B S R & Co. LLP
Reporting on Internal Controls over Financial Reporting: An Overview
Sarbanes Oxley Act (SOX)
28 December 2013

Agenda
- Sarbanes Oxley Key Sections
- COSO Framework
- Management Approach to ICOFR
- Audit Approach to ICOFR

What does Sarbanes-Oxley address?
The legislation addresses the following key areas:
- Internal Controls over Financial Reporting (ICOFR)
- Auditor independence
- Corporate responsibility and independence
- Enhanced financial disclosures
- Conflicts of interest
- A branch of the SEC, the Public Company Accounting Oversight Board (PCAOB), was created to oversee accounting for public companies
- Corporate tax returns
- Fraud and accountability penalty enhancements
New standards for corporate accountability!

Applicability and enforcement
- Applicable to an issuer of a security listed on the Securities and Exchange Commission (SEC). Consequently, it applies to Indian companies listed on exchanges regulated by the SEC
- On July 30, 2002 the Sarbanes Oxley Act 2002 became law in the United States

Sarbanes Oxley Key Sections (1)
- Form 20-F filed by a Foreign Private Issuer with the Securities and Exchange Commission (SEC) contains an internal control report which:
  - states management's responsibility for maintaining proper internal control structure for financial reporting; and
  - contains an assessment as at the end of most recent financial year on the effectiveness of the internal control structure
- Management (CFO and CEO) have to sign on the internal control report
- External auditors will have to attest internal control reporting (PCAOB Standard No. 5)
- Interpretation: In 404, the focus is more on internal control over financial reporting and it requires management to benchmark controls evaluation against a control framework (e.g. COSO, as it is the most widely used control framework)

Sarbanes Oxley Key Sections (2)
Management Responsibilities
- Accept responsibility for the effectiveness of the company's internal control over financial reporting
- Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria
- Support its evaluation with sufficient evidence, including documentation
- Present a written assessment about the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year
Independent auditor must attest on the internal controls over financial reporting in accordance with the standards issued by the PCAOB
Inadequate documentation of the design of internal control or evidence to support management's assessment could also represent a material weakness, which would require the auditor to issue an adverse opinion

Sarbanes Oxley Key Sections (3)
S 302: Principal executive officer/s and principal financial officers, or persons performing similar functions, are required in each annual or quarterly report under 13(a) and 15(d) of SEC Act to mention that:
- signing officer has reviewed the report;
- based on officers' knowledge, the report does not contain any untrue statement;
- financial statements are fairly presented in all material respects;
- the officers are responsible for maintaining internal controls and they have evaluated the effectiveness of internal control as of the balance sheet date.

Sarbanes Oxley Key Sections (4)
- The officer has disclosed to the auditor and the Audit Committee all weaknesses in design and operation of internal controls
- Disclose details of any frauds, whether significant or not, in which management, officers or other employees having a significant role in internal control are involved
- Subsequent changes to the internal controls which might have possible adverse impact in future are to be disclosed. Signing officer to also state the remedial action to mitigate the risk
- Interpretation: In 302, the focus is more on disclosure controls and it deals with management responsibility statement

COSO's Control Components
- Control Environment: the control environment sets the tone of an organization, influencing the control consciousness of its people
- Risk Assessment: every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
- Control Activities: these policies and procedures help ensure management directives are carried out
- Information and Communication: pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
- Monitoring: internal control systems need to be monitored, a process that assesses the quality of the system's performance over time
Section 404 addresses internal control over financial reporting

Definition of Internal Control
- In the US, the most common reference is to COSO's report, Internal Control - Integrated Framework
- Internal control is a process effected by an entity's board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  - reliability of financial reporting;
  - effectiveness and efficiency of operations; and
  - compliance with applicable laws and regulations
- Focus is on reliability of financial reporting
- COSO provides detailed internal control criteria and defines five components of internal control:
  - control environment
  - risk assessment
  - control activities
  - information and communication
  - monitoring

Control Categories
- Entity-level controls. These include:
  - controls related to the control environment, including controls over management override
  - the company's risk assessment process
  - centralized processing and controls, including shared service environments
  - controls to monitor results of operations
  - controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs
  - controls over the period-end financial reporting process, and
  - policies that address significant business control and risk management practices.
- Business cycle controls: controls over data entry across lines of business
- Application Controls
- IT General Controls

Illustrative road map to SOX compliance
1. Plan & Scope the Evaluation: Establish internal control evaluation process. Determine significant controls and locations/business units to be included. Define project approach, milestones, timeline, and resources. Launch project.
2. Document Controls: Document design of significant controls for all significant locations and business units.
3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting and document results of evaluation.
4. Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
5. Report on Internal Control: Prepare management's written assertion on the effectiveness of internal control over financial reporting.
6. Independent Audit of Internal Control: Prepare for independent auditor to conduct the internal control audit.

Key decisions to be made by the company
- Will this effort focus on pure compliance or will it be viewed as a transformational initiative?
- Who should lead/participate?
  - CFO/Controller
  - Internal Audit
  - Risk Management
  - External resources
- What documentation standards will be used?
  - Format
  - Automated tool vs. paper-based
  - Flow diagrams, control matrices, narratives, other
- What business units/locations need to be documented and evaluated?
- Who completes the documentation?
- Who performs the evaluation procedures?
- What training is needed?
- What major initiatives (process changes, system changes, acquisitions) will impact the 404 project plan?
- What processes, systems and functions are included within the scope of internal controls over financial reporting?
- Is the process sustainable?

Some key definitions
- A deficiency in ICOFR exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. Deficiencies in a company's internal control may rise to a significant deficiency or a material weakness.
- A material weakness is a deficiency, or a combination of deficiencies, in ICOFR such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
- A significant deficiency is a deficiency, or a combination of deficiencies, in ICOFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting.

Strong indicators that a material weakness exists
- Identification of fraud of any magnitude on the part of senior management;
- Significant deficiencies that have been communicated to management and the audit committee that remain uncorrected after some reasonable period of time;
- Restatement of previously issued financial statements to reflect the correction of a material misstatement;
- Identification by the auditor of material misstatements in the financial statements not initially identified by the company's internal controls;
- Ineffective oversight of the company's external financial reporting and internal control over financial reporting by the company's audit committee

Audit Approach to control test work
- Two audit opinions: Financial Statements audit and Report on Internal Controls over Financial Reporting at the year end
- Concept of Integrated Audit
- Our audit of controls is a 2 step process:
  - Evaluation of design
  - Testing of operating effectiveness
- We audit using a controls approach. We do not adopt a 100% substantive testing approach on any area
- Opinion is on controls as at year end. Subsequently remediated control deficiencies still result in reporting
- Control deficiencies are evaluated and classified into:
  - Material weakness
  - Significant deficiency
  - Control deficiency

Audit Approach to control test work (continued)
Steps in control testing
- Evaluating the design and implementation of company-wide controls.
- Understanding the relevant accounting and reporting activities for each audit objective. For transactions processing, we look for significant risk points: places where errors could occur.
- Evaluating and testing any antifraud controls you have implemented.
- Evaluating selected controls over the significant risk points where material misstatements may occur.
- Performing a walk-through test, tracing a transaction through the accounting activities and selected controls, to confirm that we understand how your accounting activities and controls work.
- Testing the operating effectiveness of selected controls.