
1/6/14 Internal Auditor

www.theiia.org/intAuditor/feature-articles/2011/june/a-smarter-compliance-process/index.cfm?print 1/8
Internal Auditor
June 2011
A Smarter Compliance Process

A look at how one company uses control self-assessments to efficiently and effectively manage
its Sarbanes-Oxley initiatives around the globe.

Aleksei Brizhik, CPA, CFE
Director, Internal Audit - SOX Compliance
AES Corp.

Cecilia Lobo
Senior Manager, Internal Audit - SOX Compliance
AES Corp.

Tae Yoo, CIA
Manager, Internal Audit - SOX Compliance
AES Corp.

Since the enactment of the U.S. Sarbanes-Oxley Act of 2002, many companies have struggled with the
difficulties of implementing efficient compliance programs. Though challenging, a global company can
transform a Sarbanes-Oxley compliance initiative into an efficient, dynamic, and valuable organizational
program while minimizing the stress experienced by finance personnel.


AES, based in Arlington, Va., is a global S&P 500 power company that owns a portfolio of electricity
generation and distribution businesses in 30 countries spanning five continents. AES operates in more than
100 locations, comprising utilities, generation plants, shared services hubs, branches, and representative
offices where local finance and accounting staff can range from a small group to a few hundred.
Establishing and managing an effective Sarbanes-Oxley compliance program at a company is a difficult task
when the company operates across multiple locations, cultures, time zones, and reporting and regulatory
environments. As part of a continuous effort to improve internal controls, AES has been transitioning from
an autonomous accounting reporting structure with multiple financial platforms to a network of
geographically consolidated regional hubs with one unified enterprise resource planning system.


Sarbanes-Oxley Section 404 requires U.S. publicly listed companies to file an internal control report with
their annual and interim reports stating management's responsibilities in establishing and maintaining
adequate internal controls and procedures for financial reporting, and management's conclusion on the
effectiveness of these internal controls. Examining changes in timing of controls testing, appropriately
determining the assessment's scope, and continuously aggregating testing results can lead to a smarter
way to comply with Sarbanes-Oxley regulations.

COMPLIANCE AT A GLANCE
The Sarbanes-Oxley Compliance Group, part of the internal audit department that is based at corporate
headquarters, is organized by geographic region. To implement the requirements of Section 404, AES uses
the U.S. Public Company Accounting Oversight Board's (PCAOB's) Auditing Standard No. 5 (AS5) and The
Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control -
Integrated Framework as guidelines. AES performs control self-assessments (CSAs) to assess the
effectiveness of internal controls over financial reporting for compliance purposes, and incorporates
activities including:

- Quarterly process/control changes surveys through attestations certified by all financial officers
  (Sarbanes-Oxley Section 302: Corporate Responsibility for Financial Reports certification).
- Sarbanes-Oxley Section 404 annual assessments (through testing and periodic assessment of
  aggregated control deficiencies).
- Financial reporting internal audits with testing of internal controls related to audited areas as
  determined by annual risk assessments.
- IT general controls (ITGC) testing (as part of CSAs at significant locations).
- Entity-level controls testing, including segregation of duties and an anti-fraud assessment.
- A corrective action plan program.

Historically, CSAs were performed each quarter and coincided with the financial quarter or annual close,
causing the finance staff to deal with competing priorities and work long hours. The Compliance Group had
to determine how to perform the CSAs without causing additional work for the local businesses. Beginning
in 2009, CSA frequency was changed to three times per year with each cycle covering a four-month period.
CSA testers are granted approximately one month to complete their testing and finalize the submission of
results. Immediately after submission, the Compliance Group reviews the results, completes the control
deficiency aggregation process, and communicates final results to the disclosure committee, executive
officers, and the audit committee.

The AES Sarbanes-Oxley compliance process addresses each of the COSO components of internal
control:

Control Environment
Process owners and department heads lead implementation of the annual Sarbanes-Oxley Section 404
compliance plan at AES with support from the Compliance Group. The Compliance Group's geographic
organization allows internal auditing to have a global presence and easily mobilize its resources. The
Compliance Group is in charge of the administration of the CSA process and all Sarbanes-Oxley-related
reporting requirements.

Risk Assessment
To establish the annual audit plan, internal auditing works with the Global Risks and Commodities Group to
identify major risks AES can potentially face. The Compliance Group determines the timing and scope of
internal control testing at the business units and corporate office based on risk assessment results and
other considerations, such as the significance of financial results, prior internal control testing results, and
significant changes in the business operations and structure, to ensure that all relevant risks have been
addressed. In addition, the Compliance Group evaluates the CSA test results to validate the adequacy of
test procedures performed and the conclusions rendered on the operating effectiveness of the controls.

