Process and Controls SOX Training

Uploaded by Adnan Malik
© All Rights Reserved

Process and controls SOX training
May 2017
SOX training agenda

Topic – Page number
SOX regulatory overview – 3
SOX control framework – 8
EY offerings – 41
Questions – 43

Page 2 Process and controls SOX training


Training objectives

► Discuss importance of the Internal Control Sarbanes-Oxley (SOX) Section 404/COSO 2013 Framework
(Framework)
► Level set expectations of the roles and responsibilities for various key stakeholders involved in the
SOX process
► Discuss the framework methodology and key outputs

SOX regulatory overview

Overview of regulatory requirements

Background and overview of SOX

► Corporate and accounting scandals, involving a limited number of large and prominent US companies,
resulted in a significant loss of public trust in corporate accounting and reporting practices.
► In response, the US Congress enacted the Sarbanes-Oxley Act of
2002 (SOX) to establish a higher corporate governance standard.
► The primary objectives of SOX are to:
► Restore public trust and confidence in the public securities market
► Improve corporate governance and promote ethical business practices
► Enhance transparency and completeness of financial statements and
disclosures
► Ensure that company executives are aware of material information
emanating from a well-controlled environment
► Hold Management accountable for material financial information
► Achieve new levels of corporate excellence

History of COSO and SOX

► 1985 – Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed to address
fraudulent financial reporting. Sponsoring organizations:
► American Institute of Certified Public Accountants (AICPA)
► American Accounting Association (AAA)
► Financial Executives International (FEI)
► Institute of Internal Auditors (IIA)
► Institute of Management Accountants (IMA)
► 1992 – COSO released Internal Control – Integrated Framework
► 2002 – Sarbanes-Oxley Act signed
► Established Public Company Accounting Oversight Board (PCAOB)
► Section 302 – Executive Management certification of financial information accuracy
► Section 404 – generated the need to assess internal controls over financial reporting (ICFR)
► Section 906 – penalties for fraudulent reporting
► 2004 – PCAOB releases Auditing Standard No. 2 – focused on ICFR coverage of financial statements
► 2007 – PCAOB releases Auditing Standard No. 5 – top-down, risk-based approach
► May 2013 – COSO updates Internal Control – Integrated Framework
► Requires focus beyond just financial reporting to include non-financial reporting
► Updated for impact of technology
► Codified 17 principles of internal control
► October 2013 – PCAOB released Staff Audit Practice Alert No. 11 – Considerations for audits of
internal controls over financial reporting
Key SOX components

Key sections – requirements for Management:
► Section 302
► Section 404

Section 302
► Officers must certify they are responsible for establishing and maintaining internal controls and
that these controls are designed to provide material information to the officers.
Section 404
► Management is required to perform an annual assessment of internal controls over financial
reporting, including tests of the design and operating effectiveness of controls.
► The external auditor is required to provide an opinion on the effectiveness of internal controls
over financial reporting, as well as the financial statements.

SOX control framework

Internal control framework

► The Framework was developed to:
► Provide SOX compliance program guidance to the company.
► Drive consistency among the company’s subsidiaries.
► The Framework outlines the SOX lifecycle to be performed by
Management at each entity, including:
► Planning and scoping
► Control design
► Operating effectiveness testing
► Evaluation and reporting

Processes, risks and controls

What is a process, risk and control?

A process is:
► A series of actions, changes or functions that transform inputs into outputs.
► The process owner is the person responsible for the process.

A risk is:
► The threat that an event, action, or non-action could adversely affect an organization’s ability to
achieve its business objectives and execute its strategies successfully.

A control is:
► Any action taken to mitigate or manage risk and increase the probability that the business/process
will achieve its goals and objectives.

IT general controls

IT General Controls ensure the proper development and implementation of IT infrastructure as well as
the integrity of programs, data files and computer operations.

Category: Change Management
Objective: To provide reasonable assurance that only appropriately authorized, tested, and approved
changes are made to in-scope systems
Examples:
► Changes are Authorized
► Changes are Tested
► Changes are Approved
► Changes are Monitored
► Duties are appropriately segregated

Category: Logical Access
Objective: To determine that only authorized persons have access to data and applications and that
they can perform only specifically authorized functions
Examples:
► General Systems Security Settings
► Password Configuration
► Systems User Administration
► Privileged Users
► User Access Reviews
► Segregation of Incompatible Duties (SOD)

Category: IT Operations (Backup and Recovery, Job Scheduling, Problem and Incident Mgt., Vendor Mgt.)
Objective: To determine that the critical data is properly backed up so that it can be accurately and
completely recovered if there is a system outage or data integrity issue
Examples:
► Backup and Recovery
► Job Scheduling
► Problem and Incident Management
► Data Center Walkthrough
► Physical Access

Applicable IT Environment: Applications; Network and Operating Systems (OS); Interfaces; Database
Management Systems (DBMS)

Identify and understand information produced by the entity (IPE)
► Large amounts of information may be generated by an entity for use
in managing the business, and for analyzing and preparing financial
information.
► IPE is often provided in the form of a “report” which may be either
system-generated, manually-prepared, or a combination of both.
► Examples of IPE relevant to general IT controls include:
► System Change Listing
► Listing of Users with Privileged Access
► Terminated User Listing
► Password Configuration Report
► Periodic Access Review Listing
► Listing of Users with Data Center Access

IPE testing elements

Consider the following elements of IPE, as applicable:

Source data
► The information from which IPE is created. This may include data maintained in the IT system or
external to the system (e.g., data maintained in an Excel spreadsheet or manually maintained).
Report logic
► The computer code, algorithm, or formulas for transforming, extracting, or loading the relevant
source data and creating the report. Report logic may include standardized report programs,
user-operated tools (e.g., query tools and report writers) or Excel spreadsheets.
Report parameters
► Report parameters allow the user to look at only the information that is of interest to them.
Common uses of report parameters include defining the report structure, specifying or filtering the
data used in the report, or connecting the related reports (data or output) together.

