Sarbanes-Oxley Act of 2002
Preparing Your Organization for Section 404 – Internal Control over Financial Reporting
Impact on Actuarially Determined Items
SEAC Fall Meeting - Atlanta, GA
November 19, 2003
Today’s Objectives
Share knowledge and lessons learned since inception of the Sarbanes-Oxley legislation
Discuss the impact of Sarbanes-Oxley on actuarially determined items.
This presentation provides certain information with respect to specific elements of the Sarbanes-Oxley Act of 2002. Consideration of the Act and its various provisions is ultimately a legal matter and the implications of the Act in specific situations should be discussed with legal counsel.
NOTHING HEREIN SHOULD BE CONSTRUED AS OFFERING ANY LEGAL OPINION, ADVICE OR GUIDANCE REGARDING LEGAL REQUIREMENTS OR IMPLICATIONS OF THE ACT.
Sarbanes-Oxley Section 404 Overview
Sarbanes-Oxley Section 404 – Overview
Management’s annual report on Internal Control Over Financial Reporting (ICFR) must:
• State management’s responsibility for establishing and maintaining adequate ICFR;
• Identify the control framework used by management to evaluate ICFR;
• Contain management’s assessment, as of year-end, of the effectiveness of ICFR, including a statement whether or not ICFR is effective; and
• Contain a statement that the independent auditor has issued an attestation report on management’s assessment of ICFR.
Sarbanes-Oxley Section 404 – Overview
Effective Dates
• Issuers, other than foreign private issuers, that meet the definition of an “accelerated filer” in Exchange Act rule 12b-2, will be required to comply for fiscal years ending on or after June 15, 2004.
• All other issuers, including small-business and foreign-private issuers, will be required to comply with the new rules for their fiscal years ending on or after April 15, 2005.
Sarbanes-Oxley Section 404 – Overview
• The SEC defines internal control over financial reporting.
• The SEC states management must base its evaluation of the effectiveness of internal control over financial reporting on a suitable, recognized control framework.
– The adopting release recognizes that the COSO Framework satisfies the above criteria; however, the use of a particular framework is not mandated.
– The final rules require management's report to identify the framework used by management.
Sarbanes-Oxley Section 404 – Overview
The final rules do not specify the methodology to be followed or procedures to be performed by management in their assessment of ICFR; however:
• The adopting release indicates inquiry is not sufficient.
• Evidential matter obtained should provide reasonable support for management’s:
– Evaluation of whether a control is designed to prevent or detect material misstatements or omissions,
– Conclusion that the tests were adequately planned and performed, and
– Determination that the results were appropriately considered.
COSO Framework
• Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people
• Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
• Control Activities – These policies and procedures help ensure management directives are carried out
• Information and Communication – Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
• Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time
PCAOB Update
• Independent auditor must attest to and report on management’s assessment in accordance with standards issued or adopted by the Public Company Accounting Oversight Board (PCAOB).
