With the release of Issue 12, Protiviti has completed another volume of The Bulletin. Since Protiviti’s inception five years ago, The Bulletin has provided insights on significant corporate governance and related risk management topics. Volume 2, with a focus on improving Sarbanes-Oxley compliance processes, the effectiveness of the internal control structure, the quality of business processes and the management of other business risks, has continued this legacy established in 2002.
We began Volume 2 with a discussion about improving effectiveness and deriving value from compliance processes. We then continued with suggestions for planning ahead for the next year of compliance, as well as introducing core concepts around enterprise risk management (ERM). In this volume, we also devoted several issues to key areas germane to the audit committee agenda, such as anti-fraud programs, enterprise risk assessments and financial reporting risk profiles. We concluded Volume 2 with an explanation of the implications to management and audit committees of the U.S. Securities and Exchange Commission’s (SEC) new interpretive guidance. Each issue of Volume 2 (along with the accompanying supplements to Issues 8 and 9) is available at www.protiviti.com.
We are pleased to present you with this summary of the topics covered in Volume 2 of The Bulletin, and we look forward to continuing to provide our insights on governance, risk management and compliance topics in Volume 3.
Protiviti Inc. July 2007
Issue 1 – “The Self-Assessment Process: Management’s Tool for Reinforcing Process Owner Accountability”
Volume 1 of The Bulletin concluded with a discussion of the organizational structure needed to facilitate ongoing compliance with Sections 404 and 302 of the Sarbanes-Oxley Act. One of the cornerstones of this structure is an effective self-assessment program. Self-assessment is a flexible management tool that drives the “tone at the top” down to the process owners by reinforcing their responsibility and accountability for internal control over financial reporting (ICFR).
This inaugural issue of Volume 2 of The Bulletin discusses the self-assessment process and how organizations can implement one to reinforce process owner accountability or, if an organization already has a process in place, how it can be improved and made more effective.
Issue 2 – “Driving Value Out of the Section 404 Compliance Process”
Issue 2 addressed the subject of first year Section 404 compliance costs. The premise of this edition is that surveys and other sources of evidence have made it clear that the administrative burden of compliance is significant enough for most companies to warrant a review of their strategies and tactics to maximize the value derived from the compliance process. Therefore, Issue 2 focuses on the following questions: Are the costs we incurred in Year One representative of the costs we should expect in future years? Can we derive tangible benefits from our compliance investments? How can we make this compliance effort “work for us” in enhancing, as well as protecting, enterprise value? Issue 2 provides practical strategies on dealing with these questions.
Issue 3 – “Achieve Sustainability by Integrating the Section 404 and Section 302 Compliance Processes”
For most companies, the administrative burden encountered during the first year of Section 404 compliance warrants a fresh look at the overall compliance process and how to use this process for achieving sustainability of the internal control structure.
The more sustainable the control environment, the more capable the organization’s processes and controls in dealing with the inevitable changes in the operating environment. Sections 404 and 302 of the Sarbanes-Oxley Act provide the “launching pad” to improve the sustainability of the internal control structure, and in turn, enhance the reliability of the financial reporting process over time.
To help management attain this objective of improving sustainability, this issue of The Bulletin discusses strategies for integrating compliance activities around Sections 404 and 302 of the Sarbanes-Oxley Act.
Issue 4 – “Wanted: A Cost-Effective Approach to Validating Performance of the Internal Control Structure”
Section 404 of the Sarbanes-Oxley Act requires public companies to assert annually that ICFR is designed and operating effectively. The key question is: How will companies transition their Section 404 compliance activity from an ad hoc, high-cost project to an ongoing, cost-effective process?
This issue of The Bulletin explores how organizations can implement such an approach to validating the operating effectiveness of their ICFR that includes all primary sources of evidence, not just independent tests of controls. This broad approach in turn supports management’s assertion in the annual internal control report. The focus of this discussion addresses management’s assessment process, not the external auditor’s audit of ICFR.
Issue 5 – “Section 404 Compliance: Planning for Next Year”
With Year Two of Sarbanes-Oxley compliance shaping up to be a year of incremental improvement, this issue of The Bulletin asserts that senior management should consider the longer-term view of where the organization’s financial reporting processes and internal control structure need to be, so that appropriate improvements can be considered while the budget process for the following year is underway. Issue 5 focuses on some of the opportunities companies should consider as they plan for Year Three of Section 404 compliance.
Issue 6 – “Enterprise Risk Management: Practical Implementation Advice”
The concept underlying ERM, namely a portfolio view of risk, has been around for a long time. However, many executives have no idea what the value proposition of ERM is. Yet, when properly implemented, ERM can help organizations pursue strategic growth opportunities with greater speed, skill and confidence by aligning the organization’s risk taking with its core competencies and risk appetite.
