J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007

Transcription

1 J-SOX Compliance Approach Best Practices for Foreign Subsidiaries November 8, 2007

2 Protiviti Background Consulting firm dedicated to business and technology risk consulting, and internal audit services Formed in 2002 with 700 former "Big 5" professionals with risk consulting experience More than 2,900 professionals in 60 offices worldwide $543 million revenue, double-digit growth every year since inception U.S. clients include more than 25% of Fortune 500 Assisted over 800 companies with US SOX, including 40% of Japanese companies subject to US SOX Currently assisting 50+ Japanese companies with J-SOX compliance in Japan, U.S., Europe, and Asia 2007 Protiviti Inc. All right reserved. 2

3 Agenda Recap of J-SOX Requirements Recent Developments of J-SOX Regulation Best Practices in Documentation Suggested Approach for Business Process Control Testing Overview of IT General Control Evaluation Questions and Answers 2007 Protiviti Inc. All right reserved. 3

4 Recap of J-SOX Requirements 2007 Protiviti Inc. All right reserved. 4

5 Structure of J-SOX J-SOX requirements are defined by several laws and guidelines Financial Instruments and Exchange laws (6/2006) Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting (Finalized on 2/15/2007) FSA Questions and Answers (issued on 10/1/2007) Other literature for information purpose JICPA Guideline for audit of ICFR (Finalized on 10/24/2007) Guidance for IT control over financial reporting by Ministry of Economy, Trade, and Industry (METI) (2 nd supplementary edition draft was issued on 10/16/2007) 2007 Protiviti Inc. All right reserved. 5

6 The Requirements Effective for the fiscal year beginning 4/1/2008 or later A report must be prepared and audited every year thereafter The Parent Management must evaluate and prepare a report on the effectiveness of company s ICFR (internal control over financial reporting) The report must be prepared on a consolidated basis (must include major subsidiaries and affiliates) The report must be attested to by the same external auditor (of the parent company) who performs financial audit The Subsidiary If in scope, evaluate its ICFR based on directions from the parent If in scope, support the work of external auditors There is no legal requirements for reporting or audit at subsidiary level Parent auditor may request local auditor to review internal control of subsidiary 2007 Protiviti Inc. All right reserved. 6

7 Sample Timeline (for March year-end company) J-SOX Year 1 J-SOX Year 2 Assess (Select entity & business process) Parent Check approach with auditor Year 1 Audit Set foundation & organize team Foreign Subsidiary Assess (Select US entities & business processes) Document (Prepare FC & RCM) Evaluate (Identify & correct design gaps) Test critical controls Focus of Today s Webinar Test other controls and remediate gaps 2007 Protiviti Inc. All right reserved. 7

8 Recent Developments of J-SOX Regulations 2007 Protiviti Inc. All right reserved. 8

9 FSA Q&A Introduction On October 2, 2007, the Financial Service Agency issued Internal Control Reporting System Q & A The document provides answers to 20 frequently asked questions regarding the Internal Control Reporting System 2007 Protiviti Inc. All right reserved. 9

10 FSA Q&A Selection of Business Entities (Q6): Question: When selecting significant business units and locations in the United States, the aggregated amount in each significant account is derived first, in order to assess if it has reached a certain threshold (for example, 2/3 of the consolidated account balance). If it does not reach the threshold, more business units and locations are added to the scope. Do we select significant business units and locations in the same manner in Japan? Answer: We are aware of the method used in the United States. However, the Practice Standard states that it does not use this method Protiviti Inc. All right reserved. 10

11 FSA Q&A (continued) Coverage of Business Locations (Q10): Question: When selecting business locations to be included in the scope of assessment, an effective method (e.g., introducing a random sampling method) should be considered at the planning stage, bearing in mind that all business locations should be covered at least once within a certain period of time. Is this literally meant to cover all the business locations within a few years for the evaluation? Can we select the business locations by a sampling method after removing business units with minimal financial impacts? Answer: The use of a random sampling method or a method covering all business locations at least once within a certain period of time, are merely examples. An actual sampling method should be determined appropriately by each company s creative procedures. Instead of covering all business units within a certain period, you can select business units from the population of similar operations after removing those with minimal financial impact Protiviti Inc. All right reserved. 11

