Why is internal control important? The need for an integrated control framework. COSO Integrated framework. Evaluate the control environment.


IBR seminar: INTERNAL CONTROL, COSO, SOX. June 2009

Sources:
- COSO ERM Framework
- PwC IBR presentations COSO / SOX
- E&Y Loi sécurité financière
- CBFA Présentation du 12/6/

Why is internal control important?
The need for an integrated control framework.
COSO Integrated framework.
Evaluate the control environment.
Impact of Internal Controls on Audit Strategy.
COSO and Belgian practice
SOX
Loi Sécurité Financière
Renewed model of internal and external control

1. Why is internal control important?

Internal control serves different purposes:

Management framework
- Organisations are continuously faced with business risks. An adequate system of internal control helps the client in managing these risks and thus achieving business objectives.
- Internal control impacts performance of organisations and shareholder value.

Legal / Statutory / Prudential requirements
- Corporate Governance recommendations
- Management's responsibility for the financial statements

Management is responsible for the preparation and the fair presentation of these financial statements. This responsibility includes: designing, implementing and maintaining internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error; selecting and applying appropriate accounting policies; and making accounting estimates that are reasonable in the circumstances.

Why is internal control important?

Audit strategy
Audit opinion

Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with the legal requirements and the Auditing Standards applicable in Belgium, as issued by the Institute of Registered Auditors (Institut des Reviseurs d'Entreprises / Instituut der Bedrijfsrevisoren). Those standards require that we plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement, whether due to fraud or error. In accordance with the above-mentioned auditing standards, we considered the association's accounting system, as well as its internal control procedures. We have obtained from management and from the association's officials the explanations and information necessary for executing our audit procedures. We have examined, on a test basis, the evidence supporting the amounts included in the financial statements.
We have assessed the appropriateness of accounting policies and the reasonableness of the significant accounting estimates made by the association as well as the overall financial statement presentation. We believe that these procedures provide a reasonable basis for our opinion.


1. Why is internal control important? - Impact of Internal Controls on Audit Strategy

Balance the audit work with perceived risks:

AR = IR * CR * DR

- AR = audit risk
- IR = inherent risk
- CR = control risk
- DR = detection risk

Impact:
- Incorrect opinion (incorrect assessment of Control Risk, high detection risk): α-risk
- Costly audit (too much work performed in relation to the control risk): β-risk

Why is internal control important? Internal Control Myths and Facts

MYTHS:
- Internal control starts with a strong set of policies and procedures.
- Internal control: That's why we have internal auditors!
- Internal control is a finance thing.
- Internal controls are essentially negative, like a list of thou-shalt-nots.
- Internal controls take time away from our core activities of making products, selling, and serving customers.

FACTS:
- Internal control starts with a strong control environment.
- While internal auditors play a key role in the system of control, management is the primary owner of internal control.
- People at every level in the organization have responsibility for internal controls.
- Internal control is integral to every aspect of business.
- An integrated internal control system will not be effective without an entity-wide approach to corporate governance, risk management and compliance.
- Internal control makes the right things happen the first time.
- Internal control should be built into, not onto business processes.

2. The need for an integrated control framework
Public embarrassment of some of the world's most respected organisations

2. The need for an integrated control framework
Risk increasing factors in today's business environment

2. The need for an integrated control framework

The case for rethinking internal controls:
- Management's reliance on hard controls is not sufficient to protect shareholder value (refer to limitations on internal controls).
- Soft controls and risk management mechanisms provide fundamentals to a sound system of internal control.

COSO Integrated framework
Committee of Sponsoring Organizations of the Treadway Commission

- Treadway Commission formed in 1985
- Treadway Commission issues report in 1987; calls for study to develop a common framework for internal control
- Coopers & Lybrand selected to conduct the study and author the report
- Report entitled "Internal Control - Integrated Framework" is issued in September 1992

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.

3. COSO Integrated framework
Committee of Sponsoring Organizations of the Treadway Commission
Enterprise Risk Management Integrated Framework

Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk. In 2001, COSO initiated a project to develop a framework that would be readily usable by managements to evaluate and improve their organizations' enterprise risk management. The period of the framework's development was marked by a series of high-profile business scandals and failures where investors, company personnel, and other stakeholders suffered tremendous loss. The Enterprise Risk Management Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. It is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it.

COSO Integrated framework
ERM is about value

Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day. The fundamental premise underlying the Enterprise Risk Management Integrated Framework is that all entities, whether for profit or not, exist to realize value for their stakeholders. The ongoing identification and mitigation of risks, as well as knowing what opportunities to seize, are critical to protecting and growing stakeholder value. Enterprise risk management supports value creation by enabling management to deal effectively with uncertainty, explicitly consider risk in investment decisions and minimize risks to achieving entity objectives.

ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

No entity operates in a risk-free environment, and enterprise risk management does not create such an environment. Rather, enterprise risk management enables management to operate more effectively in environments filled with risks. Enterprise risk management provides management with enhanced capabilities to align risk appetite and strategy, link growth, risk and return, minimize operational surprises and losses, identify and manage cross-enterprise risks and rationalize capital.

3. COSO Integrated framework

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. Enterprise risk management encompasses:

- Aligning risk appetite and strategy: Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
- Enhancing risk response decisions: Enterprise risk management provides the rigor to identify and select among alternative risk responses - risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses: Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
- Identifying and managing multiple and cross-enterprise risks: Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response on the interrelated impacts, and integrated responses to multiple risks.

COSO Integrated framework

- Seizing opportunities: By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
- Improving deployment of capital: Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

3. COSO Integrated framework
Driving forces behind ERM

- Investors: Demand increased financial disclosure and regulatory compliance
- Market / Credit Analysts: Require that management strengthen its risk disclosure capabilities
- Organisation Stakeholders: Demand that management adequately identify all material risks that impact cash flow, capital and mission
- Auditors: Current protocols require organizations to report risks in a forward-looking context

COSO Integrated framework
Enterprise Risk Management Defined

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. Enterprise risk management is:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board of directors
- Geared to achievement of objectives in one or more separate but overlapping categories

3. COSO Integrated framework

The COSO ERM Framework consists of 8 interrelated components and 4 objectives.

COSO Integrated framework
4 objectives

Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four categories:

- Strategic: high-level goals, aligned with and supporting its mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations

Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity's control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic objectives and operations objectives, however, is subject to external events not always within the entity's control; accordingly, for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving towards achievement of the objectives.

3. COSO Integrated framework
8 components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:

- Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
- Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

COSO Integrated framework
8 components of Enterprise Risk Management

- Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
- Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

3. COSO Integrated framework

- Strategies: Companies deploy multiple strategies, from formulating strategic direction to complying with regulatory changes.
- Evolving Risk Profile: Multiple strategies generate risks and a continually evolving risk profile.
- Executing Embedded Processes: Companies establish a series of processes to help manage their changing risk profile.
- Assess: Risk functions, including internal audit (with management), continually assess the evolving risk profile.
- Monitor: Based on the risk assessment, management supported by risk functions performs monitoring activities to ensure processes are operating as designed, controls are effective and risks are managed.
- Enhance: Management, working with the risk functions, implements identified enhancements.

COSO Integrated framework
Levels of the organization

ERM considers activities at all levels of the organization:
- Enterprise-level
- Division or subsidiary
- Business unit processes

3. COSO Integrated framework

According to the definition, enterprise risk management is thus a process in which all employees are involved and whose aim is to give management reasonable assurance that the objectives will be achieved through sound management of the risks the company faces. A number of steps must be followed, and there are also a number of influencing factors, such as the internal environment, information and communication, and the evaluation of the ERM process.

COSO Integrated framework
Internal Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

3. COSO Integrated framework
Internal Environment

[Diagram: elements of the internal environment, followed by the keywords shown beneath them]
Risk Management Philosophy; Risk Appetite; Risk Culture; Board of Directors; Integrity and Ethical values; Commitment to Competence
Value; Communicate in words and actions; Value; Qualitative; Quantitative; Linked to strategy; Independent; Active; Involved; Independent; Active; Involved; Standards of behaviour; Prerequisite; CEO example; Incentives; Knowledge; Skills; Trade-offs

Management Philosophy and Operating Style; Organizational Structure; Assignment of Authority and Responsibility; Human Resource Policies and Practices; Differences in Environment
Formal vs. Informal; Conservative vs. Aggressive; Aligned; Reporting lines; Centralized / Decentralized; Matrix / Function / Geography; Empowerment; Accountability; Qualified; Training; Compensation; Incentives and Discipline; Management preferences; Value judgments; Management styles

COSO Integrated framework
Hard and soft controls

Hard controls consist of organizational structure, assignment of authority and responsibility, and human resources policies and practices. All three are relatively traditional areas examined in most audits. Audit evidence for each should be readily available.

Soft controls include ethics, commitment to competence, and management operating style. Such controls have traditionally been overlooked in audits because documented evidence of the audit condition is difficult to obtain and test.

Rating

If any one of the hard controls isn't functioning effectively in the area being audited, an unsatisfactory rating is warranted. On the other hand, proper behavior is assumed for soft controls. An unfavorable audit conclusion is reached only if improper behavior is observed. A satisfactory rating wouldn't be ruled out if the auditor finds no direct evidence that the "soft controls" are in place. Only if instances of unethical, incompetent, or improper management behavior are discovered should the auditor consider an unsatisfactory rating.
The level of assurance provided by the auditor for soft controls is, therefore, much less than normally rendered. As techniques for testing soft controls improve, rating criteria may be revised to render more positive assurance.

3. COSO Integrated framework
Evaluation of the control environment

The control environment is one of the key components of an entity's internal control; it sets the tone of an entity, influences the control consciousness of people within an organization and is the foundation for all other components of the internal control system.

Management is responsible for evaluation and reporting on a company's controls. The external auditors are responsible for auditing management's assertion and independently coming to their own conclusions about the company's internal control effectiveness. They must evaluate management's assessment and also perform their own, independent tests in many areas, including the control environment.

The control environment has a pervasive structure that affects many business process activities. It includes elements such as management's integrity and ethical values, operating philosophy and commitment to organizational competence. Adding to the difficulty of the task is the fact that the control environment is not transaction-oriented. Tests of controls that auditors are accustomed to performing, such as walk-throughs or the reperformance of the control for a sample of items, will not be possible. And focusing solely on activity-level controls is inappropriate.

