World-class audit and control practices: John Hancock's detailed processes are proving effective in meeting the requirements of Sarbanes-Oxley
Internal Auditor, Feb, 2004 by Donald B. Robitaille
John Hancock Financial Services has been building world-class audit and control processes for several years. Thus, the company was well-positioned when the U.S. Sarbanes-Oxley Act was enacted in 2002. John Hancock took advantage of this positioning to develop additional practices to assist in the implementation of the internal control provisions of Sarbanes-Oxley. Systems and procedures for full compliance with the act, including an enterprisewide controls database, are now fully implemented and operational.
This completely integrated audit and control model can be used by organizations worldwide to improve audit results, corporate governance, and regulatory compliance. These practices deliver the highest level of assurance (a key expectation of management and regulators in the post-Enron environment); profit improvements that more than offset the entire cost of the internal audit function; controls documentation used by management to perform Sarbanes-Oxley control self-assessments (CSA); controls training for management and other key personnel; and consistent reporting of audit results to all stakeholders.
THE BASE OF ALL OPERATIONS
In 1996, the internal audit function developed end-result auditing (ERA), which is based on The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) internal control framework. The goal was to develop a comprehensive process that embodied the latest audit and control concepts. Now the heart of the company's internal audit operation, ERA is the base from which all audit and control practices are developed. The primary attributes of the process include:
* A review and evaluation of controls against a set of business objectives and risks.
* A thorough compliance testing of control procedures to verify their consistent, effective application.
* An intensive testing of business operations to determine the precise level of achievement for each business and control objective of the function under audit. The degree to which business and control objectives are being achieved is the best measure of the effectiveness of a control system. Verifying that business objectives are achieved is also a requirement of The IIA's International Standards for the Professional Practice of Internal Auditing.
* The use of the computer as a tool for intensive testing to measure business results and to identify fraud and operating improvements. The information technology (IT) capabilities of today's internal auditor, combined with the advanced IT tool kits available, dictate that additional audit testing be performed.
* A secondary focus on the identification of operating improvements that demonstrate quantifiable increases to the corporation's profits. Cumulative annually recurring profit improvements are currently four times internal auditing's annual budget and have resulted in the organization's internal audit function being viewed as a profit center, instead of overhead.
Normally, the only deliverable provided to management at the close of an audit is an audit report. However, with the ERA process there is an additional deliverable--a control summary. Using the COSO model, the summary relates all of a function's control procedures to the business and control objectives and risks associated with that function. The control summaries were provided to business areas at the close of each audit for ongoing reference and optional CSA.
At the time of Sarbanes-Oxley's passage, the corporate audit group had prepared control summaries for 200 company functions. With the passage of Sarbanes-Oxley, the chief financial officer (CFO) required all company functions to develop and maintain control summaries. Company business areas have been preparing additional control summaries for the past year, and summaries are now available for approximately 350 business functions. Documenting controls using the COSO model has been widely accepted as the Sarbanes-Oxley standard.
MAINTAINING CONTROL SUMMARIES
In the first half of 2003, the corporate auditor led a team of auditors and system analysts who designed, developed, and implemented a Web-based enterprisewide controls database system to maintain the control summaries. The system provides read-only access for all executives to encourage sharing of best practices, real-time update capability, and a facility for quarterly certifications by control-summary owners. The database contains approximately 11,000 control procedures.
Each control summary has an owner, generally an officer, who is the only person authorized to change the summary and is responsible for quarterly assessments of controls for the function and the related controls certification. During assessment, the owner is required to test the controls and maintain supporting documentation. When the testing is complete, the owner signs on to the system and certifies both the controls design and operation for each control objective. The system allows summary owners to delegate responsibility for certifying one or more control objectives to objective owners, but the summary owners must still sign off at the control summary level that they agree with the system certifications made at the objective level.