Control activities – Key vs. non-key controls

► Key controls:
► A key control is a control that, if it fails, will result in at least a reasonable likelihood that a
material error in the financial statements would not be prevented or detected on a timely basis.
► Key controls are the controls that Management relies on most for the integrity of financial
statements and are designed to reasonably detect or prevent a material misstatement.
► Key controls are designed in such a manner that they mitigate multiple risks or prevent/detect
significant errors in financial statements.
► Non-key controls:
► Non-key controls are additional controls that provide comfort that the risk is mitigated.
► They could be specific to business operations, but do not have a high impact on financial
transaction processing and financial reporting.
► As part of scoping, Management determines which controls in each process are defined as “key” or
“non-key” controls.
► Only key controls are in-scope for testing.

Phase 1 – Planning and scoping

Overview and purpose

► Purpose is to identify, quantify and analyze the risk of financial misstatement, as well as the
potential magnitude of such misstatement, considering both quantitative and qualitative factors.
► Phase 1 includes a 6 level approach to determine SOX scope and adequacy of coverage

Risk Assessment

1. Determination of in-scope locations
2. Determination of significant accounts, disclosures and classes of transactions
3. Identification of related sub-processes
4. Determination of financial statement line item coverage
5. Identify the relevant Financial Statement Assertions and information processing objectives
6. Map business processes/cycles and sub-processes/cycles to applicable information systems

Phase 2 – Understanding of business processes

Phase 2 – Understanding of business processes
► Conduct meetings with business process and sub-process owners to
get an end-to-end understanding of the process. The purpose is to:
► Understand the flow of transactions related to relevant assertions
► Verify key risk points have been identified
► Identify controls in place to mitigate the key risks
► Assess whether controls identified cover the financial statement
assertions mapped to each account during Phase 1.
► Key output:
► Narratives and process flowcharts

Phase 3 – Evaluating controls

Phase 3 – Evaluating controls

► Key controls identified in Phase 2 are documented within the Risk and Control Matrix based on the
following criteria:
► The control addresses the control objectives associated with the financial
statement assertions and information processing objectives for the
significant financial statement account.
► Level of reliance on the control considers points at which errors and/or
fraud could occur, nature of the control, significance of the control in
achieving objectives, and the risk the control may not be operating
effectively.
► Consideration of the nature and reliability of the control, including whether
the control is manual/automated, frequency of the control,
knowledge/experience of individuals performing the control, adequacy of
segregation of duties, reliability of information used in performance of the
control, and the period covered by the control.
► Key output:
► Risk and Control Matrix

Phase 4 – Walkthroughs

Phase 4 – Walkthroughs
Design evaluation

► Walkthroughs provide evidence to:
► Confirm the understanding of the process flow of transactions
► Confirm the understanding of the design of controls identified
► Confirm the understanding that a process is complete
► Evaluate the effectiveness of the design of controls
► Confirm whether controls have been placed in operation
► Key output:
► Walkthrough documentation

Phase 5 – Operating effectiveness assessment

Phase 5 – Operating effectiveness assessment
► Testing is performed to determine whether the control:
► Operated as we understood
► Was applied throughout the period of reliance
► Was applied on a timely basis
► Encompassed all applicable transactions
► Information/data used to assess the control is reliable
► Documentation is retained/evidence of operation
► Resulted in a timely detection/escalation of any errors
► Testing is leveraged to support quarterly and annual certifications on
internal controls over financial reporting.
► Key output:
► Testing template

Phase 5 – Operating effectiveness assessment
► Nature of tests to be used:
► Inquiry – Includes asking questions about controls. This type of test provides the least amount of
comfort and is not sufficient on its own to adequately evidence and support a conclusion on the
effectiveness of controls.
► Observation – Includes observing the performance of control activities and is an appropriate
testing method where there is no documentation available to support the operation of a control.
Provides a higher level of evidential matter than inquiry alone.
► Inspection – Includes examining supporting evidence.
► Re-performance – Typically includes a combination of inquiry, observation and examination of
evidence.

Level of comfort, from lowest to highest: Inquiry, Observation, Examination, Reperformance

Phase 5 – Operating effectiveness assessment
► Nature of tests to be used:
► Risk ranking of controls assists in determining the type of testing which is appropriate to gain
comfort over the operating effectiveness, given the nature of tests vary in level of comfort provided.

