Provide guidance on scoping
The External Auditor may provide instructions on acceptable coverage at the company level (e.g. a "70% rule" stating that the org. units and processes in scope must cover 70% of the balance sheet, profit & loss statement or locations). Early collaboration with the External Auditor is essential for a timely 404 attestation.
Provide guidance on testing scope and procedures
The External Auditor may help management determine which controls are to be tested and how, considering key controls as well as other controls known to have a high risk exposure. The External Auditor may provide instructions for the testing of the specific control. Their expertise is based on collected experiences on the testing of the particular control during audits.
Perform process walk-throughs
The External Auditor performs process walk-throughs based on the process documentation stored in the MIC application.
Review remediation plans
The External Auditor may review the issues and remediation plans resulting from management's assessment and testing of internal controls in order to form an opinion on the thoroughness of the internal controls.
Perform testing of control effectiveness
The External Auditor may perform testing of internal control, document results and perform associated reporting within the tool.
Provide attest to 404 report
Prior to rendering the attestation, the External Auditor will review management's internal control documentation in the MIC application, including testing procedures and results.
Define management requirements and project set-up
Management defines how the company implements the Sarbanes-Oxley requirements and which other aspects the company will cover (e.g. local laws and regulations). Further decisions, which are made outside the system, include project set-up, timeline definition, methodology and responsibilities. Finally, the application is set up: global settings are defined and roles are built from the available tasks.
Perform scoping
Scoping is the selection of organizational units and processes with a significant impact on financial reporting (404), on disclosure controls and procedures (302) or other aspects of internal control (other potential local requirements). Corporate takes the parameters defined in the previous step and applies them to the org. units and processes to determine which org units and processes must be covered in the MIC application.
Maintain organizational hierarchy
Based on the identified legal entities and reporting lines, org. units are entered into the system; existing HR organizational structures or BW hierarchies may be leveraged. Excel upload and manual maintenance are also supported by the application.
Maintain central catalog of processes
Corporate defines a central catalog of processes. Only those processes that have a material impact on financial reporting (Section 404) or on disclosure controls and procedures (Section 302), or that cover other legal, regulatory or operational aspects the company would like to include, are documented in the MIC application; not all processes must be included.
Assign Processes to financial statement accounts
Processes in the central catalog of processes will be linked to the relevant financial statement accounts or account groups (intervals).
Assign control objectives and risks to processes
Control Objectives and Risks are defined for the processes in the Central Process Catalog in the MIC application. A Control Objective is a statement that captures the purpose of the controls within the process. A Risk is a potential event that adversely impacts the desired outcome of a control objective.
Maintain catalog of management controls
Management controls (higher-level controls that support the control activities at the process step level) may be identified, including Monitoring, Information and Communication, Risk Assessment, Control Environment, etc. Capturing such data is an essential aspect of the COSO framework for internal control, which the SEC has identified as a suitable framework for the internal control evaluation required by the Sarbanes-Oxley Act (SOA).
Perform sign-off and prepare 404 report/302 certification
Corporate reviews the sign-off results rolled up along the organizational hierarchy and performs the corporate sign-off in the MIC application. The sign-off indicates that all information contained in the tool (e.g. the processes and controls identified, the control ratings) is adequate and up-to-date. Issues and remediation plans may still be open at the time of sign-off. Sign-offs with outstanding red ratings require comments and may prevent the CEO and CFO from submitting a clean 302 Certification / 404 Report; the outstanding points would then have to be disclosed to the SEC and the public.
The 404 Report is a statement filed with the SEC on an annual basis (for all filers) by the CEO and the CFO relating to the effectiveness of internal control over financial reporting. The 404 Report is not necessarily generated directly from the MIC application, but it is supported by the reports available through the tool.
The 302 Certification is a statement filed with the SEC by the CEO and the CFO with each periodic report, i.e. quarterly and annually for US domestic filers (with each 10-Q and 10-K) and annually for foreign private issuers (with the 20-F), relating to the existence and effectiveness of disclosure controls and procedures. The certification itself does not occur within the MIC application, but it can be supported by sign-offs required of org. unit managers on a quarterly or annual basis and by pre-set reports generated to form a basis for the certification.
Assign relevant processes to org. units and define process steps
Individual org. units choose from the central process catalog the processes that are applicable and in scope for their org. unit.
Document control activities
Existing controls at the process step level are identified by marking the respective process step as a control and by providing further definitions / attributes.
Assign controls to risks
Controls documented by Org. Units within in-scope processes are assigned to the process risks they mitigate.
Perform assessment of control design at control level
Org. Units perform an assessment of control design in the selected areas of scope. This serves as a readiness assessment for 404 and/or 302 compliance by enabling management to identify and remediate control issues early on and ease the testing process, which occurs at a later stage.
Perform assessment of control efficiency at control level
The Assessment of Control Efficiency is not required by Sarbanes-Oxley. However, org. units will be interested in performing this assessment for process improvement purposes. Issues that come up from the assessment will be recorded and resolution will be tracked.
Perform control design and efficiency remediation
Issues (control shortcomings / opportunities for improvement) resulting from the Control Design / Efficiency Assessments are addressed by developing remediation plans with defined timeframes, milestones and accountability. Management tracks the resolution of these remediation plans.
Perform assessment of control design at process level
Once control design and efficiency have been assessed at the control level, the assessment is repeated at the aggregated process level, enabling management to provide additional commentary on the process as a whole. For example, management considers whether the controls occur in the right sequence, or whether there are missing or redundant controls.
