J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007

Protiviti Background
- Consulting firm dedicated to business and technology risk consulting, and internal audit services
- Formed in 2002 with 700 former "Big 5" professionals with risk consulting experience
- More than 2,900 professionals in 60 offices worldwide
- $543 million revenue, double-digit growth every year since inception
- U.S. clients include more than 25% of Fortune 500
- Assisted over 800 companies with US SOX, including 40% of Japanese companies subject to US SOX
- Currently assisting 50+ Japanese companies with J-SOX compliance in Japan, U.S., Europe, and Asia

2007 Protiviti Inc. All rights reserved.

Agenda
- Recap of J-SOX Requirements
- Recent Developments of J-SOX Regulation
- Best Practices in Documentation
- Suggested Approach for Business Process Control Testing
- Overview of IT General Control Evaluation
- Questions and Answers

Recap of J-SOX Requirements

Structure of J-SOX
J-SOX requirements are defined by several laws and guidelines
- Financial Instruments and Exchange laws (6/2006)
- Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting (Finalized on 2/15/2007)
- FSA Questions and Answers (issued on 10/1/2007)
Other literature for information purposes
- JICPA Guideline for audit of ICFR (Finalized on 10/24/2007)
- Guidance for IT control over financial reporting by Ministry of Economy, Trade, and Industry (METI) (2nd supplementary edition draft was issued on 10/16/2007)

The Requirements
- Effective for the fiscal year beginning 4/1/2008 or later
- A report must be prepared and audited every year thereafter
The Parent
- Management must evaluate and prepare a report on the effectiveness of the company's ICFR (internal control over financial reporting)
- The report must be prepared on a consolidated basis (must include major subsidiaries and affiliates)
- The report must be attested to by the same external auditor (of the parent company) who performs the financial audit
The Subsidiary
- If in scope, evaluate its ICFR based on directions from the parent
- If in scope, support the work of external auditors
- There are no legal requirements for reporting or audit at subsidiary level
- Parent auditor may request local auditor to review internal control of subsidiary

Sample Timeline (for March year-end company)
[Figure: timeline across J-SOX Year 1 and J-SOX Year 2 with rows for Parent and Foreign Subsidiary. Labels: Assess (Select entity & business process); Check approach with auditor; Year 1 Audit; Set foundation & organize team; Assess (Select US entities & business processes); Document (Prepare FC & RCM); Evaluate (Identify & correct design gaps); Test critical controls; Test other controls and remediate gaps. Callout: Focus of Today's Webinar.]

Recent Developments of J-SOX Regulations

FSA Q&A: Introduction
- On October 2, 2007, the Financial Service Agency issued "Internal Control Reporting System Q & A"
- The document provides answers to 20 frequently asked questions regarding the Internal Control Reporting System

FSA Q&A: Selection of Business Entities (Q6)
Question: When selecting significant business units and locations in the United States, the aggregated amount in each significant account is derived first, in order to assess if it has reached a certain threshold (for example, 2/3 of the consolidated account balance). If it does not reach the threshold, more business units and locations are added to the scope. Do we select significant business units and locations in the same manner in Japan?
Answer: We are aware of the method used in the United States. However, the Practice Standard states that it does not use this method.

FSA Q&A (continued): Coverage of Business Locations (Q10)
Question: When selecting business locations to be included in the scope of assessment, an effective method (e.g., introducing a random sampling method) should be considered at the planning stage, bearing in mind that all business locations should be covered at least once within a certain period of time. Is this literally meant to cover all the business locations within a few years for the evaluation? Can we select the business locations by a sampling method after removing business units with minimal financial impacts?
Answer: The use of a random sampling method, or of a method covering all business locations at least once within a certain period of time, are merely examples. An actual sampling method should be determined appropriately by each company's creative procedures. Instead of covering all business units within a certain period, you can select business units from the population of similar operations after removing those with minimal financial impact.