COSO Integrated framework
Evaluation of the control environment

Designing and performing tests at the control environment level will be a complex and challenging task. For example, a company may point to its code of conduct as documenting its ethical values. Ultimately though, the mere existence of the documentation of a control is not sufficient to support a conclusion about its operating effectiveness. Management and auditors must do more than demonstrate that a code exists; they must evaluate the effectiveness of the code's implementation.
For example, the entity's implementation procedures may include training sessions for management and employees on the company's code and the establishment of formal channels for the confidential communication of code violations to senior management.

To determine whether the code of conduct has been implemented effectively, these questions need to be asked:
- How is the code communicated?
- Do the entity's employees and management follow the code?
- How is compliance with the code monitored?
- Does compliance with the code improve the effectiveness of other control policies and procedures?

3. COSO Integrated framework

Tests of the control environment will consist of a combination of procedures, including a review of relevant documentation of the design, inquiries of management and employees and direct observation. Auditors will have to probe for understanding and awareness and try to understand the company's attitude toward internal control over financial reporting. They also should ask management for a self-assessment.

Most companies have focused on the documentation, evaluation and testing of activity-level controls. For example, bank reconciliations, the matching of shipping documents to invoices and computerized checks of data entered into the accounting system all are examples of activity-level controls. As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, activity-level controls are just one component of internal control over financial reporting. In an evaluation of internal control, both management and the auditors need to consider all its components. If they focus exclusively on activity-level controls to draw a conclusion about all elements of internal control, they may reach inappropriate conclusions about internal control taken as a whole.

For example, consider the entity that requires its board of directors to approve all significant decisions made by the CEO. Suppose, however, the philosophy of the CEO is that he or she alone knows what's best for the organization. Suppose, too, the CEO, through a committee he or she controls, is able to handpick the majority of the board members. And because the primary criterion for advancement within the organization is personal loyalty to the CEO, the information that senior management presents to the board is tightly controlled and presented in a way that makes ratification of the CEO's agenda a foregone conclusion. Focusing solely on the activity-level control is inappropriate.
Read the minutes and you'll undoubtedly find the board approved all the transactions it should have. On the surface, internal control looks good. In reality it is not. Only by looking at the control environment directly, as in management's philosophy and operating style and its commitment to competence, does a true picture of the organization begin to emerge.

COSO Integrated framework

The COSO framework provides criteria and information on the control environment, but this guidance is at a fairly high level since the framework was tailored for all organizations. For example, COSO identifies integrity and ethical values as important pieces of the entity's control environment and makes a compelling argument for why this is so. But the purpose of COSO is not to explain how to measure or evaluate whether an ethical climate is effective. Once management gathers information about the control and its design, it is left to them to decide how to determine and test its relative effectiveness.

3. COSO Integrated framework
Summary of Internal Control Reliability Model

Characteristics of reliability, by reliability level:

Initial
- Documentation: Very limited
- Awareness and understanding: Basic awareness
- Perceived value: Unformed
- Control procedures: Ad hoc, unlinked

Informal
- Documentation: Sporadic, inconsistent
- Awareness and understanding: Understanding not communicated beyond management
- Perceived value: Controls are separate from business operations
- Control procedures: Intuitive, repeatable

Systematic
- Documentation: Comprehensive and consistent
- Awareness and understanding: Formal communication and some training
- Perceived value: Controls integral to operations
- Control procedures: Formal, standardized

Integrated
- Documentation: Comprehensive and consistent
- Awareness and understanding: Comprehensive training on control-related matters
- Perceived value: Control processes considered part of strategy
- Control procedures: Formal, standardized
- Monitoring: Periodic monitoring begins

Optimized
- Documentation: Comprehensive and consistent
- Awareness and understanding: Comprehensive training on control-related matters
- Perceived value: Commitment to continuous improvement
- Control procedures: Formal, standardized
- Monitoring: Real-time monitoring

COSO Integrated framework

The internal control reliability model can be helpful in designing tests of a control environment's effectiveness. The overall reliability of the system depends on the characteristics that describe each level. Auditors should design the control environment tests to determine the relative reliability of each of these characteristics, as discussed below.

In evaluating the design and operating effectiveness of the control environment, auditors' tests will consist of a combination of procedures, including:
- A review of relevant documentation, for example the company's code of conduct.
- Inquiries of management and employees, either verbally, in writing or both.
- Direct observation.

Here are some tips for designing these procedures:

Start with a review of documentation relating to the control environment. The most likely sources of information include the company's
- Code of conduct
- Personnel policies
- Board of directors and audit committee charters
- Disclosure committee charter
- Other, informal communications from senior management about control environment matters such as ethics or management philosophy.

Remember that documentation is only a start, not the be-all and end-all.

Ask management direct questions about the actions it took to assess how management or employees complied with, or violated, stated management philosophies or standards of behavior. Examples of such questions include:
- Have you observed unacceptable behavior on the job? If so, what did you observe?
- If you were to report unacceptable or unethical behavior to senior management, what action do you think management would take?

3. COSO Integrated framework

Probe for employees' understanding and awareness. Do managers and other employees know the relevance and importance of their control-related activities? Do the board and the audit committee have a full appreciation of their oversight responsibilities?

Try to understand the company's attitude toward internal control. Is it a necessary evil, or is it viewed as an integral part of the company's management? Suppose you asked senior management and the board the following questions about the company's code of conduct:
- What was the main reason for developing the company's code of conduct?
- How often is the code reviewed and updated?

The answer to these questions may be revealing. For example, a manager who says the code was developed because the lawyers recommended it and that it has not been reviewed or updated in the last 10 years tells you a great deal about the attitude of senior management toward the value of an effective control environment.

Ask for a self-assessment. Direct questions can be quite effective. Ask management or operations personnel about how various control environment elements work:
- Do you believe the company has established standards of behavior that create an overall appreciation for and compliance with its documented control policies and procedures?
- How would you describe management's operating style and philosophy?
- What aspects of the company's culture or management policies contribute to or detract from your ability to perform your job responsibilities effectively?

COSO Integrated framework
Objective setting

- Objectives must exist before management can identify and assess risks and take steps to manage those risks.
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

[Diagram: objective-setting elements, followed by the keywords shown beneath them]
Strategic Objectives; Related Objectives; Selected Objectives; Risk Appetite; Risk Tolerance
High-level goals; Support mission / vision; Strategic choices; Operations; Reporting; Compliance; Safeguarding of assets; Align and support; Management decision; Growth, risk and return; Resource allocation; People, process and infrastructure; Acceptable variance; Unit of measure of objective

3. COSO Integrated framework
Event identification

- Identification of potential events from internal or external sources that influence the achievement of objectives.
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting process, formulating plans to seize the opportunities.

- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

COSO Integrated framework
Event identification

[Diagram: event identification elements, followed by the keywords shown beneath them]
Events; Factors Influencing Strategy and Objectives; Methodology and Techniques; Event Interdependencies; Event Categories; Risks and Opportunities
Incident; Positive and / or negative impacts; Internal; External; Ongoing; Periodic; Past and future; Supporting tools; Triggering events; Interrelate; Common groupings; Negative impact: risks; Positive impact: opportunity; offsets to risks

3. COSO Integrated framework
Event categories

Internal factors
- Infrastructure: Availability of assets; Capability to capital; Access to capital; Complexity; Mergers / acquisitions
- Personnel: Employee capability; Fraudulent activity; Health and safety; Judgment; Malfeasance; Security practices; Sales practices
- Process: Capacity; Design; Execution; Suppliers / dependencies

- Economic: Capital availability; Credit; Issuance; Default; Concentration; Liquidity; Market; Funding; Cash flow; Market; Commodity prices; Interest rate; Unemployment; Indices; Exchange rate; Equity valuation; Real estate values

External factors
- Technological: Electronic commerce; External data; Emerging technology
- Natural environment: Biodiversity; Emissions, effluents and waste; Energy; Fire; Natural disaster (earthquake, flood, etc.); Sustainable development; Transport; Water
- Political: Governmental changes; Legislation; Public policy; Regulation

COSO Integrated framework
Event categories

Internal factors
- Technology: Data; Acquisition; Maintenance; Distribution; Confidentiality; Integrity; Data and system availability; Capacity; System; Selection; Development; Deployment; Reliability

- Business: Brand / trademark; Competition; Consumer behavior; Counterparty; Fraud; Industry standards; Ownership structure; Publicity; Product relevance

External factors
- Social: Demographics; Corporate citizenship; Environmental stewardship; Privacy

21 3. COSO Integrated framework A Comprehensive View of Risk Risk Management (RM) Umbrella Strategic Risk Management Financial Risk Management Regulatory Risk Management Product / Market Risk Management Tax / Legal Risk Management Supply Chain Risk Management Other Risk Management Capital Management COSO Integrated framework Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives: Likelihood Impact Employs a combination of both qualitative and quantitative risk assessment methodologies 42

22 3. COSO Integrated framework Risk Assessment Inherent and Residual Risk Likelihood and Impact Qualitative and Quantitative Methodologies and Techniques Correlation Before management actions After management actions Expected and unexpected Expected, worst-case, distribution Time horizon Unit of measure Observable data Qualitative Quantitative Inherent and residual basis Sequence of events Categories Stress testing Scenarios COSO Integrated framework Risk Response Identifies and evaluates possible responses to risk. Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and / or likelihood. Selects and executes response based on evaluation of the portfolio of risks and responses. 44

23 3. COSO Integrated framework Risk Response In selecting an appropriate risk response, management should consider which response best fits with the entity's risk appetite and tolerances:
Avoidance: Exit the activity causing the risk
Reduction: Take action to reduce the likelihood or impact of risk
Sharing: Transfer or share the risk or portion of the risk with another party
Acceptance: Risk accepted, no action is taken
COSO Integrated framework Risk Response Identify Risk Responses Evaluate Possible Risk Responses Select Response Portfolio View Avoid Reduce Share Accept Impact Likelihood Cost versus benefit Innovative responses Management decision Entity level Business unit level Inherent and residual basis 46

24 3. COSO Integrated framework Control activities Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives and to manage down business risk to an acceptable level. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls COSO Integrated framework Control Activities Integration with Risk Response Types of Control Activities General Controls Application Controls Entity Specific Build directly into management processes Interrelate Policies Procedures Preventative Detective Manual Automatic Information technology management Information technology infrastructure Security management Software development and maintenance Completeness Accuracy Authorization Validity Entity specific strategies and objectives Operating environment Complexity of the entity 48