Perform process design remediation
Issues (control shortcomings / opportunities for improvement) resulting from the Control Design Assessment at the process level are addressed by developing remediation plans with defined timeframes, milestones and accountability. Management tracks the resolution of these remediation plans.
Perform assessment of management controls
Org. Units and Process Groups perform their assessments along predefined criteria similar to completing a survey and providing comments / evidence (text). The survey structure is based on a corporate catalog of company-wide Management Controls.
Perform management control remediation
Issues (control shortcomings / opportunities for improvement) resulting from the Assessment of Management Controls are addressed by developing remediation plans with defined timeframes, milestones and accountability. Management tracks the resolution of these remediation plans.
Perform testing of control effectiveness
A testing plan is created based on the testing scope and the required timeframe for completion. The testing plan details which controls are to be tested, how they are to be tested (based on the control documentation), the milestones / deadlines, and the responsibility for test execution. Control effectiveness testing is then performed to support the preparation of the 404 Report and/or 302 Certification. Many test procedures (e.g. inquiry, observation, reperformance) are carried out outside the MIC application; the occurrence of exceptions (negative testing outcomes) is documented in the MIC application and results in a rating (adequate, deficient or significantly deficient). Control shortcomings / opportunities for improvement identified through this testing are documented as issues.
Perform control effectiveness remediation
Issues (control shortcomings / opportunities for improvement) resulting from the Control Effectiveness Testing are addressed by developing remediation plans with defined timeframes and accountability. Management tracks the resolution of these remediation plans.
Perform org. unit review and sign-off
Org. Unit Managers track remediation progress and analyze the assessment / testing results. Finally, they perform the sign-off for their respective Org. Unit in the MIC application. The sign-off indicates that all information contained in the tool (e.g. the processes and controls identified, the control ratings, etc.) is adequate and up-to-date.
This Business Scenario Map is designed to show how four types of business partners (an external auditor, corporate, the individual organizational units, and an external control testing specialist) work together on a Management of Internal Controls project whose goal is the company's compliance with the Sarbanes-Oxley Act, Sections 302/404.
This map illustrates the benefits of collaboration. Initially, the organizational structures and processes within the project scope are centrally documented by corporate, assisted by the external auditor. Responsibility for internal control documentation, assessment and remediation is then cascaded down to the individual organizational units. External control testing specialists deliver their testing results via XI (SAP Exchange Infrastructure) interfaces into the central repository, triggering any necessary remediation activities. Finally, the results are rolled up to support corporate in preparing the 302 Certification / 404 Report.
Business Benefits
Improved transparency of internal control
Centralization of documentation
Participants and tasks in the Business Scenario Map
External Control Scheduling / Testing Tool
· Send Control Testing Results to MIC via XI Interface
External Auditor
· Provide guidance on scoping
· Provide guidance on testing scope and procedures
· Perform process walk-throughs
· Review remediation plans
· Perform testing of control effectiveness
· Provide attest to 404 report
Corporate
· Define management requirements and project set-up
· Perform scoping
· Maintain organizational hierarchy
· Maintain central catalog of processes
· Assign Processes to financial statement accounts
· Assign control objectives and risks to processes
· Maintain catalog of management controls
· Perform sign-off and prepare 404 report/302 certification
Organizational Unit
· Assign relevant processes to org. units and define process steps
· Document control activities
· Assign controls to risks
· Perform assessment of control design at control level
· Perform assessment of control efficiency at control level
· Perform control design and efficiency remediation
· Perform assessment of control design at process level
The Management of Internal Controls application helps your company move toward Sarbanes-Oxley compliance. The application captures and structures the documentation, assessments and test results that make up your company's internal control relative to Sections 302/404. It helps you document internal controls by organizational unit/process, together with assessments at the control activity, process, process group and organizational unit levels. In addition, the application's scheduling features manage your internal control testing procedures. Senior executives can use the reporting capabilities to stay updated on the status of controls and issues throughout the organization. A rules-based engine and workflow integration capabilities track the progress of the Sarbanes-Oxley 302/404 project at your company and support the sign-off procedures required to meet the disclosure requirements.
You can use the application in the following phases of your Sarbanes-Oxley 302/404 project:
· Scoping and Project Set-up
  · Creation and maintenance of roles from a list of pre-defined tasks as part of the application's role & task concept
  · Creation/upload and maintenance of the organizational unit hierarchy and cascading-down assignment of persons to roles
  · Creation/upload and maintenance of the Central Process Catalog
  · Assignment of processes to financial statement accounts
  · Definition of control objectives and risks for processes in the Central Process Catalog
  · Creation and maintenance of the Central Catalog of Management Controls
  · Assignment of processes from the Central Catalog to individual organizational units and cascading-down assignment of persons to roles
  · Documentation of organizational unit-specific process steps
· Initial Documentation of Internal Controls
  · Identification of process steps that represent controls
  · Maintenance of control-specific attributes
· Internal Control Assessment and Remediation (workflow-supported)
  · Control design assessment at the control level
  · Control efficiency assessment at the control level
  · Control design assessment at the process level
  · Assessment of management controls at the process group/organizational unit level
  · Identification of issues
  · Validation of assessments
  · Remediation of issues
  · Progress tracking and analysis
· Testing of Control Effectiveness (workflow-supported)
  · Documentation of control effectiveness testing by multiple testers
  · Identification of issues
  · Remediation of issues
  · Progress tracking and analysis
· Reporting and Sign-off (workflow-supported)
  · Analysis overviews, including change reports to be used in the subsequent years of your Sarbanes-Oxley project
  · Management reports
  · Sign-off supporting 404 Reporting/302 Certification