Title: The Finance Role in Corporate Governance
1The Finance Role in Corporate Governance
2Finance Role in Corporate Governance
- Agenda
- Introduction/Ground Rules
- Governance - Overview
- COSO Framework
- Case Study
- Sarbanes-Oxley
- Overview of Act
- 302/404 Detail
- Implementation at ABC Company
- Wrap-up
3Finance Role in Corporate Governance
- Introductions
- Name
- Current Position/Company
4Finance Role in Corporate Governance
- General Ground Rules
- Breaks - Please return on time
- Everyone is expected to share ideas
- Be respectful
- Ask questions
- Express disagreements
5Finance Role in Corporate Governance
- Course Objectives
- Develop a common understanding of what corporate governance means at ABC Company
- Gain a practical understanding of the COSO model for internal controls
- Be able to apply COSO to business processes
- Understand the main requirements of the Sarbanes-Oxley Act of 2002
- Gain an awareness of how ABC Company will address the requirements of the Act
6Finance Role in Corporate Governance Related
Courses
Risk Controls Fundamentals Course Objectives
- Understand risk and how it applies to business
- Communicate using a common risk language
- Identify, source and measure risk
- Introduce a risk assessment tool
- Apply internal controls to help achieve business objectives
- Understand the application of risk management strategies in day-to-day operations
7Finance Role in Corporate Governance Related
Courses
Business Process Improvement Course Objectives
- Understand the basic quality principles underlying process improvement and process maintenance
- Identify opportunities to improve existing processes and develop new processes
- Use appropriate tools and techniques to understand current process and develop a new process
- Learn some tools and techniques for planning and managing a process improvement opportunity
- Learn how to communicate and gain commitment from others to implement the new or improved process
- Understand measurement to determine success of the new process
8Finance Role in Corporate Governance Related
Courses
- Consider Risk Controls course
- Consider Business Process Improvement course
9Finance Role in Corporate Governance
- Corporate Governance at ABC Company
- ABC Company has always held ourselves to high standards
- ABC Company finance has a heritage of control discipline
- Many good governance practices are already in place at ABC Company
10Finance Role in Corporate Governance
- What are the components of good Corporate
Governance?
11Finance Role in Corporate Governance
- Some components of good Corporate Governance
- Code of Conduct
- This We Believe
- Independent (external) audits
- Ethical culture
- Good internal control environment
- Independent Board
- Transparency in financial reporting
- Well documented processes
- Competence (training and education)
12Finance Role in Corporate Governance
- One good definition of Corporate Governance is . . .
- A hefty-sounding phrase that really just means oversight of a company's management - making sure the business is run well and investors are treated fairly.
From The Wall Street Journal (article by Judith Burns)
13Internal Controls - Myth or fact?
14Internal Controls - Myth or fact?
- 1) Internal control starts with a strong set of policies and procedures.
- Myth or Fact?
- Myth
- FACT: Internal control starts with a strong control environment.
15Internal Controls - Myth or fact?
- 2) Management is the owner of internal controls.
- Myth or Fact?
Fact
16Internal Controls - Myth or fact?
- 3) Internal controls are a necessary evil. They take time away from our core activities - making and selling products, and serving customers.
- Myth or Fact?
Myth
FACT: Internal controls should be built into, not onto, business processes.
17Internal Controls - Myth or fact?
- 4) Effective internal controls provide reasonable, but not absolute, assurance that the organization's objectives will be achieved.
- Myth or Fact?
Fact
18Internal Controls - Myth or fact?
- 5) With downsizing and empowerment, we need different forms of control.
- Myth or Fact?
Fact
19Internal Control - Key Concepts
- Internal control is a process. It's a means to an end, not an end in itself.
- Internal control is effected by people. It's not simply policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives.
20Committee of Sponsoring Organizations (COSO)
- Widely respected authority on internal controls
- Self-regulation by industry
- Created a framework for developing and evaluating internal controls: the COSO model
- This framework can be used to demonstrate compliance with the Sarbanes-Oxley Act
21Committee of Sponsoring Organizations (COSO)
- COSO Definition of Internal Control
- A process, effected by the Company's board of directors, management and other employees, designed to provide reasonable assurance that objectives will be achieved in the following categories:
- effectiveness and efficiency of operations
- reliability of decision making information, including financial reporting
- compliance with applicable laws and regulations
22COSO Model
One common way to illustrate the five components
of COSO is as a pyramid, with the fifth
component, information and communication, being
done at all levels.
23COSO Model
- Control Environment: Sets the tone for the organization. Includes integrity, ethical values, management's philosophy and operating style.
- Risk Assessment: Includes setting clear objectives and identification of risks, both internal and external, that will prevent a company from achieving its objectives.
