
SOX Compliance - 2013


Page 1: SOX Compliance - 2013

SOX Compliance - 2013

• SOX

• Section 302 Certification

• Ernst & Young Fees & Hiring EY staff

Page 2: SOX Compliance - 2013


SOX

Page 3: SOX Compliance - 2013

What is SOX?

The Sarbanes–Oxley Act is a federal law that requires public companies to set up an internal system of control in order to:

• Reduce the potential of fraud

• Ensure financial statements are accurate

• Have top management certify the above

• Protect investors through the actions above

• Restore faith in public markets

Page 4: SOX Compliance - 2013

What is a key control?

A key control is a control that provides reasonable assurance that material errors will be prevented or detected in a timely manner.

Page 5: SOX Compliance - 2013

SOX – Key Controls

VeriFone has identified 11 key process cycles:

1) Entity Level Controls

2) Order to Cash

3) Procure to Pay

4) Inventory

5) Fixed Assets

6) Payroll / HR

7) Financial Statement Close Process (FSCP)

8) Information Technology

9) Tax

10) Treasury

11) Equity

Page 6: SOX Compliance - 2013

SOX – Entity Level Controls

Entity level controls are internal controls that help ensure management directives pertaining to the entire entity are carried out.

At VeriFone these are the code of conduct policy, governance (board and committees of the board oversight), authority and responsibility (authority matrix and 302 certifications), hiring practices (background checks), and fraud prevention and detection controls (ethics hotline).

Page 7: SOX Compliance - 2013

SOX – Entity Level Controls

REMINDERS:

• We have ZERO tolerance for unethical behavior and fraud. We have an ethics hotline you can call: +1-888-719-1218.

• Accounting records should be properly supported.

• You are responsible for reading and understanding all our policies.

Page 8: SOX Compliance - 2013

Controls – Entity Level Controls

Entity Level Controls: Key Controls (20)

• Policies and Procedures

• Code of Ethics

• Whistleblower Process

• Authorization Matrix

• Background checks

• Operating plan

• Internal Audit function

• Budget to Actual

• Audit comments are addressed

Requirements

• Knowledge of code and reporting process

• Performance of background checks

• Following the operating plan

• Responding to auditors

Common Issues

• Not following policy

• Not signing code of ethic acknowledgment

• Legal/practical difficulties with background checks

• No timely response to auditors

Page 9: SOX Compliance - 2013

Controls – Order to Cash

Order To Cash: Key Controls (21)

• Bad Debt Reserve is reviewed and approved

• AR adjustments are reviewed and approved

• Revenue is recognized as per policy

• Invoice data interfaces are monitored

• Quarterly revenue cutoff is performed

Requirements

• Specific and General reserve

• AR adjustment matrix

• Revenue Recognition policy

• Logs/exceptions

• Any non ex-works shipping terms must be reviewed

Common Issues

• Documentation inadequate

• Not running or retaining exception reports

• Not performing cutoff entirely

Page 10: SOX Compliance - 2013

Controls – Procure to Pay

Procure to Pay: Key Controls (12)

• Accruals are recorded

• 3-way match

• Manual accruals are reviewed and approved

• Invoices are supported and approved

• GL coding is accurate

Requirements

• All significant contingencies must be disclosed

• All unprocessed invoices at period end must be reviewed

• Non-inventory invoices have to be approved prior to entry

Common Issues

• Invoice audits are not performed

• Coding to wrong GL account

• Not all accruals are recorded

• Not all contingencies are disclosed

Page 11: SOX Compliance - 2013

Controls – Inventory

Inventory Key Controls (22)

• Cycle/Physical counts results are reviewed and approved

• Doc Walk is performed

• CM liability is approved by each controller

• Warranty reserves are reviewed and approved

Requirements

• Cycle count policy

• Last 5 / First 5

• All liabilities with CM must be included

• Warranty reserve calculation

Common Issues

• Adjustments not documented or approved

• Doc walk is not done or evidence is lacking

Page 12: SOX Compliance - 2013

Controls – Fixed Assets

Fixed Assets: Key Controls (4)

• Additions, disposals and depreciation are recorded based on policy

Requirements

• All additions should be supported

• All disposals must use a disposal form

• Depreciation should be calculated by system and verified

Common Issues

• Disposals not approved

• Incorrect in-service dates of assets

• Depreciation calculated wrong

Page 13: SOX Compliance - 2013

Controls – Financial Close Process

Financial Statement Close Process: Key Controls (22)

• Flux analysis of actual results is performed via conference call

• 302 Certifications are completed

Requirements

• Significant variances must be investigated and explained

• CEO and CFO are required to sign before filing

Common Issues

• Insufficient explanations

• Inadequate disclosures

Page 14: SOX Compliance - 2013

Controls – Financial Close Process

Financial Statement Close Process: Key Controls (22)