• Establishing the attestation standard is a priority of the PCAOB
• On October 7, 2003, PCAOB voted to release a proposed standard for comment
Sarbanes-Oxley Section 404 – Overview
Management’s Assessment Objectives
• The objectives of management’s assessment process are two-fold:
– To support management’s public assertion about the effectiveness of internal control
– To satisfy a pre-condition of the independent audit of internal control
Sarbanes-Oxley Section 404 – Overview
Supporting the evaluation
• Identify processes and determine which controls are significant
– Controls that address significant classes of transactions, account balances, disclosures and related assertions
– Consider likelihood that control failure could cause misstatements and the potential magnitude
– Controls over selection of accounting policies
• Processes identified and significant controls should include:
– Fraud programs and controls
– Controls on which other controls are dependent (e.g., general controls, including IT controls)
– Controls over significant non-routine transactions, journal entries, and accounts involving judgments and estimates
– Controls over closing process and preparation of financial statements
Sarbanes-Oxley Section 404 – Overview
Evaluating Design Effectiveness
• Procedures to determine whether control is suitably designed to prevent or detect material misstatements in financial statement assertions
• Procedures include:
– Inquiry
– Inspection
– Observation
– Tracing transactions
• Procedures will vary depending upon the nature of the control and complexity
Sarbanes-Oxley Section 404 – Overview
Evaluating Operating Effectiveness
• Procedures must be sufficient to verify operating effectiveness:
– Testing controls by corporate audit or others under the direction of management
– Use of service organization reports
– Self-assessment processes
• Inquiry alone is not adequate
• Procedures performed and controls and locations selected are affected by risk assessment and monitoring processes
• All significant controls and locations must be evaluated annually
Sarbanes-Oxley Section 404 – Overview
Identify Control Deficiencies
• A deficiency in design or operation may result from:
– A missing control (design)
– A control objective is not met by the control (design)
– A control is not operating as designed (operating)
– The person performing the control does not have the authority or qualifications needed to perform the control (operating)
• Inadequate documentation of controls is also considered a deficiency
• Deficiencies range from deficiency to significant deficiency to material weakness
Sarbanes-Oxley Section 404 – Overview
Identify Control Deficiencies – continued
• Significant deficiency – could result in more than a remote likelihood of a misstatement of the company’s annual or interim financial statements that is more than inconsequential in amount.
• Material weakness – a single weakness or a combination of significant deficiencies results in more than a remote likelihood of a material misstatement in the company’s annual or interim financial statements.
• If a material weakness exists as of the end of the company’s most recent fiscal year, management and the auditor must conclude that the internal control is ineffective.
• Please note auditing standards are still in the proposal stage and the final rules could change.
Sarbanes-Oxley Section 404 – Overview
Independent Audit of the Internal Control
• Express an opinion on whether management’s written assertion about the effectiveness of internal control over financial reporting is fairly stated in all material respects
Six Steps for Management to Consider
Example Management Internal Control Evaluation Process
1. Plan & Scope the Evaluation: Establish internal control evaluation process. Determine significant controls and locations/business units to be included. Define project approach, milestones, timeline, and resources. Launch project.
2. Document Controls: Document design of significant controls for all significant locations and business units.
3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting and document results of evaluation.
4. Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
5. Report on Internal Control: Prepare management’s written assertion on the effectiveness of internal control over financial reporting.
6. Independent Audit of Internal Control: Prepare for independent auditor to conduct the internal control audit.
Scoping
The most important qualitative and quantitative criteria to determine locations to include in project scope are:
• Financial statement materiality or volume of transactions
• Potential impact of fraud or misstatement on operations
• Specific high risk areas (financial or operational)
• Judgments and estimates
• When locations are similar – product mix, size mix, belief of quality of controls at location
• All principal business units due to qualitative concerns
How Will You Ensure that the Population of Controls is Sufficient?
Thorough review and definition during scoping phase
Summary of controls for senior management
Inclusion of external auditor during process
Heavy involvement of internal audit throughout project
Continuous review by core team and project steering committee during the project
Extent of Documentation
Does your documentation include the design of significant controls related to all 5 components of internal control?
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
Significant controls should also include:
• Anti-fraud programs and controls
• Controls on which other controls are dependent (e.g., general controls)
Determining Extent and Frequency of Evaluation
• Management and SOX project team judgment and consensus with external audit input
• Test plans to be created by management. The number and frequency will be based on the frequency of the control.