- Control Activities: Process steps taken to achieve objectives, and include many typical controls such as segregation of duties, approval and authorizations, system controls, and reconciliations.
- Monitoring: Ongoing reviews, separate evaluations, reporting and correcting deficiencies.
- Information and Communication: Ensuring that timely, adequate information is captured and communicated, and fostering open communications up, down, and across the organization.
24COSO Model - Hard/Soft Controls
25Application of COSO Model
- Example: New Product Development Process
Stage-gate reviews, tracking against MEAs
Project team meetings, management updates
MEAs, A162s, stage-gate approvals
Development of success criteria
Company culture
26Internal Control: COSO Component
- Bank Reconciliations: Control Activity
- Financial Policies: Control Environment
- Risk Management: Risk Assessment
- Standards of Conduct: Control Environment
- Budgets: Monitoring
- Project Success Criteria: Risk Assessment
- Strategic Planning: Risk Assessment
- Segregation of Duties: Control Activity
- Weekly sales reports: Information and Communication
- Internal audits: Monitoring
27Finance Role in Corporate GovernanceCASE STUDY
- Four roles in case: sales, finance, credit, planning
- Discuss as a group
- What controls are present
- What risks remain
- What controls should be added to mitigate risks
- Write needed controls on flipcharts; identify COSO category
- Present to class
28Sarbanes-Oxley Overview - Why?
- Governments around the world are enacting legislation to enhance financial accountability
- Sarbanes-Oxley Act - U.S. (2002)
- Cromme Code - Germany (2003)
- Loi de Sécurité Financière - France (2003)
- King Code 2 - South Africa (2002)
- Multilateral Instrument 52-109 - Canada (2004)
- Sarbanes-Oxley Act
- Applies to all public companies.
- Requires the CEO and CFO to certify that the financial statements are a complete and accurate representation of the condition of the business.
- Requires an annual internal control report, certified by management, stating that the internal control structure and procedures are sound, as verified through testing.
- Requires the external auditor to attest to the soundness of the internal control structure to ensure that the financial results of the company are properly reported.
29As a private company, we have elected to comply
with selected provisions of Sarbanes-Oxley.
- Why has ABC Company elected to comply?
- It is good business practice.
- Increasingly, lenders and investment bankers are using the act's provisions as a due-diligence gold standard; some Chicago banks are requiring CFOs and CEOs to certify financial statements in their loan covenants with private companies.
- Anticipate that this will become a minimum standard requirement impacting banking and Merger & Acquisition decisions.
30Sarbanes Oxley Act
ABC Company will implement the following sections
31Sarbanes Oxley Act Section 201
32Sarbanes Oxley Act Section 201
- External Auditor Independence
- Prevents external auditors from performing nine services
- Bookkeeping services
- Appraisals or valuation services
- Actuarial services
- Financial information systems design and implementation
- Management functions or HR services
- Internal Audits
- Broker-dealer, investment advisor, or investment banking services
- Legal services
- Expert services unrelated to auditing
- Other services determined by PCAOB regulations
33Sarbanes Oxley Act Section 201 at ABC Company
- External Auditor Independence
- All subsidiaries will ensure external auditor independence. This is effective July, 2003
- The Corporate Controller has sent out guidelines for the services our external auditors can and cannot do for our company
- Corporate Tax gives guidance to subsidiaries identifying what types of tax services our auditors can provide, and when we need to hire other advisors
- The audit partner can only be assigned to ABC Company for 5 years
- This assures that the auditors (EY) maintain an unbiased position and are not influenced by other commercial dealings with ABC Company
34Sarbanes Oxley Act Section 301
35Sarbanes Oxley Act Section 302
36Sarbanes Oxley Act Section 302
- What is required of the CEO and CFO?
- Each annual and quarterly report must be reviewed by both the CEO and CFO
- They must certify that the reports do not contain any falsehoods or misleading statements or omit any material facts
- They must certify that the reports are a fair representation of the financial condition and the results of the company's operations
- The CEO and CFO must state that they are responsible for establishing and maintaining disclosure controls and procedures, evaluating the effectiveness of the controls within the last 90 days, and have presented their conclusions to the effectiveness of those controls and procedures
- The CEO and CFO must have disclosed to the external auditors and the Audit Committee all significant deficiencies in the design or operation of internal controls and any fraud, material or not, that involves management or other employees who have a significant role in the company's internal controls
- The CEO and CFO must indicate whether or not there has been any significant change in internal controls since the previous report
37Sarbanes Oxley Act Section 302 at ABC Company
- All subsidiaries will certify their financial results annually. This was effective July, 2003.
- Each General Manager and Financial Director signs a statement indicating the reported annual financial results are a true picture of their company's financial position.