Information and Communication
The Compliance Group also is responsible for managing the CSA component that addresses ITGC and
works closely with IT management to identify critical applications throughout the organization for inclusion in
the CSA. IT departments at each in-scope location are responsible for executing the testing and providing
the results to internal auditing for review. This approach allows for individuals most familiar with the
applications to perform the testing and provides IT with valuable insights into the strength of its internal
control environment.

Control Activities
In addition to managing the execution and review of periodic CSAs, the Compliance Group is responsible
for managing the CSA re-performance audits. As part of this process, internal audit resources at the hubs
test and follow up on the implementation of corrective action plans to address control deficiencies. These
independent audits provide an additional level of assurance as to the testing results through validation of
samples already tested and evaluation of additional/independent samples for select controls. The audits
are performed at businesses, hubs, and corporate areas that are selected based on the risk profile and
history of CSA deficiencies at each entity.

Monitoring
Senior management's responsibility also involves continuous monitoring regarding the resolution of
deficiencies and any changes that could affect the internal control environment. This includes
communicating any changes in processes or controls and any issues affecting compliance with
Sarbanes-Oxley requirements or corporate policies. Such communication is made either through quarterly
Sarbanes-Oxley Section 302 certification or through other appropriate channels. Furthermore, AES uses the CSA
process to support the quarterly Section 302 disclosure within the company's 10-Qs and year-end 10-K.
Finally, CSAs are used as one of the venues for the businesses to report control failures for inclusion in
corrective action plans.

CSA testing results are captured in a Web-based application where testers upload their workpapers and
document their conclusions. Testers are granted access to their specific business or hubs. The application
contains a sign-off sheet where the performers and reviewer of the CSA must be identified. It also includes
a page for documenting the assessment of process/control changes (attestation) that is used for analysis
and support of Sarbanes-Oxley Section 302. Each financial cycle is separately tabbed for efficient testing of
the respective controls. The application allows for customization of CSAs according to the applicability of
controls to specific businesses (i.e., controls for generation companies vs. controls for distribution
companies).

ADJUSTING OUR APPROACH
Due to the company's global exposure and operations, the AES Sarbanes-Oxley program required some
flexibility to appropriately meet its compliance requirements. The program has evolved into a dynamic and
customizable approach that leads to a more efficient and effective assessment of internal controls. Two of
the elements in our approach that have been subject to this evolution and adjustment are scope and
aggregation of control deficiencies.

Scope
When the CSA process was first implemented, AES tested a single set of controls (scope) at every
operating business. Consideration of the size, risks, industry, and complexity of the businesses was not
factored into the CSA scope, and the Compliance Group realized this one-size-fits-all approach was costly
and time consuming. If the CSA process was to be improved, it had to address the following issues:

- The creation of regional hubs both transferred and consolidated key accounting functions to the hub
  level, eliminating the need to test some controls at the business level.
- Many entities participating in CSA reviews were quantitatively immaterial but still were fully tested.
- Certain accounting processes were immaterial or irrelevant to a given business, yet were still being
  tested.
- Small businesses with limited resources struggled with the level of effort required to conduct CSAs;
  the main difficulties were the frequency of the CSAs (quarterly) and the volume of controls tested
  each quarter.
- Accounting personnel reductions caused by hub transition and economic downturn at many AES
  businesses hindered their ability to perform effective and timely CSAs.

Today the CSA process is customized to address the unique risks and control environment of the various
business types that make up AES. The different categories of CSA scope include:

- Full CSA. Performed at businesses that are quantitatively and/or qualitatively significant (i.e.,
  historically had many control deficiencies).
- CSA Light. A customized scope performed at businesses with certain functions that were moved to
  the regional hubs and are quantitatively and/or qualitatively not as significant.
- Equity Affiliate CSA. Focuses on testing AES' monitoring and core financial reporting and accounting
  controls over the company's equity affiliates, businesses where AES has influence, but not control.
- Corporate CSA. A full-scope CSA designed to test a set of controls unique to corporate functions
  such as financial consolidation and reporting, tax provision, and long-term compensation.

Aggregation of Control Deficiencies
The examination of control deficiencies is critical to understanding an organization's weaknesses, analyzing
the root causes, and implementing and monitoring remediation actions to improve the control environment
continuously. The impact of control deficiencies on a stand-alone basis could be viewed as short-sighted
without a broader consideration of how deficiencies impact AES collectively. Effectively aggregating the
control deficiencies can yield improvements in the organization's control environment and should be a top
priority for senior management.

