COMPANY LEVEL CONTROLS A PRACTICAL FRAMEWORK



During the past two years a group of internal control specialists of large Dutch companies listed in the USA has held regular meetings to share experiences and to think about best practices for compliance with the Sarbanes-Oxley regulations. In this article, a task force of that group presents a practical framework for Company Level Controls which the group considers to be best practice.

IIA SOx platform

In 2003 most large Dutch, USA-listed firms started a program or project to make their internal processes compliant with the new Sarbanes-Oxley (SOx) legislation. SOx section 404 requires management to make an assessment of a company's internal control over financial reporting. The need was felt for some kind of platform offering the opportunity to meet colleagues from other companies to discuss SOx-related issues. As a consequence, the Dutch Institute of Internal Auditors (IIA) took the initiative to organise a discussion platform. The main objectives of this group are to share knowledge and experience in implementing SOx in order to develop best practices and to support discussions with external auditors. The following companies have regularly sent a representative to the meetings: ABN AMRO, Ahold, AKZO Nobel, Arcadis, ASMI, ASML, Buhrman, KLM, KPN, Reed Elsevier, Shell, TNT, Van der Moolen and VNU.

Company Level Controls

One of the topics that has led to discussions and differences of opinion is Company Level Controls. Relevant rule-making bodies have not issued detailed guidance, other than stressing the importance of Company Level Controls. External auditors have also published only limited guidance. As a consequence, the IIA SOx platform formed a task force, composed of representatives of four companies, with the objective of developing a common standard for Company Level Controls. This standard should comprise a practical framework and a list of controls which can easily be used to assess Company Level Controls in the various companies. Participants of the platform were willing to share their documentation, and the task force was able to use this as a basis to develop a framework. The results were presented regularly during platform meetings and led to ample discussion and exchange of opinions. This resulted in the set-up of a framework of twenty-nine key controls in the area of Company Level Controls. In the following paragraphs we present this practical framework.

What are Company Level Controls?

After the May 2005 roundtable with key SOx stakeholders, both the SEC and the PCAOB commented on the strong criticism resulting from the experiences with year-one SOx compliance. The comments directed the focus of SOx compliance to a top-down, risk-based approach, with a strong emphasis on Company Level Controls instead of a focus on transactional controls. What are Company Level Controls? The PCAOB gives some examples, although it did not come up with a definition. We regard Company Level Controls as controls that have the following characteristics: they exist on a higher level than transactional controls; they set positive conditions and boundaries for the transactional controls; and they form the internal control infrastructure.

PCAOB section 53

Audit Standard 2 of the PCAOB gives guidance to auditors on how to assess controls as part of an audit of internal control over financial reporting. Section 53 (see frame) gives examples of Company Level Controls. These examples cover all five components of the COSO framework. Therefore, we based our framework on COSO, taking into account the guidance from Section 53.

PCAOB AS2, section 53: Company-level controls are controls such as the following:
- Controls within the control environment, including tone at the top, the assignment of authority and responsibility, consistent policies and procedures, and company-wide programs, such as codes of conduct and fraud prevention, that apply to all locations and business units (see paragraphs 113 through 115 for further discussion);
- Management's risk assessment process;
- Centralized processing and controls, including shared service environments;
- Controls to monitor results of operations;
- Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs;
- The period-end financial reporting process; and
- Board-approved policies that address significant business control and risk management practices.

Company level control framework

The framework (fig. 1) visualizes the position of Company Level Controls and the nature and focus of Company Level Controls within the COSO framework. It shows that the basis for Company Level Controls lies in the Control Environment: the tone set by the top of the organization, which has a pervasive effect on the control consciousness and the effectiveness of controls in an organization. Another important aspect of Company Level Controls is Monitoring, i.e. the procedures a company uses to ensure that controls throughout the organization work according to plan. Information and Communication is crucial in implementing Company Level Controls; top-down information streams help company management to ensure that their (strategic) management decisions lead to appropriate action on the operating level. Bottom-up information provides management with insight into how their strategies are being dealt with on the operating level and provides the information that top management uses for its Risk Assessment. Based on the assessment of risks, Control Activities are implemented to ensure that management's objectives are met.

[Fig. 1: Company Level Controls within the COSO framework. Recoverable labels: External factors / external demands (business: market demands; compliance: SOx / Tabaksblat; performance; regulators); Company hierarchy (Supervisory board, Audit committee, Executive board, Group mgt, Opco mgt, Process owners); Internal response: Company Level Controls (control environment, risk assessment, control activities, information and communication).]

