1 Dave Richards, CIA, CPA Director, Internal Auditing FirstEnergy Corporation.


Dave Richards, CIA, CPA

Director, Internal Auditing

FirstEnergy Corporation

Looking ahead: How upcoming rules and legislation might expand and alter internal auditing's roles

The Institute of Internal Auditors

Webcast Series on Sarbanes-Oxley

Session #4 - April 15, 2003

The Webcast Series on Sarbanes-Oxley’s Impact on Internal Auditing

• January 28 - Disclosure Controls*
• March 3 - Annual Certification of Internal Controls*
• April 1 - Coordination of Internal & External Audit Work*
• April 15 - Looking Ahead to Future Changes Impacting Internal Auditing*

*Available on CD-ROM and online archive for one year

Agenda

1:00 - 1:10 Introduction & Overview of SOA areas not covered in Webcasts thus far – Dave Richards
1:10 - 1:20 SEC SOA Actions – Status Update – Greg Faucette
1:20 - 1:30 Future for External and Internal Auditors – Andy Dahle
1:30 - 1:40 Future for Others Impacted by the SOA – Jim DeLoach
1:45 - 1:50 Break
1:50 - 2:25 Questions & Answers – Panel
2:25 - 2:30 Concluding Remarks – Dave Richards

SOA Areas

• Audit Committees:
    • Independence
    • Financial Expert
    • Direct Responsibility for External Auditor
    • Code of Conduct complaints
    • Engage advisors
    • Reporting requirements
    • Annual Assessment of performance
• Management:
    • Certification of quarterly and annual financials
    • Assessment of Disclosure Controls
    • Annual Assessment of internal controls
    • Penalties for false or misleading information
    • Code of Ethics for Senior Officers

SOA Areas

• External Auditor
    • Prohibited services
    • Independence requirements & disclosures
    • Quality assurance disclosures to audit committee
    • Attestation opinion on annual internal control assessment
    • Public Company Accounting Oversight Board (PCAOB)
    • Audit partner rotation every 5 years

Handling the Future

• “As the present reflects the past, so will the future reflect the present”
• Actions we can take to prepare:
    1. Knowledge of changes (stay in front)
    2. Share your knowledge
    3. Prepare for what you know is coming
    4. Be proactive with your management and the audit committee
    5. Prepare internal audit department staff for changes (e.g., focus on internal controls and financial issues)

Handling the Future

• Actions we can take:
    6. Partner with your external auditors & third party providers to build the most flexible team
    7. Don’t be afraid to fail!!
    8. Listen to your internal customers
    9. Develop a strategy (vision) of what you want to become
    10. Take advantage of opportunities (find someone looking for help and help them)

Issues

• Internal auditing as a proactive function
• Staying in touch with changes
• Focus on financial auditing theory
• Staff skills & qualifications
• Scope of work for internal auditing
• Working relationship with external auditors
• Audit committee support & involvement
• Training needs for audit committee, internal audit, and management
• Resources for internal audit department
• Willingness to change
• Having the right strategic plan


SEC SOA Actions – Status Update

Gregory A. Faucette

Professional Accounting Fellow

Office of the Chief Accountant

Securities and Exchange Commission

Disclaimer

The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. Therefore, the views expressed today are my own, and do not necessarily reflect the views of the Commission or the other members of the staff of the Commission.

Sarbanes-Oxley Act of 2002

Components of the SOA
– Title I – Public Company Accounting Oversight Board
– Title II – Auditor Independence
– Title III – Corporate Responsibility
    • Certifications
    • Audit committee standards
    • Improper influence of auditors
    • Insider trading during pension fund blackouts
    • Conduct standards for attorneys

Sarbanes-Oxley Act of 2002

Components of the SOA - Continued
– Title IV – Enhanced Financial Disclosures
    • MD&A disclosures
    • Non-GAAP financial measures
    • Reporting on internal controls
    • Disclosures about code of ethics
    • Disclosures of audit committee financial expert
    • Accelerated reporting deadlines
– Title V – Analysts Conflict of Interest
    • Regulation Analyst Certification (Reg AC)

Sarbanes-Oxley Act of 2002

Components of the SOA - Continued
– Title VI – Commission Resources and Authority
– Title VII – Studies and Reports
– Title VIII – Corporate and Criminal Fraud and Accountability
– Title IX – White Collar Crime Penalty Enhancements
– Title X – Corporate Tax Returns
– Title XI – Corporate Fraud Accountability

Remaining SOA Requirements

• Declare the PCAOB functional (April 26, 2003)
• Complete a study on principle based accounting system (July 30, 2003)
• GAO to complete a study on mandatory auditor rotation (July 30, 2003)
• Complete rulemaking on improper influence on conduct of audits (April 26, 2003)
• Complete a study on SPE use and related financial reporting (October 7, 2004)
• Complete rulemaking on management assessment of and auditor reporting on internal controls
• Additional rulemaking on analyst conflicts of interest by either Commission or SROs (July 30, 2003)

Other Related “To Dos”

• Recognize an accounting standard setting body
• Complete rulemaking on procedure for filing Section 302 and Section 906 certifications
• Consider further rulemaking on professional conduct of attorneys practicing before the Commission
• Complete rulemaking on mandated electronic filing and website posting for Forms 3, 4, and 5
• Consider rulemaking as necessary for disclosure on a “rapid and current basis”
• Complete rulemaking on MD&A disclosure of critical accounting policies

Possibilities?