25 3. COSO Integrated framework Information and Communication Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders. Information is needed at all levels of the entity to identify, assess and respond to risks, and to otherwise run the business and achieve its objectives. COSO Integrated framework Information and Communication Communicating accurate information, on time, to the right people is key to effective ERM. Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Timely and accurate access to information and communication is critical to the control process. Communication occurs in a broader sense, flowing down, across, and up the organization. Accuracy and timeliness of management information Identification of relevant internal and external information Organisational communications 50

26 3. COSO Integrated framework Information and communication Information Strategic and Integrated Systems Communication Internal External Manual Computerized Formal Informal Information systems architecture Strategic Operational Past and current Level of detail Timeliness Quality Internal External Entity-wide Expectations and responsibilities Framing Means of transmission COSO Integrated framework Monitoring Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board. Monitoring is a process that assesses the quality of the internal control system over time. All deficiencies should be reported to those in a position to take necessary action. Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities Separate evaluations A combination of the two. Monitoring is a continual process to assess control systems and activities. 52

27 3. COSO Integrated framework Monitoring Ongoing Separate Evaluations Reporting Deficiencies Real-time Built-in Day-to-day operations Scope Frequency Self-assessments / Internal auditors Extent of documentation Ongoing External parties Protocols Alternative channels COSO Integrated framework Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Example: Risk Model Environmental Risks Capital availability Regulatory, Political, and Legal Financial Markets and Shareholders Relations Process Risks Operations Risks Empowerment Risk Information Processing / Technology Risk Integrity Risk Financial Risk Information for Decision Making Operational Risk Financial Risk Strategic Risk 54

28 3. COSO Integrated framework Determine Risk Appetite Risk appetite is the amount of risk on a broad level an entity is willing to accept in pursuit of value. Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation). Key questions: What risks will the organization not accept? (e.g. environmental or quality compromises) What risks will the organization take on new initiatives? (e.g. new product lines) What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?) COSO Integrated framework Identify Risk Responses Quantification of risk exposure Options available: Accept = monitor Avoid = eliminate (get out of situation) Reduce = institute controls Share = partner with someone (e.g. insurance) Residual risk (unmitigated risk e.g. shrinkage) 56

29 3. COSO Integrated framework Impact vs. Probability [Figure: matrix of impact (vertical axis) against probability (horizontal axis, low to high); quadrant labels: Low Risk, Medium Risk, Medium Risk, High Risk; responses shown: Accept, Share, Control, Mitigate & Control] COSO Integrated framework COSO ERM shortcomings 1. No unambiguous set of standards 2. Management buy-in 3. It is all or nothing: no step-by-step plan 4. No guarantees 58

30 4. Impact of Internal Control on Audit Strategy ISA 315 & 330 Applying the COSO sequence Impact of Internal Control on Audit Strategy ISA 315 & 330 Risk Based Auditing 60

31 ISA 330 The auditor's procedures in response to assessed risks Introduction: ISA 315 deals with the steps to be followed for the auditor to assess the risks of material misstatement at the financial statement and assertion levels. ISA 330 deals with the auditor's response to these risks and with designing and performing further audit procedures. 61 Context: ISA 315 and ISA 330 must be situated within the AUDIT RISK MODEL contained in the ISAs. This ARM is grafted onto the COSO framework. It aligns with the COSO terminology and philosophy. Two key ideas: Heightened professional scepticism. Stricter documentation requirements. 62

32 International Standard on Auditing 315 Understanding the entity and its environment and assessing the risks of material misstatement Introduction 63 ISA The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures. Purpose: Obtain an understanding of the entity and its environment, including its internal control, sufficient to: assess the risk of material misstatement of the financial statements, whether due to fraud or error; design and perform adequate audit procedures and identify an adequate audit team. It is the auditor's responsibility to determine overall responses and to design and perform further audit procedures whose nature, timing and extent are responsive to the risk assessments. The auditor considers whether the engagement team includes members with specific relevant knowledge and experience. Requirements: Obtain an appropriate understanding of the entity and its environment, including its internal control. Audit procedures (risk assessment procedures) to be performed by the auditor in order to obtain this understanding. Discussion among the engagement team about the susceptibility of the entity's financial statements to material misstatement. 64

33 ISA The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures. Requirements (cont'd): Identify and assess the risks of material misstatement at the financial statement and assertion levels. Identify risks by considering: the entity and its environment, including relevant controls; the classes of transactions; account balances; disclosures in the financial statements. Relate the identified risks to what can go wrong at the assertion level. Consider the significance and likelihood of the risks. Evaluate the design of the entity's controls over such risks and determine whether they have been implemented. Design audit procedures that do provide sufficient appropriate audit evidence. 65 ISA The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures. ISA 315 builds on the following concepts:
Inherent risk: Inherent risk is the susceptibility of a financial statement item to a misstatement that could be material, individually or together with misstatements in other financial statement items, on the assumption that no internal controls applied to it.
Control risk: Control risk is the risk that a misstatement that could occur in a financial statement item and that could be material, individually or together with misstatements in other financial statement items, is not prevented, or detected and corrected, on a timely basis by the system of administrative organisation and internal control measures.
Detection risk: Detection risk is the risk that the auditor's audit procedures do not detect a misstatement that exists in a financial statement item and that is material, individually or together with misstatements in other financial statement items. 66

34 4. Impact of Internal Control on Audit Strategy ISA 315 & 330 Impact of Internal Control on audit strategy Impact of Internal Control on Audit Strategy ISA 315 & 330 Audit risk Objective: balance the audit work with perceived risks: AR = IR × CR × DR (audit risk = inherent risk × control risk × detection risk). A correct assessment of IR and CR is needed, in order to avoid: an incorrect opinion (incorrect assessment of control risk, high detection risk): α-risk; a costly audit (too much work performed in relation to the control risk): β-risk 68

35 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Importance: Obtaining an understanding of the entity and its environment, including its internal controls sufficient to a) identify risks of material misstatement and b) design and perform further audit procedures, is an essential aspect of performing an audit in accordance with ISAs: This understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgement about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit Extent of the understanding required The auditor uses professional judgement to determine the extent of the understanding required of the entity and its environment, including its internal control: Is the understanding sufficient to assess the risks of material misstatements of the financial statements and to design and perform adequate audit procedures? The depth of this understanding that is required by the auditor in performing the audit is less than that possessed by management in managing the entity. 69 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Continuous process Obtaining an understanding of the entity and its environment, including its IC, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit. Risk assessment procedures Inquiries of management and others within the entity Analytical procedures Observation and inspection Other audit procedures 70

36 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of relevant a) Industry conditions Competitive environment Supplier and customer relationships e.g. long-term contracts Technological developments a) Regulatory environment Legal environment Political environment The applicable financial reporting framework Environmental requirements affecting the industry and the entity a) Other external factors General economic conditions 71 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the b) Nature of the entity Ownership and governance In order to determine whether related party transactions have been identified and accounted for appropriately Operations Types of investments the entity is making and plans to make The way the entity is structured (subsidiaries, multiple locations) Consolidation issues Allocation of goodwill Special-purpose entities Inter-company transactions The way the entity is financed 72

37 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should b) with respect to the entity's selection and application of accounting policies: 1. obtain an understanding: of the methods used to account for significant and unusual transactions; of the effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus; of changes in the entity's accounting policies; of how the entity will adopt new financial reporting standards and regulations; 2. consider whether they are appropriate for its business; 3. consider whether they are consistent with the applicable financial reporting framework and accounting policies used in the relevant industry; 4. consider whether the presentation of financial statements with respect to adequate disclosure of material matters is in conformity with the applicable financial reporting framework. ISA pays specific attention to the disclosure issue. 73 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the c) objectives and strategies and the related business risks that may result in a material misstatement of the financial statements. Management defines objectives, which are the overall plans for the entity. Strategies are the operational approaches by which management intends to achieve its objectives. Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity's ability to achieve its objectives and execute its strategies, or through the setting of inappropriate objectives and strategies, e.g. development of new products that fails; flaws resulting in liabilities and reputational risk. 74

38 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the c) objectives and strategies and the related business risks that may result in a material misstatement of the financial statements. Impact on financial statements: immediate risk of material misstatement; longer-term consequences, which the auditor considers when assessing the appropriateness of the going concern assumption. How is the auditor's understanding obtained? Evaluation of the risk assessment process set up by management. In the absence of a risk assessment process, inquiries of management and observation by the auditor. What is the impact of the absence of a R.A.P.? 75 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the d) measurement and review of the entity's financial performance. Performance measures, whether external or internal, create pressures on the entity that, in turn, may motivate management to take action to improve the business performance or to misstate the financial statements. Obtaining an understanding of the entity's performance measures assists the auditor in considering whether such pressures result in management actions that may have increased the risks of material misstatement. Sources of information: internal & external. Internal: key performance indicators (financial and non-financial), budgets, variance analysis, segment information, comparison of performance with that of competitors. External: analysts' reports and credit rating agency reports. 76

39 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the d) measurement and review of the entity's financial performance. When the auditor intends to make use of the performance measurement produced by the entity's information system for the purpose of the audit (e.g. for ARP), the auditor considers whether the information related to management's review of the entity's performance provides a reliable basis and is sufficiently precise for such a purpose. If making use of performance measures, the auditor considers whether they are precise enough to detect material misstatements. 77 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the e) internal control relevant to the audit. What is internal control? IC is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with respect to: - reliability of financial reporting - effectiveness and efficiency of operations - compliance with laws and regulations. It follows that IC is designed and implemented to address identified risks that threaten the achievement of any of these objectives. 78

40 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the e) internal control relevant to the audit. Components of internal control? Control environment; the entity's risk assessment process; the information system, including the related business processes, relevant to financial reporting; control activities; monitoring of controls. 79 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Components of internal control? Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure. The auditor's evaluation of the design of the entity's control environment includes considering whether the strengths in the control environment elements provide an appropriate foundation for the other components of internal control. Changes in the control environment may affect the relevance of information obtained in prior audits. The nature of an entity's control environment is such that it has a pervasive effect on assessing the risks of material misstatement and influences the nature, timing and extent of the further audit procedures. 80