The standard set of Company Level Controls

We have identified a set of 29 controls which fits in this framework and which forms, in our view, the best practice set of Company Level Controls. In some instances individual companies may identify more topics based on their own organizational structure. However, we do not believe it is feasible that companies have less (1). The best practice Company Level Controls are listed below. The original table has the columns "#", "Relevant control item", "Category" and "Most applicable COSO element"; category and COSO element are given here where they survive in the source.

1. Control Manual (existence, availability, authorization, changes discussed and approved). COSO element: Communication.
2. Mandatory training plan for accounting personnel (monitoring of progress).
3. Senior management periodically reviews an overview of accounting, reporting and internal control issues (progress is monitored and reported in management meetings).
4. Senior Management ensures that certain high-risk processes and related significant accounts are only processed and recorded at or via the corporate level (e.g. (deferred) tax, goodwill and other intangibles, investments in subsidiaries).
5. Bill of Authority / Authorization table: procuration at the top / senior level (delegation of authorization) (availability, periodic update and authorization). Category: Assignment of Authority.
6. Senior Management consciously and willingly sets and maintains an appropriate Tone at the Top (e.g. communication throughout the year and behavior examples set by senior management).
7. Code of Conduct and disciplinary actions in case of violations (availability, confirmation of compliance, follow-up of deviations).
8. Fraud risk assessment, appropriate anti-fraud programs and reporting on fraud instances (availability, authorized and monitored).
9. Corporate management exercises oversight on litigation and communication with (financial) regulators.
10. Periodic divisional / operating company review meetings are held by the Corporate Management Team (consistency of Corporate and Division objectives; actual divisional / business unit / operating company results are compared to budget). Category: Business Planning and Performance.
11. Self-assessment of the Audit Committee on its own performance (assessment of performance against charter, relationship / performance of in- and external auditor, activities and competencies of Audit Committee members). Category: Corporate Governance.
12. The Audit Committee exercises appropriate oversight on internal control matters (open communication with senior financial management, in- and external audit). Category: Corporate Governance.
13. The Audit Committee ensures that open communication with in- and external auditors is established and maintained (approval of audit plan, active participation in meetings, private meetings). Category: Corporate Governance.
14. The department reviews the organisational design and the availability of job descriptions (key financial positions).
15. A pre-employment screening procedure is in place (implementation instructions, define for which functions screening is required).
16. Realistic targets are set and used in performance measurement (undue pressure, mixed (finance, compliance)).
17. Human resource policies available (adequacy of hiring, retention and promotion process).
18. Agreement on future system development and ongoing IT projects (IT strategic plan aligned to the business plan for development of information systems). Category: Information Management.
19. Independent reporting line from Internal Audit to the Audit Committee. Category: Internal Audit.
20. Periodic report from Internal Audit to the Audit Committee on performance (staffing, progress of the audit plan, the effectiveness of Internal Audit, approval of the Internal Audit charter). Category: Internal Audit.
21. Senior Management monitors the outcome of the periodic process regarding Letters of Representation (or in-control statements) issued by divisions / business units / operating companies (accounting standards, code of conduct, control standards, sign-off structure). Category: Compliance / Internal Control Function. COSO element: Communication.
22. Monitoring of the status of identified control issues via control remediation progress reporting (among others: number, nature, remediation, progress). Category: Compliance / Internal Control Function.
23. Management performs risk assessment and assesses likelihood and impact (analyze, plan, do, check, act). Category: Risk Management. COSO element: Risk Assessment.
24. The Supervisory Board reviews corporate strategy and approves the annual budget (non-executive board). Category: Strategic planning.
25. The Audit Committee ensures existence, availability, appropriateness and communication of the whistle-blower procedure (independent reporting, anonymity, performance reporting to the Audit Committee on reported instances and resolution). Category: Whistle-blower.
26. Budget process in place (related to strategy, quantifies goals, regular reporting reviews). Category: Business Planning and Performance.
27. Design of bonus plans ensures that no incentive exists that could lead to improper financial reporting (incentives are based on both financial and non-financial goals, long-term development of the company, senior / executive personnel).
28. Ensure a disclosure meeting is held quarterly to discuss details of P&L / balance sheet with Finance, Legal and Management.
29. New business meetings with board, group control, legal and IT to discuss the impact on financial reporting, legal implications and IT when the new business is implemented. Category: Risk Management. COSO element: Risk Assessment.