12 FSA Q&A Alternate for Segregation of Duties (Q20) Question: Practice Standard states that a smaller and less-complex company may not be able to establish proper segregation of duties, and therefore should search for possibilities for the implementation of alternate control apparatuses. What are the examples of alternative control apparatuses? Answer: The Practice Standard states that a smaller and less-complex company is expected to make an effort according to the given conditions. For example, a smaller and less-complex company may have difficulty maintaining appropriate segregation of duties due to a lack of adequate resources. In this case, management and employees from other departments may provide monitoring activities. They may also outsource the monitoring functions to specialists in order to mitigate risks. Thus, there are alternative ways to provide appropriate internal controls according to existing conditions Protiviti Inc. All right reserved. 12

13 The JICPA Guideline Introduction The Japanese Institute of Certified Public Accountants (JICPA) released Guideline for Audit Concerning Internal Control over Financial Reporting (draft 7/18/2007, final 10/24/2007) Contains audit procedures, consideration points, suggested wording for the auditor's report, and other information Designed to assist auditors to perform audit of internal control over financial reporting according to FSA Standards Japanese accounting firms are preparing their own guidelines for internal control audit based on this JICPA document 2007 Protiviti Inc. All right reserved. 13

14 The JICPA Guideline Highlights Relationship between the internal control audit and the financial audit Once J-SOX becomes effective, auditors are to assess the adequacy of management s assessment of the internal control design and operating effectiveness. Therefore, during the financial statement audit, the external auditor is expected to rely on the results of the internal control audit. Use of the work of internal auditors and others The external auditor may use the work performed by an internal auditor and others as audit evidence for the management s assessment provided they have evaluated the quality and effectiveness of the work. In high risk areas, the use of the work of an internal auditor must be evaluated carefully. In an audit of lower risk areas such as routine transactions that occur daily, an auditor may utilize samples selected by internal auditors Protiviti Inc. All right reserved. 14

15 The JICPA Guideline Highlights Evaluation of the assessment of company-level controls The evaluations of CLC are often performed before the year-end. When management operates a monitoring system that detects changes to internal controls in a timely and appropriate manner, the external auditor will evaluate the effectiveness of the monitoring system. If the monitoring system is not effective, it significantly increases the effort of both auditors and management to complete the year-end CLC evaluation. Evaluation of the assessment of process-level controls Management is required to perform additional procedures when the evaluation of operating effectiveness is performed before the year-end and when there is an important change to internal controls by the yearend. These additional procedures will depend on the timing of the interim testing, the results of the testing and whether there have been changes in internal controls since the interim testing Protiviti Inc. All right reserved. 15

16 The JICPA Guideline New Items Added in the Final Version Different fiscal year-end between the parent and the subsidiary When a subsidiary has a different fiscal year-end from the parent company, significant changes in internal controls must be evaluated for the period between a subsidiary and the parent company s fiscal year ends Exclusion of low volume transaction patterns When there are various transaction patterns for the selected major account, an insignificant transaction may be removed from the scope Management is expected to make reasonable decisions in regards to the scope of assessments in consideration of the materiality of quantitative and qualitative impacts on financial reporting annually. JICPA recommends that the management Assess the financial impacts from the excluded transaction patterns to the selected major account in the business unit, and/or Assess the financial impacts from the excluded transaction patterns to the consolidated major account balance annually 2007 Protiviti Inc. All right reserved. 16

17 Best Practices in Documentation 2007 Protiviti Inc. All right reserved. 17

18 Best Practices in J-SOX Documentation Determination of Key Controls Document only what affects financial reporting risks Evaluate risk first before documenting control no need to document control when the risk is not material Document only key (primary) controls identify secondary controls only when the key control fails Effective company-level control can reduce the need for certain process-level controls look for ways to mitigate risks by a combination of company-level and process-level controls Pilot Documentation Prepare a set of documentation for one process to obtain an agreement on the level of detail from the parent, and obtain feedback from parent auditor and/or subsidiary auditor Use Pilot project to gain better understanding of the project among your team members 2007 Protiviti Inc. All right reserved. 18

19 Best Practices in J-SOX Documentation Document Format Organize or format documents so you don t need to document same risks or controls on multiple documents or sections Describe controls accurately - Incomplete and incorrect documentation will significantly increase the time requirements of testing phases Project Team If available, select employees with the knowledge of financial reporting and internal control as core members of the project. This allows the company to Focus its evaluation effort on higher risk items Reduce the needs and costs of outside service Documentation requires a sound knowledge of accounting and internal controls it s important for the company to own J-SOX process, but don t ask every process owner to document their processes 2007 Protiviti Inc. All right reserved. 19