41 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Components of internal control? Control environment: The control environment in itself does not prevent, or detect and correct, a material misstatement in classes of transactions, account balances and disclosures and related assertions. Audit evidence may not be available in documentary form. Elements of control environment: communication and enforcement of integrity and ethical values; commitment to competence; participation by those charged with governance; management's philosophy and operating style; organizational structure; assignment of authority and responsibility; human resource policies and practices. 81 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Components of internal control? Control environment: Concerns about the integrity of the entity's management may be so serious as to cause the auditor to conclude that the risk of management misrepresentation in the financial statements is such that an audit cannot be conducted. 82

42 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Components of internal control? The entity's risk assessment process: An entity's RAP is its process for identifying and responding to business risks and the results thereof. The auditor should obtain an understanding of the entity's process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof. Risks can arise or change due to circumstances such as: changes in operating environment; new personnel; new information systems; rapid growth; new technology; new business models, products, activities; corporate restructurings; expanded foreign operations; new accounting pronouncements. 83 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Components of internal control? The entity's risk assessment process: Evaluation of the design and implementation of the RAP: How does management identify business risks? How does management estimate the significance of the business risks? How does management assess the likelihood of their occurrence? How does management decide upon actions to manage business risks? 84

43 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Components of internal control? Information system, including the related business processes relevant to financial reporting: The auditor should obtain an understanding with respect to the following areas: the classes of transactions that are significant to the financial statements; the procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and reported in the financial statements; the related accounting records, supporting information and specific accounts in the financial statements in respect of initiating, recording, processing and reporting transactions; how the information system captures events and conditions, other than classes of transactions, that are significant to the financial statements; the financial reporting processes used to prepare the entity's financial statements, including significant accounting estimates and disclosures. 85 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Components of internal control? Control activities: Control activities are the policies and procedures that help ensure that management directives are carried out: authorization; performance reviews; information processing; physical controls; segregation of duties. Monitoring of controls: An important management responsibility is to establish and maintain internal controls on an ongoing basis. Monitoring of controls is a process to assess the quality of internal control over time; it involves: assessing the design and operation of controls on a timely basis; taking necessary corrective actions. 86

44 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the e) internal control relevant to the audit. Components of internal control? Auditors may use different terminology or frameworks to describe the various aspects of internal control and their effect on the audit than those used in this ISA, provided all the components described in this ISA are addressed. 87 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control The auditor should obtain an understanding of the e) internal control relevant to the audit. Internal controls relate to (and when they are relevant to an audit):
- Financial reporting: IC with respect to financial statements for external purposes; professional judgement with respect to relevance of an IC
- Operations: if IC pertains to data the auditor evaluates and uses in applying audit procedures
- Compliance: if IC pertains to data the auditor evaluates and uses in applying audit procedures, e.g. detecting noncompliance with laws and regulations that may have an effect on the financial statements 88

45 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Depth of understanding of internal control: 1. Evaluation of design of the control 2. Test operating effectiveness of the control. Manual controls: operating effectiveness during the period under audit is to be tested. Automated controls: due to inherent consistency of IT processing, validation of implementation may serve as a test of that control's operating effectiveness. Inquiry alone is not sufficient to evaluate the design of a control relevant to an audit and to determine whether it has been implemented. 89 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Understanding the entity and its environment, including its internal control Limitations of internal control: Errors and mistakes; Collusion 90

46 ISA Obtain an appropriate understanding of the entity and its environment, including its internal control Assessing the risk of material misstatement The auditor should identify and assess the risks of material misstatements at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures. Impact of Internal Control on Audit Strategy ISA 315 & 330 For all significant processes, identify points within the flow of transactions or process stream where there can be failures to achieve the following assertions:
Assertion: Description
Authorization: Management has defined and communicated criteria for recognizing economic events and authorizing transactions.
Completeness and accuracy: All transactions and other events and circumstances that occurred during a specific period and should have been recognized in that period, have, in fact, been recorded or considered. Therefore, there are no unrecorded assets, liabilities or transactions and no omitted disclosures. All, and only, economic events meeting management's criteria are converted to transactions accurately and accepted for processing on a timely basis. All accepted transactions are processed accurately in accordance with management's policies and on a timely basis. Events affecting more than one system result in transactions that are reflected by each system in the same accounting period.
Evaluation of balances: Recorded transactions represented economic events that actually occurred during a stated period of time. Assets, liabilities, revenues and expenses are recorded at appropriate amounts in accordance with relevant accounting principles. Report and database contents are periodically evaluated. Evaluation involves judgmental determinations of value. Provide reasonable assurance that reported information can be reconciled with reality. 92

4. Impact of Internal Control on Audit Strategy ISA 315 & 330

For all significant processes, identify points within the flow of transactions or process stream where there can be failures to achieve the following assertions:

Assertion: Presentation, classification and disclosure
Description: The captions, disclosures and other items in the financial statements are properly described and classified as well as fairly presented in conformity with generally accepted accounting principles.

Assertion: Access to assets
Description: Physical safeguards should permit access to assets only in accordance with management's authorization.

Assertion: Substantiation of balances
Description: Report and database contents should be periodically substantiated. Substantiation is an independent check of processing results, and is most effective if completed in an environment in which there is segregation of incompatible duties. There is reasonable assurance that reported information can be reconciled with reality.

Assertion: Rights and obligations
Description: Assets and liabilities reported on the balance sheet are bona fide rights and obligations of the entity as of that point in time.

Management should clearly identify the personnel who have primary custodial responsibility for each category of assets, critical forms and records, processing areas and processing procedures. To the extent possible, responsibility for the physical custody of an asset should be vested in employees who have no responsibility for, and are denied access to, accounting for the asset and vice versa.
ISA Obtain an appropriate understanding of the entity and its environment, including its internal control

Assessing the risk of material misstatement

The auditor should identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures.

4-step approach:
- Identify risk
- Relate risk to potential error at the assertion level
- Determine the magnitude of the potential error
- Consider the likelihood of the potential error

ISA Obtain an appropriate understanding of the entity and its environment, including its internal control

Assessing the risk of material misstatement

The auditor should identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances and disclosures.

4-step approach - example:
- Identify risk: discounts granted in the retail sector
- Relate risk to potential error at the assertion level:
  - Existence: have the reported discounts actually been earned?
  - Completeness: have all discounts been reported?
  - Timing: have the discounts been reported in the correct period?
  - Classification: may the discounts be taken to income, or must they be charged wholly or partly against inventory?
- Determine the magnitude of the potential error
- Consider the likelihood of the potential error

Significant risks that require special audit consideration

Identification of significant risks:
- Professional judgement
- Significant risks often relate to significant non-routine transactions:
  - Greater management intervention to specify the accounting treatment
  - Greater manual intervention for data collection and processing
  - Complex calculations or accounting principles
  - The nature of non-routine transactions, which may make it difficult for the entity to implement effective controls over the risks
- and judgmental matters:
  - Required judgment may be subjective, complex or require assumptions about the effects of future events

ISA Obtain an appropriate understanding of the entity and its environment, including its internal control

Significant risks that require special audit consideration

Identification of significant risks: for significant risks, the auditor should evaluate the design of the entity's related controls, including relevant control activities, and determine whether they have been implemented.

Risks for which substantive procedures alone do not provide sufficient appropriate audit evidence

Revision of risk assessment: in circumstances where the auditor obtains audit evidence that tends to contradict the audit evidence on which the auditor originally based the risk assessment, the auditor revises the assessment and modifies the further planned audit procedures accordingly.

ISA 330 The auditor's procedures in response to assessed risks

Purpose: Establish standards and provide guidance on determining overall responses and designing and performing further audit procedures to respond to the assessed risks of material misstatement at the financial statement and assertion levels in a financial statement audit.

Requirements: This ISA requires the auditor to:
- Determine overall responses to address risks of material misstatement at the financial statement level.
- Design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement at the assertion level.
- Evaluate whether the risk assessment remains appropriate and conclude whether sufficient appropriate audit evidence has been obtained.
- Document his work.

Audit procedures responsive to risks of material misstatement at the assertion level

The auditor should design and perform audit procedures whose nature, timing and extent are responsive to the assessed risks of material misstatement at the assertion level.
- Provide clear linkage between the nature, timing and extent of the further audit procedures and the assessed risks of material misstatement at the assertion level.

Elements to consider:
- Significance of the risk
- Likelihood that a material misstatement will occur
- Characteristics of the class of transactions, account balance or disclosure involved
- Nature of specific controls used by the entity (manual / automated)

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

The auditor's assessment of the identified risks at the assertion level provides a basis for considering the appropriate audit approach: test of controls versus substantive procedures.
- No effective controls, relevant to the assertion, were identified
- Testing the operating effectiveness of controls would be inefficient
- Often a combined approach, using both tests of the operating effectiveness of controls and substantive procedures, is an effective approach
- When performing only substantive procedures for the relevant assertion, the auditor needs to be satisfied that these procedures are effective in reducing the risk of material misstatement to an acceptably low level

Considering the nature, timing and extent of further audit procedures

Nature:
- Purpose: test of controls versus substantive procedures
- Type:
  - Inspection (e.g. review of journals, invoices, contracts)
  - Observation
  - Inquiry (e.g. questioning management)
  - Confirmation
  - Recalculation
  - Reperformance
  - Analytical procedures

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Considering the nature, timing and extent of further audit procedures

Nature:
- Selection is based on the assessment of risk
- Risk assessment / high: more substantive procedures; the higher the risk, the more reliable and relevant is the audit evidence sought by substantive procedures
- The nature of the audit procedure is the most important consideration
- Increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk

Timing:
- Timing refers to when audit procedures are performed, or the period or date to which the audit evidence applies

Extent:
- Extent includes the quantity of a specific audit procedure to be performed
- The extent of an audit procedure is determined by the judgement of the auditor after considering the materiality, the assessed risk and the degree of assurance the auditor plans to obtain

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Considering the nature, timing and extent of further audit procedures

Extent:
- The use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files.

Test of controls

The auditor is required to perform tests of controls when:
- The auditor's risk assessment includes an analysis of the operating effectiveness of controls
- Substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level
- The entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system

The purpose of the test is to obtain sufficient appropriate audit evidence that:
- the controls which the auditor has determined to be suitably designed to prevent, detect and correct a material misstatement in an assertion (key controls) were operating effectively
- at relevant times during the period under audit

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Test of controls

When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that controls operate effectively; this includes obtaining audit evidence about:
- How controls were applied at relevant times during the period under audit
- The consistency with which they were applied
- By whom or by what means they were applied

Nature of tests of controls:
- The auditor should perform other audit procedures in combination with inquiry to test the operating effectiveness of controls, since inquiry alone is not sufficient.
- The type of audit procedure is influenced by the nature of the control to be tested (e.g. is documentation of the control available?).
- Misstatements that the auditor detects by performing substantive procedures are considered by the auditor when assessing the operating effectiveness of related controls.
- A material misstatement detected by the auditor's procedures that was not identified by the entity is ordinarily indicative of the existence of a material weakness in internal control.