(1) This has been confirmed by meetings with representatives of the big four audit firms.

To elaborate on the control items stated above, the following three examples are given. These examples provide more insight into the required documentation and evidence. The examples also give detailed information on what testing should include. Testing of Company Level Controls is characterized by the fact that the control description is in many cases focused on the existence of formal documentation such as authorized policies, agendas of meetings, minutes of meetings and reports on performance. The test work programs will therefore to a large extent focus on the documentation already identified in the control descriptions, the implementation of relevant policies and the actual operation of the policies and procedures.

The original presents each example as two columns, "Evidence and documentation" and "Testing considerations"; they are reconstructed per control below.

CLC nr 1: Control Manual

Evidence and documentation. Ensure existence of:
- Availability of the Accounting & Control Manual, including communication plan;
- Documented comments of internal / external auditors, including follow-up;
- Approval by senior management;
- Change procedures for the Accounting & Control Manual.

Testing considerations. Verify whether:
- Reviews of the Accounting & Control Manual are done regularly to ensure timely updates for changes in applicable GAAP, and documentation of these reviews exists;
- Changes to the Accounting & Control Manual are formally approved by senior management prior to release and distribution;
- Applicable finance staff have access to the most recent Accounting & Control Manual (effectiveness of communication).

CLC nr 7: Code of Conduct

Evidence and documentation. Ensure existence of:
- An authorized Code of Conduct that is made publicly available (e.g. on the company website);
- An annual confirmation of compliance with the Code of Conduct that is being organized;
- An annual evaluation of deviations from the Code of Conduct (e.g. Letter of Representation, ethics committee) by appropriate management;
- Periodic reporting on instances, remediation and action plan for deviations from the Code of Conduct.

Testing considerations:
- Verify, based on interviews with a number of employees at various levels in the company, whether they are aware of the Code of Conduct and that the code is frequently addressed by Senior Management in communications, e-mails, etc.;
- Verify the annual confirmation for a sample of employees;
- Check whether the current version of the Code of Conduct is published on the intranet;
- Verify the existence of formal reporting procedures regarding violations of the Code of Conduct;
- Verify, based on the minutes of the meetings that deal with the violations, whether all reported violations are discussed, disciplinary actions are defined and follow-up actions are initiated.

CLC nr 12: Self-assessment of the Supervisory Board on its own performance

Evidence and documentation. Ensure existence of:
- A Supervisory Board Charter, including a description of profiles and competencies of Supervisory Board members;
- A self-assessment scheduled (agenda) by the Supervisory Board;
- A questionnaire or other tool that ensures that the self-assessment is done in a structured way and that all relevant matters are addressed;
- A result of the self-assessment that is formally documented and agreed by the Supervisory Board.

Testing considerations. Verify whether:
- Written evidence of these self-assessments exists (agenda, minutes and summarized questionnaire);
- The self-assessment is guided by the questionnaire and conclusions are established;
- All members of the Supervisory Board participate;
- Agendas and minutes of the meetings and, if applicable, follow-up actions are formally identified and the results of previous actions are evaluated.

IIA platform going forward

The Sarbanes-Oxley Act of 2002 has kept companies very busy over the past few years. Because of the complexity of the subject, the (Dutch) IIA initiative to organize a SOx platform group proved, and still proves, to be a very valuable initiative. We will continue to meet, and we might share some of our thinking in this magazine. Our framework for Company Level Controls is in our view a good example of how the IIA can contribute to improved governance and enhanced internal controls in The Netherlands. We welcome readers of this article to provide their comments in order to improve the practical framework.

About the authors

The IIA SOx networking group is open to project leaders of US-listed companies located in the Netherlands. Drs. Ronald Bouman RA has experience with SOx at TNT and is currently interim SOx consultant at Van Der Moolen. Besides SOx he is focusing on Basel II and Solvency II. Drs. Jaap Gerkes RA has gained Internal Control and Risk Management experience at VNU. Currently he is a senior manager in the Dutch office of Protiviti, Independent Risk Consulting. Drs. Wilbert Jan van der Werf RA is employed at Koninklijke Ahold N.V. in the SOx area. Drs. Heiko van der Wijk RA CIA gained SOx experience at KPN (until 2005) and is presently employed at KLM in the SOx area. He is also a board member of the IIA.