- All ABC Company operations are required to certify their results.
38Sarbanes Oxley Act - Section 401
39Sarbanes Oxley Act - Section 404
40Sarbanes Oxley Act Section 404
- Each annual report must contain an internal control report, which
- States that management is responsible for establishing and maintaining internal controls over financial reporting
- Legal compliance
- Efficiency and effectiveness of operations
- Assesses the effectiveness of such controls as of the end of the most recent fiscal year
- The company's external auditors must attest to and report on management's assessment of its internal controls
Not in scope
The internal control report, required by 404, is
what gives management the assurance they need to
complete the 302 assertions.
41Sarbanes-Oxley Section 404 at ABC Company
- Project SOAR
- Controls group within Global COE
- Implementation in conjunction with Global One.
- Implementation targeted to begin after year-end
2005/06.
42Sarbanes Oxley Attest Readiness (SOAR) Model
- PILLARS
- Local Work
- By Process
Control Framework Structure Content
- BRICKS
- Centralized
- One time work
Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
43Layer One The COSO Model
- The Control Activities layer of the COSO model
is key to controls developed for Sarbanes-Oxley
404 compliance.
PILLARS
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations Matrix
COSO Model
44Layer Two Materiality Thresholds
External Testing Attestation
Control Framework Structure Content
Accounts/Processes/Systems/Locations
Materiality Thresholds
COSO Model
- Material Thresholds define the scope of work
- What work is required at which ABC Company locations?
- Which financial line items are large enough that the auditors are concerned about controls?
45Materiality defined
Locations
Financial Statement Line Items
- Larger
- Comprise over 80% of annual Account Revenue and Total Assets.
- All entities are above 40mm in Account Revenue
- Using SAP
- All other
- Limited scope for Sarbanes-Oxley
- Special consideration
- Entity-level risk assessment
- Corporate finance business process risk assessment
- History of misstatement, errors, or control breakdowns
- Judgment of Corporate Controller and/or Director of Audit
- Locations that do not cross the materiality threshold, but contribute more than 5% to the consolidated balance of a material financial statement line item
- Material
- A profit and loss or balance sheet line item greater than 5% of Operating Profit
- All other
- Not included for Sarbanes-Oxley
- Special consideration
- Additional qualitative factors, such as level of dependency on judgment, estimates, or actuarial assumptions
46Companies fall into two categories
ABC Company Locations
Larger
All Other
- Eurafne
- Portugal
- Turkey
- Greece
- Romania
- Norway
- Sweden
- Russia
- Ukraine
- Czech Republic
- Hungary
- Slovakia
- Egypt
- Saudi Arabia
- Kenya
- Ghana
- Nigeria
- Morocco
- Headquarters
- Holding Cos.
- Americas
- Venezuela
- Paraguay
- Uruguay
- El Salvador
- Costa Rica
- Ecuador
- Peru
- Chile
- Colombia
- North America
- Puerto Rico
- Barbados
- Dominican Republic
- Americas
- Mexico
- Brazil
- Argentina
- Asia-Pacific
- Japan (incl. Japan Trading)
- China
- Indonesia (JHHP)
- Korea
- Australia
- North America
- Canada
- ABC Company including
- US Consumer
- Headquarters
- Regional Staffs
- ABC Company Investments
- Eurafne
- Britain
- France
- Italy
- Germany
- Spain
- Benelux
- Belgium
- Netherlands
- Luxembourg
- Poland
- Britain Eurafne
- Frimley
- CMSE
- Regional Staff
- Europlant
- South Africa
- Switzerland
- Algeria
- Gulf Hub
- Bulgaria
- Croatia
- Denmark
- Asia - Pacific
- New Zealand
- India PPL
- India KAPL
- Taiwan
- Hong Kong
- Indonesia - SCJ
- Philippines
- Singapore
- Malaysia
- Pakistan
- Vietnam
- Thailand
Italics identify non GO-enabled entities.
All Other locations fall into two categories: those with SAP implemented and those on other systems.
47What does it mean if my country is in one column
or the other?
- Large Subsidiaries
- Documentation, Flow Chart, and Controls for all financially-significant sub-processes performed locally. This includes any IT General Controls for local systems (such as payroll).
- All sub-processes will go through all four pillars annually beginning after year-end 2005/06.
- Complete work on documentation for Payroll, Benefits, Local Taxes and budgets in 2005/06.
- Other Subsidiaries
- Control activities documented for risks for four key sub-processes
- All four pillars completed annually after year-end 2005/06 for the key sub-processes.
- If you use SAP, you will also have to sign off on documentation for other processes annually, but will not be required to perform testing.
Scope is different for different sizes of companies.