• Evaluate each process and the key control points
• Frequently evaluate significant controls based on significance of changes
• All key controls that drive financial statement activity to be tested on an annual basis – more often if changes occur to controls
Actuarial Documentation
Significant Areas of Risk within Life Insurance Companies
Reserving/DAC/VOBA Processes and Controls underlying these amounts vary widely by company
Areas where control failure could cause misstatements:
• Policy Reserves often comprise 70-85% of total insurance liabilities
– reserves calculations reflect actuarial assumptions, estimates, interpretations of regulations and modeling, all of which include significant areas of judgment as part of the process
• DAC Asset usually represents about 40-70% of GAAP surplus
– the industry has seen significant DAC effects recently due to the impact of economic markets and underlying assumptions used by variable writers, in particular
• Claim Reserves may represent a significant percentage of liabilities for companies writing health or disability business
• VOBA Asset for purchases of a company or a block of business may be a key driver of earnings
Financial Reporting Objectives
Objectives must Relate to “Assertions” made by Management:
• Completeness of Transactions
• Accuracy of Transactions
• Timeliness of Posting of Transactions
• Existence of Assets and Liabilities
• Valuation of Assets and Liabilities
• Company has Rights and Obligations to Assets and Liabilities
• Accounts and Statements are Properly Presented (Disclosed) under GAAP
Internal Controls as part of the “Five Component” Framework
The five component framework:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
Four key risk areas:
Data - Gathering and Interpreting
Actuarial Valuation Systems
Compilation Process
Management Review Process
Evaluating controls for each risk area:
Completeness: Is something missing?
Accuracy: Is information accurate?
Judgments: Are judgments appropriate?
Project Steps
1. Plan and Scope the Implementation: Establish internal control evaluation process. Determine significant controls and locations/business units to be included. Define project approach, milestones, timeline, and resources. Launch project.
2. Document Controls: Document design of significant controls for all significant locations and business units.
3. Evaluate Design, Operating Effectiveness and Gap Analysis: Evaluate design and operating effectiveness of internal control over financial reporting and document results of evaluation. Identify, accumulate, and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
4. Training: Conduct training based on needs throughout the project including developing and maintaining documentation, performing regular evaluations of controls and documenting results of self assessment process.
Actuarial Processes and Sub-Processes
• Key processes, sub-processes and objectives are identified based on discussions with actuarial and non-actuarial personnel
• Process owners and sub-process owners must be clearly identified
• Processes, sub-processes and objectives are often modified after the documentation process begins
• First step in documentation should be in the form of a high level process map with key intervention points and control items identified
Sample Actuarial Processes and Sub-Processes
Business Process: Actuarial Valuation
• Sample Sub-Processes:
– Valuation of FAS 60 benefit reserves
– Valuation of FAS 97 general account benefit reserves
– Valuation of FAS 97 separate account benefit reserves
– Reporting of FAS 60 DAC balances
– Reporting of FAS 97 general account DAC balances
– Reporting of FAS 97 separate account DAC balances
– Calculation of experience studies
– Calculation of loss recognition testing
– Reinsurance
– Valuation of tax reserves
– Sign-off of valuation results by chief/corporate actuary
[Figure: Sample Sub-Process Map – Reporting of FAS 97 Separate Account DAC Balances. Company A: Products A-B; Company B: Products C-F. Variable annuities DAC process map based on discussions with actuarial personnel on mm/dd/yy. Flowchart labels include: Admin Systems 1-4 (Products A-F) with manual and electronic feeds; main admin system; four PC-based actuarial valuation systems (Systems A-D); Access database; Excel-based output file formatted for reporting; corporate actuarial reporting responsibility; checks to verify accuracy and completeness.]
Defining Objectives for Key Process/Sub-Process Areas
What are you really trying to accomplish?
1. Is the objective or summary task specific enough and has the objective been assigned to our group or specific individuals?
2. Have the affected end-state processes been sufficiently defined to assure that all tasks are identified?
3. Have we considered the three categories of COSO objectives as a “completeness check” to ensure we have not ignored important objectives?
4. What customer expectation is being addressed by the objective?
5. How does the objective link to the overall organizational objectives?
6. How does the objective affect other parts of the organization?
7. Is the objective clearly understood by all responsible for its implementation?
Sample Actuarial Processes and Sub-Processes Objectives
Business Process: Actuarial Valuation
• Sub-Process: Valuation of FAS 60 benefit reserves
– Objective: FAS 60 benefit reserves are appropriately reflected in the financial statements in a timely manner
• Sub-Process: FAS 97 separate account DAC balances
– Objective: FAS 97 separate account DAC balances are appropriately reflected in the financial statements in a timely manner
• Sub-Process: Calculation of experience studies
– Objective: Accurate and timely experience studies are available for use in DAC calculations and GAAP benefit reserve valuations
Typical Approach to Risk
It has never happened ≠ it will never happen
“…I have never been in an accident of any sort worth speaking about…I never saw a wreck, nor was I ever in any predicament that threatened to end in disaster of any sort,”
– Captain Edward J. Smith, RMS Titanic, replying to an interview by the New York press, 1907.