To help executives better understand ERM, this edition of The Bulletin defines the concept of ERM; discusses the benefits of implementing ERM strategies; provides five practical steps for implementing ERM; and outlines some important key success factors to keep in mind.
Issue 7 – “Setting the 2006 Audit Committee Agenda”
Much has happened since 2003 when the SEC adopted rules mandated by the Sarbanes-Oxley Act that, among other things, expanded and formalized the responsibilities of audit committees. Following suit, the major U.S. exchanges (e.g., the NYSE and NASDAQ) issued listing requirements that defined additional expectations for audit committees, including more stringent requirements with regard to director independence.
Against this backdrop, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year. As they have over prior years, audit committees must continue to address a long list of nonstandard items. Issue 7 lists eight items that should be on the committee’s agenda and frames topics to be explored further in the next four issues of The Bulletin.
Issue 8 – “Section 404 Compliance: Lessons Learned for the Next 12 Months”
On May 10, 2006, the SEC held a roundtable discussion on the second-year experiences with Section 404 of the Sarbanes-Oxley Act. The following week, both the SEC and Public Company Accounting Oversight Board (PCAOB) announced their plans to follow up on the roundtable results and other feedback they had received.
Following these developments, it is a good time to reflect on lessons learned as many accelerated filers begin preparing for or executing their Year Three assessments. This issue of The Bulletin outlines seven lessons for improving processes and compliance approaches. The accompanying supplement, “More Section 404 Lessons Learned,” provides more granular lessons by phase of work beyond the seven lessons presented in this edition.
Issue 9 – “Protecting Enterprise Value Through Your Anti-Fraud Program”
In light of the new focus from the SEC and PCAOB, it has become increasingly clear that organizations need to improve their controls for preventing, deterring and detecting fraud. This issue of The Bulletin discusses such topics as how to define and evaluate an anti-fraud program, what has changed for management and how an anti-fraud program relates to protecting enterprise value.
Expanding on the topics from this issue, the accompanying supplement, “Suggestions for Evaluating Your Anti-Fraud Program,” provides observations, recommendations and suggestions for management and audit committees regarding the evaluation of an anti-fraud program.
Issue 10 – “Conducting Enterprise Risk Assessments That Make a Difference”
Risk management plays a critical role in helping executives and their boards make better choices during the strategy-setting process. Boards and management need an effective enterprise risk assessment (ERA) process to effectively discharge their responsibilities, especially in today’s rapidly changing operating environment.
In this fast-paced environment, strategy-setting is inextricably tied to ERM as a means to improve an organization’s ability to manage the future uncertainties it faces. This issue of The Bulletin focuses on key steps for executing an effective ERA, and discusses why integrating an ERA with strategy-setting is critical to improving business performance.
Issue 11 – “The Financial Reporting Risk Profile: Getting Ahead of the Curve”
Updated periodically, the financial reporting risk profile (FRRP) strips away the “black box,” and makes transparent the drivers and magnitude of financial reporting risks for all to see. This visibility into an organization’s key financial reporting risks leads to the strengthening of ICFR and improvement of the overall quality of financial reporting.
With this in mind, this issue of The Bulletin discusses the importance of the process of understanding and continuously evaluating an organization’s FRRP, and why this process is important to senior management and directors. This issue concludes the discussion of the audit committee’s agenda for the year ahead, which was introduced in Issue 7 and addressed in the subsequent four issues.
Issue 12 – “The SEC’s New Guidance on Section 404: What It Means to You”
In May 2007, the SEC approved its interpretive guidance to management on implementing Section 404 of the Sarbanes-Oxley Act. As a result, the Section 404 compliance process is a whole new ball game, requiring some reeducation and application of new knowledge and principles. The companies most knowledgeable about their opportunities, and that have the capabilities to capitalize on them, are in the best position to increase the cost-effectiveness of their compliance processes.
This issue of The Bulletin explores what’s new with respect to the Commission’s guidance, what hasn’t changed, the opportunity for management and the responsibilities of the audit committee. Issue 12 concludes the discussion with eight key decision points along the Section 404 compliance process that warrant a fresh look by every SEC registrant subject to Sarbanes-Oxley compliance requirements. These eight decisions are discussed further in a Protiviti white paper at www.protiviti.com, How the New SEC Guidance Impacts Eight Key Decisions Driving a Cost-Effective Section 404 Assessment Process.
The Bulletin (Volume 2 closing summary)