A Sarbanes-Oxley dilemma: apply the 80-20 rule to legal entities covered or detail all ISO 9000-like entities? That is the question.

Ian is the director of audit for NewMedTech (NMT) Inc., a privately held biotechnology firm with revenues around US$200 million. Based in upstate New York, NMT also has three legal entities it consolidates: NMT-International, the international sales arm; NMT-Research, the "think tank"; and NMT-Hungary, where some off-shore production occurs. NMT is preparing for its initial public offering (IPO) on NASDAQ next year, and its preparations include establishing an audit committee, forming an internal audit department, and complying with the U.S. Sarbanes-Oxley Act of 2002.
The company's chief executive officer (CEO), chief financial officer (CFO), operations team, new director of internal auditing, and the audit committee are struggling to define the scope of the plan to comply with Sarbanes-Oxley Section 404, the company's attestation on the control environment. Moreover, several of them have different opinions about how to meet the legislation's minimum requirements. The CEO and operations team are arguing to keep the scope limited to issues reminiscent of those that led to the collapse of Enron and material for investors, which means the accounting and consolidation groups only. However, because accounting relies on operational processes to ensure accurate and timely maintenance of the financial systems, the IPO consultant and the CFO want an "ISO 9000-like" process implemented throughout every level of operations. The audit committee wants to use the 80-20 rule (20 percent of the results will involve 80 percent of the effort) on legal entities covered, which allows a company to mitigate a disproportionately large amount of risk using relatively few resources, but the external auditors would like to see the detailed "ISO 9000-like" processes rolled out fully with coverage of all entities. Ian is concerned that too much time and too many resources are being focused on this debate, and he is trying to provide firm direction on Section 404 while refocusing the team on the entire compliance initiative. As a new addition to the company, however, he is not sure he is fully included in the decision-making process. How should Ian proceed?

AMBER E. MILLER, CIA, CFIRS, Vice President, General Audit Department, JP Morgan Chase & Co.
In the wake of corporate scandals, regulators will be highly focused on Sarbanes-Oxley compliance. The audit department should definitely be involved in the firm's efforts to comply with Section 404, but the external auditors--who are actually signing off on the financials--will have a huge say in what they want to see from a materiality, testing, and documentation perspective. The external auditors need to be around the table now. With that said, the internal audit department should not be responsible for executing the work itself and should instead focus on independently validating the firm's efforts and ensuring compliance with the chosen methodology. This includes evaluating and opining on the effectiveness of project governance and reviewing documentation and test results. Section 404 states that "significant" controls must be documented, assessed, and tested. The company must first define a methodology for meeting the legislation's minimum requirements and then identify the significant financial reporting areas and legal entities that will be affected. The 80-20 rule is one option, but other thresholds could also be considered, such as the percentage of revenue.
Although the CEO and the operations team are right in that issues within the accounting and consolidation groups are likely to become "material for investors," other groups should not be ignored. There is always a chance that material weaknesses exist in the control structure within other areas that could ultimately lead to the misstatement of financials. Additionally, in determining NMT's methodology, controls around market risk, credit risk, corporate reporting, and technology infrastructure should not be forgotten.
In cases like this, organizations with robust self-assessment processes are a step ahead. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, Internal Control--Integrated Framework, provides a mechanism for identifying gaps, highlighting deficiencies, and documenting corrective action plans from a firm, legal entity, and line-of-business perspective. Self-assessments are a great starting point for determining major risk areas and provide standard consistency across all business lines. Strong self-assessments would also help to pinpoint underlying control weaknesses in smaller business lines that could have a downstream impact on the financials. As the director of audit, Ian needs to get the external auditors around the table as soon as possible. He should focus on ensuring that NMT management works diligently with the outside auditors to create and adopt a methodology and a plan of action as well as the necessary tools for monitoring progress toward total Sarbanes-Oxley compliance. He should recommend and aggressively push for the adoption of the COSO framework, not just for Sarbanes-Oxley compliance but for the betterment of the organization as a whole.

J. SPENCER FEREBEE, Vice President--Internal Audit, Toys "R" Us Inc.
Ian finds himself in a difficult but not uncommon situation, as the viewpoints on how to proceed with an appropriate response to Section 404 are highly divergent. This is an opportunity for Ian to establish credibility for both himself and his department with a proactive approach. Ian has an excellent opportunity to establish internal audit as a visible and critical function by taking the lead and defining the scope of the company's Section 404 coverage and compliance approach. Because the company is still private, Ian is not yet bound to the Sarbanes-Oxley deadlines and can help put into place a year-one compliance program. As he develops that program, it is critical that he meet with the external auditors to discuss a reasonable approach. Because it is unlikely that their existing clients were able to cover all aspects of the business, Ian should explore what was covered first and what's considered reasonable for NMT's particular circumstances. He should also do some benchmarking with other companies and audit directors. Working with the CFO and the head of accounting, Ian should establish a Section 404 steering committee and include the external auditors. This group should define the scope of coverage appropriate for the company in year one. At the end of the day, Ian must get his external auditors to agree to the scope of the company's coverage, as they will not only evaluate the adequacy of the controls, but also management's approach to its evaluation of the company's controls over financial reporting.

KAREN M. MILLER, CPA, Director, Internal Audit, Medco Health Solutions Inc.
Ian must ensure his Sarbanes-Oxley project role does not impair the objectivity of the internal audit function. As the director of internal audit, he must avoid the "decision-maker" role, which is management's responsibility. Rather, Ian should support management in carrying out its responsibilities through assurance and consulting. The suggested scope approaches indicate a lack of understanding of Section 404 requirements. In his consulting role, Ian should facilitate bringing the parties together to educate them on the minimum requirements. This briefing could be conducted by an independent consultant so that any weaknesses with the previous approaches can be freely addressed. Specifically:
* The suggested approach to limit the scope to Enron-level issues would not provide sufficient testing for management to opine on internal controls over financial reporting. The scope is too narrow and must include the processes or cycles that generate significant accounts and disclosures in the financial reporting process.
* The implementation of an "ISO 9000-like" process throughout all operational levels would be unnecessarily broad. It would be more efficient to focus the company's limited resources on documenting and testing only internal controls over financial reporting, rather than internal controls over operational activities or compliance controls, which are not within the scope of Section 404.
* The 80-20 rule on legal entities covered may not be appropriate because the objective in selecting locations is to ensure that the controls are assessed and tested at the level at which they are performed. This may be inconsistent with the legal entity structure and will need to be assessed.
Next, Ian should emphasize to management the need for a more comprehensive means to determine the Section 404 project scope, as it is a critical objective for successful project execution. To do this, the company should consider Staff Accounting Bulletin No. 99 (SAB 99). The company should analyze the financial statements to identify the significant accounts and disclosures and to determine the processes or cycles that generate them. The locations to be tested should include: locations and business units with relative financial significance and the risk of material misstatement (e.g., less than 5 percent annual revenue); remaining locations or businesses with specific risks that, by themselves, could create a material misstatement; and other locations or business units that, when aggregated, represent a group with a level of financial significance that could create a material misstatement. Once the proposed scope has been determined, it should be presented to the audit committee and the external auditors for their concurrence.

To comment on this article, e-mail the editor at evanwijk@theiia.org.
BY CHRIS SCHMIDT, CIA, CMA
EDITED BY EELCO R. VAN WIJK