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Test of controls

Timing of tests of controls:
- The timing of tests of controls determines the period of reliance on those controls.
- The timing depends on the objective of the test: is evidence required as to the effectiveness at a particular point in time OR throughout a period?
  - Test at a particular time: audit evidence is obtained that the controls operated effectively at that time (this might be sufficient for audit purposes, e.g. when testing controls over the entity's physical inventory counting at the period end)
  - Test throughout a period: audit evidence is obtained that the controls operated effectively during that period

When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor should determine what additional audit evidence should be obtained for the remaining period, since evidence obtained as to the operating effectiveness (OE) of controls at an interim period should be supplemented by additional evidence for the remaining period.

If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in prior audits, the auditor should obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit (inquiry combined with observation or inspection):
- If the auditor plans to rely on controls that have changed since they were last tested, the auditor should test the operating effectiveness of such controls in the current audit.
- If the auditor plans to rely on controls that have not changed since they were last tested, the auditor should test the operating effectiveness of such controls at least every third year.

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Test of controls

Timing of tests of controls

If the auditor plans to rely on controls that have not changed since they were last tested, the auditor should test the operating effectiveness of such controls at least every third year.

Professional judgement with respect to:
- whether or not to rely on audit evidence obtained in prior audits
- the length of the time period between retesting

When there are a number of controls for which the auditor determines that it is appropriate to use audit evidence obtained in prior audits, the auditor should test the operating effectiveness of some controls each audit:
- No: all controls on which the auditor relies are tested in one single audit period, with no testing in the subsequent 2 audit periods
- Yes: a sufficient portion of the controls is tested in each audit period and, at a minimum, each control is tested at least every third audit

Factors that shorten the time interval between tests:
- weak internal control environment
- staff turnover
- weak general IT controls
- changed circumstances that indicate the need for changes in the controls

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Test of controls

Timing of tests of controls

When:
- an assessed risk of material misstatement is determined to be a significant risk
- and the auditor plans to rely on the operating effectiveness of controls intended to mitigate that significant risk

the auditor should obtain the audit evidence about the operating effectiveness of those controls from tests of controls performed in the current period.

Extent of tests of controls

Tests of controls are designed to obtain sufficient audit evidence that the controls operated effectively throughout the period of intended reliance.

Elements to consider in determining the extent of the tests of controls:
- Frequency of the performance of the control by the entity during the period
- The length of time during the audit period that the auditor is relying on the operating effectiveness of the control
- The relevance and reliability of the audit evidence to be obtained
- The extent to which audit evidence is obtained from tests of other controls related to the assertion
- The extent to which the auditor plans to rely on the operating effectiveness of the control (and thereby reduce substantive procedures based on the reliance on such control)

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Substantive procedures

Irrespective of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for each material class of transactions, account balance and disclosure.

The auditor always performs substantive procedures for each material class of transactions, account balance and disclosure. This requirement reflects:
- The fact that the auditor's assessment of risk is judgmental
- The fact that there are inherent limitations to internal control, including management override

Accordingly, while the auditor may determine that the risk of material misstatement may be reduced to an acceptably low level by performing only tests of controls for a particular assertion related to a class of transactions, the auditor always performs substantive procedures for each material class of transactions, account balance and disclosure.

The auditor's substantive procedures should include the following audit procedures related to the financial statement closing process:
- Agreeing the financial statements to the underlying accounting records
- Examining material journal entries and other adjustments made during the course of preparing the financial statements

ISA 330 The auditor's procedures in response to assessed risks

Audit procedures responsive to risks of material misstatement at the assertion level

Substantive procedures

When the auditor has determined that an assessed risk is a significant risk, the auditor should perform substantive procedures that are specifically responsive to that risk.

Nature of substantive procedures:
- Substantive analytical procedures: appropriate for large volumes of transactions / predictable over time
- Test of details: more appropriate for certain assertions, e.g. existence and valuation

In some situations, the auditor may determine that performing only substantive analytical procedures may be sufficient to reduce the risk of material misstatement to an acceptably low level.

ISA 330 Synthetic overview

Columns: Significant risks | Not significant risks

Assessment of risks of material misstatement at financial statement level:
Determine overall responses to address risks of material misstatement at the financial statement level.

Assessment of risk of material misstatement at assertion level:

Tests of operating effectiveness of controls
- Significant risks: Mandatory.
- Not significant risks: Mandatory when:
  - the auditor's assessment of risks of material misstatement at the assertion level includes an expectation that controls are operating effectively;
  - the auditor has determined that it is not possible to reduce the risk of material misstatement through substantive tests alone.
  Otherwise optional. Often a combined approach (test of OE of controls & substantive procedures) is an effective approach. Substantive procedures alone may be sufficient when no effective controls, relevant to the assertion, were identified or when testing the OE of controls would be inefficient. When performing only substantive procedures for the relevant assertion, the auditor needs to be satisfied that these procedures are effective in reducing the risk of material misstatement to an acceptably low level.
- Misstatements that the auditor detects by performing substantive procedures are considered by the auditor when assessing the operating effectiveness of related controls.
- Inquiry is not sufficient to determine the operating effectiveness of controls (description, walk-through to validate understanding, test of effectiveness).

Substantive procedures
- Mandatory. Irrespective of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for each material class of transactions, account balance and disclosure. This requirement reflects the fact that a) the auditor's assessment of risk is judgmental and b) there are inherent limitations to internal control, including management override.
- When a significant risk has been identified at the assertion level, substantive procedures should be performed that are specifically responsive to that risk.
- Substantive procedures should always include:
  * agreeing the financial statements to the underlying records;
  * examining material journal entries and other adjustments made during the course of preparing the financial statements;
  * the auditor should perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, is in accordance with the applicable financial reporting framework.
- Extent: the higher the risk, the more reliable and relevant is the audit evidence sought by substantive procedures.

COSO and Belgian practice

General auditing standards

The registered auditor will base his opinion, among other things, on the examination of the system of internal control, the effectiveness of which he will verify by means of sampling. If internal control operates adequately, the registered auditor's examination can be limited to appropriate sampling. If serious deficiencies are found, however, he must adapt his audit work and carry out a more in-depth audit. Under no circumstances can or may the external audit replace the system of internal control.

The general auditing standards are usefully supplemented by ISA 315, which is more closely aligned with the COSO ERM framework.

5. COSO and Belgian practice

Law of 17 December 2008

The Law of 17 December 2008 introduced the obligation for listed companies and financial undertakings to set up an audit committee. According to Article 526bis, 4 of the Companies Code (Wetboek van vennootschappen), introduced by Article 15 of the Law of 17 December 2008, the main tasks of the audit committee include:
a) monitoring the financial reporting process;
b) monitoring the effectiveness of the company's internal control and risk management systems;
c) if an internal audit function exists, monitoring the internal audit and its effectiveness;
d) monitoring the statutory audit of the annual accounts and the consolidated annual accounts, including following up on the questions and recommendations formulated by the statutory auditor and, where applicable, by the registered auditor responsible for the audit of the consolidated annual accounts;
e) assessing and monitoring the independence of the statutory auditor and, where applicable, of the registered auditor responsible for the audit of the consolidated annual accounts, with particular attention to the provision of additional services to the company.

In addition, the Law of 17 December 2008 provides that the statutory auditor:
a) confirms his independence to the audit committee in writing every year;
b) reports all additional services provided to the audit committee every year;
c) consults with the audit committee on threats to his independence and the safeguards taken in this respect.

The Law of 17 December 2008 also provides that the statutory auditor reports on important matters that have come to light in the course of his statutory audit of the annual accounts, and in particular on serious deficiencies in internal control with regard to financial reporting.

5. COSO and Belgian practice

Furthermore, Article 526bis, 2 of the Companies Code now requires that: The audit committee is composed of non-executive members of the board of directors. At least one member of the audit committee is an independent director ( ), and has the necessary expertise in the field of accounting and audit.

From the above article it can be inferred that the legislator regards two characteristics as important for audit committees to properly perform the tasks listed in Article 526bis, 4 of the Companies Code:
1) audit committee independence; and
2) audit committee expertise.

Corporate governance - Audit committee

In 1998 the first recommendations on the audit committee were endorsed in the first three Corporate Governance codes, drawn up by the Brussels stock exchange, the Commissie voor het Bank- en Financiewezen and the Verbond van Belgische Ondernemingen.

In 2004 detailed recommendations on the audit committee were laid down in the Belgian Corporate Governance Code. The 2004 Code advises the board of directors to set up an audit committee to assist it in exercising its responsibilities for monitoring control. Furthermore, the board of directors must determine the committee's terms of reference, in which it describes the committee's role and composition in detail.

The Belgian Corporate Governance Code nevertheless contains a number of recommendations that either clarify certain statutory measures or go beyond the statutory provisions. Owing to their flexibility and adaptability, these recommendations should improve the effectiveness of the audit committee's functioning.

An overview of the Code's provisions on Corporate Governance follows:



5. COSO and Belgian practice

Representation letter

Partly as a result of the evolution of the international auditing standards (International Standards on Auditing, ISAs), the auditing recommendation "Bevestiging door de leiding" (management representations), approved by the Council on 6 June 1997, was thoroughly revised and updated.

The updated auditing standard (effective for audits of financial statements for financial years ended on or after 31 December 2006) provides, as one of the representations by management, for the acknowledgement of its responsibility for the design and implementation of internal control aimed at achieving the financial reporting objective set by the entity, including the design and implementation of internal control measures aimed at preventing and detecting fraud and errors.

5. COSO and Belgian practice

The following remarks apply to this representation:

As currently worded, management acknowledges its responsibility for the design and implementation of internal control, but gives no confirmation that it functioned adequately over the reporting period.