FSA Q&A: Alternate for Segregation of Duties (Q20)
Question: Practice Standard states that a smaller and less-complex company may not be able to establish proper segregation of duties, and therefore should search for possibilities for the implementation of alternate control apparatuses. What are the examples of alternative control apparatuses?
Answer: The Practice Standard states that a smaller and less-complex company is expected to make an effort according to the given conditions. For example, a smaller and less-complex company may have difficulty maintaining appropriate segregation of duties due to a lack of adequate resources. In this case, management and employees from other departments may provide monitoring activities. They may also outsource the monitoring functions to specialists in order to mitigate risks. Thus, there are alternative ways to provide appropriate internal controls according to existing conditions.

The JICPA Guideline: Introduction
- The Japanese Institute of Certified Public Accountants (JICPA) released the Guideline for Audit Concerning Internal Control over Financial Reporting (draft 7/18/2007, final 10/24/2007)
- Contains audit procedures, consideration points, suggested wording for the auditor's report, and other information
- Designed to assist auditors in performing the audit of internal control over financial reporting according to FSA Standards
- Japanese accounting firms are preparing their own guidelines for internal control audit based on this JICPA document

The JICPA Guideline: Highlights
Relationship between the internal control audit and the financial audit
- Once J-SOX becomes effective, auditors are to assess the adequacy of management's assessment of the internal control design and operating effectiveness. Therefore, during the financial statement audit, the external auditor is expected to rely on the results of the internal control audit.
Use of the work of internal auditors and others
- The external auditor may use the work performed by an internal auditor and others as audit evidence for the management's assessment provided they have evaluated the quality and effectiveness of the work.
- In high risk areas, the use of the work of an internal auditor must be evaluated carefully.
- In an audit of lower risk areas such as routine transactions that occur daily, an auditor may utilize samples selected by internal auditors.

The JICPA Guideline: Highlights
Evaluation of the assessment of company-level controls
- The evaluations of CLC are often performed before the year-end.
- When management operates a monitoring system that detects changes to internal controls in a timely and appropriate manner, the external auditor will evaluate the effectiveness of the monitoring system.
- If the monitoring system is not effective, it significantly increases the effort of both auditors and management to complete the year-end CLC evaluation.
Evaluation of the assessment of process-level controls
- Management is required to perform additional procedures when the evaluation of operating effectiveness is performed before the year-end and when there is an important change to internal controls by the year-end.
- These additional procedures will depend on the timing of the interim testing, the results of the testing and whether there have been changes in internal controls since the interim testing.

The JICPA Guideline: New Items Added in the Final Version
Different fiscal year-end between the parent and the subsidiary
- When a subsidiary has a different fiscal year-end from the parent company, significant changes in internal controls must be evaluated for the period between the subsidiary's and the parent company's fiscal year ends
Exclusion of low volume transaction patterns
- When there are various transaction patterns for the selected major account, an insignificant transaction may be removed from the scope
- Management is expected to make reasonable decisions annually regarding the scope of assessments, in consideration of the materiality of quantitative and qualitative impacts on financial reporting.
- JICPA recommends that the management
  - Assess the financial impacts from the excluded transaction patterns to the selected major account in the business unit, and/or
  - Assess the financial impacts from the excluded transaction patterns to the consolidated major account balance annually

Best Practices in Documentation

Best Practices in J-SOX Documentation
Determination of Key Controls
- Document only what affects financial reporting risks
- Evaluate risk first before documenting control: no need to document control when the risk is not material
- Document only key (primary) controls: identify secondary controls only when the key control fails
- Effective company-level control can reduce the need for certain process-level controls: look for ways to mitigate risks by a combination of company-level and process-level controls
Pilot Documentation
- Prepare a set of documentation for one process to obtain an agreement on the level of detail from the parent, and obtain feedback from parent auditor and/or subsidiary auditor
- Use Pilot project to gain better understanding of the project among your team members

Best Practices in J-SOX Documentation
Document Format
- Organize or format documents so you don't need to document the same risks or controls in multiple documents or sections
- Describe controls accurately: incomplete and incorrect documentation will significantly increase the time requirements of testing phases
Project Team
- If available, select employees with the knowledge of financial reporting and internal control as core members of the project. This allows the company to
  - Focus its evaluation effort on higher risk items
  - Reduce the needs and costs of outside service
- Documentation requires a sound knowledge of accounting and internal controls: it's important for the company to own the J-SOX process, but don't ask every process owner to document their processes