Test type by business sub-process risk and control risk (L/M/H):

Business sub-process risk H:
► Control risk L: Direct Testing through Reperformance/Examination
► Control risk M: Direct Testing through Reperformance/Examination
► Control risk H: Direct Testing through Reperformance/Examination
Business sub-process risk M:
► Control risk L: Observation and Examination
► Control risk M: Observation and Examination
► Control risk H: Direct Testing through Reperformance/Examination
Business sub-process risk L:
► Control risk L: Observation/Inquiry
► Control risk M: Observation/Inquiry
► Control risk H: Observation and Examination

Phase 5 – Operating effectiveness assessment
► Extent of testing:
► When testing, sample sizes are dependent on the frequency with which the key controls occur, the
competence and authority of the person that performs the control, the persuasiveness of the evidence
produced by the control, the expected deviation from the control and prior experience in the control.

Sample size guidelines (columns: frequency of control | assumed population of control occurrences |
original sample size | # of exceptions | retesting: additional sample size | # of exceptions in 2nd
sample | additional sample size):
Annual | 1 | 1 | 1 | Control Fails
Quarterly | 4 | 2 | 1 | Control Fails
Monthly | 12 | 3–5 | 1 | Control Fails
Weekly | 52 | 8–15 | 1 | Control Fails
Daily | 250 | 25–40 | 1 | 25 to 40 | 1 | Control Fails
Multiple times a day | Over 250 | 45–60 | 1 | 45 to 60 | 1 | Control Fails

Phase 5 – Operating effectiveness assessment
► Timing of procedures:
► Testing must be performed over a period of time adequate enough to determine whether the controls
are operating effectively. The period of time varies with the nature and frequency of controls.
► Testing should be spread across the accounting period to evidence operating effectiveness of
controls and satisfy Generally Accepted Auditing Standards (GAAS).
► Testing should be performed closer to the “As of” date for controls over significant non-routine
transactions, highly subjective accounts/processes and recording of period-end adjustments.

Testing timeline: Beginning of period → Interim Testing → Mid-year → Rollforward Testing → Report
date (“As of” Date) → Year End Testing

Year End Testing at the “As of” Date covers:
► Significant non-routine transactions
► Accounts/process with high subjectivity or judgment
► Period end reporting
► Controls that failed at an interim or rollforward date

Phase 5 – Operating effectiveness assessment
► Testing exceptions:
► Test exceptions should be evaluated to determine whether they represent a control
deficiency. If exceptions are identified during testing:
► Understand the nature and root cause of the exception
► Assess the impact/magnitude of the finding to the process, department and organization
as a whole.
► Evaluate fraud considerations.
► Understand the potential effect on risk coverage.
► Determine if the exception is systemic or a one-time occurrence.
► Determine if the exception applies to the whole population or particular segments.
► Evaluate whether the exception is the result of a performance issue or a lack of
documentation.
► Solicit Management’s thoughts about issue resolution.
► Confirm factual accuracy of issues/findings with Management.
► Perform testing of compensating or secondary controls (if applicable).
► Testing exceptions, as well as Management responses to the exception, should be
documented in the test plan.

Phase 6 – Update and remediation testing

Phase 6 – Update and remediation testing
Update testing

► When is it performed?
► If controls have been tested at an Interim Date, Rollforward Testing must be
performed for the remaining period through the "As Of" date.
► What should be considered?
► The results of controls testing prior to the “As Of” date.
► Length of remaining period (the longer the untested period, the more robust the
testing)
► Possibility of significant changes.
► How should it be performed?
► Using a risk-based approach, a combination of the following is to be performed:
► Inquiries
► Scanning reconciliations performed in the process
► Reviewing annotated copies of reports and/or follow up communications
► Additional walkthroughs
► Selecting more important controls to independently test

Phase 6 – Update and remediation testing
Remediation testing

Required to validate/test the effectiveness of remediation prior to closure.

When is it performed?
► If controls that were tested at an interim time were determined to have deficiencies (either in
Design or Operational Effectiveness).
What should be considered?
► Inquire whether the appropriate remediation has been put in place and document inquiry in testing
template.
► Test a sample using sample size guidelines.
How should it be performed?
► Determine appropriate minimum period using the sample size guidelines below.

Frequency of control | Minimum time period/number of times of operation for remediated controls as of
the end of fiscal year | Minimum number of items to be tested for remediated controls
Quarterly | 2 quarters | 2
Monthly | 3 months | 3
Weekly | 8 weeks | 8
Daily | 25 days | 25
Multiple times a day | 45 times over a multiple day period | 45

Phase 6 – Update and remediation testing

After a control fails, adequate population and re-testing time is required before the control can
be deemed adequate and the issue is closed.
Sample monthly control remediation testing timeline:
► Sept 30 – Monthly control tested and found inadequate
► Oct 7 – Action Plan established (issue discussed and documented within one week of discovery)
► Oct 20 – Action Plan completed
► Waiting period: 3 months (for monthly control); issue stays open until re-testing is successfully
completed
► Jan 20 – Control retested 1/20 and no exceptions found; control adequate; issue closed Jan 20

Phase 7 – Evaluation of deficiencies

Phase 7 – Evaluation of deficiencies

At the conclusion of testing, all deficiencies not remediated at year end will be evaluated to
determine their nature and impact.
What is a deficiency?
► When the design or operation of a control does not allow management or employees, in the normal
course of performing their assigned functions, to prevent or detect and correct misstatements on a
timely basis. There can be both design and operating deficiencies.
What is a significant deficiency (SD)?
► A deficiency or combination of deficiencies in internal control that results in the reasonable
possibility that a significant misstatement of the company’s annual or interim financial statements
will not be prevented or detected. Significant deficiencies need to be disclosed to the audit
committee.
What is a material weakness (MW)?
► A deficiency which gives rise to a situation such that there is a reasonable possibility that a
material misstatement of the company’s annual or interim financial statements will not be prevented
or detected on a timely basis. Material weaknesses need to be disclosed in the financial statements.
To evaluate deficiencies and classify each as an SD or MW, several factors need to be considered,
including the dollar amount of the deficiency at the aggregate level, the nature of the deficiency,
and further Management knowledge and judgment.