• All BS accounts are reconciled timely

• All Manual JE are reviewed and approved

Requirements

• Timely = before date noted on closing calendar

• Reconciled = entire balance explained

• Reviewed = determined the item is correct

• Approved = signature or email

Common Issues

• Items are not accurate

• Late/No approval

• Items in reconciliation not included with reconciliation

• Approval inadequate

Shared Controls

• AR

• AP

• Deferred Revenue

• Inventory

• Fixed Assets

Page 15: SOX Compliance - 2013

Controls – Payroll

Payroll Key Controls (6)

• Commissions are approved by Regional Controller

• New employees are approved, Payroll reports monitored for unusual activity

Requirements

• Review and documentation of approval for commission calculation

• Approval of any new employee prior to adding to payroll

• Must compare current payroll expense to prior

Common Issues

• Improperly documented payroll reconciliation

• No approval for new hire

Page 16: SOX Compliance - 2013

Controls – ITGC (Information Technology General Controls)

ITGC Key Controls (13)

• ERP – Oracle System Controls

• User access approval

• Segregation of Duties

Requirements

• Although these are system related in many instances there are manual parts of the control

Common Issues

• Relying on system while not performing manual portion of control

• Relying on system, when underlying is not system controlled or does not include all instances

Page 17: SOX Compliance - 2013

SOD (Segregation of Duties) Conflicts

SOD conflicts exist because of incompatible duties that a single person or group of persons may have, which elevates the risk associated with potential fraudulent activity.

SOD reviews are performed in each location to identify SOD conflicts and mitigate them through approved testing.

Each location will identify conflicting activity and perform tests to mitigate the risk associated with the underlying SOD conflict.

SOD conflicts are based on 9 policies.

Page 18: SOX Compliance - 2013

SOD Conflicts

Policy Number   2012 Policy Name

P01             AR Customers Credit and Sales Orders

P03             AP Invoices/Expense Reports and AP Vendors

P04             AP Invoices/Expense Reports and Purchase Orders

P05             AP Payments and AP Invoices/Expense Reports

P06             AR Invoices and AR Customers Credit

P07             AR Invoices and AR Cash Receipts

P09             Purchase Orders and AP Payments

P10             Purchase Order and Purchase Order Receipts

P13             Ship Confirm and Sales Orders

Page 19: SOX Compliance - 2013

Controls – Tax

Tax Key Controls (10)

• Tax JE are approved by VP of Tax

• Tax positions or events in each jurisdiction are reported

Requirements

• Unusual events triggering tax planning should be reported

Common Issues

• Not reporting events or disregarding tax strategies

• Local tax audits potential adjustments disclosed too late

Page 20: SOX Compliance - 2013

Controls – Treasury

Treasury Key Controls (7)

• Borrowing policy

• Investments are periodically evaluated

• Loan covenants are monitored

• Hedging strategy is reviewed and approved prior to execution

Requirements

• All financing is subject to borrowing policy

• Investments must be monitored

• Everyone is responsible for covenant compliance

• Hedging should be approved

Common Issues

• Not aware of policy restrictions

• Misclassification of investments

• Not being aware of covenants

Page 21: SOX Compliance - 2013

Controls – Equity

Equity Key Controls (7)

• Equity awards are approved

• Grants are reconciled to 3rd party data

• Cancelations, vesting, etc. are monitored

• Proper expense is recorded

Requirements

• All new plans must be approved

• All grants must be recorded and approved

Common Issues

• Communicating grants without authorization

• Not terminating grants timely in system

Page 22: SOX Compliance - 2013


VERIFONE SYSTEMS, INC. - WORLDWIDE 404/SOX PROCESS OWNER LIST AS OF JANUARY 2013

CORP/WW CORP/WW CORP/WW CORP/WW

KEY SOX FUNCTION Global Process Owner SUB/OWNER KEY SOX FUNCTION Global Process Owner SUB/OWNER

