Leveraging the COSO Framework to Meet Section 404

Leveraging the COSO Framework to Meet Section 404 Requirements
The Institute of Internal Auditors Webcast Series on the Sarbanes-Oxley Act
July 8, 2003, 1:00 – 2:30 pm Eastern Time

The IIA Webcast Moderator: Jim Key, CIA, Managing Partner, Shenandoah Group, L.L.P.

Disclaimer
The views expressed in this webcast are solely those of the panelists and moderators and do not necessarily reflect the views or policies of the Institute of Internal Auditors or its directors, officers, employees, and members.

The Webcast Series on the Sarbanes-Oxley Act
Series 1: Fostering Compliance with SOA: Internal Auditor’s Role
– Four sessions archived on the website and available on CD
– To purchase, contact Alex at Agoodman@theiia.org

Series 2: Emerging Trends and Best Practices in Implementing SOA
• May 21 – Section 404 Readiness Review: How to document your system of internal control (Archived)
• June 10 – Helping your audit committee implement complaint handling (Archived)
• July 8 – Leveraging the COSO framework to meet Section 404 requirements
• August 12 – Project Administration: Setting and revising priorities in the wake of the “Final 404 Rules”
• September 9 – Internal Audit support of Audit Committees: What works best
• September 30 – The Road Ahead: Meeting the challenges in complying with the Sarbanes-Oxley Act

Sarbanes-Oxley: Implications and Impact for Internal Audit
• Seminar Offering: 2.5 Days
§ Chicago, July 30
§ Seattle, August 4
§ West Palm Beach, August 25
§ Phoenix, September 10
§ San Francisco, September 24
§ Orlando, December 10
§ New York, December 17

Other Resources
• IIA Web Page: www.theiia.org – Click on Guidance – Click on Tools and Resources for Corporate Governance
§ IIA Position Papers
§ Responses to exposure drafts
§ IIA Research Foundation Master Key Series
§ The Sarbanes-Oxley legislation
§ Stock listing exchanges’ key requirements

Management Assessment of Internal Controls (404)
• Requires the SEC to prescribe rules to:
– State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
– Contain an assessment of the effectiveness of the internal control structure and procedures for financial reporting

SEC Final Rules
• Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
• Release Date: June 5, 2003 (Release No. 33-8238)
• Effective Date: August 14, 2003
• Evaluation of Internal Control over Financial Reporting within the context of the COSO framework

Agenda (time slots: 1:00, 1:10, 1:20, 1:30, 1:45, 2:25)
• Welcome and Overview
• Soft Controls – Bruce Adamec
• Control Activities – Ray Lukas
• Monitoring – Andrew Bellenkes
• Break
• Questions and Answers – Panel
• Wrap up – Jim Key

Soft Controls
Bruce Adamec, CPA, CIA, Vice President and General Auditor, United Stationers Inc.

Soft Controls
• Control Environment
• Risk Assessment
• Information & Communication

The Goal is Reliable Financial Results and Safeguarding Assets – Are “Soft” Components Important?
• Commissioner Paul S. Atkins, SEC, Rocky Mountain Securities Conference, Denver, Colorado, May 30, 2003:
“A long standing risk management principle is the importance of corporate culture and ‘tone from the top’. A CEO’s tolerance, or lack of tolerance of ethical misdeeds and a CEO’s philosophy of business conveys a great deal throughout the organization. The role of directors is to monitor and oversee that situation on behalf of stockholders.”

The Goal is Reliable Financial Results and Safeguarding Assets – Are “Soft” Components Important?
• Commissioner Cynthia Glassman, SEC, Federal Reserve Bank of Chicago, May 9, 2003:
“I can’t walk away from any discussion of corporate governance without stressing that the most important aspect of reform comes from market participants working proactively to foster an ethical culture in business.”

Why We Should Care About Soft Controls – Even Without Sarbanes-Oxley!
• Howard Schilit, Smart Money, July 2003:
“Bad people, in a business model with a nice story, will somehow find a way to destroy the business… But with honest people running the company… they’ll be able to navigate through the tough times and the company won’t blow it.”

404 Evaluation
• Clear Understanding of Soft Components
• Infrastructure Evaluation – “Hard” Activities for “Soft” Components
• Evaluation of How Well the Soft Components Are Working to Ensure Financial Statement Reliability and Safeguarding of Assets

What Do COSO Components Mean?
• Control Environment – Organization’s Ethics, Tone at the Top, Management Philosophy and Style, Commitment to Competence – Management Culture
• Risk Assessment – How the Organization Routinely Identifies and Manages Risks – Goals and Obstacles
• Information and Communication – Identifying, Capturing, and Communicating Relevant Data in a Form and Time Frame to Meet Associates’, Investors’, and the Board of Directors’ (Governance) Needs

Infrastructure Evaluation – “Hard Activities for Soft Components”
• Management Culture – Code of Ethics, Human Resources Practices
• Goals and Obstacles – Objectives, Financial Planning and Analysis, Hard-Coded Response Systems (Law, Finance, HR Department)
• Communication & Information – Clear Authority/Responsibility Lines, Standard Financial Close/Reporting Practices, Disclosure Controls, Whistleblower Process, “Open Door” Policies

Evaluation of How Well the “Soft” Components Are Working – Possible Methods
• Internal Control Questionnaires
• Control Self Assessments
• Survey Employees; Management Assesses Survey Results

[Diagram: Board of Directors Awareness – Company-wide Internal Control System Framework. Elements shown: Surveys, Control Self Assessments, Continuous Monitoring, 404 Certifications, Interviews, Knowledgeable Fact-based Assertions, Action Plans, Identification, Complete]

More Information on Survey Method
• “Internal Reflections”, The Internal Auditor, December 2002, pp. 56–63
• “Internal Audit’s Role in Corporate Governance: Sarbanes-Oxley Compliance”, IIA Website (IIARF Master Key)
– ALLTel Control and Risk Assessment
– El Paso Internal Control Assessment Survey

Control Activities
Ray Lukas, CPA, Director, Global Risk Management Solutions, PricewaterhouseCoopers

Control Activities
• Policies and procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Integration With Risk Assessment
• Along with assessing risks, management should identify the actions needed to address identified risks.
• These actions serve to focus attention on the control activities needed to ensure that such actions are appropriately carried out in a timely manner.

Integration With Risk Assessment
• Control activities are the means by which an enterprise strives to achieve its stated business objectives
– Control activities serve as the primary mechanism used by management to monitor performance to achieve business objectives, and
– Control activities are more effective when built directly into the management process

Types of Control Activities
• Numerous types of control activities, including:
– Preventative controls
– Detective controls
– Manual controls
– Computer controls, and
– Management controls
• Control activities usually involve two distinct elements:
– Policy that establishes “what should be done”, and
– Procedures that entail specific actions to be taken to comply with the policy
• An essential element of the control activities/procedures performed is that issues identified as a result of such procedures be investigated and appropriate corrective actions taken

Types of Control Activities
• Control Activities are performed by personnel at various levels in the organization
– Top Level Review – Actual performance compared to budget and forecast
– Direct Functional or Activity Management – daily, weekly and/or monthly review of performance by direct reports (supervisors & managers)
– Information Processing – controls designed to check the accuracy, completeness and authorization of transactions

Types of Control Activities
• Control Activities are performed by personnel at various levels in the organization (continued)
– Physical Controls – Physical security and periodic counting of hard assets (cash, inventory, equipment, etc.)
– Performance Indicators – Analytical reviews, where differences are investigated and corrective actions taken, and
– Segregation of Duties – Incompatible duties are separated among different people to reduce the risk of error or inappropriate actions

Application to Sarbanes 404 – Control Activity Maturity Levels

Level 1 – Unreliable: Unpredictable environment where control activities are not designed or in place

Level 2 – Informal: Control activities are designed and in place but are not adequately documented
• Disclosure Activities and Controls are designed and in place but are not adequately documented
• Controls mostly dependent on people
• No formal training or communication of control activities

Level 3 – Standardized: Control activities are designed, in place and adequately documented
• Control activities are designed and in place
• Control activities have been documented and communicated to employees
• Deviations from control activities will likely not be detected

(Management 404 Internal Control Assertion – label positioned on the slide between Levels 3 and 4)

Level 4 – Monitored: Standardized controls with periodic testing for effective design and operation, with reporting to management
• Automation and tools may be used in a limited way to support control activities

Level 5 – Optimized: Integrated internal controls with real-time monitoring by management and continuous improvement
• An integrated internal control framework with real-time monitoring by management and continuous improvement (Enterprise-Wide Risk Management)
• Automation and tools are used to support control activities and allow the organization to make rapid changes to the control activities if needed

Application to Sarbanes 404 – Business Process: Invoicing

Focus Area / Control Objective – Completeness of Input: All appropriate data are entered into the system and accepted for processing. Data rejected by the system are reported, investigated, corrected and re-entered.
• Control Noted: What ensures that a service invoice is generated for service provided? Control? Y
– Control Activities/Procedures: Every night there is a manual reconciliation of the number of Service Appointments that day to the number of appointments invoiced. This is part of the balancing procedures performed by the data center over nightly batch jobs. Approximately 70% of these invoices are transmitted to the customers electronically via EDI. A manual reconciliation is done to check that all invoices sent to EDI were received; EDI customers must acknowledge that they have received invoices. If customer acknowledgements are not received, the analysts follow up with the customers. The remaining 30% of the invoices are sent through regular mail.
• Control Noted: What ensures that a service provided cannot be invoiced twice? Control? Y
– Control Activities/Procedures: There is a programmed procedure that allows a customer to be invoiced only for the services described on the bill. An invoice will not be generated for that appointment until the services on the bill agree to the service on the schedule logging system.

Focus Area / Control Objective – Accuracy of Input: All errors in data are detected when recorded, accepted by the system, or converted to system-readable format.
• Control Noted: What ensures that the fee and amount of the services provided are correct? Control? N
– Control Activities/Procedures: Through a programmed procedure, invoices are priced using the contract assigned to that customer or the default price assigned to that customer in the customer contract pricing database. However, anyone who can manually enter a service provider can manually enter a different fee, thus overriding the contracted fee arrangement.
• Control Noted: What ensures that the invoice represents the actual services provided? Control? N
– Control Activities/Procedures: There is a programmed procedure that allows a customer to be invoiced only for the services on the bill. However, there is no control to ensure that all services provided were logged on to the service invoice.
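The completeness and accuracy checks described in this matrix, as an added example that is not code from the webcast or from any company named here: a nightly reconciliation over constructed appointment, invoice and contract-pricing records that flags appointments not invoiced or invoiced twice, invoices with no logged appointment, fees that depart from the contract or default price (the manual override the matrix notes as uncontrolled), and services logged but not billed (the check the matrix reports as absent). All customer names, service codes and prices are constructed.

```python
"""Nightly invoicing reconciliation (added example with constructed data)."""
from collections import Counter, namedtuple

# services = set of service codes logged in the schedule logging system
# (appointment) or described on the bill (invoice).
Appointment = namedtuple("Appointment", "appt_id customer services")
Invoice = namedtuple("Invoice", "invoice_id appt_id customer services fee")

# Constructed pricing data: contract price per (customer, service), with a
# default price used when no contract covers the service.
CONTRACT_PRICES = {("ACME", "repair"): 120.0, ("ACME", "inspection"): 40.0}
DEFAULT_PRICES = {"repair": 150.0, "inspection": 50.0, "install": 200.0}


def expected_fee(customer, services):
    """Fee the programmed pricing procedure should have produced."""
    return sum(CONTRACT_PRICES.get((customer, s), DEFAULT_PRICES[s]) for s in services)


def reconcile(appointments, invoices):
    """Return exception lists for analyst follow-up, keyed by control failure."""
    exc = {"not_invoiced": [], "duplicates": [], "unlogged": [],
           "fee_override": [], "service_gap": []}
    invoices_per_appt = Counter(inv.appt_id for inv in invoices)
    appts = {a.appt_id: a for a in appointments}
    # Completeness: every appointment is invoiced exactly once.
    for a in appointments:
        n = invoices_per_appt.get(a.appt_id, 0)
        if n == 0:
            exc["not_invoiced"].append(a.appt_id)
        elif n > 1:
            exc["duplicates"].append(a.appt_id)
    for inv in invoices:
        a = appts.get(inv.appt_id)
        if a is None:  # invoice with no logged appointment behind it
            exc["unlogged"].append(inv.invoice_id)
            continue
        # Accuracy: a fee that departs from contract/default pricing means the
        # programmed price was manually overridden.
        exp = expected_fee(inv.customer, inv.services)
        if abs(inv.fee - exp) > 0.005:
            exc["fee_override"].append((inv.invoice_id, inv.fee, exp))
        # Accuracy: services logged for the appointment but absent from the bill
        # (the check the matrix above reports as missing).
        missing = a.services - inv.services
        if missing:
            exc["service_gap"].append((inv.invoice_id, sorted(missing)))
    return exc


# Constructed sample day: A4 is never invoiced and A3 is invoiced twice.
APPOINTMENTS = [
    Appointment("A1", "ACME", frozenset({"repair", "inspection"})),
    Appointment("A2", "ACME", frozenset({"install"})),
    Appointment("A3", "ZETA", frozenset({"repair"})),
    Appointment("A4", "ZETA", frozenset({"inspection"})),
]
INVOICES = [
    Invoice("I1", "A1", "ACME", frozenset({"repair"}), 120.0),   # inspection never billed
    Invoice("I2", "A2", "ACME", frozenset({"install"}), 200.0),  # clean
    Invoice("I3", "A3", "ZETA", frozenset({"repair"}), 99.0),    # fee overridden (default 150)
    Invoice("I4", "A3", "ZETA", frozenset({"repair"}), 150.0),   # duplicate invoice for A3
    Invoice("I5", "A9", "ZETA", frozenset({"repair"}), 150.0),   # no appointment A9 was logged
]
```

Calling `reconcile(APPOINTMENTS, INVOICES)` yields one exception list per control failure, which is the list an analyst would work through the next morning.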

Monitoring
Andrew Bellenkes, CPA, Senior Auditor, VF Corporation

COSO Model – Monitoring Component
• Ongoing Monitoring – Management, supervisory, and other monitoring activities in the ordinary course of operations that assess the quality of internal controls
• Separate Monitoring – Evaluation focusing directly on system effectiveness, with a scope and frequency dependent on the assessment of risks and on ongoing monitoring
• Reporting Deficiencies – Upstream reporting of internal control deficiencies, with certain matters reported to top management and the board

SEC Final Ruling – Monitoring Points of Focus…
• A recognized control framework must be used as the basis of evaluation
• Sufficient procedures to evaluate the design of, and to test, internal controls over financial reporting
• Evidentiary matter must be maintained
• Quarterly evaluation of changes to internal controls over financial reporting
• Certifications mandated by Sections 302 and 906 of the Sarbanes-Oxley Act must be filed as exhibits to annual, semi-annual and quarterly reports

Monitoring Component (COSO Model / VF Hybrid Model)
• Goals & Objective Setting
• Risk Assessment
• Monitoring & Assessment
• Monitoring

Essential Elements of Effective Monitoring
• Scope Changes
• Evidentiary Support – SEC Rules – Archiving, Record Retention, Rollover to the Next Period
• Training
• Internal Audit’s Role
• Extent/Vigor of Quarterly Assessments

Roles in Monitoring Controls
• Project Office
• Internal Audit
• Asian Business Units
• Domestic & Americas
• European Business Units
• Corporate Controller’s Office

Roles in Monitoring Controls … Project Office / Internal Audit / Corporate Controller’s Office
Project Office
• Corporate Communication
• Training
• Systems Administration (for the internal controls documentation database used)
Internal Audit
• Review of Self-Testing by the Business Units
• Coordination and Performance of Testing (for external audit reliance, except for exempt areas)

Roles in Monitoring Controls … Project Office / Internal Audit / Corporate Controller’s Office
• Policies and Procedures Statements
• Internal Control Design and Implementation
• Technical Guidance

Roles in Monitoring Controls … the Organization (org chart)
VF Risk Committee – Corporate CFO, Chair (*Issue resolution: Ownership of final accounting determinations)
Project Office – General Auditor, Corporate Controller, Internal Audit, Finance; External Advisory
Business Units (BU Owner and BU Coordinator roles shown under the business units):
• VF Intimates
• VF Corporate
• VF Jeanswear
• VF Outdoor
• VF ASIA/GSO
• VF Services FI/HR
• VF Europe
• VF IS/IT
• VF Imagewear
• Acquisition(s)?

Roles in Monitoring Controls … VF Europe (org chart)
VF Risk Committee – Corporate CFO, Chair
Project Office – General Auditor, Corporate Controller, Internal Audit, Finance
VF Europe – BU Owner, BU Coordinator
Location Coordinators:
• UK
• Belgium, Italy
• Germany, Poland, Malta

Ongoing Monitoring … VF Methodology
• Ongoing Business Unit testing
• Integrated internal audit approach to test Business Unit compliance with Section 404 vs. stand-alone audits of Accounting and Financial Reporting internal controls
• Quarterly certifications from Business Unit CFOs and CIOs

Summary
• Analysis and assessment of soft controls is as critical as analysis and assessment of hard controls.
• Need for evaluation of controls that span all five components of COSO.
• Business unit management owns the monitoring function.