How to Maximize Your Internal Controls Program. June 15, 2017 Atlanta, GA


Sarbanes-Oxley Update, June 15, 2017

Rick Warren, Principal
Andres Leal, Director

Agenda (topic, description, time)
- IT Controls: Leading practices for assessing IT controls (10 min)
- Information Used: Lessons learned regarding the focus on information used in a control (10 min)
- Cyber: Recent trends and considerations in cyber security (10 min)
- Review Controls: Enhancing management review controls (10 min)
- New Standards: Revenue recognition and leasing standards (10 min)

PCAOB focus areas, inspection cycle
Recurring inspection issues:
(1) ICFR, with continuing concern over management review controls
(2) Assessing and responding to risk of material misstatement, although they saw improvement with respect to the testing of system-generated reports
(3) Accounting for estimates, including fair value
(4) Related parties, given the new auditing standard
Also in focus: audit areas impacted by economic trends and higher financial reporting risk, and risk assessments, with increased probing to understand the risks identified and how tests are designed to address those risks, including the risk of fraud.

Adverse ICFR opinions trend
While the trend improved in 2016, this is still an area of focus for auditors and management.

Information technology controls

ITGCs and SOX

ITGCs: getting the most out of your ERP
A. Configurations: key to monitoring automated controls
B. Segregate, and if not, who did what?
C. Master analytics, test more transactions

Information used in a control

Audit evidence: ideas for gaining assurance on reports

Report type: Standard report (canned)
  Management's procedures: Benchmarking of reports. Testing over the system implementation and/or change management. Changes subject to the company's ongoing change management controls and effective ITGCs.
  Independent testing procedures: Validation that a report is a standard report, including verification that there were no changes to the report since system implementation. Verify the input parameters (e.g., date ranges) each time the report is used to support our testing. Testing of the completeness and accuracy of the report. Testing of ITGCs to support continued reliability of the report.

Report type: Customized report (subject to ITGCs)
  Management's procedures: Initial user acceptance testing. Changes subject to the company's ongoing change management controls and effective ITGCs.
  Independent testing procedures: Testing the completeness and accuracy of the report. Testing ITGCs to support continued reliability of the report. Validating that no changes were made to the report.

Report type: Customized report (not subject to ITGCs)
  Management's procedures: Specific procedures to address the completeness and accuracy of queries each time they are extracted from the system and used in the execution of a control, including but not limited to verification of the parameters used to run the query.
  Independent testing procedures: Verify the input parameters (e.g., date ranges) each time the query is used to support our testing. Testing the completeness and accuracy of the report each time it is used to support our testing, including but not limited to verification of the parameters used to run the query (controls or substantive).
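As an added illustration (not from the deck or from PwC), the following Python sketch evidences the checks the table lists for a customized query used in a control: the report definition is unchanged since user acceptance testing (hash compare against a baseline), the run parameters match the control period, and the output reconciles to an independent pull from the source for completeness and accuracy. All names, the query text and the sample rows are constructed.

```python
import hashlib
from datetime import date

# Constructed sample inputs: the query text behind a customized report, the hash
# recorded at user acceptance testing, the parameters the control operator used,
# and the rows the report returned versus an independent pull from the ledger.
REPORT_SQL = ("SELECT vendor_id, SUM(amount) AS total FROM ap_invoices "
              "WHERE post_date BETWEEN :start AND :end GROUP BY vendor_id")
UAT_BASELINE_SHA256 = hashlib.sha256(REPORT_SQL.encode()).hexdigest()
CONTROL_PERIOD = (date(2017, 3, 1), date(2017, 3, 31))
RUN_PARAMS = {"start": date(2017, 3, 1), "end": date(2017, 3, 31)}
REPORT_ROWS = [("V100", 1250.00), ("V200", 980.50)]
SOURCE_ROWS = [("V100", 1250.00), ("V200", 980.50)]  # pulled independently


def definition_unchanged(report_sql, baseline_sha256):
    """Validate the report definition has not changed since UAT (hash compare)."""
    return hashlib.sha256(report_sql.encode()).hexdigest() == baseline_sha256


def parameters_match(run_params, period_start, period_end):
    """Verify the input date range equals the period the control addresses."""
    return run_params.get("start") == period_start and run_params.get("end") == period_end


def completeness_and_accuracy(report_rows, source_rows):
    """Completeness: same vendor keys as the source; accuracy: each amount agrees."""
    reported = dict(report_rows)
    source = dict(source_rows)
    complete = set(reported) == set(source)
    accurate = complete and all(abs(reported[k] - source[k]) < 0.005 for k in source)
    return complete, accurate


def report_evidence(report_sql, baseline, run_params, period, report_rows, source_rows):
    """Evidence record for one use of the report: each check plus an overall verdict."""
    complete, accurate = completeness_and_accuracy(report_rows, source_rows)
    checks = {
        "definition_unchanged": definition_unchanged(report_sql, baseline),
        "parameters_match": parameters_match(run_params, *period),
        "complete": complete,
        "accurate": accurate,
    }
    checks["reliable"] = all(checks.values())  # rely on the report only if all pass
    return checks


if __name__ == "__main__":
    print(report_evidence(REPORT_SQL, UAT_BASELINE_SHA256, RUN_PARAMS,
                          CONTROL_PERIOD, REPORT_ROWS, SOURCE_ROWS))
```

The evidence record is what a control operator would retain for each run, so the reviewer can see which of the four checks failed rather than only that the report was "used".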

Cyber considerations

Regulatory perspectives
"Cybersecurity risk evaluation should include consideration of risks impacting third parties critical to the company's information system, not only a company's own systems." - PCAOB, 2016
"Inspections staff has observed that some firms have provided guidance to their auditors to consider cybersecurity as similar to any other business and technology risk. This includes considering cybersecurity when performing risk assessment procedures and addressing risk in the audit of internal control over financial reporting and in the audit of the financial statements." - PCAOB

How cyber events might impact ICFR

Cyber risks
"It is important for auditors to consider whether there are cybersecurity risks that pose risks of material misstatement and, if so, whether modifications to the planned approach, including in testing Information Technology General Controls, are necessary. Additionally, if cybersecurity incidents have occurred during the audit period, it is important for auditors to assess whether there are any effects on the financial statements, including disclosures, or implications for internal control over financial reporting. Inspections staff plans to continue to obtain and evaluate information in this area."
Source: PCAOB, Preview of Observations from 2015 Inspections of Auditors of Issuers

Potential response
- Document the specific risks to a company's ICFR resulting from cybersecurity, such as unauthorized access or changes to data and/or systems, inappropriate manual intervention, or loss of data or inability to access data.
- Identify controls implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could result in a material misstatement.
- Properly account for costs related to cybersecurity incidents in registrants' financial statement disclosures.

Management review controls

Regulatory perspectives
Speech on 12/5/16 by the Deputy Chief Accountant, OCA (SEC): "SEC staff has encouraged management, audit committees and auditors to engage in regular dialogue on ICFR assessments ... ICFR remains a significant area of focus at the Commission, including through OCA's coordinated efforts with the Divisions of Corporation Finance and Enforcement ..."
Speech on 12/7/16 by the Director, Division of Registration and Inspections, PCAOB: "Inspections staff continued to identify [in 2016] deficiencies related to testing the effectiveness of controls that include a review element ... While progress has been made, ongoing dialogue is necessary to continue making progress ..."
Recent enforcement actions:
- In March 2016, the SEC settled charges against a Texas-based oil company, its senior executives, a consultant, and an outside auditor related to the improper evaluation of the severity of the company's internal control deficiencies.
- In January 2017, the SEC issued an enforcement action against General Motors, charging the company with violating the Exchange Act by not devising and maintaining a system of internal accounting controls, and ordered the company to pay a $1,000,000 civil penalty (SEC Release 79825).

Where companies are struggling
- Limited transparency and evidence provided to support the control activities as they are executed, and waiting until the process is complete and all control activities have operated
- Understanding and evidencing the design of the control, including exactly what the control operator does in performing each control activity
- Identifying information used in the control and understanding and evidencing management's controls over the completeness and accuracy of the information
- Understanding and evidencing the level of precision of the control
- Evidencing that the control operated as designed, including the steps involved in developing expectations and identifying, investigating and resolving differences from expectations
- Evaluating potential contrary evidence over the effectiveness of the control, including the identification of errors
- Evaluating control deficiencies based on potential misstatements that would not be detected in light of the control deficiency (the "could" factor) rather than actual errors

Business case for improving review activities
- Establishing a mutual expectation of the level of evidence needed to demonstrate the appropriate operation of review controls
- Reduction in last-minute surprises from auditors
- Less time spent by management on providing documentation to auditors at the back end of the audit process
- More effective and efficient for both management and auditors

Revenue recognition and lease accounting standards update

Revenue recognition

Revenue recognition: objective
- One model
- Enhanced disclosures
- Robust framework
- Clear principles
- Comparability across industries

Steps to apply the new revenue recognition standard
Step 1: Identify the contract(s) with the customer
Step 2: Identify the separate performance obligations in the contract(s)
Step 3: Determine the transaction price
Step 4: Allocate the transaction price
Step 5: Recognize revenue when (or as) a performance obligation is satisfied

Controls considerations overview
Technology-enabled revenue solutions vary greatly (highly customized off-the-shelf solutions, internally developed solutions or spreadsheet solutions); these solutions capture, store and maintain key information and must be controlled. The following are the primary control areas that management should consider:

Controls framework
1. Interfaces (between the revenue solution and legacy/linked systems)
- Conversion and Interface Control Strategy
- Conversion Control Standards
- Interface Security and Control Specifications
- Data Integrity Analysis
- Monitoring and Reconciliation Procedures
- Testing and Validation
2. Application Security & Controls
- Security Strategy Design
- Security Administration
- Change Control Management
- Workflow Configuration
- Reporting & Query Security
- Security Administration Forms and Procedures
- Testing & Validation
- Restricted Access and SOD
3. Business Process Controls
- Business Process Control Objectives
- Operational Control Requirements
- Business Process Controls Design
- Business Continuity Planning
- Audit Compliance
4. Technical Infrastructure
- Security Strategy Design
- Security Administration
- Information System Management Controls Design
- Security and Control Objectives and Techniques
- Third-Party Security Products
- Disaster Recovery Planning
- IT General Controls
- Testing & Validation
(Framework diagram layers: Revenue Solution; Legacy/Linked Systems; IT Infrastructure; Business Processes; Company's Control Environment)

Lease accounting

Key topics
- Leasing (ASC 842): the new standard is ready, are you?
- Systems may facilitate compliance

What's top of mind?
We surveyed over 500 accounting and financial reporting professionals to understand the current state of preparedness and anticipated difficulties in implementing ASC 842.
- Over 70% rated data and systems needs as areas of expected difficulty
- 66% are unsure that current systems will be adequate
- 70% of respondents assessed the impact of ASC 842 in …
- …% of respondents primarily use spreadsheets to account for leases

Hotspots

GAAP change: overlapping project plans

Final thoughts

Recap: IT Controls, Information Used, Cyber, Review Controls, New Standards

Where do you want to be? SOX program maturity model (axes: cost effectiveness and quality)
- Reactive / Ad hoc: A reactive approach based on incidents occurring within an organization leads to core SOX program elements being unpredictable or uncontrolled.
- Predictable / Informal: An informal approach brings predictability to core SOX program elements; however, this approach is not standardized across the organization.
- Proactive / Standardized: A standardized approach delivers a proactive approach to SOX program elements, which are tailored based on organization standards.
- Measured / Advanced: A forward-looking approach provides effective SOX program elements which are measured and controlled.
- Sustainable / Dynamic: Long-term strategies, agile leading practices and a culture of continuous improvement enable the delivery of an effective and efficient, sustainable SOX program over the long term.

Five attributes of SOX excellence
- Clear vision: A clear vision and SOX strategy focuses on sustainability of a quality-driven, cost-effective program over the long term.
- Integrated structure: A formal structure integrates multiple stakeholders together to execute SOX strategy effectively and, where applicable, other compliance activities.
- Flexible talent model: The talent model balances the expertise and fluctuating resource demands (e.g. peaks and valleys) required to deliver quality at the lowest cost of compliance.
- Risk focus: A top-down focus on risks of material financial statement misstatement throughout the SOX lifecycle enables a right-sized scope and approach.
- Innovative technology: Technology and innovation are used as an enabler of SOX compliance activities, drive efficiency, provide greater insight and lower the total cost of compliance.

2017 PwC. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.