On April 15, 1912, RMS Titanic sank with the loss of more than 1,500 lives, including Captain Edward J. Smith’s.
Key Considerations Determining Risks
What could get in the way of achieving your objective?
1. What could prevent the objective from being accomplished? Consider specific conditions that must exist or events which must occur for the objective to be met.
2. What other groups must be involved to accomplish this objective? Is there sufficient cross-functional involvement?
3. Does this objective affect the internal/external customers?
4. What are the ramifications to other processes/functions business if the risk occurs?
5. Which risks are most likely to occur? Which would have the most significant impact on your ability to achieve the objective?
6. Is there adequate focus on the critical risks and are they appropriately prioritized for action?
7. Given the risks identified, is it necessary to modify your objective or strategy?
Business Process: Actuarial Valuation
Sub-Process: FAS 97 Separate Account DAC Balances
Objective: FAS 97 separate account DAC balances are appropriately reflected in the financial statements in a timely manner
Sample Business Risks:
• Compilation of FAS 97 Separate Accounts DAC balances is too complex and leads to misstatement of results
• Excessive reliance on key individual for FAS 97 Separate Accounts DAC
• FAS 97 Separate Accounts DAC balances recorded on the balance sheet are not adequate because they do not accurately reflect the contract obligations or the balances are computed using inappropriate methodologies and assumptions for the underlying contracts
• Inaccurate approximations used for interim FAS 97 Separate Accounts DAC calculations
• FAS 97 Separate Accounts DAC calculations may not be performed on a timely basis
• FAS 97 Separate Accounts DAC balances are not properly classified, described and disclosed in the financial statements, including notes, in conformity with applicable accounting principles
Key Considerations Identifying Controls
What specific control actions are required to effectively manage the risks?
1. In light of the priority risks, what control mechanisms must be identified or modified to achieve the objective or mitigate the risks?
2. Are any additional control actions necessary to manage the priority risks?
3. Do the actions of other process owners or teams affect the management of these risks? Is there necessary cross-functional involvement?
4. Have process models been used as a check for completeness and accuracy?
5. Have resources been specifically allocated to implement or manage the risks?
6. Have contingency plans been developed for priority or probable risks?
Limitations of Internal Controls
Human Errors
• Human errors may arise from misunderstanding of instructions, mistakes of judgment, and personal carelessness, distractions, or fatigue.
Collusion
• Collusion may circumvent the separation of duties.
Management Override
• Management may override the structure to commit fraud or misstate the financial statements.
Changing Conditions
• Conditions may change, weakening a system that was adequate at a point in time.
Segregation of duties
• An employee is performing conflicting job duties.
Business Process: Actuarial Valuation
Sub-Process: FAS 97 Separate Account DAC Balances
Objective: FAS 97 separate account DAC balances are appropriately reflected in the financial statements in a timely manner
Business Risk: FAS 97 Separate Accounts DAC balances recorded on the balance sheet are not adequate because they do not accurately reflect the contract obligations or the balances are computed using inappropriate methodologies and assumptions for the underlying contracts
Sample Controls:
1. A formal review process exists to assess that the calculations and resulting FAS 97 Separate Accounts DAC balances produced by application of the methodologies, formulas and assumptions are accurate.
2. A formal review process exists to assess that the FAS 97 Separate Accounts DAC calculation methodologies are appropriate.
3. A formal review process exists to assess that the underlying assumptions utilized in the calculation of the FAS 97 Separate Accounts DAC calculations are reasonable and appropriate in relation to the underlying contracts.