Phase 7 – Evaluation of deficiencies

► Deficiencies in internal controls that are not remediated are evaluated by Management, individually
and in the aggregate, and reported as follows:

Deficiency classification | Likelihood of misstatement | | Potential magnitude of misstatement
Control deficiency | Remote | OR | Inconsequential
Significant deficiency | More than remote | AND | More than inconsequential
Material weakness | More than remote | AND | Material

► Deficiencies are aggregated to determine if, in the aggregate, they rise to the
level of either a SD or a MW. Aggregation may be done by the process,
location, activity or nature of deficiency. Aggregation should be considered at
intervals throughout the year, so as to identify any Significant Deficiencies or
Material Weaknesses as early as possible in order to be able to address them
in an appropriate timeframe.
► Key Output:
► Summary of Aggregated Deficiencies (SAD)

Phase 8 – Reporting the results

Phase 8 – Reporting the results

► Results of SOX 404 compliance testing may be reported through the following:
► Recurring status meetings with management
► Quarterly communications on remediation efforts
► Communication of results of SOX testing to the external auditors.
► Annual Management report on effectiveness of each entity’s internal
control environment to local Management and the holding company.

► Key output:
► Periodic communication to the Audit Committee of SOX Program status
including:
► Summary of new, significant issues identified
► Summary of items not remediated in a timely manner or past target date
► Summary of repeat/recurring control deficiencies
► Status of remediation plans of issues previously identified

EY offerings

EY offerings

Offering: SOX program implementation
Key activities:
► Define SOX implementation vision; operating model
► Planning and risk assessment
► Scoping
► Identification and documentation of processes and controls
► Develop and execute test plans
► Reporting and remediation
Output: SOX implementation plan; Process and control documentation

Offering: Current state, future state and target operating model design
Key activities:
► Understand current state, identify gaps, deliver a structure for a SOX targeting operating model
considering maturity model and leading practices around the following:
► Governance and organizational structure
► Technology and infrastructure supporting testing processes
► Vendor oversight
► Cross functional integration
Output: Design and structure for target operating model

Offering: Controls Rationalization and Optimization
Key activities:
► Identify and reduce risks and controls not relevant to ICFR
► Identify redundant and insignificant controls
► Identify opportunities to centralize controls or activities in multiple locations
► Identify control automation opportunities
Output: Updated inventory of key controls

Offering: Robotics and Testing Automation
Key activities:
► Across the testing life cycle, identify robotics and automation opportunities
► Select a process that is material to the organization for proof of concept
► Build and implement pilots
► Prepare roadmap for automation for the rest of population
Output: Blueprint and roadmap for automation; Use of robotics for testing (pilot)

Offering: Co-source, including offshoring
Key activities:
► Across the SOX program life cycle, identify offshoring opportunities
► Design and implement processes to offshore SOX testing
► Verify sustainability of offshored SOX testing
Output: Enablement of offshore SOX testing

Questions?

Appendix

Process and controls SOX campaign committee

Process and controls SOX campaign committee
Derrick Steele – P&C SSL Leader
Karen Modena – P&C Campaign Leader
Jessica Rodgers – P&C Partner
Christina Ostran – Sr. Manager, P&C
Diana Lie – Sr. Manager, P&C
Ella Zhou – Sr. Manager, P&C
Maria Velez Basantes – Manager, P&C
Anna Hunter – Manager, P&C
Priyanka Anand – Senior, P&C
Appendix A

Example responsibilities of key oversight groups

Key oversight groups and their roles and responsibilities:

Country Head/CEO (Corporate and Local)
► Having an objective and periodic evaluation of the control environment, through updates
► Gaining an understanding of the implementation of all the agreements and action plans adopted to
mitigate and correct internal control weaknesses, and providing challenge as necessary
► Ensuring appropriate ownership of relationships with authorities and regulators.
► Providing visible support via company-wide communications and meetings with personnel for the
corporate internal control framework
Division Directors
► Active participation in the Corporate/Local Internal Control Committee established for each unit
► Keeping division internal control model updated, following the corporate guidelines explained in
this guide
CEO and CFO
► Required to assess effectiveness of internal control over financial reporting and reports thereon
(both design and operating effectiveness)
► Provide executive support for the SOX program to ensure the other stakeholder groups are owning
their responsibilities
► Participate in periodic update on SOX program to include, among other items, discussion of
deficiencies and project issues for which your support is needed.