20 Best Practices in J-SOX Documentation Coordination with the parent company Coordinate closely with your parent in terms of scope, approach (including understanding their flexibility), and timing Don t follow parent s direction blindly when it does not make sense, ask when you have better ideas, suggest alternatives If the parent requests you to complete an extensive check lists (check sheets), evaluate the relevance and importance of each item Required level of control is different for each company based on company s nature, size, culture, etc. Copying document from sister company does not serve the purpose Coordination with the external auditor Involve the external auditor early on to gain concurrence to avoid rework requests from them later on 2007 Protiviti Inc. All right reserved. 20

21 Best Practices in J-SOX Documentation Perform walkthroughs as the final step of documentation Use to identify inconsistencies between the documentation and reality Use to confirm whether the controls is actually placed in operation Identify operational gaps before formal testing 2007 Protiviti Inc. All right reserved. 21

22 Suggested Approach for Business Process Control Testing 2007 Protiviti Inc. All right reserved. 22

23 Testing Approach Two Types of Testing There are two aspects of controls that must be evaluated: 1. How they are DESIGNED 2. How they are OPERATING Important to assess the control DESIGN effectiveness before performing any tests of OPERATING effectiveness If deficiencies are identified from evaluation of DESIGN, the deficiencies must be corrected before their OPERATION can be tested 2007 Protiviti Inc. All right reserved. 23

24 Testing Approach Project Team for Testing The person who tests operational effectiveness Should be independent of the business operations being assessed Is required to maintain objectivity Must be familiar with the design and assessment of internal controls External auditors generally put more reliance on tests performed by more qualified and more independent party Process owners may have an indirect participation in testing if Control Self Assessment (CSA) program is properly implemented. CSA can be more cost effective solution than independent testing for some processes and for some organizations CSA requires an education of process owners It may be difficult to implement CSA program in the initial year due to lack of knowledge by project team and process owners 2007 Protiviti Inc. All right reserved. 24

25 Testing Approach Evaluation of Design Evaluation of DESIGN is more subjective process than Evaluation of OPERATION Evaluation of DESIGN generally requires a judgment by a person with adequate knowledge of internal control and financial reporting If performed by an experienced person, evaluation of DESIGN can be performed at the same time the risk and control matrix is prepared 2007 Protiviti Inc. All right reserved. 25

26 Testing Approach Evaluation of Operating Effectiveness Define Test Scope Build Test Plan Execute Testing Analyze Test Results Update Testing Select key controls for testing A set of several controls can be tested at the same time if they occur at the same time Consider effect of entity-level controls Define roles and responsibilities for planning and execution Hold a kick off meeting with process owners to explain the process Work with process owners to schedule tests 2007 Protiviti Inc. All right reserved. 26

27 Testing Approach Evaluation of Operating Effectiveness Define Test Scope Build Test Plan Execute Testing Analyze Test Results Update Testing Select testing methods (Inquiry, Observation, Inspection, Reperformance) Define the population Ascertain the test period Determine sampling method and size Define the deviation conditions Document testing plan Develop information request to process owners Parent company may provide guideline for the above 2007 Protiviti Inc. All right reserved. 27

28 Testing Approach Evaluation of Operating Effectiveness Define Test Scope Build Test Plan Execute Testing Analyze Test Results Update Testing Send Information Request to process owners, or select sample according to plan Execute tests according to plan Validate exceptions with process owners 2007 Protiviti Inc. All right reserved. 28

29 Testing Approach Evaluation of Operating Effectiveness Define Test Scope Build Test Plan Execute Testing Analyze Test Results Update Testing Evaluate sample results Review the nature and cause of the exceptions with process owner and determine next steps Increase or adjust the samples? Identify and test different control? Formulate interim testing conclusions Document test results and organize evidence need to satisfy external auditors Parent company may provide guidelines for exception handling 2007 Protiviti Inc. All right reserved. 29

30 Testing Approach Evaluation of Operating Effectiveness Define Test Scope Build Test Plan Execute Testing Analyze Test Results Update Testing Retest controls that failed initial testing after the remediation effort is complete Perform refresh test close to the compliance date (fiscal year end) if the initial testing is performed in the middle of fiscal year Define sample sizes so that the total number of samples from the initial and refresh test meets sample size requirements Perform test in two phases in order to secure enough time to correct operational gaps Perform test in two phases in order to avoid year-end rush 2007 Protiviti Inc. All right reserved. 30