Rulemaking on material correcting adjustments identified by auditors

Thoughts for Internal Auditors

• Uniquely positioned within organizations to effect improved internal control, financial reporting and corporate governance

• Possible role in compliance with Section 404 certification process

• Monitor other developments from the trickle-down effect of Sarbanes-Oxley


Future for External and Internal Auditors

Andrew J. Dahle, CIA, CPA, CISA, CFE

Partner, Internal Audit Services

PricewaterhouseCoopers

Looking Ahead to Future Changes Impacting Internal Auditing

Future for External Auditors

• Increased focus on risks and controls
• Enhanced perceived value of internal control assurance - impacts cost also
• Focus on quality
• PCAOB impact
• COSO is being embraced by clients like never before
• Enhanced respect for hard decisions

Future for Internal Audit - Near Term

• Expectations: The bar is rising
• Resources: Cannibalization or augmentation?
• Coordination: More coordination between external and internal auditor
• Focus: Current swing towards financial
• Objectivity: More is better
• Testing: Scope requires judgment
• Significance of issues: Where is the line?
• Quality: Standards require

Evolving Approaches to Internal Audit Involvement with SOA Certification

• The top-down assurance model

• The separate evaluation model

• The blended model

Links to Controls Maturity

Potential Internal Audit Roles

Review: Evaluate what is there

Recommend: Changes and improvements

Repair: Help improve

Report (1): On effectiveness of changes

Not operate

Note (1): External reporting role mandated to the external auditor

Future for Internal Audit

• Internal audit quality
• Internal audit impact on governance
• Enterprise wide risk management - optimized internal control maturity
• Internal controls over non-financial measures
• An integrated approach to 302 and 404
• Sustaining SOA controls assessments
• Fraud risk management
• Mandatory requirements for internal audit

The Bar is Rising on Internal Audit Expectations


Future for Others Impacted by the SOA

James DeLoach Managing Director

Protiviti

What We Can Expect

• SOA is here to stay

• Continuation of expectations gap

• More SEC rule making and new exchange listing requirements

• More aggressive, less forgiving regulators

• Increasingly demanding shareholder activists

• Market premium for increased transparency and restoring investor confidence

Trends: Senior Management

• The raised bar will drive emphasis on restoring trust in the investing community

• Controls more repeating, defined and managed

• Improve entity-level analytics and monitoring

• Emphasis on keeping disclosure process fresh

• Enterprise-wide risk management builds upon disclosure controls and procedures

• Renewed focus on ethical behavior and responsible business practices

Trends: Board of Directors

• Reevaluate independence standards and restructure board committees
• Increased attention on senior management compensation and loans
• Become more anticipatory and proactive
• Hold more executive sessions and increase influence of independent directors
• Increase focus on business risk
• Increase emphasis on corporate performance
• Review board and director performance

Trends: Audit Committees

• More aggressive and assertive

• Inclusion of financial experts

• Increased need for independent advisors

• Pay close attention to feedback from “whistleblowers” and the complaint process

• Oversee 302 and 404 compliance processes

• Broadening of risk focus

Trends: Unit Management

• Support of and provide resources to 404 compliance

• Increased accountability for effects of decisions and change on:
    – Internal control structure
    – Public reporting

• Increased focus on developing more robust business plans

Trends: Process Owners

• Document and support control design and assume accountability for control operation

• Timely follow-up on implementing control improvements

• Self-assessment will become common practice

• Balancing responsibility for monitoring processes at entity and process levels

• Opportunity to broaden focus to compliance and operational controls

Trends: External Auditors

• No reward for under-scoping and risk-taking
• Higher audit fees
• Expect:
    – Less tolerance for errors, omissions and exceptions
    – Increased skepticism and insistence on supporting evidence
    – More probing questions
    – The unexpected
• Increased emphasis on appearance of independence


Webcast Summary

• Webcast #1: SOA 302 Disclosure Controls
    – Disclosure controls identification
    – Disclosure controls testing within 90 days of Certification
    – Disclosure committee participation
    – Certification process flow
    – Sub-certification process & need for guidance in preparing documentation to support opinion statement

Webcast Summary

• Webcast #2 - SOA 404 - Annual Assessment of Internal Controls
    – New attestation standards
    – FDICIA assessment process (1991)
    – Process for doing 404 assessment
    – Use of CSA as a tool for assessment supplemented by testing
    – Use of COSO model to serve as benchmark for control assessment

Webcast Summary

• Webcast #3 - External / Internal Auditors Relationship
    – Options for relationship
    – Reliance on internal audit for 404 work
    – Material weakness and control deficiency definitions
    – Impact of SOA on internal audit annual plan
    – Audit committee changing expectations of external and internal auditor coordination and responsibilities

Webcast Summary

• Webcast #4 - The Future Impacts of SOA
    – The need for proactive involvement by internal audit
    – SEC actions still pending as a result of SOA
    – PCAOB impact on external audit future
    – External providers of services partner for success
    – Overview of other sections of SOA where internal audit should be active

Webcast Summary

• Key internal audit takeaways:
    – Cannot sit back and wait
    – Need to partner with external auditors
    – Need to be proactive with management
    – Work closely with audit committee to help drive closure on issues impacting the audit committee
    – Lead control awareness, assessment, testing, and reporting
    – Stay involved in the quarterly disclosure controls assessment

In Short:

Internal Auditing needs to develop a strategy on how it wants to be involved in the many aspects of SO to further their efforts to add value to their organization.

Opportunity is Knocking - will you answer?

Thank you for your participation!

Don’t miss our next Webcast series beginning May 6, 2003