The current text of the draft representation letter is not aligned with the exposure draft ISA 580 Written Representations, which clearly goes much further: The auditor shall request relevant parties to provide a written representation that they acknowledge and understand their responsibility for designing, implementing and maintaining internal control relevant to preparing and presenting financial statements that are free from material misstatement, whether due to fraud or error, and whether they believe that the internal control they have maintained is adequate for that purpose.

We do not deny that there is currently no obligation for management to make a public statement on the functioning of internal control; however, the grounds invoked in the auditing recommendation to underpin the statutory auditor's right to request a representation letter do not preclude asking management for an assessment of the functioning of internal control over the audit period either. In that sense we consider that the registered auditor has the right to supplement the representation letter on this point.

As currently worded, the representation letter limits management to acknowledging its responsibility for internal control. Even in this weakened form, it should be noted that:
- the weight of this representation is undermined by the fact that it is made without reference to any reference framework;
- the concept of internal control, as confirmed by management, is focused on financial reporting and is therefore far removed from the global and integrated approach of the COSO internal control framework, and even further from the ERM framework.

5. COSO and Belgian practice

Annual report

The current wording of Article 96 of the Companies Code provides that the annual report must contain:

1 at least a fair review of the development and results of the business and of the position of the company, together with a description of the principal risks and uncertainties it faces. This review contains a balanced and comprehensive analysis of the development and results of the business and of the position of the company, consistent with the size and complexity of the business.

8 with regard to the company's use of financial instruments, and where material for the assessment of its assets, liabilities, financial position and results: the company's objectives and policy regarding risk management, including its policy for hedging all major types of forecast transactions for which hedge accounting is applied, as well as the company's exposure to price risk, credit risk, liquidity risk and cash flow risk.

The new auditing standard "Controle van het jaarverslag over de (geconsolideerde) jaarrekening" (audit of the annual report on the (consolidated) annual accounts) rightly points out that:
- The legislator has not laid down any reference framework that allows the governing body, and therefore also the statutory auditor, to test the matters referred to in Article 96, 1, including the description of the principal risks and uncertainties, the non-financial performance indicators, and the information on environmental and personnel matters;
- As regards the aspect "description of the principal risks and uncertainties it faces", referred to in Article 96, 1 of the Companies Code cited below, the notion "in so far as they are not of such a nature as to cause serious harm to the company", as stated in Article 96, 3 of the Companies Code, has not been carried over into the amended Article 96, 1 of the Companies Code, so that the governing body of the company cannot rely on it.

5. COSO and Belgian practice

Referring to the ERM Framework, the question arises whether the qualification "principal" refers to the probability that a risk will occur (likelihood), to the impact if a risk occurs (impact), or to a combination of both. From the wording of Article 96 we believe we may infer that:
- the risks and uncertainties targeted are those that qualify as significant on the basis of the combination of likelihood and impact;
- the significance of the risks is assessed at the level of inherent risk, i.e. without taking into account the impact of management actions for risk control and management.

Finally, the question arises how to proceed if the governing body fails to include a description of the principal risks and uncertainties in the annual report. The following possibilities can be distinguished. We start from the assumption that every company is confronted with risks and uncertainties.

Effective ERM | Reported in annual report | Auditor's report: Annual report | Auditor's report: Going concern | Auditor's report: Valuation of balance sheet items
Yes | Yes | | |
Yes | No | V | 0 | 0
No | Yes | 0 / V (1) | V | V
No | No | V | V | V

(1) As currently worded, the statutory auditor's report does not express an opinion on the description of the principal risks and uncertainties. Inconsistencies with the information available to the statutory auditor must, however, be reported.

69 6. Sarbanes Oxley Act of July 2002: What is Sarbanes-Oxley?
- Legislation introduced by US Government in response to Corporate Governance failures
- Applicable to all companies with a NY Stock Exchange listing
- Signed into law on 30th July
- Most significant reform in the securities law since Securities & Exchange Commission (SEC) was created
- Results in fundamental change in how Audit Committees, Management and Auditors interact and carry out responsibilities

Sarbanes Oxley Act of July 2002: The Sarbanes Oxley Act ("SOA") of July 2002
- Title I: Public Company Accounting Oversight Board
- Title II: Auditor Independence
- Title III: Corporate Responsibility
- Title IV: Enhanced Financial Disclosures
- Title V: Analyst Conflicts of Interest
- Title VI: Commission Resources and Authority
- Title VII: Studies and Reports
- Title VIII: Corporate and Criminal Fraud Accountability
- Title IX: White Collar Crime Penalty Enhancements
- Title X: Corporate Tax Returns
- Title XI: Corporate Fraud and Accountability

70 6. Sarbanes Oxley Act of July 2002: What is the purpose of Sarbanes-Oxley?
- Restore public trust and confidence in the public securities market
- Improve corporate governance and promote ethical business practices
- Enhance transparency and completeness of financial statements and disclosures
- Ensure that company executives are aware of material information emanating from a well-controlled environment
- Hold company management accountable for material information that is filed with the SEC and released to investors
- Achieve new levels of corporate financial reporting

Sarbanes Oxley Act of July 2002
When trust reduces, the need for transparency and control increases.

71 6. Sarbanes Oxley Act of July 2002: The objectives
Upgrade disclosures:
- S302 management's quarterly certifications
- S401 off-balance sheet disclosure requirements
- S404 attestation on internal controls
- S409 real-time disclosure of material changes
- S906 CFO and CEO certification of compliance with filing requirements

Sarbanes Oxley Act of July 2002: The objectives
Upgrade disclosures
Strengthen Corporate Governance:
- S204 increased communication between auditors and audit committee
- S301 rules governing audit committees
- S402 prohibits future loans to officers and directors
- S407 requirements and disclosures of financial expert in audit committee

72 6. Sarbanes Oxley Act of July 2002: The objectives
Upgrade disclosures
Strengthen Corporate Governance
Expand insider accountability:
- S303 rules on management ethics
- S306 rules on insider trading during pension blackout periods
- S403 requires accelerated
- S406 code of ethics disclosures
- S806 makes it illegal to retaliate against whistleblowers

Sarbanes Oxley Act of July 2002: The objectives
Upgrade disclosures
Strengthen Corporate Governance
Expand insider accountability
Increase oversight:
- S101/2 rules for public accounting firms
- S103 rules governing public accounting firms
- S108/9 issuers may be charged with fees for the FASB
- S408 expanded SEC review of 10Q and 10K
- S307 requires lawyers to report evidence of a material security law violation

73 6. Sarbanes Oxley Act of July 2002: The objectives
Upgrade disclosures
Strengthen Corporate Governance
Expand insider accountability
Increase oversight
Broaden sanctions:
- S304 rules on CFO / CEO forfeiture of bonus
- S804 extends statute of limitations on fraud allegations
- S1102 establishes broader criminal penalties
- S105/802 increased penalties for accountants

Sarbanes Oxley Act of July 2002: The objectives
Upgrade disclosures
Strengthen Corporate Governance
Expand insider accountability
Increase oversight
Broaden sanctions
Heighten auditor independence:
- S201 prohibits auditor from providing specific non-audit services
- S202 requires pre-approval from the audit committee of all non-audit fees engaged with the auditor
- S203 requires lead and concurring audit partner rotation
- S206 requires cooling-off period before auditors can work at audit clients

74 6. Sarbanes Oxley Act of July 2002: The objectives
Upgrade disclosures
Strengthen Corporate Governance
Expand insider accountability
Increase oversight
Broaden sanctions
Heighten auditor independence
Increase trust in auditors:
- Title 1 establishment of PCAOB

Sarbanes Oxley Act of July 2002: Requirements of S404, Internal control over financial reporting
- SOX provision 404 requires a company to report annually on the adequacy of the design and effectiveness of internal control over financial reporting;
- To be ultimately signed by CEO and CFO and independently attested by the external auditors (under PCAOB standards);
- To be filed in conjunction with Annual Report (SEC's Form 20-F), for the fiscal year of 2005 and onwards;
- Non US-based companies compliance has been postponed until

75 6. Sarbanes Oxley Act of July 2002: Requirements of S404
Requires the Management to annually:
- State their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting
- Conduct an assessment of the effectiveness of the company's internal controls and procedures for financial reporting
Requires the independent external Auditor to provide two opinions:
- An assessment of management's evaluation of the company's internal control over financial reporting
- Its own independent evaluation based on its review and testing of the company's internal control over financial reporting

Sarbanes Oxley Act of July 2002: Achieving S404 compliance, Practical terms
- Document: Management document those key controls relevant to the financial reporting of material processes
- Evaluate: Management evaluate the effectiveness of the key controls through testing
- Assess & Report: Management assess and report the results of that evaluation
- Ext. Review & Attest: External auditors review management's attestation and supporting process and attest to its reliability
- Embed: The evaluation is embedded as an ongoing process which is reviewed and updated during each reporting period

76 6. Sarbanes Oxley Act of July 2002: Internal control maturity levels
- Level 1, Unreliable: Unpredictable environment without controls fixed or set up
- Level 2, Informal: Controls are fixed and set up but not adequately documented
- Level 3, Standardised: Controls are fixed, set up and well documented; lack of tests
- Level 4, Supervised: Standard controls and periodical tests on the controls efficiency
- Level 5, Optimised: Integrated internal controls, supervised in real time by the management and continuously improved
For compliance with S404, a maturity level of 3-4 is required.
Material deficiencies must be disclosed.

Sarbanes Oxley Act of July 2002: Requirements of S302
- Section 302: quarterly evaluation of disclosure controls and procedures (DC&P) and disclosures of conclusions regarding effectiveness of DC&P
- Quarterly / annual disclosure in 302 certification of material changes in internal control over financial reporting
- Evaluation date is as of the end of the period covered by the report
- Section 302 certifications filed as exhibits to all applicable SEC reports
- Latitude for issuers in determining which internal controls over financial reporting are included in the Company's inventory of disclosure controls and procedures under Section

77 6. Sarbanes Oxley Act of July 2002: Section 404 SEC final rule
Compliance date:
- Most domestic clients: for fiscal years ending on or after 15 November 2004
- Foreign private issuers: for fiscal years ending on or after 15 July 2006
Definition of Internal control over financial reporting:
- Encompasses internal controls addressed in the COSO Report that pertain to financial reporting objectives
- Includes controls over safeguarding assets
Management's report to include statements of:
- Management's responsibility for establishing and maintaining adequate internal control over financial reporting
- Management's assessment of the effectiveness of such controls
- Identification of the framework used to evaluate effectiveness
- Attestation made by external auditor

Sarbanes Oxley Act of July 2002: SOx compliance roadmap

78 6. Sarbanes Oxley Act of July 2002: Internal Control over Financial Reporting, definition
Process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP, and includes policies and procedures that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company.
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company.
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.

