WORLD-CLASS AUDIT AND CONTROL PRACTICES
operation, the system requires the summary owner to enter the planned corrective action and related target date into the database. The system monitors corrective action and sends e-mails to the summary owner, business area CFO, and the certification controller whenever a target date is missed.

Each control summary contains cross-references to all affected line items on the financial statements, footnotes, management’s discussion and analysis, and the proxy. The system can provide on-demand reports of the control summaries affecting each line item and clearly indicate line items that have no support.

The system also sends automatic e-mails to the business area CFO and the business area audit director whenever control objectives or procedures are changed so that they can review the control summary to ensure that they are comfortable with the changes. The system has a robust set of reports and screens to monitor such issues as database changes, certification status, and outstanding control issues.

The external auditors have full access to the enterprise controls database for their financial statement audit and the Section 404 controls evaluation. The database provides them up-to-date controls documentation throughout the year and greatly facilitates their audit activities.

Although Sarbanes-Oxley requires an assessment and certification of only financial reporting controls, the other two COSO control categories — operating controls and regulatory controls — are just as important to a corporation’s well-being. At John Hancock, control summaries, control evaluations, and the enterprise control database cover all three types of controls. Further, many in the financial world are now realizing that these other control types can affect financial reporting. Recently, the National Association of Securities Dealers issued a draft regulation that would require certification of compliance controls by the chief executive officer (CEO) and chief

The controls database system is built on an SQL Server platform with Crystal Reports used for system reports. Programming was done using Microsoft’s .NET Web-development methodology. The corporate audit group prepared all test scripts for user acceptance testing, wrote the user manual, and developed and presented all user training. Once operational, the system was turned over to the controller’s department for ongoing administration of the quarterly certification process.

CONTROL CERTIFICATIONS AND THE DISCLOSURE COMMITTEE

The enterprise controls database system is the heart of the quarterly certification process and is used by management to certify the results of their reviews. When the certification process is complete, the certification coordinator in the controller’s department requests a system report of all negative certifications and outstanding control issues, which are reported to the Disclosure Committee. The Disclosure Committee, which includes the CFO, general audit director, and all senior executives, reviews the certification results in detail and presents its conclusions to the CEO. This process provides strong bottom-up support to the quarterly Sarbanes-Oxley Section 302 and annual Section 404 certifications of the CFO and CEO. Because the quarterly certification process covers all three COSO categories, certifications by the control owners also confirm the ongoing effectiveness of business and regulatory controls.
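The reports the article attributes to the controls database (line items with no supporting control summary, missed corrective-action target dates with their e-mail recipients, and the negative-certification report for the Disclosure Committee) come down to a handful of joins over a small schema. The script below is an added illustration, not John Hancock's code: the table names, columns, sample rows and e-mail addresses are constructed for this example, and SQLite stands in for the SQL Server platform so it runs stand-alone (the SQL itself is plain ANSI).

```python
"""Added example: queries behind the controls-database reports described in
the article. Not John Hancock's code; schema, sample data and addresses are
constructed. SQLite replaces SQL Server so the script runs on its own."""
import sqlite3

SCHEMA = """
CREATE TABLE business_area (name TEXT PRIMARY KEY, cfo_email TEXT NOT NULL,
                            audit_director_email TEXT NOT NULL);
CREATE TABLE control_summary (id INTEGER PRIMARY KEY, title TEXT NOT NULL,
                              owner_email TEXT NOT NULL,
                              business_area TEXT REFERENCES business_area(name));
-- line items on the statements, footnotes, MD&A and proxy
CREATE TABLE line_item (id INTEGER PRIMARY KEY, document TEXT NOT NULL,
                        caption TEXT NOT NULL);
-- cross-reference: which control summaries support which line items
CREATE TABLE summary_line_item (summary_id INTEGER REFERENCES control_summary(id),
                                line_item_id INTEGER REFERENCES line_item(id),
                                PRIMARY KEY (summary_id, line_item_id));
-- corrective actions entered by the summary owner; closed_date is NULL while open
CREATE TABLE control_issue (id INTEGER PRIMARY KEY,
                            summary_id INTEGER REFERENCES control_summary(id),
                            corrective_action TEXT NOT NULL,
                            target_date TEXT NOT NULL, closed_date TEXT);
CREATE TABLE certification (summary_id INTEGER REFERENCES control_summary(id),
                            quarter TEXT NOT NULL,
                            result TEXT NOT NULL CHECK (result IN ('positive','negative')),
                            PRIMARY KEY (summary_id, quarter));
"""

# Constructed sample data: one business area, two control summaries.
SAMPLE_ROWS = """
INSERT INTO business_area VALUES ('Retail', 'cfo-retail@example.com', 'audit-retail@example.com');
INSERT INTO control_summary VALUES (1, 'Cash reconciliation', 'owner1@example.com', 'Retail');
INSERT INTO control_summary VALUES (2, 'Revenue cut-off review', 'owner2@example.com', 'Retail');
INSERT INTO line_item VALUES (10, 'balance sheet', 'Cash and equivalents');
INSERT INTO line_item VALUES (11, 'income statement', 'Premium revenue');
INSERT INTO line_item VALUES (12, 'footnote', 'Note 7: Reinsurance');
INSERT INTO summary_line_item VALUES (1, 10), (2, 11);
INSERT INTO control_issue VALUES (100, 1, 'Add second reviewer sign-off', '2004-01-15', NULL);
INSERT INTO control_issue VALUES (101, 2, 'Automate cut-off report', '2004-03-31', NULL);
INSERT INTO control_issue VALUES (102, 2, 'Retrain preparers', '2003-11-30', '2003-11-20');
INSERT INTO certification VALUES (1, '2003Q4', 'negative'), (2, '2003Q4', 'positive');
"""

CERTIFICATION_CONTROLLER = "cert-controller@example.com"  # constructed address


def open_db():
    """In-memory database loaded with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def unsupported_line_items(conn):
    """Line items with no cross-referenced control summary (the 'no support' report)."""
    return conn.execute("""
        SELECT li.document, li.caption
        FROM line_item li
        LEFT JOIN summary_line_item sli ON sli.line_item_id = li.id
        WHERE sli.summary_id IS NULL
        ORDER BY li.id""").fetchall()


def missed_target_dates(conn, as_of_iso):
    """Open corrective actions whose target date is before as_of_iso (YYYY-MM-DD).
    Returns (issue_id, recipients): owner, business-area CFO and certification controller."""
    rows = conn.execute("""
        SELECT ci.id, cs.owner_email, ba.cfo_email
        FROM control_issue ci
        JOIN control_summary cs ON cs.id = ci.summary_id
        JOIN business_area ba ON ba.name = cs.business_area
        WHERE ci.closed_date IS NULL AND ci.target_date < ?
        ORDER BY ci.id""", (as_of_iso,)).fetchall()
    return [(issue_id, sorted({owner, cfo, CERTIFICATION_CONTROLLER}))
            for issue_id, owner, cfo in rows]


def disclosure_committee_report(conn, quarter):
    """Negative certifications for the quarter plus all outstanding control issues."""
    negative = conn.execute("""
        SELECT cs.title FROM certification c
        JOIN control_summary cs ON cs.id = c.summary_id
        WHERE c.quarter = ? AND c.result = 'negative'
        ORDER BY cs.title""", (quarter,)).fetchall()
    outstanding = conn.execute("""
        SELECT ci.id, cs.title, ci.corrective_action, ci.target_date
        FROM control_issue ci JOIN control_summary cs ON cs.id = ci.summary_id
        WHERE ci.closed_date IS NULL ORDER BY ci.target_date""").fetchall()
    return {"negative_certifications": [t for (t,) in negative],
            "outstanding_issues": outstanding}


if __name__ == "__main__":
    db = open_db()
    print("No support:", unsupported_line_items(db))
    print("Missed targets as of 2004-02-01:", missed_target_dates(db, "2004-02-01"))
    print("Q4 report:", disclosure_committee_report(db, "2003Q4"))
```

The anti-join in `unsupported_line_items` is the check an auditor cares about most: a line item that no control summary claims is a documentation gap that will otherwise surface only when the external auditors ask for support. Keeping `target_date` and `closed_date` as separate columns makes the "missed target" condition a single predicate, so the notification job and the Disclosure Committee report cannot disagree about what is outstanding.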
At first glance, the final Section 404 rules issued by the U.S. Securities and Exchange Commission (SEC) on June 5, 2003, appear to indicate that quarterly assessments of all financial reporting controls are no longer required. Instead, management will be required to perform quarterly evaluations of changes that have materially affected — or are reasonably likely to materially affect — the company’s
CONTROLS ARE DESIGNED EFFECTIVELY
■ Do the procedures cover all the risks, and do they ensure the objective will be met, or are there any gaps?
■ Do the controls appear adequate to meet the control objectives?
■ Is the control strong enough for the level of risk?
■ Should a preventive control be used instead of a detective control?
■ Have you considered all threats?
■ Will the controls prevent or detect threats on a timely basis?
■ Have you walked through the control system under each risk scenario?

CONTROLS ARE OPERATING EFFECTIVELY
■ Maintain evidence that the control is operating.
■ Verify the controls are achieving the objective.
■ Maintain evidence that you have tested the control sufficiently to reach a valid conclusion.
■ To test controls you could:
    ■ Select transactions to see evidence they were reviewed, signed, and dated by the appropriate persons.
    ■ Obtain a sample of account reconciliations and verify the reconciliations have been performed properly.
    ■ Review reports that track compliance with laws and regulations.
    ■ Verify the organization chart and job descriptions are current and job functions are appropriately segregated to prevent fraud.
    ■ Review system and data access listings to ensure only authorized individuals have access.
■ Based on the results of your tests, conclude whether the controls are operating effectively to achieve each objective.
■ Identify a corrective action plan, including:
    ■ New or corrected controls.
    ■ Planned implementation date.
    ■ Resources required.
    ■ Interim manual controls, if a system solution is required.
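Two of the test steps above, reviewing system access listings against who is authorized and checking that job functions are segregated, are usually done by reconciling an exported access report against the authorization roster. The script below is an added example, not from the article or any real system: the access listing, the roster and the conflicting-duty pairs are constructed, and the finding codes are names chosen here. It produces the evidence an auditor would retain: each listed user not on the roster, each role held beyond what the roster grants, each segregation-of-duties conflict, and each roster entry with no corresponding access (a sign the roster is stale).

```python
"""Added example: reconcile an access listing against an authorization roster
and check segregation of duties. All data and finding codes are constructed."""

# Constructed export of a system access listing: (user, role) rows as a
# security report might print them.
ACCESS_LISTING = [
    ("amy", "AP_CLERK"), ("amy", "VENDOR_MAINT"),
    ("bob", "GL_POST"), ("bob", "GL_APPROVE"),
    ("cat", "AP_CLERK"),
    ("dan", "SYSADMIN"),
    ("eve", "GL_POST"),
]

# Constructed authorization roster: the roles each person's job description
# and manager approval actually grant.
AUTHORIZED = {
    "amy": {"AP_CLERK", "VENDOR_MAINT"},
    "bob": {"GL_POST"},
    "cat": {"AP_CLERK"},
    "eve": {"GL_POST"},
    "fred": {"AP_APPROVE"},
}

# Constructed segregation-of-duties rules: pairs of roles one person must not hold.
CONFLICTING_DUTIES = [
    ("AP_CLERK", "VENDOR_MAINT"),   # can create a vendor and pay it
    ("GL_POST", "GL_APPROVE"),      # can post and approve the same entry
]


def review_access(listing, authorized, conflicts):
    """Return findings as (code, user, roles) tuples, ordered by user.

    Codes: unauthorized_user  - listed user absent from the roster
           unauthorized_role  - roles held that the roster does not grant
           sod_conflict       - user holds both roles of a conflicting pair
           no_access_listed   - roster entry with no access in the listing
    The SoD check runs even when the roster grants both roles, because an
    approved conflict is still a conflict the roster itself should not contain.
    """
    by_user = {}
    for user, role in listing:
        by_user.setdefault(user, set()).add(role)

    findings = []
    for user, roles in sorted(by_user.items()):
        if user not in authorized:
            findings.append(("unauthorized_user", user, sorted(roles)))
            continue
        extra = roles - authorized[user]
        if extra:
            findings.append(("unauthorized_role", user, sorted(extra)))
        for a, b in conflicts:
            if a in roles and b in roles:
                findings.append(("sod_conflict", user, [a, b]))

    for user in sorted(set(authorized) - set(by_user)):
        findings.append(("no_access_listed", user, sorted(authorized[user])))
    return findings


def summarize(findings):
    """Count findings by code, the figure that goes into the test conclusion."""
    counts = {}
    for code, _user, _roles in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCESS_LISTING, AUTHORIZED, CONFLICTING_DUTIES)
    for finding in results:
        print(*finding)
    print(summarize(results))
```

Running the review against a listing pulled on a known date, and keeping both the input export and the findings, is what turns the checklist item into retained evidence rather than a one-off look. The roster comparison catches excess access; the conflict pairs catch access that is individually approved but collectively lets one person both cause and conceal an error.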
FEBRUARY 2004 INTERNAL AUDITOR