Sales Order Cycle Review Report

CORPORATE COMPLIANCE “Maximizing Risk Intelligence – Maximizing Value” Table of Contents Company Presentation      Introductions Nuvasive Inc. Reporting Structure Roles & Responsibilities Control Concept & Philosophy Compliance    Sarbanes-Oxley Discussion Governance & Adding Value Internal Controls      Definitions Frameworks Operational Benefit IT Discussion Risk Assessment Process 2 Nuvasive Inc. - Profile NuVasive, Inc. (NUVA) was founded in 1997 and is headquartered in San Diego, California. Medical device company, engages in the design, development, and marketing of products for the surgical treatment of spine disorders. NUVA’s products include a minimally disruptive surgical platform called Maximum Access Surgery (MAS), as well as cervical and motion preservation products. MAS platform combines three categories of product offerings: NeuroVision, a proprietary software-driven nerve avoidance system; MaXcess, a split-blade design retraction system providing enhanced surgical access to the spine; SpheRX and CoRoent, specialized implants. Public offering occurred in 2004 - $71.5 million. Year 2005 - #1 in Fast 500 Deloitte names NUVA “#1 fastest growing technology company in North America.” Year 2006 – Opened distribution facility in Memphis, Tennessee. 3 Nuvasive Inc. – Revenue Growth 4 Nuvasive Inc. – Historical Stock Price 5 Reporting Structure – Corporate Compliance REPORTS ISSUED: 1. Quarterly Reports – Audit Committee (AC) Package 2. Monthly – Dashboard to Executive Operations Committee 3. Annual Compliance Report – Management & AC 4. Annual – Risk Assessment 5. As Needed - Special Request Reports - AC 6 “Simply Good Business” CORPORATE GOVERNANCE CORNERSTONE CORPORATE COMPLIANCE AUDIT COMMITTEE-BOD EXECUTIVE MANAGEMENT EXTERNAL AUDIT All work to ensure NUVA: *Complies with existing and new legislation and regulations. *Identifies & manages enterprise-wide risks including: financial reporting risk, operational risk , compliance risk, & economic risk. 7 Roles & Responsibilities Financial & Operational Risk Assessment Process *Ethics Program *FCPA *Trade Compliance Compliance 8 Compliance & Audit Continuum Value Protection SHAREHOLDER EXPECTATIONS Balanced Value Enhancement COMPLIANCE & AUDIT FUNCTIONAL FOCUS Internal Control Processes Transactions Business Process Improvement Risk Management Internal Control Assurance Financial Compliance Auditing Relative Risk Coverage Enterprise-Wide Risk Assessment Risk Management Assurance Product & Operational Auditing Process Knowledge COMPLIANCE & AUDIT SKILL SETS ** PricewaterhouseCoopers - Trademark HOW DOES COMPLIANCE ADD TO THE “BOTTOM-LINE”? Audit/Compliance Strategic Business Partner +Achieve Business Objectives +Continuous Process Improvement Methodologies +Support & Assist in Defining & Implementing Business Changes +Pushing to Do More with Less +Embed Control Mechanisms (transparent, resilient & bullet-proof) –Help Contain Costs & Improve ROI via effective & efficient activities Operations & Finance Process Owners +Reporting Reliability assures Shareholders-Value 10 HOW DO MOST PEOPLE FEEL ABOUT AUDIT & COMPLIANCE WORK??? Premise Good Controls = Fewer Surprises Conclusion: Good controls are important and valuable. 5/23/2009 13 Internal Controls: Why are they important? An effective system of Internal Controls forms one of the keystones necessary to building, maintaining and improving shareholder value. Effective Internal Controls help to: • Avoid Surprises • Assure the adequacy of process performance • Perform jobs more efficiently and effectively • Improve the overall quality of the business Shareholders expect a good system of Internal Controls. 5/23/2009 14 Internal Controls: What are they? This definition reflects certain fundamental concepts: • • • • Internal control is a process. It’s a means to an end, not an end in itself. People effect internal control. It’s not merely policy manuals and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management. Internal control is geared to the achievement of objectives in one or more specific but overlapping categories. They are: Control Environment Risk Assessment 5/23/2009 Information Communication Control Activities Monitoring 15 Internal Control Framework Selected All companies/organizations must designate an internal control model that can be relied upon in developing and maintaining an effective internal control system. The most widely used model is the COSO (Committee of Sponsoring Organizations) Model. 5/23/2009 16 Maturity Framework Model Internal Controls Maturity Framework - Where is the Company? Unreliable - Control activities are not designed or in place. The environment is unpredictable. Informal - Control activities are designed and in place but they are not adequately documented. Standardized - Control activities are designed, in place and adequately documented. Monitored - Controls are standardized. There is periodic testing for effective design & operation with reporting to management. Optimized - Controls are integrated. There is real-time monitoring by management and continuous improvement. GOAL ---------is "rightward" 5/23/2009 17 Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed. • A precondition to risk assessment is the establishment of objectives, linked at different levels and internally consistent. • Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed. • Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. 