Best Practices in J-SOX Documentation
Coordination with the parent company
- Coordinate closely with your parent in terms of scope, approach (including understanding their flexibility), and timing
- Don't follow parent's direction blindly: when it does not make sense, ask; when you have better ideas, suggest alternatives
- If the parent requests you to complete extensive check lists (check sheets), evaluate the relevance and importance of each item
- Required level of control is different for each company based on company's nature, size, culture, etc. Copying documents from a sister company does not serve the purpose
Coordination with the external auditor
- Involve the external auditor early on to gain concurrence, to avoid rework requests from them later on

Best Practices in J-SOX Documentation
Perform walkthroughs as the final step of documentation
- Use to identify inconsistencies between the documentation and reality
- Use to confirm whether the control is actually placed in operation
- Identify operational gaps before formal testing

Suggested Approach for Business Process Control Testing

Testing Approach: Two Types of Testing
There are two aspects of controls that must be evaluated:
1. How they are DESIGNED
2. How they are OPERATING
- Important to assess the control DESIGN effectiveness before performing any tests of OPERATING effectiveness
- If deficiencies are identified from evaluation of DESIGN, the deficiencies must be corrected before their OPERATION can be tested

Testing Approach: Project Team for Testing
- The person who tests operational effectiveness
  - Should be independent of the business operations being assessed
  - Is required to maintain objectivity
  - Must be familiar with the design and assessment of internal controls
- External auditors generally put more reliance on tests performed by a more qualified and more independent party
- Process owners may have an indirect participation in testing if a Control Self Assessment (CSA) program is properly implemented.
  - CSA can be a more cost effective solution than independent testing for some processes and for some organizations
  - CSA requires an education of process owners
  - It may be difficult to implement a CSA program in the initial year due to lack of knowledge by project team and process owners

Testing Approach: Evaluation of Design
- Evaluation of DESIGN is a more subjective process than Evaluation of OPERATION
- Evaluation of DESIGN generally requires a judgment by a person with adequate knowledge of internal control and financial reporting
- If performed by an experienced person, evaluation of DESIGN can be performed at the same time the risk and control matrix is prepared

Testing Approach: Evaluation of Operating Effectiveness
Steps: Define Test Scope -> Build Test Plan -> Execute Testing -> Analyze Test Results -> Update Testing
- Select key controls for testing
- A set of several controls can be tested at the same time if they occur at the same time
- Consider effect of entity-level controls
- Define roles and responsibilities for planning and execution
- Hold a kick off meeting with process owners to explain the process
- Work with process owners to schedule tests

Testing Approach: Evaluation of Operating Effectiveness
Steps: Define Test Scope -> Build Test Plan -> Execute Testing -> Analyze Test Results -> Update Testing
- Select testing methods (Inquiry, Observation, Inspection, Reperformance)
- Define the population
- Ascertain the test period
- Determine sampling method and size
- Define the deviation conditions
- Document testing plan
- Develop information request to process owners
- Parent company may provide guidelines for the above

Testing Approach: Evaluation of Operating Effectiveness
Steps: Define Test Scope -> Build Test Plan -> Execute Testing -> Analyze Test Results -> Update Testing
- Send Information Request to process owners, or select sample according to plan
- Execute tests according to plan
- Validate exceptions with process owners

Testing Approach: Evaluation of Operating Effectiveness
Steps: Define Test Scope -> Build Test Plan -> Execute Testing -> Analyze Test Results -> Update Testing
- Evaluate sample results
- Review the nature and cause of the exceptions with process owner and determine next steps
  - Increase or adjust the samples?
  - Identify and test different control?
- Formulate interim testing conclusions
- Document test results and organize evidence: need to satisfy external auditors
- Parent company may provide guidelines for exception handling