Sarbanes Oxley Act of July 2002: How do controls link to significant accounts and financial statement assertions?

79 6. Sarbanes Oxley Act of July 2002: Section 404 SEC final rule, Management's responsibilities
Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.

Section 404 SEC final rule: Documentation guidance
Guidance on controls subject to management's assessment:
- Controls over initiation, recording, processing and reconciling accounts, transactions, and disclosure and related assertions in financials
- Controls related to the initiation and processing of non-routine and non-systematic transactions
- Controls related to the selection and application of appropriate accounting policies
- Controls related to the prevention, identification, and detection of fraud
Reiteration of guidance regarding auditor independence:
- Auditors may assist management in documenting internal controls
- Management must be actively involved in the process; cannot delegate assessment responsibility to the auditor
The registered public accounting firm's attestation report must be filed as part of the annual report.

Sarbanes Oxley Act of July 2002: Management's documentation requirements
- The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements (all five components, including the control environment and company-level controls).
- Information about how significant transactions are initiated, authorized, recorded, processed and reported.
- Sufficient information about the flow of transactions to identify where material misstatements due to error or fraud could occur.
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties.
- Controls over the period-end financial reporting process.
- Controls over safeguarding of assets.
- The results of management's testing and evaluation.

80 6. Sarbanes Oxley Act of July 2002: Section 404 SEC final rule, Management's responsibilities
- Management's assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness.
- Inquiry alone will generally not provide an adequate basis for assessment.
- Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.

Sarbanes Oxley Act of July 2002: What CEO & CFO require
- A documented internal control structure that includes all relevant policies, procedures and operating principles
- A structure that is robust and able to deal with the changes of a dynamic organisation
- A structure designed to be kept current on a real time basis
- An infrastructure to support the internal control structure that facilitates communication, reporting, training, incident identification and issues management
- An infrastructure that facilitates rollup certifications, acknowledgements and monitoring
- An infrastructure that facilitates management's ability to have confidence that the control structure is effective and one that can be tested
- An infrastructure that can support monitoring the completion of applicable control procedures on a real time basis
- A dashboard confirming ability to sign certification

81 6. Sarbanes Oxley Act of July 2002: What registrants should demonstrate
Sarbanes-Oxley and other internal control regulations require companies to demonstrate:
- Documented, presentable and auditable business processes and process controls over all major activities within an entity
- Process for updating control systems and documentation continuously
- Process for monitoring and testing internal control effectiveness
- Ability to demonstrate performance of internal control effectiveness assessment

Sarbanes Oxley Act of July 2002: Roles & responsibilities

82 6. Sarbanes Oxley Act of July 2002: Roles & responsibilities

Loi Sécurité Financière

83 7. Loi Sécurité Financière


Nadere informatie

B1 Woordkennis: Spelling

B1 Woordkennis: Spelling B1 Woordkennis: Spelling Bestuderen Inleiding Op B1 niveau gaan we wat meer aandacht schenken aan spelling. Je mag niet meer zoveel fouten maken als op A1 en A2 niveau. We bespreken een aantal belangrijke

Nadere informatie

ICT-Risico s bij Pensioenuitvo ering

ICT-Risico s bij Pensioenuitvo ering ICT-Risico s bij Pensioenuitvo ering Seminar Instituut voor Pensioeneducatie 13 juni 2018 Introductie en kennismaking Ali Alam + Senior Consultant bij KPMG IT Assurance & Advisory + Ruime ervaring met

Nadere informatie

STICHTING LIGHTREC NEDERLAND MANAGER LIGHTREC

STICHTING LIGHTREC NEDERLAND MANAGER LIGHTREC STICHTING LIGHTREC NEDERLAND MANAGER LIGHTREC LIGHTREC Energiezuinige lampen zijn goed voor het milieu, maar mogen niet worden afgedankt bij het gewone huisvuil. De materialen uit energiezuinige verlichting

Nadere informatie

(Big) Data in het sociaal domein

(Big) Data in het sociaal domein (Big) Data in het sociaal domein Congres Sociaal: sturen op gemeentelijke ambities 03-11-2016 Even voorstellen Laudy Konings Lkonings@deloitte.nl 06 1100 3917 Romain Dohmen rdohmen@deloitte.nl 06 2078

Nadere informatie

Scope of this ISA 1-3 Reikwijdte van deze ISA 1-3. Effective Date 4 Ingangsdatum 4. Objective 5 Doelstelling 5. Definitions 6-7 Definities 6-7

Scope of this ISA 1-3 Reikwijdte van deze ISA 1-3. Effective Date 4 Ingangsdatum 4. Objective 5 Doelstelling 5. Definitions 6-7 Definities 6-7 INTERNATIONAL STANDARD ON AUDITING 800 SPECIAL CONSIDERATIONS AUDITS OF FINANCIAL STATEMENTS PREPARED IN ACCORDANCE WITH SPECIAL PURPOSE FRAMEWORKS (Effective for audits of financial statements for periods

Nadere informatie

It s CMMI Jim, but not as we know it! CMMI toegepast op een Compliance organisatie Door Jasper Doornbos Improvement Focus

It s CMMI Jim, but not as we know it! CMMI toegepast op een Compliance organisatie Door Jasper Doornbos Improvement Focus It s CMMI Jim, but not as we know it! CMMI toegepast op een Compliance organisatie Door Jasper Doornbos Improvement Focus Inhoud Compliance vakgebied en organisatie CMMI software en systems engineering

Nadere informatie

Building the next economy met Blockchain en real estate. Lelystad Airport, 2 november 2017 BT Event

Building the next economy met Blockchain en real estate. Lelystad Airport, 2 november 2017 BT Event Building the next economy met Blockchain en real estate Lelystad Airport, 2 november 2017 Blockchain en real estate Programma Wat is blockchain en waarvoor wordt het gebruikt? BlockchaininRealEstate Blockchain

Nadere informatie

Martin Dees Algemene Rekenkamer. Performance Auditing

Martin Dees Algemene Rekenkamer. Performance Auditing Martin Dees Algemene Rekenkamer Performance Auditing Invitation to dance performance audits! De danszaal: goed openbaar bestuur De dansers: ook de internal auditors! De openingspassen: enkele uitgangspunten

Nadere informatie

OPEN TRAINING. Onderhandelingen met leveranciers voor aankopers. Zeker stellen dat je goed voorbereid aan de onderhandelingstafel komt.

OPEN TRAINING. Onderhandelingen met leveranciers voor aankopers. Zeker stellen dat je goed voorbereid aan de onderhandelingstafel komt. OPEN TRAINING Onderhandelingen met leveranciers voor aankopers Zeker stellen dat je goed voorbereid aan de onderhandelingstafel komt. Philip Meyers Making sure to come well prepared at the negotiation

Nadere informatie

Page 1 of 34. Vertaling NEDERLANDS ENGELS

Page 1 of 34. Vertaling NEDERLANDS ENGELS INTERNATIONAL STANDARD ON AUDITING 200 OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH INTERNATIONAL STANDARDS ON AUDITING INTERNATIONAL STANDARD ON AUDITING

Nadere informatie

Resilient risk management: veilige veerkrachtige processen

Resilient risk management: veilige veerkrachtige processen Resilient risk management: veilige veerkrachtige processen NVVK Veiligheidscongres 16 en 17 maart 2011 (N)iemand verantwoordelijk voor Veiligheid?! Dolf van der Beek Raphaël Gallis Niek Steijger Johan

Nadere informatie

Summary 124

Summary 124 Summary Summary 124 Summary Summary Corporate social responsibility and current legislation encourage the employment of people with disabilities in inclusive organizations. However, people with disabilities

Nadere informatie

Ervaringen met begeleiding FTA cursus Deployment of Free Software Systems

Ervaringen met begeleiding FTA cursus Deployment of Free Software Systems Ervaringen met begeleiding FTA cursus Deployment of Free Software Systems Frans Mofers Nederland cursusmateriaal & CAA's alle cursusmateriaal vrij downloadbaar als PDF betalen voor volgen cursus cursussite

Nadere informatie

Effectief Toezicht ervaringen van een commissaris

Effectief Toezicht ervaringen van een commissaris Effectief Toezicht ervaringen van een commissaris Margot Scheltema September 2014 22-9-2014 Scheltema - VITP 1 Wanneer is toezicht effectief? (1) Samenstelling RvT Profielschets Competenties; verschil

Nadere informatie

Informatiebeveiliging & ISO/IEC 27001:2013

Informatiebeveiliging & ISO/IEC 27001:2013 Informatiebeveiliging & ISO/IEC 27001:2013 Aart Bitter Haarlem, 18 maart 2014 Kwaliteitskring Noord-Holland www.information-security-governance.com Agenda 13:45-14:15 - Informatiebeveiliging Introductie

Nadere informatie

(1) De hoofdfunctie van ons gezelschap is het aanbieden van onderwijs. (2) Ons gezelschap is er om kunsteducatie te verbeteren

(1) De hoofdfunctie van ons gezelschap is het aanbieden van onderwijs. (2) Ons gezelschap is er om kunsteducatie te verbeteren (1) De hoofdfunctie van ons gezelschap is het aanbieden van onderwijs (2) Ons gezelschap is er om kunsteducatie te verbeteren (3) Ons gezelschap helpt gemeenschappen te vormen en te binden (4) De producties

Nadere informatie

AERZEN Maatschappelijk Verantwoord Ondernemen MVO AERZEN Corporate Social Responsibility CSR

AERZEN Maatschappelijk Verantwoord Ondernemen MVO AERZEN Corporate Social Responsibility CSR AERZEN Maatschappelijk Verantwoord Ondernemen MVO AERZEN Corporate Social Responsibility CSR De Aerzener Maschinenfabrik is gecertificeerd volgens verschillende internationale normen die specifieke eisen

Nadere informatie

The Dutch mortgage market at a cross road? The problematic relationship between supply of and demand for residential mortgages

The Dutch mortgage market at a cross road? The problematic relationship between supply of and demand for residential mortgages The Dutch mortgage market at a cross road? The problematic relationship between supply of and demand for residential mortgages 22/03/2013 Housing market in crisis House prices down Number of transactions

Nadere informatie

CobiT. Drs. Rob M.J. Christiaanse RA PI themabijeenkomst Utrecht 29 juni 2005 9/2/2005 1

CobiT. Drs. Rob M.J. Christiaanse RA PI themabijeenkomst Utrecht 29 juni 2005 9/2/2005 1 CobiT Drs. Rob M.J. Christiaanse RA PI themabijeenkomst Utrecht 29 juni 2005 9/2/2005 1 Control objectives for information and related Technology Lezenswaardig: 1. CobiT, Opkomst, ondergang en opleving

Nadere informatie

Copyright 2010 SAS Institute Inc. All rights reserved.

