Case Study: Chris Stoneley Countrywide Financial Corporation First Vice President, Financial Compliance



2 Company Background
- Listed among the Fortune 500 and Standard & Poor's 500
- Assets of $27 billion and shareholders' equity of $4 billion as of June 30, 2007
- Market capitalization of $.3 billion as of September 2, 2007
- America's leading home lender (1): #1 mortgage originator, #1 residential mortgage servicer, #1 seller to Fannie Mae, #2 seller to Freddie Mac
- Countrywide Bank is the third largest Federal Savings Bank, with over $ billion in assets (2)
- Capital markets business helps make Countrywide the largest MBS producer (3)
- Balboa Insurance is a leading underwriter of lender-placed property insurance and homeowners insurance (4)
(1) Inside Mortgage Finance, for the six months ended June 30, 2007
(2) SNL, based on assets as of March 31, 2007; total assets as of July 3, 2007
(3) Inside MBS & ABS, for the six months ended June 30, 2007
(4) A.M. Best, for full year 2006

3 SOX Governance Structure
- EVP, Accounting Governance
- 1st VP, SOX Compliance (IT Controls)
- 1st VP, SOX Compliance (Business Controls)
- VP, SOX Compliance
- VP, SOX Compliance
- AVP, SOX Compliance
- Sr. Financial Analyst
- 2 business units and divisions, each with separate SOX risk managers
- Documentation and testing are performed by business unit management
- Certus is the SOX tool for all documentation and testing

4 2007 Status
Too many:
- Processes: approximately 2
- IT environments: 8
- In-scope applications: 8
- Key controls: approximately 2,5
- Objectives/risks
- Testing samples: as controls were not risk-weighted, all key controls were tested using the same sample sizes.

5 Control Rationalization Intention
- Streamline objectives according to the risk assessment.
- Identify the right controls to address objectives/assertions: reduce controls, identify gaps.
- Identify and leverage direct entity-level controls.
- Risk-weight business and IT objectives and processes, with the end result of risk-weighted controls.
- Base testing approaches and sample sizes on the risk assessment.

6 Control Rationalization Business Processes Approach
- Identify in-scope general ledger accounts.
- Evaluate both quantitative and qualitative considerations.
- Risk-weight processes as high, medium, and low, based on:
  Magnitude: financial impact (transaction volume, amount, etc.)
  Likelihood: complexity, known issues, and changes
- Determine the appropriateness of control objectives/risks.
- Utilize Deloitte control objective benchmarks.
- Risk-weight control objectives/assertions as high, medium, and low, based on criticality to the financial statements.

7 Control Rationalization Business Processes Approach (continued)
- Prepare a Control Rationalization Matrix.
- The control objective ranking was matrixed in with the process-level ranking; the objective ranking may increase or decrease depending on the process-level ranking.
- All key controls were assigned a risk rating of high, medium, or low, based on the matrix.
- Business units, with input from our consultants, determined which controls could be removed based on risk and coverage.

8 Control Rationalization Business Processes Matrix example
(Matrix image; only its labels survive in this transcription.)
Process: Notes Payable/Debt, with sub-processes Term Notes, Short Term, and SPE's; columns for Account #'s, Frequency, and Financial Statement Risk Ratings & Assertions.
Control objectives (each rated H, M or L and mapped to the assertions Validity, Recording, Cut-off, Completeness, Valuation, and Presentation):
- Borrowings are recorded accurately.
- All borrowings are recorded.
- Borrowings are recorded in the appropriate period.
- All interest is accurately calculated and recorded in the appropriate period.
- All repayments on borrowings are recorded.
Controls (Control ID, Control Title), each carrying the highest control rating derived from the matrix:
- C-2543 (Term Notes): Debt accounts are reconciled as of the end of the month, including month-end cash transactions against the bank activity.
- C-2525 (Short Term): Each month, an analytical review of the ending commercial paper balances and the related interest expense balances is performed.
- C-4756 (SPE's): Journal entries are reviewed and approved by the preparer's supervisor (or higher level).

9 Control Rationalization IT Processes
Current challenges:
- Documentation and testing was application-centric rather than process-centric.
- The IT environment is decentralized.
Control Rationalization Approach:
- The IT Governance Institute publication IT Control Objectives for Sarbanes-Oxley, 2nd Edition, provided guidance for rationalizing IT objectives and controls.
- The above guidance was used to identify and risk-rank control objectives.
- COBIT references were reviewed and researched to ensure all components were addressed.

10 Control Rationalization IT Processes Approach (continued)
- Applications were identified and risk-ranked, based on:
  Magnitude: how many processes, and the risk rating of the processes, in which the application is used (from the business process documentation)
  Likelihood: complexity, known issues, and changes
- Revised control objectives were compared to existing control objectives and related controls.
- Applications and servers were mapped to objectives.
- The risk rank of each control activity defaults to the same risk category as the corresponding objective with the highest risk rating; the objective ranking may increase/decrease depending on the application risk ranking.
- The right controls to address objectives were identified. Controls were reduced. Gaps were identified.

11 Control Rationalization - ITGC Matrix example

12 Control Rationalization Testing Approach
- There are different frequencies and sample sizes for testing, based on the risk level assigned to the control: one quarter of testing, two quarters of testing, or four quarters of testing.
- The sample sizes of our external auditor are taken into account, as is external auditor reliance on any low-risk control.

13 Control Rationalization Testing Approach (continued)
(Sample-size table; the cell values did not survive the transcription. Rows are control frequencies; columns are risk ranking, the quarters Q1 through Q4, and totals.)
- Multiple times per day (from Q2, Q3 or Q4)**
- Daily (from Q2, Q3 or Q4)**
- Weekly (from Q2, Q3 or Q4)**
- Monthly (from Q2, Q3 or Q4)**
- Quarterly (from Q3 or Q4; from Q2 or Q3)
- Annually (from the quarter in which it occurs)
- System or Application Control / User-Developed Application
- Event: controls that are performed if an event occurs should be evaluated where possible for their frequency throughout the year. This frequency should be used to base the control testing schedule on the next nearest match, where samples allow.
** Preferably from Q2 or Q3, to allow time for remediation of any identified deficiency.

14 Control Rationalization Results
Phase I
- Business Processes: 1,600 controls reduced to 1,000 (38% reduction); control risk rankings 47% / 46% / 7%
- IT Processes: 700 controls reduced to 300 (57% reduction); 8 ITGC environments reduced to 2; control risk rankings 65% / 33% / 2%
- Gaps that needed to be addressed in 2007 were identified.
- Overall reduction: 1,000 controls (43% reduction)

15 ITGC drill-down
- Initial decisions: sometimes the hardest
- Reaching a standard set of Control Objectives
- Risk Ranking Applications
- Compiling a Matrix
- Filling in the gaps
- Rolling it all out
- Other considerations

16 ITGC drill-down Initial decisions
- Do we throw the baby out with the bath water?
- Can we evolve from our bottom-up approach?
- Is this a re-write or an edit?
- How much reliance do we place on our External Auditor's expectations?
- Do we continue to use the ITGI guidance?
- Any other special ITGC requirements?

17 ITGC drill-down Reaching a standard set of Control Objectives
- Started with the Activity-level IT Controls from Appendix C of the ITGI publication
- Consider external audit's ITGC set
- Assess each Control Objective individually:
  50% weighting given to the ITGI publication
  20% complexity of operations
  20% significant changes
  10% HR & organizational structure
- Arrive at an overall risk ranking for each Objective

18 ITGC drill-down Risk Ranking Applications
- Identify which applications are in scope; use the business process analysis to lead this.
- Assess the application's Magnitude:
  Financial impact
  Highest-risk business process
  Number of business processes
  In-scope automated or system controls
  Any existing Internal Audit risk ranking
- Assess the application's Likelihood:
  Complexity of operations
  Known issues
  Significant changes

19 ITGC drill-down Risk Ranking Applications (continued)
(Likelihood vs. Magnitude chart; the plotted quadrants are not reproduced here.)
- Out-of-scope: while the application may support some business processes, it is not of sufficiently high magnitude or likelihood to warrant complete coverage with ITGCs.

20 ITGC drill-down Compiling a Matrix
Horizontal:
- List all risk-ranked applications
- Ensure infrastructure elements are included
- Consolidate controls where similar controls meet the same objective but for different sets of applications
Vertical:
- Start with the new risk-ranked objectives
- Map existing objectives and controls
- Eliminate redundant controls by focusing on the new objective
At the intersection point:
- Identify the highest-risk objective met by a given control
- Correlate with the risk-ranked application
- Arrive at an overall risk ranking for the control

21 ITGC drill-down Compiling a Matrix (continued)
- Application Risk Assessment + Objective Risk Assessment = resulting matrix
- Control rationalization in three dimensions:
  1st, horizontally: can one control address many/all applications?
  2nd, vertically: can one consolidated or selected control address one (or more) high-level objective(s)?
  3rd, testing: can we perform less testing of that rationalized control?
- Identification of any gaps
- Clear identification of any cross-function or cross-group reliance
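The matrix logic from slides 7, 10, 17, 20 and 21 as a small working model, added here as an illustration and not part of the original deck or of Countrywide's tooling. The factor weights, the H/M/L cut-offs, the one-step up/down adjustment toward the application rank, the H/M/L to quarters-tested mapping, and all objective, application and control names are assumptions or constructed sample data.

```python
from dataclasses import dataclass

RANKS = "LMH"  # index 0..2 gives an ordinal for low / medium / high
# Assumed weights for the four objective factors named on slide 17, assumed
# H/M/L cut-offs, and an assumed mapping to the deck's 1/2/4-quarter schedule.
WEIGHTS = {"itgi": 0.5, "complexity": 0.2, "changes": 0.2, "hr_org": 0.1}
TEST_QUARTERS = {"H": 4, "M": 2, "L": 1}

@dataclass
class Control:
    title: str
    objectives: set
    applications: set

def rank_objective(scores):
    """Each factor scored 1-3; weighted total mapped to H/M/L (cut-offs assumed)."""
    total = sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)
    return "H" if total >= 2.5 else "M" if total >= 1.75 else "L"

def consolidate(controls):
    """Horizontal pass: same title and objectives -> one control over the union of apps."""
    merged = {}
    for c in controls:
        key = (c.title, frozenset(c.objectives))
        merged.setdefault(key, Control(c.title, set(c.objectives), set())).applications |= c.applications
    return list(merged.values())

def rank_control(control, objective_ranks, application_ranks):
    """Intersection rule: highest-risk objective met, moved one level toward the
    highest-risk application covered (the deck's 'may increase/decrease')."""
    obj = max(RANKS.index(objective_ranks[o]) for o in control.objectives)
    app = max(RANKS.index(application_ranks[a]) for a in control.applications)
    obj += (app > obj) - (app < obj)  # +1, 0 or -1
    return RANKS[obj]

def rationalize(controls, objective_ranks, application_ranks):
    """Return {title: (sorted applications, risk rank, quarters of testing)}."""
    out = {}
    for c in consolidate(controls):
        rank = rank_control(c, objective_ranks, application_ranks)
        out[c.title] = (sorted(c.applications), rank, TEST_QUARTERS[rank])
    return out

# Constructed sample data, not Countrywide's.
ACCESS, BATCH = "Access to programs and data is restricted", "Batch jobs are monitored"
OBJECTIVE_RANKS = {ACCESS: rank_objective({"itgi": 3, "complexity": 3, "changes": 2, "hr_org": 2}),  # 2.7 -> H
                   BATCH: rank_objective({"itgi": 2, "complexity": 1, "changes": 2, "hr_org": 1})}   # 1.7 -> L
APPLICATION_RANKS = {"General Ledger": "H", "Payroll": "M", "Reporting": "L"}
CONTROLS = [  # the access review was documented once per application, a redundancy to collapse
    Control("Quarterly user access review", {ACCESS}, {"General Ledger"}),
    Control("Quarterly user access review", {ACCESS}, {"Payroll"}),
    Control("Daily batch job monitoring", {BATCH}, {"Reporting"}),
]
```

Running rationalize(CONTROLS, OBJECTIVE_RANKS, APPLICATION_RANKS) collapses the two access-review entries into one high-risk control tested in all four quarters and leaves the batch control low-risk with one quarter of testing.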

22 ITGC drill-down Filling in the gaps
Some of the scenarios you may encounter:
- Application omitted altogether
- Application not included in a control
- Application included redundantly
- Database controls presumed or not clearly documented
- Reliance on presumed controls
- Network-level termination controls
- Physical security controls
- Infrastructure controls not clear
- Objectives that have never been met

23 ITGC drill-down Rolling it all out
- Buy-off from the business units: sometimes a challenge
- Not always easy to hit a moving target
- Set manageable milestones: finalized matrices; gaps closed out with control references or modifications; executive buy-off
- Integration with the SOX tool
- Ongoing maintenance

24 ITGC drill-down Other considerations
- Don't forget the process for new additions: it must be repeatable / re-performable; change policies as required.
- Consideration of other compliance initiatives: providing COBIT references assists (i.e., CMM).
- There will always be surprises: new processes or tools implemented; new SEC / PCAOB requirements; consideration of industry trends; other regulatory requirements.
- Document once, test once, satisfy many.

25 Control Rationalization Progress
Fourth Quarter 2007
- Remediation of identified gaps.
- Obtained external auditor input on matrices.
- Ensured the approach enables the external auditor to maintain/decrease fees.
- Educated business units on next steps.
First Quarter 2008
- Distribute results throughout the company. Updating the SOX tool is manually intensive and time consuming.
- Provide a library of objectives and best-in-class controls.
Second Quarter 2008
- Complete testing using the rationalized control set.
Phase II (2008-2009)
- Identify/develop direct entity-level controls.
- Increase effective controls.
- Increase automated controls.

26 Control Rationalization Lessons Learned
- It is difficult to identify and leverage direct entity-level controls to reduce process-level controls.
- Control rationalization is an art, not a science; there are many different opinions.
- Consider the impact of reducing controls and testing on the external auditors' reliance on management testing.
- It will take longer and cost more than expected for a full overhaul.
- Obtain external auditor input and buy-in upfront, and agree on how they will be involved in the process.
- Even when you think you have all the bases covered, you can be surprised.

27 Questions?