4. Actuarial assumptions for interest, expenses, and mortality and DAC methodologies are formally documented by issue era and by product, including any subsequent revisions, and approved by the appropriate level of management.
5. Studies are conducted of the entity’s actual experience for mortality, investment yield, and expenses, and compared to the FAS 97 Separate Accounts DAC assumptions. Comparisons are analyzed and documented.
Business Process: Actuarial Valuation
Sub-Process: FAS 97 Separate Account DAC Balances
Objective: FAS 97 separate account DAC balances are appropriately reflected in the financial statements in a timely manner
Business Risk: FAS 97 Separate Accounts DAC balances recorded on the balance sheet are not adequate because they do not accurately reflect the contract obligations or the balances are computed using inappropriate methodologies and assumptions for the underlying contracts
Sample Controls (continued):
6. Regular review by management (at least quarterly) of FAS 97 Separate Accounts DAC, changes in actuarial assumptions or calculation methodologies, analysis of gains and losses, any recoverability issues, and relevant comparisons with industry data.
7. Procedures are in place to assure that actuarial assumptions for interest, expenses, and mortality and DAC computation methodologies are in accordance with regulatory guidelines.
8. Any manual calculations or adjustments, in addition to automated calculations of FAS 97 Separate Accounts DAC balances, are reviewed by appropriate personnel.
9. Reconciliations of general ledger and FAS 97 Separate Account DAC balances are performed periodically and differences are followed up on a timely basis.
Actuarial Case Studies
Example: S404 Review of DAC
• The following slides are “live” case examples of situations which may be uncovered as part of a S404 review of internal controls specifically relating to a DAC asset for a variable annuity product
• “Live” situations where the internal controls were not appropriate and the potential outcomes which resulted from the lack of controls
• The “live” cases are not meant to represent an exhaustive list, they are included as specific examples only
In most circumstances, the situations and conclusions outlined for DAC translate just as easily to Reserve determinations
Example: S404 Review of DAC
• DAC for nontraditional products (FAS 97) is a complex actuarial calculation and represents a material item for many life insurers
• Data such as inforce records, experience studies, economic information and expense studies, comes from multiple sources
• Calculation of DAC uses a combination of actual historical and projected future data (e.g. amortization stream) for amortizing deferrable costs
• Amortization streams typically vary by product and by issue year (or groupings of years) – one Company may have hundreds of amortization streams
• Process of updating the amortization streams is called the “unlocking process” and this occurs at least annually
• Actuarial assumptions are used to project the future flows in the amortization streams
• Multiple PC-based actuarial valuation systems are often used in combination
• Loss recognition testing is performed as a last step to determine if the DAC asset calculated during the normal processes is recoverable
Judgment is used throughout to interpret data, set assumptions, allocate data to product/issue year groupings, run and modify actuarial valuation systems, compile and review results
Example: S404 Review of DAC
Case 1
Situation: Lapse study not updated to reflect recent activity (assumptions stale)
Internal Control Involved:
• Controls needed over the frequency and quality of lapse studies performed
• Peer review on the interpretation of the experience studies
Outcome without Appropriate Controls: Inaccurate reflection of lapses could result in a material misstatement of DAC during the unlocking process
Case 2
Situation: New product specifications miscoded in actuarial projection software
Internal Control Involved:
• Detailed documentation of coding modifications
• Peer review that documentation is consistent with product
• Peer review by actuary who understands the software system
Outcome without Appropriate Controls: New product is incorrectly reflected resulting in misstated balances for as long as coding errors persist
Case 3
Situation: Manual modifications are made to assumptions to achieve earnings targets
Internal Control Involved:
• Modifications are documented with appropriate support highlighted
• Peer review of modifications by senior company personnel
Outcome without Appropriate Controls: DAC balance may not be supportable and therefore financial reporting is not reliable
Actuarial Self Assessments
Control (Self) Assessment
• The Process Owner identifies and documents their tests for the specific controls to determine effectiveness of the control design and its current operation. Are the risks being managed?