At AES, deficiencies are identified through four primary sources: the CSA, internal audits, external audits,
and an analysis of the summary of accounting adjustments. All four sources serve as arteries to the
assessment of the control environment that supplies vital information, including indications of possible
errors and lack of adherence to policies and procedures. The same four sources feed into an overall
aggregation process that produces a comprehensive list of control deficiencies that impact the company.
Thus, the aggregation process provides a scorecard that helps identify areas where the risk of
noncompliance and significant financial impact resulting from control gaps and exceptions is higher.
Communication is a key factor that helps to avoid duplication of efforts. For instance, if deficiencies have
already been identified and evidenced through internal audits, the other three sources will help monitor the
correction of the exceptions rather than reporting the same errors. Therefore, having these four different
sources of information joined through the aggregation of deficiencies process provides efficiency in testing
and reporting.

Aggregation is performed after each CSA testing period and initiated with each Sarbanes-Oxley manager
collecting, reviewing, and producing a consolidated list of deficiencies sourced from the four primary
sources for their respective regions and businesses. Each deficiency is reviewed and assessed to
determine whether the root cause is attributed to a control deficiency and what, if any, potential financial
impact exists.

Regional summary reports of aggregated deficiencies feed the master aggregation file that becomes the
baseline for a consolidated report of deficiencies to management. Deficiencies are categorized by the
nature of the exception, evaluated both individually and collectively, and aggregated across all businesses.
Additionally, the Compliance Group determines whether the issue escalates to levels that would trigger
further qualitative analysis or whether the company has a significant deficiency or material weakness. A
summary of the aggregation of deficiencies is presented to the Disclosure Committee, members of the
executive office, and the Audit Committee for consideration before issuance of the 10-Qs and annual 10-K.

All subsequent aggregation after the first CSA is rolled forward until the third and final CSA is completed at
year-end. Deficiencies determined to be remedied after retesting are removed from the aggregation to
represent the current state of all deficiencies identified throughout the year. A continuous aggregation
process affords us the advantage of projecting problematic areas or trends that management needs to
address timely.

Although there may be other methods of aggregation, the processes we use ultimately provide AES with a
clear picture of the control environment to concisely define the deficiencies, analyze the root causes,
and develop appropriate remedies to prevent such issues from occurring in the future.

LEARNING TO ADAPT
Sarbanes-Oxley compliance requires time to adapt to changing environments and effort to be open-minded
to new strategies that better fit with the organization. Modifying the timing and scope of controls tested are
good examples of how audit shops can evolve their Sarbanes-Oxley initiatives to achieve greater success.

Continuous monitoring of our internal stakeholders' needs revealed process improvement opportunities that
led to enhanced effectiveness and efficiency of our Sarbanes-Oxley program. Course changes included the
periodic reassignment of CSA testers based on roles and responsibilities to ensure greater tester
independence, and the issuance of workpaper templates with standardized testing procedures for testing
and documentation consistency. Other notable modifications to our approach include the customization of
CSA test plans per unique needs and type of business (e.g., generation, distribution, holding company,
equity affiliate), and the annual rationalization (consolidation) of controls to reduce redundancy and
eliminate noncritical controls from being tested.

The shift of testing to off-quarter close periods allows personnel to concentrate on performing the CSA
testing more diligently and effectively with less stress. Furthermore, business units and corporate
departments now have the opportunity to complete testing of their quarterly and monthly controls before the
year-end close, leaving only a few annual controls to be tested during January of the following fiscal year.
As a result, the Compliance Group is now able to dedicate more time to meaningful review and accurate
aggregation of deficiencies. The results of these changes led to more timely and efficient analysis and
reporting of control deficiency aggregation, thus providing the ability to react and correct control
weaknesses before they become deficiencies with significant financial and compliance impact.

The new multiscope CSA approach allows AES to recognize both greater efficiency and broader coverage
with regard to its internal control assessment program. After the first year of implementing the multiscope
CSA program, the company has experienced:

- Improved resource allocation at businesses and with the Sarbanes-Oxley Compliance Group.
- A CSA process that is aligned with the new hub structure.
- Time and cost reductions while allotting greater attention toward problematic processes and controls.
- Greater cooperation from process owners and testers.
- Continued assessment of the most critical controls and risks at smaller AES businesses.
- A culture of strong processes and internal controls across AES businesses, regardless of size.

Our CSA process and best practices provide a value proposition to our organization and key stakeholders
that are worth consideration. Internal auditors should recognize that by being flexible with timing and
controls to be tested, companies can eliminate unnecessary stress and frustration related to the CSA
process. Aggregating and communicating control deficiencies throughout the year helps remedy
deficiencies before they result in major problems.
See the AES CSA Survey Questions and Schedule.

Sahba Yazdani, CIA, manager, Internal Audit - SOX Compliance at AES Corp., contributed to this
article.