5/23/2009 18 Business Risk Management Defined What is Business Risk Management? A continuous process and an element of Corporate Governance. It promotes efficient and effective assessment of risk, increases risk awareness and improves the management of risk throughout an organization. Includes anticipating and avoiding threats and losses as well as identifying and realizing opportunities. 19 Enterprise Risk Management Defined What is Enterprise Risk Management? A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. 20 Enterprise Risk Management (ERM) Process According to the Protiviti Risk Barometer (published February 2006): Most senior executives lack a high degree of confidence that their organization’s risk management capabilities identify and manage all potentially significant business risks. 38% believe that their organization is “very effective” at identifying and managing potentially significant risk. Less than half of large companies deploy proven risk management practices. 38% utilize Enterprise Risk Management. 65% of companies plan to make changes in risk management capabilities in the next two years. The CFO is most likely to be the primary individual responsible for risk management policy (32% of companies). 21 Risk Assessment – Ownership & Data Gathering Ownership: Any or all: Internal Audit ----Corporate Compliance----Risk Officer---Risk Management Office & Business Process Owners Activities Include: Executive and management interviews Management surveys Facilitated Risk Assessment Sessions Internal Audit Risk Assessment Risk Maps – Summarize and Prioritize Key Risks Review of 10-K and other Company Information Review of Industry and Risk Publications 22 What is the Role of Internal Audit in Risk Management? • Give assurance on RM process • Give assurance that risks are correctly evaluated • Evaluating the reporting of key risks • Review the management of key risks • Facilitate identification & evaluation of risks • Coaching management in responding to risks • Coordinating ERM activities • Maintaining and developing the ERM framework • Developing RM strategy for board approval • Setting the risk appetite • Imposing RM processes • Management assurance on risks • Decisions on risk responses • Accountability for RM Core Internal Audit Roles Legitimate IA roles with safeguards Roles NOT undertaken by IA 23 Information Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. • Information systems produce reports, containing operational, financial and compliance-related information that make it possible to run and control the business. • They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. How reliable, timely, pertinent and comprehensive is the information received? Scale of 1 to 5 (1 being weakest) 5/23/2009 24 Communication Effective communication also must occur in a broader sense, flowing down, across and up the organization. • All personnel must receive a clear message from top management that control responsibilities must be taken seriously. • They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. • They must have a means of communicating significant information upstream. • There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders. How effective is the communication upstream and downstream in the company? Scale of 1 to 5 (1 being weakest) 5/23/2009 25 Monitoring • Internal control systems need to be monitored - a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. • Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities and other actions personnel take in performing their duties. • The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. • Internal control deficiencies should be reported upstream with serious matters reported to top management and the board. 5/23/2009 26 Control Activities Control activities are the policies and procedures that help ensure management directives are carried out. • They help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives. • Control activities occur throughout the organization, at all levels and functions. • They include a range of activities as diverse as: • • • • • • • approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. 5/23/2009 27 Who owns the Control Processes – Assessment, Identification & Documentation? • Internal Audit/Compliance meets with Business Owners to assist in the Risk and Control identification process. “Risk” is just another way of saying “What could go wrong?” The risks that are defined for each process are meant to be general. Example: There are not separate risks for inaccurate journal entries, duplicate journal entries, and miscoded journal entries. There is one risk that addresses a variety of errors that may occur with journal entries. “Controls” are the procedures that provide the business owner comfort that they can avoid risks and achieve business objectives. These procedures include verifications, balancing reports, edit reports, approvals, written policies/procedures, and reconciliations just to name a few. Business Owners should update and document control descriptions and describe the controls as specifically as possible. Business Owners own all aspects of their Business Controls! 5/23/2009 28 Internal Controls: Preventative vs. Detective All Internal Controls can be classified as either preventative or detective. Preventative controls focus on preventing errors or exceptions. The following are types of preventative controls: • • • • Standard policies and procedures Proper segregation of duties Firewalls and ID specific passwords Authorizations Levels/Approvals Detective controls are designed to identify an error or exception after it has occurred. Examples include: • • • • 5/23/2009 Exception reports Reconciliations Periodic Audits Authorization Levels/Approvals 29 CLASSIFICATION OF CONTROLS – Fraud – Prevent - Detect Controls can be classified, and we will be classifying the identified key controls according to the following characteristics: FRAUD MANUAL OR SYSTEM? PREVENT OR DETECT? There are 2 Basic Classifications of Controls: PREVENT Upfront Controls designed to discourage errors and irregularities from occurring.  