OVERALL INTERNAL CONTROL COMPLIANCE SAGIT MANOR OMAR PEREZ

FSCP - SEC BARBARA MCKEE PROCURE TO PAY - AP&DISB. ROGER KENT B REPOLLO

FSCP - M&A SUZANNE COLVIN PROCURE TO PAY - PURCHASING SEAN O'CONNOR JIM HUFF

FSCP - FP&A JIM JOHNSON WHITNEY NGUYEN PROCURE TO PAY - RECEIVING DAVE MANGELSDORF DAVID GRANTHAM

FSCP - CLOSE THE BOOKS

FSCP - CONSOLIDATION

TAX *

FIXED ASSETS/DEPRECIATION SAGIT MANOR ROGER KENT TAX - CORPORATE PROVISION LYNDA HAUSWIRTH ROSE ROACHELL

CAPITALIZED SOFTWARE DEVELOPMENT JIM JOHNSON GOPINATH GOLLAPUDI TAX - INTERNATIONAL LYNDA HAUSWIRTH ROSANNA LEE

TREASURY*

INVENTORY MGMT DAVE MANGELSDORF TREASURY - CASH RECONCILIATIONS DOUG REED SAGIT MANOR

INVENTORY COSTING CINDY DIERKEN TREASURY - CASH MGMT DOUG REED

INVENTORY EXCESS / OBSOLESCENCE RESERVES ALASDAIR RENDALL TREASURY - BORROWING/HEDGING

WARRANTY RESERVES PAUL COCCOVILLO

CONTRACT MANUFACTURING LYNN WONG

ORDER TO CASH - ORDER MGMT PAYROLL PROCESSING DAWN LAPLANTE ANN CLEARKIN / MANDY JEFFERY

ORDER TO CASH - AR/CASH RECPT OTHER COMPENSATION (bonus, separation, etc.)

ORDER TO CASH - AR RESERVES

ORDER TO CASH - REVENUE SUZANNE C. MANDIE HA

ORDER TO CASH - DEFRD REVENUE SUZANNE C. FAIZA RAHIM EQUITY DAWN LAPLANTE CAROLYN BELAMIDE

INCENTIVE COMPENSATION - COMMISSIONS

REGIONAL CONTROLLER & EXECUTIVE MGMT.

REGIONAL CONTROLLER & EXECUTIVE MGMT.

ORDER TO CASH - SHIPPING/RMAs DAVE MANGELSDORF DAVID GRANTHAM ITGC - CHANGE MGMT. WAYNE CHINGRAY NIGHTINGALE

VIVEK SETH

ITGC - ACCESS/SECURITY/ APPLICATION

ITGC - DATA CENTER

FINANCIAL STATEMENT CLOSE PROCESS (FSCP) *

SUZANNE COLVIN

SAGIT MANOR OSNAT LEVY

LAURA WEISS

PROCURE TO PAY PROCESSES *

PAYROLL AND INCENTIVE COMPENSATION *

EQUITY AND STOCK ADMINISTRATION *

INFORMATION TECHNOLOGY GENERAL CONTROLS *

CAPITALIZED ASSETS *

INVENTORY / SUPPLY CHAIN *

JOCHEN VOGT

ORDER TO CASH PROCESSES *

TIM MUSCO

Page 23: SOX Compliance - 2013

SOX – Key Controls Testing

Key controls testing is determined by the frequency of the control. Our current planned testing timetable is as follows:

For legacy entities:

• Phase 1 in May to July for transactions from November to May;

• Phase 2 in September to October for transactions from June to August;

• Phase 3 in November for transactions from September to October.

For Point entities:

• Phase 1 in August to September for July transactions;

• Phase 2 in September to October for transactions from August to September;

• Phase 3 in November for transactions in October.

A control is not a deficiency at year end if it has been working before October 31, 2013 for the following period, according to its frequency:

• Annual – Once;

• Quarterly – Last 2 quarters;

• Monthly – Last 2 months;

• Weekly – Last 5 weeks; and

• Transactional – Last 25 transactions

Page 24: SOX Compliance - 2013

SOX – SOX Deficiencies Assessment

• If a key control has not been working for the minimum period immediately prior to year end then it is considered a deficiency.

• Deficiency assessment starts with determining whether there is a possibility that the deficiency might result in an error.

• If there is a reasonable possibility then we need to identify the magnitude of the potential error.

• The quantitative and qualitative factors are considered to determine if it is a material, significant or control deficiency.

• SOX requires that we look at the potential error that could result from the key control not working. If there was an error of $2K in a reconciliation of $200 million, SOX requires us to start the assessment at $200 million. We have to ask the local finance team what factors or other key controls will help us reduce the risk of an error of the entire $200 million.

Page 25: SOX Compliance - 2013


Section 302 Sub-Certification

Page 26: SOX Compliance - 2013

Section 302 Sub-Certification

Under Section 302(a) of the Sarbanes–Oxley Act, VeriFone’s CEO and CFO are required to make certain certifications regarding the presentation of the financial statements.

After the close of each quarter, designated members of VeriFone management are sent representation letters for review, signature and explanation. Any exceptions in the representations are noted in a memo that is addressed to VeriFone’s CEO and CFO.

The sub-certification process provides assurances to the CEO and CFO so they can make the appropriate certifications.

Page 27: SOX Compliance - 2013


Ernst & Young Fees and Hiring EY Staff

Page 28: SOX Compliance - 2013

Ernst & Young Fees & Hiring EY Staff

Our auditor Ernst & Young (“E&Y”) has to be independent from VeriFone.

VeriFone cannot engage E&Y or anyone related to E&Y to perform any work without the approval of VeriFone’s audit committee. Please submit any request through the Corporate Controller. There are NO EXCEPTIONS.

This includes hiring any E&Y staff or their family members.

Page 29: SOX Compliance - 2013

Q&A