Example: Responsibilities of key oversight groups

Key oversight groups and their roles and responsibilities:

Corporate SOX Internal Control Department (part of the Finance, Accounting and Management Control
Division)
► Propose to the Board of Directors approval or modification of the internal control model
► Assist CEO and CFO in management of the SOX Internal Control Framework
► Manage the Internal Control Committee, presenting a US-wide picture of control environment
► Define, implement and keep indicators methodology updated, including the technical support
► Coordinate, together with other divisions, the implementation of documentation methodology
► Prepare Group/Unit Internal Control evaluation report so that it is signed by Unit/Group’s CEO and
CFO (at a group level, also the CAO certifies)
► Report SOX program during execution and progress for remediation of deficiencies to the Executive
Committee, Disclosure Committee and Audit Committee quarterly
► Capture, facilitate, and inform stakeholders relevant control weaknesses, aggregation of
deficiencies and potential financial impact to the Organization
► Assess mitigating factors and controls initially identified by Management
► Aggregate deficiencies onto the Summary of Aggregated Deficiencies
► Capture, validate and monitor mitigation plans for identified Control deficiencies and potential
concerns
► Approval and monitoring of critical plans with respect to control aspects required by the Regulator
and Audit
► Take part in defining and monitoring action plans

Example: Responsibilities of key oversight groups

Key oversight groups and their roles and responsibilities:

Internal Audit
► Attend the Corporate/Local Internal Control Committee with frequency established for each unit
► Review the documentation of the internal control model
► Provide Corporate Internal Control with the control weaknesses found by their audits and inform
them about the fulfilment of the action plan
Audit Committee
► Receive updates about the SOX program and challenge status and process as appropriate
► Stay informed about significant deficiencies, material weaknesses, other notable deficiencies, and
any changes to the control environment that could materially impact the internal controls over
financial reporting

Appendix B

Example: Planning and scoping – Identification of relevant sub-processes and activity groupings

Qualitative risk factor: Degree of estimation
Description: This score represents the degree to which the sub-process requires judgment or the use
of estimates.
High: A high risk score is assigned to areas that require substantial judgment or place high reliance
on the use of estimates.
Moderate: A moderate score is assigned where the degree of estimation is reasonable and places
moderate reliance on the use of estimates.
Low: A low risk score is assigned for areas that do not require judgment or involve little use of
estimates.

Qualitative risk factor: Volume or homogeneity of transaction
Description: This score represents the number, size, and homogeneity of transactions included in the
sub-process, as well as changes from the prior period in account or disclosure characteristics.
High: A high risk score is assigned to a sub-process where there are very few transactions, each
unique and for a large percentage of the overall balance in the account, and where there have been
many changes from the prior year.
Moderate: A moderate risk score is assigned to a sub-process where there are few transactions, each
unique and for a moderate percentage of the overall balance in the account, and where there have not
been many changes from the prior year.
Low: A low risk score is assigned to a sub-process where there are few transactions, each unique and
for a moderate percentage of the overall balance in the account, and where there have not been many
changes from the prior year.

Example: Planning and scoping – Identification of relevant sub-processes and activity groupings

Qualitative risk factor: Volatility and error experience
Description: This score represents the degree to which the sub-process is susceptible to volatility
and error or historical findings (such as significant IA findings, adjustments due to external auditor
findings, or financial statement restatements).
High: Higher scores were assigned if there were volatility and many historical errors of significance.
Moderate: A moderate score is assigned to a sub-process if there was minimal volatility and few errors
of significance.
Low: A low score is assigned to a sub-process if there was no volatility and no historical errors.

Qualitative risk factor: Complexity and degree of change in the supporting processes and systems
Description: This score represents the complexity and frequency of change to the supporting processes
and systems used to record financial transactions related to this account or disclosure.
High: A high risk score is assigned for areas in which the supporting processes and systems are
complex and change frequently.
Moderate: A moderate risk score is assigned where supporting processes and systems have minimal
complexity and frequency of change.
Low: A low risk score is assigned when supporting processes and systems are not complex and the
frequency of change is low.

Page 53 Process and controls SOX training


Example: Planning and scoping – Identification of
relevant sub-processes and activity groupings

Qualitative risk factor: Degree of centralization of process
► Description: This score represents the degree to which the process is centralized
► High: A high risk score is assigned for highly decentralized processes
► Moderate: A moderate risk score is assigned where there is a mix of centralized and decentralized processes
► Low: A low risk score is assigned for highly centralized processes

Qualitative risk factor: Fraud susceptibility
► Description: This score represents the degree to which the sub-process is susceptible to fraud
► High: A high risk score is assigned to a sub-process if there has been a history of fraudulent entries associated with the accounts and/or the inherent risk of fraud is high
► Moderate: A moderate risk score is assigned to a sub-process if there has been some history of fraudulent entries associated with the accounts and/or there is inherent risk of fraud
► Low: A low risk score is assigned to a sub-process if there has been no known history of fraud, and limited inherent risk of fraud in the area


Example: Planning and scoping – Identification of
relevant sub-processes and activity groupings

Qualitative risk factor: Control deficiencies
► Description: This score represents the degree to which process level control deficiencies were noted in the past
► High: Currently possesses in aggregate deficiencies that contributed to a significant deficiency. Internal Audit reports noted deficiencies and "unsatisfactory" grades for areas reviewed
► Moderate: Currently possesses control deficiencies with a quantification net exposure of at least $1m and up to $16m. Internal Audit reports noted deficiencies and "needs improvement" grades for areas reviewed
► Low: Currently does not possess control deficiencies. Internal Audit reports did not note any deficiencies or areas for improvement

Qualitative risk factor: Level of automation
► Description: This score represents the level of automation in the process area
► High: Sub-processes with a high risk score are those where one or more of these components (transaction initiation, valuation or calculation, and feed to the general ledger) are manual processes and which place high reliance on end-user computing, particularly for complex calculations
► Moderate: Sub-processes with a moderate risk score are those where one or more of these components (transaction initiation, valuation or calculation, and feed to the general ledger) are partially manual processes and which place moderate reliance on end-user computing
► Low: Sub-processes with a low risk score are entirely automated (including transaction initiation, valuation or calculation, and feed to the general ledger) and place no reliance on end-user computing


Appendix C – Offshoring



Why shared services?

