • Think of SOX 404 as complementing audit coverage

  13. Year 2 Audit Planning Carl Balderson, CIA, CPA, CFEDirector of Audit Services Pinnacle West Capital Corporation

  14. Re-balancing is continued evolution Changed audit committee expectations Changed management expectations Driving Change

  15. Increase management awareness of internal controls Audit customer responsiveness Greater emphasis on IT auditing Verify quarterly review for IC changes Impacts of SOX

  16. Risk based planning with pre-SOX methodology What we Think is needed for SOX Follow-up open issues Test changed process documentation Test Key controls Integrate to avoid duplication Alternate depth of efforts with future years Allocate available resources Planning Steps

  17. Automated Work Papers Productive Time Targets Emphasize Project Budgets In-house and Local Training Productivity Initiatives

  18. Small number of hours unallocated Renewed emphasis on “Stop & Go” auditing Administrative assistant/secretary vs. para-professional auditor Be more selective in what we address Contingency Planning

  19. Integrate SOX compliance and risk management processes Examine risk management processes for efficiency Documentation of new systems Integrate SOX documentation with business resumption plans Utilize documentation for training Driving Long-Term Value

  20. Balancing Issues for Large Shops Margaret (Peg) Weir Manager, Internal Control Group United States Postal Service

  21. Independent government entity Self-sustaining Annual operating revenue +/- $70B Second largest civilian employer 38,000 Post Offices Office of Inspector General United States Postal Service

  22. Internal Control Group • CFO vision • Established ICG organization • Complements OIG function • “End-to-end” process • Looks for efficiencies and risks of inefficiencies

  23. Internal Audit-Internal Control“Policy vs. Process” • Internal Audit - Financial Statements fairly represent operations • Monies • Expenses • Work hours • Assets • Internal Control - Reasonable Assurance – achievement of fundamental business goals • Reliability • Exist, effective, efficient • Compliance with laws/regulations

  24. Internal Control Group • Identify risk through data and process analysis • Partner with process owner to mitigate prioritized risk • Analyze trends and indicators • Conduct internal control reviews • Develop improved controls to meet goals and objectives

  25. Sarbanes-Oxley Act • Voluntarily adopting parts of Section 404 • Makes good business sense

  26. Internal Control Group • Senior management provides direction and oversight • Focus based on: • Guidance • Risk analysis • Risk prioritization • Resources support mandate

  27. Internal Control Group • Enterprise-wide from corporate to local • Interdependencies vs. stovepipes • Partnership with process owners • Data driven • Targeted reviews • Standardized approach using COSO framework • Root causes • Meaningful recommendations to improve controls • Reasonable assurance goals & objectives will be met

  28. Internal Control Group Status • Implemented preliminary activities of COSO framework • Adjusted as lessons learned • Developing additional training • Enhancing the analytical & reporting tool

  29. Internal Control Group • Internal Control Group complements internal audit process • Internal Control Group supports performance-based culture • Internal Control Group establishes foundation for long-term enterprise-wide improvements and efficiencies • Internal Control Group is dynamic & evolving

  30. Conclusions • SOX 404 WILL IMPACT what we do • What impact it has must be managed • Upfront drivers for impact must be understood • Changes in approach, scope, & results expectations must be communicated • AC, Sr. Mgt. & IAD Customers must recognize the impact on identifying & performing work • IAD must be more productive to meet this challenge • External Auditor relationship must be managed

  31. Next Webcast April 13, 2004 “Strategies for Internal & External Relationships” See you at our next webcast!

More Related