• The Process Owner is responsible for documenting the results of the tests that are performed and providing this to management.
• After all controls are tested and assessed, the assessment is complete.
The controls and assessment results may be formally documented within a Control Assessment Tool.
Documenting the Assessment of Controls
Process owner’s key steps to assess an identified control:
1. Determine what actions are necessary to conclude on the effectiveness of the pre-identified controls
2. Add and/or modify the test steps for each control as changes are needed
3. Execute the test activities
4. Document the test results; all results must be available for both internal and external audit for independent review
5. Determine and document if compensating controls exist, if the control doesn’t exist or is ineffective
6. Prepare Remediation Action Plan and ensure it is executed
Note - test evidence will generally be comprised of samples of the evidence showing that the control was and continues to be working over the year
Self Assessment Example
Control:
• Reconciliations of general ledger and FAS 97 Separate Account DAC balances are performed periodically and differences are followed up on a timely basis
Possible tests of the Control:
• Select a sample of reconciliations to confirm that they are being prepared, reviews are being evidenced, and reconciling differences are being resolved.
• Interview individuals responsible for performing and reviewing the reconciliations.
Self Assessment Example (cont’d)
Control:
• A formal review process exists to assess that the calculations and resulting FAS 97 Separate Accounts DAC balances produced by application of the methodologies, formulas and assumptions are accurate.
Possible tests of the Control:
• Select sample of DAC balances and re-perform work to ensure properly processed and recorded.
• Interview individuals responsible for performing key process activities.
• Inspect evidence maintained by person responsible for performing activity.
• Inspect evidence of the formal review process including issues identified and resolved, key metrics reviewed and testwork performed as part of the review.
Self Assessment Example (cont’d)
Control:
• Regular review by management (at least quarterly) of FAS 97 Separate Accounts DAC, changes in actuarial assumptions or calculation methodologies, analysis of gains and losses, any recoverability issues, and relevant comparisons with industry data.
Possible tests of the Control:
• Select a sample of DAC balances and verify that they are properly approved.
• Interview individuals responsible for performing key analysis steps.
• Inspect evidence maintained by person responsible for performed activity.
• Inspect evidence of management approval process.
Assessing Control Activity Effectiveness
• Assessment: Controls are effective
– Details: Controls are in place and working, reducing the likelihood of the risk event to an acceptable level.
– Next Step: No additional work is required (until next assessment).
• Assessment: Controls are NOT effective
– Details: The control in place is not effective, therefore not reducing the risk event to an acceptable level.
– Next Step: Indicate the mitigating controls, if any. Establish an action plan as soon as possible.
• Assessment: There are no controls
– Details: The controls described were not in place.
– Next Step: Explain the reason why and establish an action plan.
Assessing Control Activity Effectiveness (continued)
Here are some additional considerations for assessing control activity effectiveness:
• Has the control been in operation for the entire period?
• Is the control operating as designed?
• Has the control been operating consistently?
• Has there been any management override of this control?
• Is the control performed in a timely manner?
• Is there a mitigating control?
Impact of a Failed Control
What is the Impact on the Company if a Control Fails? What are the implications?
• Financial reports are misstated
• Risk not appropriately mitigated
• Potential unacceptable exposure to the company
• Possibility that fraud can occur
• Inaccurate reporting of results
• It will take time to investigate the root cause of control failure – design flaw, lack of awareness or practicality issue
• Corrective actions will be required – with the development of an action plan
• Need to monitor the implementation status of corrective action plans to ensure that the risk is appropriately addressed
Developing an Action Plan
If a control is not in place you will need to develop an action plan.
Who needs to prepare a Remediation Action Plan?
What should you consider when preparing an action plan?
What should an action plan address?
• Process Owners who have identified ineffective or non-existent control activities
• The urgency of each issue raised
• How to address the root cause of the ineffective or missing control
• The amount of resources needed and whether the resources are available
• Target dates
• Most importantly, the action plan must be realistic and practical
• Establishing the control(s)
– Consider automated controls
• Increasing training when necessary