With current economic conditions forcing a re-evaluation of existing operational models and cost structures, shared services is a viable option to streamline processes, set the foundation for long-term operational excellence and increase long-term profitability. The strongest shared services value proposition in banking involves the creation of highly efficient and cost-effective operations centers that go beyond simple accounting and HR processes to support other core business functions across the business.


Industry themes



Industry themes

We see common challenges and solution themes across the industry driven by the need to reduce cost, increase capability, deliver against regulatory demands and better partner with the business.

Target state: an efficient, effective and well controlled Finance function that reports accurately and provides forward looking insight to the business to support decision making.

Efficient
► Centralization of reporting ‘production’
► Simplified standardised processes
► Alignment of various processes
► Organisation streamlining and delayering
► Process automation including robotics

Effective
► Redefining Finance’s role in the business
► Developing Finance people and increasing ‘bench strength’
► Enabling Finance to challenge and advise
► Formalising standards for financial data

Well controlled
► Formalising the financial control framework
► Ensuring effective oversight and governance
► Automation of controls e.g., reconciliations
► Extending control discipline to the business
► Alignment of financial and regulatory view

Reports accurately
► Moving towards a simplified and faster period end close
► Enabling consistent reporting through centralisation of data sources and controls

Forward looking
► Improving planning and budgeting processes
► Utilising driver based forecasting
► Emphasising regular rolling forecasts
► Improve capability to educate the business on planning

Provides insight
► Freeing up key Finance and Actuarial professionals to focus on insights
► Emphasising profitability analytics
► Finance’s role moving to being a trusted adviser in decision making


Challenges

The financial services industry faces challenges, including cost, capability, quality, time to
report and the challenge from the business to be a better business partner
► Many have offshored ‘roles’ but not processes and have yet to standardise and achieve
integrated E2E processes across locations
► Finance Strategy/Service Proposition has not been linked through to the capability and
support model (for shared services)
► Lack of ‘service’ based approach, with offshore teams not able to support multiple
locations
► Systems and data challenges/lack of investment means difficult to drive standard
operating model across multiple locations
► Need to rationalise Finance support locations – lack of integration and ability to drive
common processes and change
► Duplicative checking of off/near-shore output, not addressing quality at source and lack
of MI/KPIs to inform improvement
► Expensive resource performing low-value tasks (e.g., actuarial) and tasks performed
offshore which should be automated
► Need to explore automation and robotics to remove inefficiencies, help standardise
processes and improve control



Evolution of finance shared services
locations (SSL)
Leading organizations are moving on from disparate, regional SSLs to global SSL networks and global processing.

[Diagram: globally harmonized regional SSLs, evolving to regional SSLs supported by a global hub]

Key trends
► Consolidation of existing centers within regions
► Establishment of new regional or global centers in high growth markets (Asia, Latin America, Middle East)
► Regional transaction processing centers for:
► The Americas
► Europe and the Middle East
► Asia Pacific
► Hybrid model of both global transactional processing centers and regional centers of excellence

Key considerations
► Infrastructure and corporate footprint more often considered
► Labor costs and capability key focus
► Professional skills and languages are a “must”
► Increasing concentration in few global centers is pushing wage inflation
► Leverage ‘global day’
► Strong focus in high growth areas in Latin America and Asia Pacific (e.g., India, China and Brazil)


Evolution of finance shared services
locations
By 2020 we expect further activities to be moved out to captive and outsourced shared services, thereby reducing local finance teams. In addition, a number of larger companies are looking to extend the capability in their low cost locations such as the Philippines, India, Slovakia and Poland for even greater cost optimisation.

[Chart: Location of finance and actuarial functions, percent of respondents, captive shared services locations versus outsourced shared services locations, location performed in 2014 versus location expected in 2020. Functions charted: transaction processing (accounts payable and expense reimbursement, actuarial reserving and valuation, cost management, fixed asset accounting, general accounting, payroll, revenue accounting, taxes, treasury); reporting (internal and external reporting, communications); decision support (planning, budgeting and forecasting; performance analysis and decision support; capital management); controls (policy, procedures and controls; internal audit); finance function management (finance HR, finance IT).]


Changed focus

The industry focus is now moving on from initial labour arbitrage gains to integrated, service based shared service models.

