The Blue Sage Group. Sarbanes-Oxley. 404 Compliance Program. The Blue Sage Group


1 The Blue Sage Group Sarbanes-Oxley 404 Compliance Program The Blue Sage Group

2 Agenda
- The Blue Sage Group
- 404 Compliance Challenges
- Meeting the 404 Challenges
- TBSG 404 Compliance Program
- Assessment and Program Design
- Methodology and Scope
- Program Resources
- Next steps
2004 The Blue Sage Group 2

3 Our Company The Blue Sage Group

4 The Blue Sage Group
Who we are:
- An independent, impartial business consultancy comprised of seasoned business professionals who deliver corporate governance and performance management solutions
- Team members are former executives, CPAs, CIAs, CISAs with 18+ years of operational, financial and IT experience.
What we do:
- Deliver consulting services that will decrease the workload of executives and their staffs
- Provide the expertise, people, process, tools & technology recommendations needed to implement a comprehensive, value-add compliance solution
We manage the compliance so you can manage the business

5 The Blue Sage Group Methodology
Our team will utilize their skills and unique methodology to create a customized program that meets your requirements
[Diagram labels: Best Practices; SME A Team; Industry and functional expertise; Assessment & Education; Planning; Program Design; Process Development; Management & Implementation; Training & Measurement]
Compliance plus more effective governance management processes

6 TBSG 404 Services
- 404 Project and Program design and management
- Consulting: executive sessions, board evaluations
- Internal controls documentation creation and review
- Customized tools: Microsoft Office based, Access Database or TBSG 404 software
- All tools include content such as questionnaires, checklists, program plans, evaluation templates
- Training: 404 Program and material design
- Internal Audit 404 testing
- Analysis and reporting
- Consolidation of multi-location results

7 404 Compliance Challenges The Blue Sage Group

8 404 Program Challenges
- Implement program to meet deadlines
- Quickly and efficiently identify 404 Program requirements including processes for documenting and testing critical control activities
- Engage SMEs with SOX and industry expertise
- Develop an efficient but standardized approach for documentation, validation and remediation for multiple locations that will allow information to be consolidated and summarized
- Complete the assessments, remediation and testing within the allocated timeframe and resource budget
- Develop a cost-efficient and -effective program and platform to support go-forward assertion and monitoring

9 Meeting the 404 Challenges The Blue Sage Group

10 Take a Phased Approach: Phases I and II
- Form Steering committee and Create Program
  - TBSG has successfully managed implementations and assisted in evaluation, remediation and testing programs.
- Design Training program and complete project plan
  - TBSG has expertise to facilitate and manage the program rollout in the most effective and time efficient manner
- Get feedback and input from auditors and audit committee
- Implement Documentation and Testing Programs
  - TBSG can assist with the documentation remediation, evaluation, identification of controls to test, test plan, creation of scripts testing, test results review, remediation and reporting

11 Phase III Attestation, Monitoring and Transition
- Compile documentation per external auditor review requirements
- Report Management findings to Audit Committee
- Select document management and follow on strategy
  - TBSG has various toolkits and tools that will enable your company to incorporate their 404 program into ongoing business processes
  - Checklists, questionnaires, program plans, software tools

12 TBSG 404 Compliance Program The Blue Sage Group

13 TBSG SOX Approach
- Utilize SOX and industry experienced team
- Utilize proven delivery approach and components
- Use standardized methodology that meets SEC and PCAOB requirements
- Follow COSO framework and leverage SOX best practices
- Use effective, tested tools
- Approach SOX from top down entity and risk assessment perspective

14 TBSG 404 Delivery Components
- Initial assessment and evaluation
- Project and program design & management
- Custom designed tools and templates
- Training
- Documentation: flow charts, narratives, control evaluations, test results
- Testing Plan script design and testing
- Analysis and reporting throughout process

15 Sample 404 Program
- Determine the starting point
- Assessment, evaluation and documentation
- Planning, design and training
- 404 Compliance Program Methodology
- Program and scope
- Timeline
- Program Participants

16 Determine The Starting Point
- Financial Reporting due diligence
- Review multiple documents including financial statements and management letter
- Interview sessions with management to gain insights into business
- Complete tone-at-the-top self evaluation
- Create documentation package
- SOX Materials, examples: inventory of company policies, organization chart, significant account to process and functional group map

17 Planning, Design and Training
- Design program
- Develop tailored tools including templates, questionnaires, maps
- Review program with SOX Team, auditor, Audit Committee
- Run pilot program - review results
- Update total program if necessary
- Tailor training materials and train team

18 TBSG Compliance Methodology
- Identify Significant Financial Statement Accounts and Disclosures
- Account Assertions Linked to Each Account and Control: Completeness; Existence or Occurrence; Rights and Obligations; Valuation and measurement; Presentation and Disclosure
- Identify Significant Processes
- Identify Assertion-Based Risks Inherent in Identified Processes
- Document Financial Reporting Controls
- Test and Document Testing of Financial Reporting Controls
- Document Conclusions and Remediation Plans Resulting from Testing
- Identify Significant Locations: Individually Important; Important if Aggregated; Significant Specific Risks
- COSO Elements Linked to Each Control: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring
- Management's Overall Assertion on the Company's Internal Controls