Copyright 2010 SAS Institute Inc. All rights reserved. Copyright 2010 SAS Institute Inc. All rights reserved. 2 3 4 5 6 REPORTING ANALYTICS DATA MANAGEMENT 7 Introductie Klantcases Finance & Risk integratie Vragen 8 Informatie waarde $! % & $ROI! %! " # $

Nadere informatie

De toekomst van de Tax Assurance Provider

De toekomst van de Tax Assurance Provider De toekomst van de Tax Assurance Provider Tax Data Science & Tax Assurance Vakmanschap 2022 RTAP-dag John Piepers 14 juni 2017 Interne beheersing 2 De wereld globaliseert... 3 versnelt, zapt en is on-line!

Nadere informatie

EU Data Protection Wetgeving

EU Data Protection Wetgeving Fundamentals of data protection EU Data Protection Wetgeving Prof. Paul de Hert Vrije Universiteit Brussel (LSTS) 1 Outline -overzicht -drie fundamenten -recente uitspraak Hof van Justitie Recht op data

Nadere informatie

02/10/2015. Co-operative Compliance en de rol van Compliance Management Systemen

02/10/2015. Co-operative Compliance en de rol van Compliance Management Systemen Co-operative Compliance en de rol van Compliance Management Systemen 1 Uitgangspunten Co-operative Compliance Vertrouwen, Begrip en Transparantie Governance Control Responsief Handhaven VERTROUWEN versus

Nadere informatie

Seminar 360 on Renewable Energy

Seminar 360 on Renewable Energy Seminar 360 on Renewable Energy Financieren van duurzame energie initiatieven ING Lease (Nederland) B.V. Roderik Wuite - Corporate Asset Specialist - Agenda I 1. Introductie 2. Financiering van duurzame

Nadere informatie

Alcohol policy in Belgium: recent developments

Alcohol policy in Belgium: recent developments 1 Alcohol policy in Belgium: recent developments Kurt Doms, Head Drug Unit DG Health Care FPS Health, Food Chain Safety and Environment www.health.belgium.be/drugs Meeting Alcohol Policy Network 26th November

Nadere informatie

Topic 10-5 Meeting Children s Intellectual Needs

Topic 10-5 Meeting Children s Intellectual Needs Topic 10-5 Meeting Children s Intellectual Needs In this topic, you will learn how to help children develop the ability to reason and use complex thought, as well as The role of play in intellectual development

Nadere informatie

SAMPLE 11 = + 11 = + + Exploring Combinations of Ten + + = = + + = + = = + = = 11. Step Up. Step Ahead

SAMPLE 11 = + 11 = + + Exploring Combinations of Ten + + = = + + = + = = + = = 11. Step Up. Step Ahead 7.1 Exploring Combinations of Ten Look at these cubes. 2. Color some of the cubes to make three parts. Then write a matching sentence. 10 What addition sentence matches the picture? How else could you

Nadere informatie

Scope of this ISA 1 Toepassingsgebied van deze ISA 1

Scope of this ISA 1 Toepassingsgebied van deze ISA 1 ENGELS INTERNATIONAL STANDARD ON AUDITING 550 RELATED PARTIES (Effective for audits of financial statements for periods beginning on or after December 15, 2009) Introduction CONTENTS Paragraph Vertaling

Nadere informatie

GMPZ herziening 2013 H7 Uitbestede werkzaamheden Pagina 1 van 6

GMPZ herziening 2013 H7 Uitbestede werkzaamheden Pagina 1 van 6 -Z Hoofdstuk 7 Uitbestede werkzaamheden Inleiding Voor het uitbesteden van de gehele bereiding of een onderdeel daarvan geldt de. De -principes van dit hoofdstuk zijn van toepassing op het uitbesteden

Nadere informatie

Risico s van Technologisch Succes in digitale transformatie S T R A T E G I C A D V I S O R

Risico s van Technologisch Succes in digitale transformatie S T R A T E G I C A D V I S O R Risico s van Technologisch Succes in digitale transformatie 2e Risk Event 2019 11 april 2019 The S T R A T E G I C A D V I S O R Ymanagement school of the autonomous University of Antwerp 2 Prof. dr. Hans

Nadere informatie

Slide 1. Slide 2 Introduktie. Slide 3 Deze les: 2 onderwerpen. Les 1 Definities en belang Informatie Technologie. Intro docent Opzet/tentamenstof

Slide 1. Slide 2 Introduktie. Slide 3 Deze les: 2 onderwerpen. Les 1 Definities en belang Informatie Technologie. Intro docent Opzet/tentamenstof Slide 1 Les 1 Definities en belang Informatie Technologie IT A Basics en toepassing Informatie Technologie Versie 4.1 Sept 2014 Slide 2 Introduktie Intro docent Opzet/tentamenstof Stof/vraagstukken behandeld

Nadere informatie

1.1 ORGANIZATION INFORMATION 1.2 CONTACT INFORMATION 2.1 SCOPE OF CERTIFICATION 2.2 AUDITOR INFORMATION 3.1 AUDIT CONCLUSIONS 3.2 MANAGEMENT SYSTEM EFFECTIVENESS 3.3 OBSERVATIONS Organization Address Name

Nadere informatie

COBIT Perspectief van de beoordeling

COBIT Perspectief van de beoordeling INFORMATION RISK MANAGEMENT COBIT Perspectief van de beoordeling AUDIT Mark Lof Senior Manager Information Risk Management Utrecht, Nederland 29 juni 2005 Agenda IT Audit Gebruik van normen Normenset COBIT

Nadere informatie

Het betreft hier aanpassingen aan Standaard 315 i.v.m. het herzien van Standaard 610. Consultatieperiode loopt tot 11 november 2013, 14.

Het betreft hier aanpassingen aan Standaard 315 i.v.m. het herzien van Standaard 610. Consultatieperiode loopt tot 11 november 2013, 14. Originally developed by: Translated and re-published by: NBA (The Netherlands Institute of Chartered Accountants) Concept Standaard 315 Risico s op een afwijking van materieel belang identificeren en inschatten

Nadere informatie

Business as (un)usual

Business as (un)usual Business as (un)usual Beperking van de impact van incidenten begint vandaag! Aon Global Risk Consulting Business Continuity Practice Continuiteit = basis voor succesvol ondernemen.voor u business as usual?

Nadere informatie

Gemeente Ridderkerk Controle jaarrekening Ridderkerk 4 juli 2019 Jesper van Koert Reinier Moet Rein-Aart van Vugt

Gemeente Ridderkerk Controle jaarrekening Ridderkerk 4 juli 2019 Jesper van Koert Reinier Moet Rein-Aart van Vugt Gemeente Ridderkerk Controle jaarrekening 2018 Ridderkerk 4 juli 2019 Jesper van Koert Reinier Moet Rein-Aart van Vugt Status van de controle Raad Gemeente Ridderkerk 2018 - bevindingen jaarrekening 1

Nadere informatie

Business Boost International International business development partner for Small and Medium-sized companies. January 2019

Business Boost International International business development partner for Small and Medium-sized companies. January 2019 Business Boost International International business development partner for Small and Medium-sized companies January 2019 Samenwerking 2 WHO WE ARE BBI Group Business Boost International B.V. is a European

Nadere informatie

ROUNDER SENSE OF PURPOSE verder werken aan de leerkracht-competenties duurzaamheid

ROUNDER SENSE OF PURPOSE verder werken aan de leerkracht-competenties duurzaamheid ROUNDER SENSE OF PURPOSE verder werken aan de leerkracht-competenties duurzaamheid HAN-PABO Arnhem 16/1/ 18 André de Hamer Rounder Sense of Purpose Wat? Waarom? Waar? Wanneer? Hoe? Wat? Uitgewerkte leerkrachtcompetenties

Nadere informatie

1. Overleg tussen VOC en SSVV over aanpassingen 2. Planning 2015 nieuwe versie gereed 3. Aansluitend nieuwe VCU 4. Waarschijnlijk meer nuancering dan

1. Overleg tussen VOC en SSVV over aanpassingen 2. Planning 2015 nieuwe versie gereed 3. Aansluitend nieuwe VCU 4. Waarschijnlijk meer nuancering dan 1. Overleg tussen VOC en SSVV over aanpassingen 2. Planning 2015 nieuwe versie gereed 3. Aansluitend nieuwe VCU 4. Waarschijnlijk meer nuancering dan schokkende wijzigingen Speerpunten VOC richting SSVV

Nadere informatie

Issues in PET Drug Manufacturing Steve Zigler PETNET Solutions April 14, 2010

Issues in PET Drug Manufacturing Steve Zigler PETNET Solutions April 14, 2010 Issues in PET Drug Manufacturing Steve Zigler PETNET Solutions April 14, 2010 Topics ANDA process for FDG User fees Contract manufacturing PETNET's perspective Colleagues Michael Nazerias Ken Breslow Ed

Nadere informatie

Innovative SUMP-Process in Northeast-Brabant

Innovative SUMP-Process in Northeast-Brabant Innovative SUMP-Process in Northeast-Brabant #polis14 Northeast-Brabant: a region in the Province of Noord-Brabant Innovative Poly SUMP 20 Municipalities Province Rijkswaterstaat Several companies Schools

Nadere informatie

25/11/2016. ISO 9001:2015 en kennis. Kennismaken met. Annelies Kleijsen Jan Kingma

25/11/2016. ISO 9001:2015 en kennis. Kennismaken met. Annelies Kleijsen Jan Kingma ISO 9001:2015 en kennis Annelies Kleijsen Jan Kingma 1 SAFER, SMARTER, GREENER Kennismaken met Knowledge Management Competence Center annelies.kleijsen@dnvgl.com +31621530198 Business Assurance Assurance

Nadere informatie