Authorization and Approval  Proper Segregation of Duties  Limiting Access to Assets and OR DETECT Designed to identify the undesirable outcomes if/when they do happen (usually occur after the fact)  Reconciliations  Management Reporting  Periodic Inventory counts  Spot checks of records  Operating Meetings  Automatic System flags  Comparing Actual vs. Systems  Planning/Budgeting process  Adequate documentation and proper record keeping  “Whistle Blowing” processes Plan/Budget  Confirmation of Bank Balances  Monitoring of Specific Operational Activity Internal Controls – Classified – Manual - Automated Internal controls can further be classified as: MANUAL Performed by a person    Manager reviews Locking up blank check stock Filing signed expense reports OR       SYSTEM/APPLICATION Performed automatically by a system Configuration/set-up System Access Interfaces of data Auto accounting rules Duplicate vendor set-up Duplicate invoicing prevention Finally, there are internal controls, of either prevent or detect, manual or system variety, that also serve the function of being FRAUD controls. FRAUD CONTROLS Controls that are specifically designed to prevent and/or detect fraud  Segregation of Duties  System passwords/ access  Approvals & Authorizations The best set of controls is a combination of prevent and detect controls. A single control to protect financial risk is not the best answer. If that control were to fail, we would be out of luck. That’s why we typically have multiple controls that address a single financial statement balance to mitigate the risk of having a material misstatement of financial statements. HOW DO I IDENTIFY A KEY CONTROL? See: UIC Reference Guide - Pages 11-15 Consider the following: (1) What are some of the risks that are prevented by having this process in place? (2) What are specific actions or process steps that mitigate those risks? (3) Can we call any of those action/process steps key controls? (4) What evidence exists to prove that this control actually took place? (5) Can we verify who performed this control and when he/she performed it? (6) How would we go about testing this control? Can the Process Owner generate the evidence so that it can be tested? For each control we, or any other party after us, should be able to verify who performed it and when – and there should be evidence that it was DONE. Some 1. 2. 3. 4. controls are, by definition, generally always significant. They include: Segregation of duties Authorization, approvals, and review Reconciliations System access While reviewing the process documentation, think about the specific steps that are in place to prevent any type of errors, irregularities and/or fraud from occurring. What about IT Controls? Understand: ♦ IT management & organization ♦ Geographical organization ♦ Strategy for managing technology & applications IT ORGANIZATION & STRUCTURE IT EVALUATION IS REQUIRED AT: Application Level Operating System Level Database Level Internal Network Level Perimeter Network Level Five (5) General Computer Control Domains 1. IT Control Environment 2. Program Development 3. Program Change 4. Access to Programs and Data 5. Computer Operations 33 5/23/2009 Sarbanes – Oxley Timeline 2001 AUGUST OCTOBER NOVEMBER JANUARY 2002 Rigas family MAY surrenders control of Adelphia as SEC probes the company’s finances. AUGUST SEC investigates Arthur Andersen DECEMBER Enron files Chapter 11 Enron CEO resigns for “personal reasons” Justice Dept. begins investigation of Enron; CEO Kenneth Lay resigns MARCH Pres. Bush unveils proposal that would require CEO’s to certify financial statements. Andersen surrenders its licenses and right to practice. SEPTEMBER SEC launches a formal investigation; Enron CFO Andrew Fastow is ousted APRIL WorldCom fires CFO Scott Sullivan JUNE Tyco CEO Dennis Kozlowski and CFO Mark Swartz indicted for enterprise corruption. House committee approves new auditor-oversight board; House passes “accounting reform package” JULY Sarbanes-Oxley Act takes effect; WorldCom files Chapter 11 Key Sections of Sarbanes-Oxley 101 & 103 – Define BOD Membership Qualifications & Duties Make “unlawful” certain services outside the scope of practice of External Auditors (certain non-audit services not included as unlawful, may be pre-approved) Audit Partner Rotation – mandatory every 5 years. Firm must report to the Audit Committee all “critical accounting” policies & practices. 206 – The CEO, Controller, CFO, CAO, or person in an equivalent position cannot have been employed by the company’s audit firm during the 1-year period after the audit. 302 – CEO & CFO certification is required. 402a – Prohibition on personal loans to executives. 403 – Directors, officers, and 10% owner must report designated transactions by the end of the second business day following the day on which the transaction was executed. 404 – Annual Report must contain an “internal control report” which includes assessment. Auditors are required to maintain “all audit or review work-papers” for five years Publicly traded companies must maintain an Internal Audit Activity. 