Testing Approach: Evaluation of Operating Effectiveness
Steps: Define Test Scope -> Build Test Plan -> Execute Testing -> Analyze Test Results -> Update Testing
- Retest controls that failed initial testing after the remediation effort is complete
- Perform a refresh test close to the compliance date (fiscal year end) if the initial testing is performed in the middle of the fiscal year
- Define sample sizes so that the total number of samples from the initial and refresh test meets sample size requirements
- Perform test in two phases in order to secure enough time to correct operational gaps
- Perform test in two phases in order to avoid year-end rush

Testing Approach: Remediation of Deficiencies
- Remediation of gaps requires knowledge, time, team work, discipline, and commitment
- If the team focuses on this activity in several weeks, the total time expended would be much less than the unfocused effort that spans over several months
- Consider the use of the following techniques
  - Strong project manager
  - Mandatory weekly meeting of process owners
  - Participation of executive sponsors
  - Use of visual aids
  - Incentives
  - Outside advisor with expertise in control optimization

Testing Approach: Testing Do's and Don'ts
Things To Do
- Test plans according to guidance from the parent
- Execute tests as designed
- Evaluate test results
- Obtain evidence that the control works
- Validate failure results
- Practice professional skepticism
Things to Avoid
- Auditing by conversation: inquiry is never enough
- Gaming in sampling (i.e., adding items to a sample until the results are satisfactory)
- Writing gratuitous or emotional comments
- Not involving appropriate process experts

Overview of IT General Control Evaluation

ITGC Evaluation: Overview
The process is similar to Business Process Evaluation
1. Select IT applications that support financial reporting
2. For selected applications and related IT infrastructures, obtain understanding of current processes related to
   - System Development and Program change control
   - System Operations (back up/recovery, data center operation, etc.)
   - Security Administration (physical and logical security, internal and external)
   - Contracted service management
3. Identify risks for each process
4. Identify one or more controls that mitigate each identified risk
5. If the design of control is not effective, remediate
6. Once design deficiency is remediated, perform test using similar methods as business process testing
7. Document the methods and the results of the test
8. If the control is not operated effectively, remediate
9. Once operational deficiency is remediated, test again

ITGC Evaluation: Tips for Planning / Scoping
- FSA Standard suggests that companies evaluate ITGC for each IT infrastructure that supports financial reporting
  - If one IT group is supporting all application systems that support financial reporting, it is likely that you have only one IT infrastructure
  - There is no need to prepare a different set of documents, nor perform a different set of tests, for each application as long as the way you maintain or operate these applications is identical
- Some parent companies are asking subsidiaries to complete a form to collect information on subsidiaries' application systems and infrastructure, primarily for scoping purposes
  - For many, this is the first time the parent is taking an inventory of IT systems at a foreign subsidiary
  - For some, this is the first time the subsidiary is taking an inventory of its own IT systems
  - Make use of the information collected for purposes other than J-SOX (i.e. standardization of software)

ITGC Evaluation: Tips for Documentation
- Some companies request subsidiaries to complete a check list. Most check lists are designed to validate whether each subsidiary has specific CONTROLs in place (not RISKs)
  - Your subsidiary may not need all controls as related risks may not exist >> Understand the risks before documenting controls
- The parent may request you to complete a separate checklist for each company, each application or each layer of infrastructure
  - However, the control may be common across different systems >> consider ways to combine documents
- Reduce the number and the volume of documents
  - Protiviti considers Risk and Control Matrix as the most effective
  - Avoid additional documentation unless it serves other purposes
- When identifying controls
  - Consider a combination of controls that mitigate the identified risks
  - Use company level controls to mitigate risk
  - Document only key controls

ITGC Evaluation: Tips for Documentation (continued)
- There may be identical controls for multiple processes and multiple systems. In order to reduce documentation of duplicate controls, organize Risk and Control matrix by
  1. Four major processes defined in FSA standard
  2. Risks
  3. Systems (if there are different controls for different systems)
- If you are using experienced resources for documentation, evaluate the effectiveness of design during the documentation phase
- Don't complete documentation phase until you collect and review evidence of control
  - Process owners often describe what they are supposed to be doing rather than what they actually do
  - It will require more time if you find discrepancies during operational testing process