48Layer Two Accounts/Processes/Systems/Locations
External Testing Attestation
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations
COSO Model
- Controls occur at the process level for a
business, and in the systems that enable that
process. We need to map the accounts to the
processes that generate the numbers, then to the
systems that enable the process for each location.
49Layer Two Accounts/Systems/Processes/Locations
All controls occur at the process and system
level.
To ensure that proper controls are in place for
all material financial line items, all accounts
must be mapped to processes, and their IT enabler
must be identified for each location.
50The processes that generate the financial numbers
4 key sub-processes The Big Four
Other local financially-significant sub-processes.
Large operations will test controls for all
financially-significant sub-processes. All Other
operations will test the Big Four.
51Additional processes
Local processes, cont'd
Corporate Finance and BPT processes
52Layer Three Control Frameworks
External Testing Attestation
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations
COSO Model
- Controls occur at the process level for a
business, and in the systems that enable that
process. We need to map the accounts to the
processes that generate the numbers, then to the
systems that enable the process for each location.
53Controls Frameworks are the tie between the
Bricks and Pillars.
- The Act requires that each financially significant process, those that generate numbers that are in the financial statements, must have specific documentation.
- A small number of other processes, such as payroll, local taxes and budgets, are performed outside of SAP and will also have to be documented at the local level.
- All Other companies will only complete Controls Frameworks for the Big Four. No additional documentation is needed.
54Control Framework
A Control Framework has three parts:
- Control Objectives - DESCRIBES a controlled environment.
- Risks - Tells WHAT can go wrong.
- Control Activities - Explains HOW the activity will be performed to reduce the risk.
Control Frameworks will be maintained centrally,
in Racine, for all locations. These are the
global standards.
55Bricks
- Bricks represent the framework of the Sarbanes Oxley 404 effort. They are the structure for the effort.
- Bricks are maintained centrally by the Global COE.
- Base for the effort is the COSO model.
- All ABC companies will participate, but the effort will be greater for the larger companies than for the smaller companies.
- Control Frameworks are the link between the Bricks and Pillars.
56PILLAR 1 Documentation
Documentation
Control Framework Structure Content
Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
Legislation requires a flowchart and narrative
for the process, and documentation of the
controls in place. The documentation developed
for Global One meets these requirements and will
be used as a standard for all processes.
57Controls Assertions Localization
- Sarbanes Oxley states that companies have to assess controls in two ways
- Design Effectiveness: Are the controls designed properly?
- Operating Effectiveness: Are the controls actually operating correctly?
- ABC Company is doing this in two steps
- The Controls group is analyzing proposed local controls (when different from Global Controls) for design effectiveness. Once approved, the controls will be designed effectively.
- Each location needs to test for operating effectiveness.
- How do we ensure that we have designed solid local control activities?
58Pillar 2 Testing Assessment
PILLARS
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations Matrix
COSO Model
59Planning the Testing
- In each operation, testing is best performed by someone who is independent from whoever is performing the work.
- Options for testers include
- Other departments in the company, e.g. someone in AP tests the AR controls; AR tests the GL controls; etc.
- If there is another ABC company nearby, the companies can set up testing of each other's processes.
- Summer interns work well, as does trained contract help
- Other ideas?
- When we need to attest the results, we will need to have more independent testing.
60Sampling Size Chart
61How to prepare?
- If you are an SAP location, review control activities sent by the Controls group and ensure that controls are in place.
- If you are an SAP location, review the documentation for processes, ensuring that it is in place for your company.
- If you are not an SAP location, you will be contacted about the four main financial sub-processes. There will be risks that apply to all locations, and you will provide the control activities.
- Contact the Controls group with any questions
- Marie Kidder
- Hsiu Hua (Emily) Liu
62Pillars Management Review
PILLARS
Control Framework Structure Content
Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
This is a critical review of the testing and
assessment that have been done up to this point.
63Pillars Management Assertion
PILLARS
Control Framework Structure Content
Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
This step is performed by the General Manager and
Finance Director for each subsidiary and by the
CEO and CFO for the entire company.
64External Testing Attestation
- This work would be done by our external auditors.
- Review of all of our testing, assessment and assertions.
- Re-perform testing of some key controls
- Attest that our controls are properly designed and executed.
External Testing Attestation
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations
COSO Model
- We will contract for this work only when required
by some external event.
But we must be ready.
65Finance Role in Corporate Governance
Review Course Objectives
- Develop a common understanding of what corporate governance means at ABC Company
- Gain a practical understanding of the COSO model for internal controls
- Be able to apply COSO to business processes
- Understand the main requirements of the Sarbanes-Oxley Act of 2002
- Gain an awareness of how ABC Company will address the requirements of the Act