Market trends
A number of Global bank’s peers have embarked on more strategic ‘second generation’ shared service programmes. From our experience of working with these organisations, the common levers to optimise shared services locations are typically around the following themes (shown around the Finance Shared Service Centre Locations at the centre of the diagram):
► Strategy: Process and systems are globally consistent with a high degree of automation and common data structures
► Location Strategy: Strategy based on increasing scope, standardisation and scalability is central to the business case
► People and organisation: Talent programmes and incentives are deployed to retain the best staff and recognise great customer service
► Functional scope: Functional scope is extended to give the FSSL greater control over end-to-end operations
► Automation, robotics and process improvement
► Governance: Governance is professionalised with common SLAs and performance reporting. Controls are optimised to mitigate risk and inefficiency
► Global scope: Global scope is extended to ensure a consistent approach is deployed across all regions with harmonisation across locations
► Retained function: Retained function refocused onto high value business partnering activities to enable improved insight and decision making

Key enablers for change and focus for Global Insurer
Finance Service Proposition
► Clarity on role of Finance against key strategic objectives
► Linking this back to capability across all aspects of the Finance Operating Model
► Clear plan to achieve
► Long term view on capability and support model
► Rationalise and centralise core capabilities and processes (e.g., Operational Accounting/Report Production)
► Focus key E2E processes, managing quality at source and removing duplicative checking roles
► Targeted robotics solutions to standardise and accelerate processes and remove EUCs
Technology Roadmap
► Targeted IT investment in automation and data sourcing (which drives much of the downstream Finance issues)
People
► Long term view on skills, experience and capabilities required and the best locations for these
► Training and development to support drive for continuous improvement


Appendix D – Robotics



Why robotics?

► Accounting and other back office functions across organizations are
facing a disruptive revolution. Automation is changing the way corporations
work.
► Robotics Process Automation (RPA) technology, and the mindset behind it, is now part of the
global economy, transforming how businesses move to automation.
► The technology is developing fast and can be described by three categories
depending on the level of “intelligence”:
► Rule-based automation – Robots that follow a set of pre-defined rules that describe
tasks
► Enhanced/intelligent process automation – Robots that can understand
unstructured data, human communication (e.g., voice or email) and draw
conclusions from data cross-checking
► Cognitive platforms – Robots that learn from experience in the same way as
humans do in order to perform complex tasks without human interference
► EY has been building up competencies and established proof of concept
designs across the globe to be ahead of the market.


Robotics process automation (RPA)



RPA – Next major revolution

► There are a number of vendors providing RPA solutions, each of them having different strengths
and weaknesses

RPA targets key indicators of shared services locations
► Cost reduction
► Quality increase
► Faster processes

Leading providers offering automation solutions, and the companies robots are already working for, are shown in the original slide as vendor and company logos.

Success stories were already reported
Large utility firm
► 25% less customer complaints
► 60% FTEs redeployed*
► 200% 1yr ROI
Large telecom operator
► 50% fewer errors
► 50% freed-up resources
► 650% to 800% 3-Yr ROI
Global insurer
► 25% freed-up resources
► 51% cost reduction for delivery of high-frequency tasks

[Video: Overview of Robotics in Banking – some use cases]


RPA – An obvious opportunity

1 Managing huge manual workloads and increasing transaction volumes
► High transaction volumes, manual handling of documents, invoice processing, manual data entries across myriad business systems such as ERPs, e-approval systems and other employee portals, leading to duplication, erroneous inputs and elongated processing times
► Four key areas in financial accounting where robotics use can reliably replace large amounts of manual work: accounts payable, accounts receivable, general ledger and fixed assets

2 Less intelligent automated solutions leaving room for manual intervention
► Most organizations have already invested in ERP, self service and reporting, yet they are still searching for ways to streamline and automate the manual process flows, exceptions, and approvals
► For companies that have spent millions on ERP systems, the frustrating reality is that it often throws up as many problems as it resolves. Even SAP, after a lengthy finance transformation, found itself still handling more than 20,000 manual tasks in the Record to Report process each month end

3 Ineffective tracking and monitoring systems
► Lack of an effective tracking, monitoring and reporting system for KPI management and performance based incentive handling
► With shared services locations, organizations are unable to track resource productivity and real time transaction status, creating difficulty in equal distribution of work among users

4 Compliance and audit readiness
► Ensuring compliance with accounting standards and policies
► Streamlining audit cycles for faster and compliant audits

5 Training strategy and talent management
► The increasing need for cost reduction and optimization is strengthening the case for shared service centres in the pharma industry. Recruiting and training the right talent is critical to the success of a SSL

SSL: Shared services locations
ERP: Enterprise resource planning
SAP: Systems, applications, products


Appendix E – Impact on internal audit



Impact on internal audit

► SOX Section 404 requires the company and its Subsidiaries’ Management
(Management), as well as its External Auditor, to report on the adequacy of
the company’s Internal Control Over Financial Reporting (ICFR).
► Testing of ICFR occurs throughout the year.
► Management is required to follow the 2013 COSO framework for internal
controls and to maintain extensive documentation of controls.
► Management is required to conduct quarterly certifications (Sections 302 and
404) of the nature and effectiveness of internal controls and the quality of
information contained in Forms 10-Q and 10-K.
► The External Auditor must also test ICFR as part of their annual audit procedures
and issue a separate statement in their opinion on the adequacy of ICFR.
► It is important to note that while Management’s assessment of ICFR to
comply with Section 404 is based on the state of ICFR as of December 31, it
is expected that the controls are in place and functioning the entire year.