ITGC Evaluation: Tips for Testing
- Conduct a formal kick off meeting to explain the approach and requirements
  - In order to obtain cooperation, communication is key
- Prepare a formal information request and distribute the request in advance
  - ITGC evidence tends to require more time to compile than business process control evidence
- Consider the cost of data gathering when selecting testing methods
- Organize the test plan and results in a consistent manner

Questions and Answers

Thank you
- Paul Sachs, Managing Director, 400 South Hope Street, Suite 900, Los Angeles, CA
- Aki Tohyama, Managing Director, 400 South Hope Street, Suite 900, Los Angeles, CA

At Protiviti, we believe the companies that most effectively understand and manage their risk are the companies that most often succeed. Or as we like to say
More informationIn-Depth Guide to Public Company Auditing: The Financial Statement Audit
In-Depth Guide to Public Company Auditing: The Financial Statement Audit Why an In-Depth Guide to Public Company Auditing? The foundation for confidence in U.S. capital markets is strengthened through
More informationUsing COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister
Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.
More informationAboriginal Affairs and Northern Development Canada. Internal Audit Report. Audit of Internal Controls Over Financial Reporting.
Aboriginal Affairs and Northern Development Canada Internal Audit Report Audit of Internal Controls Over Financial Reporting Prepared by: Audit and Assurance Services Branch Project #: 14-05 November 2014
More informationThe Importance of IT Controls to Sarbanes-Oxley Compliance
Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers
More informationin THE WAKE OF FIRST-YEAR FILINGS FOR SECTION 404 a guide to Section 404 project management
S A RB A N E S - OX LE Y: A SPE C IAL R E P O RT As organizations look toward year two of Sarbanes-Oxley, there are several steps they can take to ensure a more effective and efficient documentation process.
More informationSolvency II Data audit report guidance. March 2012
Solvency II Data audit report guidance March 2012 Contents Page Introduction Purpose of the Data Audit Report 3 Report Format and Submission 3 Ownership and Independence 4 Scope and Content Scope of the
More informationChecklist for Operational Risk Management
Checklist for Operational Risk Management I. Development and Establishment of Comprehensive Operational Risk Management System by Management Checkpoints - Operational risk is the risk of loss resulting
More informationHow To Audit A Government Contractor
Activity Code 17740 Version 6.11, dated November 2015 B-1 Planning Considerations Preaward Survey of Prospective Contractor Accounting System Audit Specific Independence Determination Members of the audit
More informationINTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS CONTENTS
INTERNATIONAL STANDARD ON AUDITING 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS (Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS Paragraph Introduction
More informationInternal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned
Internal Controls over Financial Reporting Integrating in Business Processes & Key Lessons learned Introduction Stephen McIntyre, CA, CPA (Illinois) Senior Manager at Ernst & Young in the Risk Advisory
More informationAn Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
Examination of an Entity s Internal Control 1403 AT Section 501 An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Source:
More informationINTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315
INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT (Effective for audits of financial
More information1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition
1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...
More informationThe Information Systems Audit
November 25, 2009 e q 1 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2 IS Environment Back Office Batch Apps MIS Online Integrated
More informationFraud and Role of Information Technology. September 2008
Fraud and Role of Information Technology September 2008 Agenda IT Value Proposition Slide 2 Prior Interpretations of Internal Control Structure Have Addressed Three Separate Parts Which Were Audited Somewhat