31 Testing Approach Remediation of Deficiencies Remediation of gaps require knowledge, time, team work, discipline, and commitment If the team focuses on this activity in several weeks, the total time expended would be much less than the unfocused effort that spans over several months Consider a use of the following techniques Strong project manager Mandatory weekly meeting of process owners Participation of executive sponsors Use of visual aides Incentives Outside advisor with expertise in control optimization 2007 Protiviti Inc. All right reserved. 31

32 Testing Approach Testing Do s and Don ts Things Things To To Do Do Test plans according to guidance from the parent Execute tests as designed Evaluate test results Obtain evidence that the control works Validate failure results Practice professional skepticism Things Things to to Avoid Avoid Auditing by conversation inquiry is never enough Gaming in sampling (i.e., adding items to a sample until the results are satisfactory ) Writing gratuitous or emotional comments Not involving appropriate process experts 2007 Protiviti Inc. All right reserved. 32

33 Overview of IT General Control Evaluation 2007 Protiviti Inc. All right reserved. 33

34 ITGC Evaluation Overview The process is similar to Business Process Evaluation 1. Select IT applications that support financial reporting 2. For selected applications and related IT infrastructures, obtain understanding of current processes related to System Development and Program change control System Operations (back up/recovery, data center operation, etc.) Security Administration (physical and logical security, internal and external) Contracted service management 3. Identify risks for each process 4. Identify one or more controls that mitigate each identified risk 5. If the design of control is not effective, remediate 6. Once design deficiency is remediated, perform test using similar methods as business process testing 7. Document the methods and the results of the test 8. If the control is not operated effectively, remediate 9. Once operational deficiency is remediated, test again 2007 Protiviti Inc. All right reserved. 34

35 ITGC Evaluation Tips for Planning / Scoping FSA Standard suggests companies to evaluate ITGC for each IT infrastructure that supports financial reporting If one IT group is supporting all application systems that support financial reporting, it is likely that you have only one IT infrastructure There is no need to prepare a different set of documents, nor perform different set of tests for each application as long as the way you maintain or operate these applications are identical Some parent companies are asking subsidiaries to complete a form to collect information on subsidiaries application systems and infrastructure, primarily for scoping purpose For many, this is the first time the parent is taking an inventory of IT systems at foreign subsidiary For some, this is the first time subsidiary is taking an inventory of its own IT systems Make use of the information collected for purposes other than J-SOX (i.e. standardization of software) 2007 Protiviti Inc. All right reserved. 35

36 ITGC Evaluation Tips for Documentation Some companies request subsidiaries to complete a check list. Most check lists are designed to validate whether each subsidiary has specific CONTROLs in place (not RISKs) Your subsidiary may not need all controls as related risks may not exist >> Understand the risks before documenting controls The parent may request you to complete separate checklist for each company, each application or each layer of infrastructure However, the control may be common across different systems >> consider ways to combine documents Reduce the number and the volume of documents Protiviti considers Risk and Control Matrix as the most effective Avoid additional documentation unless they serve other purposes When identifying controls Consider a combination of controls that mitigate the identified risks Use company level controls to mitigate risk Document only key controls 2007 Protiviti Inc. All right reserved. 36

37 ITGC Evaluation Tips for Documentation (continued) There may be identical controls for multiple processes and multiple systems. In order to reduce documentation of duplicate controls, organize Risk and Control matrix by 1. Four major processes defined in FSA standard 2. Risks 3. Systems (if there are different controls for different systems) If you are using experienced resources for documentation, evaluate the effectiveness of design during the documentation phase Don t complete documentation phase until you collect and review evidence of control Process owners often describe what they are supposed to be doing rather than what they actually do It will require more time if you find discrepancies during operational testing process 2007 Protiviti Inc. All right reserved. 37

38 ITGC Evaluation Tips for Testing Conduct a formal kick off meeting to explain the approach and requirements In order to obtain cooperation, the communication is key Prepare a formal information request and distribute the request in advance ITGC evidence tends to require more time to compile than business process control evidence Consider the cost of data gathering when selecting testing methods Organize the test plan and results in consistent manner 2007 Protiviti Inc. All right reserved. 38

39 Questions and Answers 2007 Protiviti Inc. All right reserved. 39

40 Thank you Paul Sachs Managing Director 400 South Hope Street Suite 900 Los Angeles, CA Direct: Mobile: Fax: Aki Tohyama Managing Director 400 South Hope Street Suite 900 Los Angeles, CA Direct: Mobile: Fax: Protiviti Inc. All right reserved. 40

41 At Protiviti, we believe the companies that most effectively understand and manage their risk are the companies that most often succeed. Or as we like to say 2007 Protiviti Inc. All right reserved. 41