19 TBSG Program Scoping Methodology
Documentation and testing will be limited to areas of significance and of greatest risk of financial misstatement when measured from a consolidated or enterprise-wide perspective.
Focus will be on detecting control deficiencies that may have more than an inconsequential or a material impact upon the accounts and disclosures.
Program will identify each of the following (from a consolidated perspective):
- Significant Accounts
- Significant Locations
- Significant Concentrations of Control Activities
- Specific Risks of Misstatement

20 Scoping Methodology Significant Accounts
[Flowchart]
- Identify Financial Statement Accounts and Disclosures from Financial Statements
- Map Accounts and Disclosures to Business Processes. Using Processes, define inherent risks related to Assertions not being met for all Accounts and Disclosures
- Evaluate each Financial Statement Account and Disclosure to determine if significant
- Is the Financial Statement Account significant?
  - Yes: Associate each Significant Account, Disclosure and Assertion with Business Processes
  - No: Evaluate the components of each Financial Statement Account or Disclosure to determine if significant
- Is the account or disclosure component significant?
  - No: Account/Disclosure classified as insignificant. Account/Disclosure scoped out of testing.
  - Yes: Assertion-Based Processes In Scope
- END

21 Scoping Methodology Location Activity Significance
Control activity will be evaluated for each significant location to determine which processes are to be included in the documentation and testing scope.
Metrics will be assigned to determine measurement for value and transaction volume.
Both quantitative and qualitative information will be used to determine risks.
Process / Account Metric:
- Revenue
  - Value metrics - Annual Gross Sales and Revenue
  - Transaction Metrics - # Customers, Servers
- Payroll
  - Value Metric - Annual Payroll Expense (Cost of Sales + SGA Expense Portions)
  - Transaction Metric - # Time & Material transactions, # employees
See sample on right

22 Control Selection Methodology Will Follow SEC Requirements
Registrant Requirements from SEC Final Rule: The assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include, but are not limited to:
- Controls over initiating, recording, processing and reconciling account balances, classes of transactions and disclosure and related assertions included in the financial statements.
- Controls related to the initiation and processing of nonroutine and non-systematic transactions.
- Controls related to the selection and application of appropriate accounting policies.
- Controls related to the prevention, identification, and detection of fraud

23 Suggested 404 Program Overview
1. Conduct Entity assessment and identify risk areas to develop risk based program
2. Use risk and entity assessment to identify significant accounts and relevant assertions and map to significant business process
3. Document processes in a manner that can be repeated, reported and facilitate control evaluation and testing
4. Select Key Controls that mitigate the risks in financial reporting that link to the disclosures in the company's financial statements
5. Select locations/units that require documentation and subsequent testing
6. Select controls to be tested
7. Report testing results

24 Sample Project Details
- Map significant accounts to business process and related assertions
- Create business process and control documentation
- Identify inherent process risks related to relevant assertions
- Identify control objectives that mitigate risks
- Evaluate control design
- Produce documentation, review and remediate
- Select controls for testing, design scripts, test
- Evaluate control operational effectiveness - report
- Remediate - Retest - Report
- Create management assertions

25 Standard Timeline Required for Compliance
Phase I 404 Design, Plan and Pilot
- Time requirement to complete 1-3 months
- Timeframe 12 months prior to year end
Phase II Documentation, Remediation and Testing
- Average timeframe 6-9 months
- Timeframe - completed 6 months prior to year end
Phase III Program Completion/Attestation Ongoing Maintenance and Monitoring
- Average timeframe 6 months
- Timeframe 2 months prior to year end

26 404 Program Participants
- Steering Committee
- Executive team and/or Disclosure Team
- Project Management Team-PMO
- Functional Groups that own or participate in processes including IT
- External Auditors
- Audit Committee

27 Conclusion
- TBSG can assist in any or all elements of your 404 Program from development to implementation, documentation and testing
- TBSG has intellectual property and tools that can be tailored to meet both your requirements and those of your audit firm
- TBSG has industry specific expertise to design, facilitate and implement a successful, sustainable 404 program
- TBSG can facilitate a cost-effective and time-efficient SOX program by taking a top down integrated approach

28 Critical Success Factors
- Engage SOX SMEs with Industry experience
  - TBSG has assisted emerging and established companies that range from Life Sciences to High Tech with the design and execution of their 404 programs
- Implement a SOX program tailored to meet your resource, time and budgetary requirements
  - TBSG has a proven track record with programs that leverage internal resources while utilizing TBSG project plans to create low cost 404 programs.
- Create sustainable program by utilizing repeatable process and training programs that include materials
  - TBSG has the intellectual property, tools, training materials, experience and expertise to create a tailored repeatable program for both the initial program and management of ongoing 404 compliance

29 Next Steps
- Commit and schedule resources to complete 404 documentation project
- Run Pilot Program for one cycle/process documentation
- Review results with Steering Committee, External Auditors, Audit Committee
- Train program participants
- Complete process documentation

30 Every action or lack of action has an impact on the bottom line. TBSG provides the ability to control, track and measure the impact by creating effective business processes.
[Diagram labels: Ethics; Governance; Organization; Decisions/Behavior; Results]
The Blue Sage Group