More informationInternational Forum of Independent Audit Regulators Report on 2014 Survey of Inspection Findings March 3, 2015
International Forum of Independent Audit Regulators Report on 2014 Survey of Inspection Findings March 3, 2015 Executive Summary In 2014, the International Forum of Independent Audit Regulators (IFIAR)
More informationPlan for the audit of the 2011 financial statements
INTERNATIONAL TRAINING CENTRE OF THE ILO Board of the Centre 73rd Session, Turin, 3-4 November 2011 CC 73/5/2 FOR INFORMATION FIFTH ITEM ON THE AGENDA Plan for the audit of the 2011 financial statements
More informationINTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS
INTERNATIONAL STANDARD ON AUDITING 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING (Effective for audits of financial statements for periods beginning on or after December 15, 2004) CONTENTS Paragraph Introduction...
More informationChapter 5. Planning the Audit Engagement
Chapter 5 Planning the Audit Engagement A. Purpose for Planning the Engagement Engagement planning is performed to provide a means for developing an understanding of the business objectives of the auditee,
More informationSarbanes-Oxley Section 404: Management s Assessment Process
Sarbanes-Oxley Section 404: Management s Assessment Process Frequently Asked Questions ADVISORY Contents 1 Introduction 2 Providing a Road Map for Management 3 Questions and Answers 3 Section I. Planning
More informationModule 2 IS Assurance Services
Module 2 IS Assurance Services Chapter 2: IS Audit In Phases Phase 2: Part: 2 of 3 CA A.Rafeq 1 Chapter 2: Agenda Chapter 2: IS Audit in Phases Phase1: Plan Phase 2: Execute Phase 3: Report 2 Phase 2:
More informationPerforming Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
Performing Audit Procedures in Response to Assessed Risks 327 AU-C Section 330 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained Source: SAS No. 122.
More informationInspection Observations Related to PCAOB "Risk Assessment" Auditing Standards (No. 8 through No.15)
1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org Inspection Observations Related to PCAOB "Risk Assessment" Auditing Standards (No. 8 through
More informationLEGAL SERVICES CORPORATION OFFICE OF INSPECTOR GENERAL FINAL REPORT ON SELECTED INTERNAL CONTROLS RHODE ISLAND LEGAL SERVICES, INC.
LEGAL SERVICES CORPORATION OFFICE OF INSPECTOR GENERAL FINAL REPORT ON SELECTED INTERNAL CONTROLS RHODE ISLAND LEGAL SERVICES, INC. RNO 140000 Report No. AU 16-05 March 2016 www.oig.lsc.gov TABLE OF CONTENTS
More informationAnnual Assessment of the External Auditor
Annual Assessment of the External Auditor TOOL FOR AUDIT COMMITTEES January 2014 ENHANCING AUDIT QUALITY AUDIT COMMITTEES iii Table of Contents Introduction 1 1. Determine the scope, timing and process
More informationAudit of Occupational Safety and Health (OSH)
National Research Council Canada Audit of Occupational Safety and Health (OSH) Internal Audit, NRC SEPTEMBER 2010 1.0 Executive Summary and Conclusion Background This report presents the findings of the
More informationThe Committee of Sponsoring Organizations of the Treadway Commission
The Committee of Sponsoring Organizations of the Treadway Commission Request for Proposal to Develop Additional Application Guidance on Monitoring, Including Tools and Techniques October 17, 2006 The Committee
More informationISSAI 1300. Planning an Audit of Financial Statements. Financial Audit Guideline
The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org. Financial
More informationPwC. Bill 198 Overview September 2004
PwC Bill 198 Overview September 2004 Agenda Welcome and overview Regulatory environment and background Three rules: 52-109 Strategies for implementing the CEO/CFO certification process 52-110 Requirements
More informationUnderstanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
Understanding the Entity and Its Environment 267 AU-C Section 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Source: SAS No. 122; SAS No. 128. Effective
More informationCHAPTER 7 PLANNING THE AUDIT: IDENTIFYING AND RESPONDING TO THE RISKS OF MATERIAL MISSTATEMENT
A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 7 PLANNING THE AUDIT: IDENTIFYING AND RESPONDING TO THE
More informationINTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS
INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 530 AUDIT SAMPLING AND OTHER MEANS OF TESTING CONTENTS Paragraph Introduction... 1-2 Definitions... 3-12 Audit Evidence... 13-17 Risk Considerations
More informationTHE AUDITOR S RESPONSES TO ASSESSED RISKS
SINGAPORE STANDARD ON AUDITING SSA 330 THE AUDITOR S RESPONSES TO ASSESSED RISKS This revised Singapore Standard on Auditing (SSA) 330 supersedes SSA 330 The Auditor s Procedures in Response to Assessed
More informationHow to survive an Audit
How to survive an Audit Eric Tan PwC Harshul Joshi PwC Objectives Preparation - You can never prepare enough; Mock audit - Running a mock audit Documentation to prove the processes and controls - Documentation
More informationState and District Monitoring of School Improvement Grant Contractors in California FINAL AUDIT REPORT
State and District Monitoring of School Improvement Grant Contractors in California FINAL AUDIT REPORT ED-OIG/A09O0009 March 2016 Our mission is to promote the efficiency, effectiveness, and integrity
More informationPOLICY MANUAL. Responsibility: Approved by: Last Approval Date:
Page: 1 of 6 Section: SECTION F - Mandates Name: ATCO Audit & Risk Committee Responsibility: Approved by: Last Approval Date: Chair ATCO Audit & Risk ATCO Audit & Risk Committee February 23, Committee
More informationIdentifying and Assessing. Understanding the Entity
Issued June 2009; revised July 2010, July 2012 Effective for audits of financial statements for periods beginning on or after 15 December 2009* Hong Kong Standard on Auditing 315 Identifying and Assessing
More informationEffective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions
Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions Plan Advisory The AICPA EBPAQC is a firm-based, volunteer membership center created with the goal of promoting quality employee
More informationAdministrative Guidelines on the Internal Control Framework and Internal Audit Standards
Administrative Guidelines on the Internal Control Framework and Internal Audit Standards GCF/B.09/18 18 February 2015 Meeting of the Board 24 26 March 2015 Songdo, Republic of Korea Agenda item 24 Page
More informationRisk Management Advisory Services, LLC Capital markets audit and control
Risk Management Advisory Services, LLC Capital markets audit and control November 14, 2003 Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, D.C., 20006-2803
More informationNORTHERN MICHIGAN LAW ENFORCEMENT TRAINING GROUP AUDITED FINANCIAL STATEMENTS YEAR ENDED DECEMBER 31, 2009
NORTHERN MICHIGAN LAW ENFORCEMENT TRAINING GROUP AUDITED FINANCIAL STATEMENTS YEAR ENDED DECEMBER 31, 2009 NORTHERN MICHIGAN LAW ENFORCEMENT TRAINING GROUP TABLE OF CONTENTS Independent Auditor s Report...
More informationAudit of the Test of Design of Entity-Level Controls
Audit of the Test of Design of Entity-Level Controls Canadian Grain Commission Audit & Evaluation Services Final Report March 2012 Canadian Grain Commission 0 Entity Level Controls 2011 Table of Contents
More informationengage ERM ADVISORY Insurer Management Risk Committee Practices
engage ERM ADVISORY Insurer Management Risk Committee Practices 2012 There are three major organizational steps that insurers with significant Enterprise Risk Management programs usually consider: the
More informationBuilding Sustainable Audit Quality. June 2014
Building Sustainable Audit Quality June 2014 The Issue The results of the Canadian Public Accountability Board s (CPAB) most recent inspections cycle have shown that the trend in audit quality is positive.
More informationOF CPAB INSPECTION FINDINGS
PROTOCOL FOR AUDIT FIRM COMMUNICATION OF CPAB INSPECTION FINDINGS WITH AUDIT COMMITTEES CONSULTATION PAPER NOVEMBER 2013 The Canadian Public Accountability Board ( CPAB ) is requesting comments on the
More informationMaster Document Audit Program. Version 7.4, dated November 2006 B-1 Planning Considerations. Purpose and Scope
Activity Code 24010 B-1 Planning Considerations Estimating System Survey (ICR) Purpose and Scope The major objectives of this audit are to: Evaluate the adequacy of and the contractor s compliance with
More informationGuide to Internal Control Over Financial Reporting