Key benefits

Financial reporting
► Heightened credibility provided to all stakeholders, whether they be owners, employees, customers, lenders or vendors
► Better information to manage the business
► Reduced risk of errors or irregularities

Operational
► Clarity in the roles and responsibilities of both Management and employees
► Greater controls over the management of business growth
► Reduced costs obtained from greater operating efficiency
► Maximized operating performance

Regulatory
► Decreased risk of litigation or business disruption, thanks to the focus on compliance
► Lowered risk of employee or customer litigation
► Increased credibility with regulatory bodies
► More credibility in contractual relationships with vendors and customers


Appendix F – Roles and responsibilities



Process/control owner responsibilities

► Process owners are responsible for the following:
► Understanding and defining the risk associated with the business process
or activity being performed, as well as related internal controls
► Taking ownership for defining and updating policies and procedures
reflective of the processes in place
► Providing comprehensive and accurate detail on changes to in-scope
SOX processes
► Executing processes and control procedures in line with the
understanding of associated risk and proactively communicating gaps or
exceptions
► Understanding the end-to-end flow of processes, including roles and
responsibilities before and after the performance of each step and related
“handoff risks”
► Providing input to the deficiency assessment and aggregation process
► Remediating control deficiencies


Control supervisor responsibilities

► Control supervisors are responsible for the following:
► Understanding and communicating roles and responsibilities of the Control
Owners
► Ensuring compliance with internal policies and regulatory requirements
► Ensuring Control Owners are providing detailed input on changes to SOX
processes to facilitate SOX documentation maintenance
► Monitoring the ongoing effectiveness of internal controls
► Re-evaluating controls to ensure ongoing achievement of Management’s
objectives in the most effective and efficient manner
► Providing input, as needed, to the assessment and aggregation of
deficiencies
► Identifying and implementing best practices from other areas of the
organization or similar external groups


Appendix G – COSO internal control
framework



COSO Internal Control Framework overview

COSO has developed the following cube representing the integrated components of the
internal control structure in organizations. Two faces of the cube are described here: the
3 Objective Categories and the 5 Interrelated Components (control environment, risk assessment,
control activities, information and communication, and monitoring activities).

3 Objective Categories
► Effectiveness and Efficiency of Operations – Relates to an entity’s basic business
objectives, including operational and financial performance goals and
safeguarding assets against loss.
► Reliability of Reporting – Relates to the internal and external financial and
non-financial reporting and may encompass reliability, timeliness, transparency,
or other terms as set forth by the regulators, recognized standard setters, or the
company’s policies.
► Compliance With Laws and Regulations – Relates to complying with those laws and
regulations to which the entity is subject.

Internal control is designed to provide reasonable assurance regarding the achievement of objectives.


Approach for COSO compliance

► Each entity can map existing control documentation to meet the requirements
set in the 2013 COSO framework guidance. This process includes:
► Determining if the 5 components of a system of internal controls (control
environment, risk assessment, control activities, information and communication,
and monitoring activities) are operating together in an integrated manner.
► Assessing and documenting severity of control deficiencies or combination of
deficiencies when aggregated across components.
► Evaluating each individual internal control component by assessing whether every
principle tied to each component is present and functioning, as well as
documenting and evaluating control deficiencies resulting from a lack of presence
and operating effectiveness of principles tied to internal control components.
► Updating SOX documentation to support relevant principles.
► Key output:
► COSO Assessment



Appendix H – Additional information on SOX
Framework



Phase 4 – Walkthroughs
Sample operational control questions

► Who performs the control and what is their level of experience?
► Have there been any changes to the control from the prior period?
► Who performs the control in the absence of the control owner?
► Has the control owner ever been asked to override the control?
► What constitutes an exception/error, has the control previously
identified exceptions/errors, and how were these resolved?


Phase 4 – Walkthroughs
Sample review control questions

► How does the reviewer set expectations to critically challenge assumptions,
methodologies, results and other relevant items before performing the review?
► What procedures are performed as part of the review? Are there specific items that
receive additional attention?
► What quantitative or qualitative threshold is used to perform the review?
► What triggers the reviewer to request the preparer to perform additional follow-up
procedures?
► What is the nature of questions resulting from the review, the subsequent follow-up and
the types of adjustments or changes that result from the review? Were the adjustments
or changes made timely? (If no errors have been detected by the control, consider
whether this indicates that the control is not designed at a sufficient level of precision.)
► What evidence exists reflecting the nature of questions resulting from the review and
follow-up actions performed?
► If prospective financial information (PFI) is used, what procedures are performed by the
control owner to challenge the PFI and the related key assumptions?


Phase 5 – Operating effectiveness
assessment
► Test plans are developed considering:
► Nature of tests to be used – type of test to be performed based on the level of risk
determined for each control.
► Extent of testing – number of samples selected and tested based on the frequency
and assumed population.
► Control risk rating – considering factors such as the nature and materiality of the
misstatement the control is intended to prevent/detect, frequency, inherent risk,
complexity, etc.
► Population definitions – whether a control has multiple instances or more than one
individual performing the control.
► Control frequency – how often the control is performed.
► Information produced by the entity (IPE) – level of reliance on information to
perform the control.
► Timing – period over which the control was performed.
► Extent of evidence/documentation – level of documentation available to support
performance of the control.


EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world
over. We develop outstanding leaders who team to deliver on our
promises to all of our stakeholders. In so doing, we play a critical role
in building a better working world for our people, for our clients and
for our communities.

EY refers to the global organization, and may refer to one
or more, of the member firms of Ernst & Young Global Limited, each
of which is a separate legal entity. Ernst & Young
Global Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our
organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of
Ernst & Young Global Limited operating in the US.

© 2017 Ernst & Young LLP.
All Rights Reserved.

1704-2286204
ED None

This material has been prepared for general informational purposes
only and is not intended to be relied upon as accounting, tax or other
professional advice. Please refer to your advisors for specific advice.

ey.com