Guide to Internal Control Over Financial Reporting The Center for Audit Quality prepared this Guide to provide an overview for the general public of internal control over financial reporting ( ICFR ).
More informationAssurance at Country Level: External Audit of Grant Recipients. Eastern Europe and Central Asia Regional Report. GF-OIG-13-037 20 August 2013
Assurance at Country Level: External Audit of Grant Recipients Eastern Europe and Central Asia Regional Report 20 August 2013 TABLE OF CONTENTS A. EXECUTIVE SUMMARY... 2 B. MESSAGE FROM THE EXECUTIVE DIRECTOR
More informationThe Impact of the SarbanesOxley Act and Similar Legislation: Lessons Learned and Considerations for the Future
The Impact of the SarbanesOxley Act and Similar Legislation: Lessons Learned and Considerations for the Future Protiviti, together with the input of the Singapore Accountancy Commission, has developed
More informationCOMPANY LEVEL CONTROLS A PRACTICAL FRAMEWORK
COMPANY LEVEL CONTROLS A PRACTICAL FRAMEWORK During the past two years a group of internal control specialists of large Dutch companies listed in the USA have held regular meetings to share experiences
More informationInternal Control over Financial Reporting Guidance for Smaller Public Companies
Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked Questions Internal Control over Financial Reporting Guidance for Smaller Public Companies Frequently Asked
More information[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06]
SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting
More informationAudit Evidence and Documentation AN AUDIT: SUMMARY CHAPTER PCAOB ONE-UP S THE AICPA MANAGEMENT S ASSERTIONS
Audit Evidence and Documentation CHAPTER 5 AN AUDIT: SUMMARY Plan the engagement: Identify risks and areas where internal controls may be relied upon NET : Nature, extent and timing of audit procedures
More informationFREQUENTLY ASKED QUESTIONS ABOUT THE LOCAL CHURCH AUDIT
FREQUENTLY ASKED QUESTIONS ABOUT THE LOCAL CHURCH AUDIT Updated 2014 Local Church Audit Frequently Asked Questions What is an audit? The Book of Discipline defines a local church audit is an independent
More informationCOSO 2013 Internal Control Framework
COSO 2013 Internal Control A Guide to Implementation July 24, 2014 Justin Adamson Agenda COSO Background Changes to the Roadmap to Implementation Implementation Considerations & Lessons Learned 2 1 Who/What
More informationPreparing for Unannounced Inspections from Notified Bodies
Preparing for Unannounced Inspections from Notified Bodies Europe has introduced further measures for unannounced audits of manufacturers by notified bodies. With this in mind, James Pink, VP Europe-Health
More informationAuditing Treasury Activities. Devina Rankin Assistant Treasurer
Auditing Treasury Activities Devina Rankin Assistant Treasurer Overview of the Treasury Function Making sure the right amount of cash is in the right accounts on a daily basis Day-to-day cash management
More informationAccounting 408 Test 3b Section Row
Accounting 408 Test 3b Name Section Row Multiple Choice. (2 points each) Read the following questions carefully and indicate the one best answer to each question by placing an X (do not circle) over the
More informationInternal Audit Report. Toll Operations Contract Management TxDOT Office of Internal Audit
Internal Audit Report Toll Operations Contract Management TxDOT Office of Internal Audit Objective To determine whether the Toll Operations Division (TOD) contract management structure is designed and
More informationUpdate for Audit Committee Members
Headquarters Office: 1250 Headquarters Plaza West Tower, 7 th Floor Morristown, NJ 07960 Government Affairs Office: 1825 K Street, NW Suite 510 Washington, D.C. 20006 www.financialexecutives.org 877.359.1070
More informationGuide to Understanding SAS 70 Reports
Guide to Understanding SAS 70 Reports Authors: Norm Parkerson, Business Advisory Services Executive Director and Brett Williams, Business Advisory Services Partner In today s global economy, service organizations
More informationSarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers
Sarbanes-Oxley Section 404: Compliance s for Foreign Private Issuers As of March 14, 2005 Table of Contents Requirements of the Act.............................................................. 1 Accelerated
More information