35 Gaining Operational Benefits SOX Benefits reported by companies: Source of valuable insights into operations Translation of insight into improved efficiencies and cost savings Strengthened control environment More reliable documentation Better and less burdensome compliance with other statutory regimes More standardized processes for IT and other functions Reduced complexity of organizational processes Better internal controls within partner companies More effective use of both automated and manual controls Increased and re-directed audit committee involvement 5/23/2009 Source: “Leveraging SOX to Optimize Shareholder Value – A Best Practice Report” APQC Publications 36 Sarbanes Oxley Benefits ISO 9000 Reorganization of Finance Security Policies - Standardization % 100 80 60 Automation of controls and process Process Standardization Documentation 40 20 0 20 40 60 80 100 Frequency of Response 5/23/2009 Source: “Leveraging SOX to Optimize Shareholder Value – A Best Practice Report” APQC Publications 37 AS 5 – SEC CHANGES - New Guidance – Issued in 2007 Key SOX 404 Decision Points (1) Select significant financial reporting elements OLD: Bottom-Up, Focused on Coverage NEW: Top-Down, Risk-Based Quantitative and qualitative factors are considered together Differentiate assertions based on relative risk Begin top-down, starting with entity-level controls Start at entity level and work down: documentation is driven by ICFR risk, including the risk of control failure When determining tests of controls, consider ICFR risk (which includes control failure risk) Base scoping on assessed ICFR risk Start with quantitative first, then consider qualitative factors as additive (2) Identify relevant assertions for each Consider all assertions as risksignificant financial reporting element equivalent (3) Select effectively-designed key controls Begin bottom-up, starting with addressing each relevant assertion process-level controls (4) Decide documentation standards at different Start at process level and work up; documentation is tiered based on levels of risk the assessed risk of misstatement (5) Consider ICFR risk levels to decide tests of operating effectiveness Test all controls, emphasizing coverage and ignoring control failure risk (6) Determine locations and units to include into Achieve minimum coverage scope (7) Understand and apply standards driving Use work of others within cap and Use work of others with cap and restrictions; confusion over rules some restrictions moved; auditor’s use of work of others confusion over using work of written for internal auditors others eliminated (8) Establish methodology to assess severity of Apply Firm Framework with much Focus solely on material attention directed to significant control deficiencies weaknesses deficiencies 5/23/2009 38 What is Top-Down, Risk Top-downahas two dimensions: Based Approach? –Scoping –Identifying the relevant controls Risk-based is relevant at each phase/activity: –Scoping •Deciding what is in or not in scope •For what is in scope, which areas represent high risks or potential errors/financial statement assertions are more critical (e.g., valuation of goodwill) –Evaluation of Operating Effectiveness •Nature and number of control activities to achieve a control objective or address relevant potential errors/financial statement assertions •Nature, timing and extent of evaluation –Concluding 5/23/2009 •Classifying deficiencies 39 16 Steps: Top-Down Risk-Based Approach STEP 14– MAXIMIZE RELIANCE ON PCAOB Guidance: The new proposed audit standard provides auditors the ability to rely more on broader provisions for management opinion and judgment on ICFR. As a result, management has the obligation to make their work more reliable. ICFR WORK STEP 15– EVALUATE AND PCAOB Guidance: Management has historically done a poor job reporting on deficiencies. REMEDIATE DEFICIENCIES STEP 16– MANAGEMENT OPINION ON PCAOB Guidance: The proposed AS5 has a significant focus on risk as a key element on risk and a top-down, risk-based approach as a guiding principal to ICFR. ICFR EFFECTIVENESS 5/23/2009 40 DOCUMENTATION – FINANCIAL REPORTING The documentation produced in the Section 404 project forms the basis and support for management’s evaluation of internal control over financial reporting. Further, the SEC’s final rules on the Sarbanes-Oxley Act of 2002, Section 404, indicate that it is a company’s responsibility to document internal control, and that developing and maintaining such documentation is inherent to effective internal control. 1. Process Flow must be presented in a complete and logical order, usually in a narrative or flowchart form. 2. Walkthrough of the process – Are we doing what we say we do in the process flow? 3. Is the process well designed? 4. Test the operating effectiveness – Are the controls we have in place operating as we indicated? Risk Based Review: Nuvasive •Pricing •Reimbursement •Revenue Recognition Risks •Distribution Network •Product Development •Mergers & Acquisitions •Supply Chain Infrastructure Risks Risks How do we analyze, address, and mitigate? 5/23/2009 42 Identifying Financial Reporting Risks Identify Significant Financial Reporting Elements –Begin with financial statement accounts • Consider whether similar risks and processes exist at the financial statement account level. –If necessary, further disaggregate at the account level to sub-accounts. –Once accounts have been identified, use an appropriate materiality threshold and consider other qualitative risk factors to determine whether account or subaccount is significant. • It is a significant account if there is a reasonable possibility of a material misstatement. • Generally, accounts greater than management‘s materiality threshold will be considered significant. • Other accounts that are below management‘s materiality threshold may be considered significant based on qualitative factors. 5/23/2009 43 Qualitative Risk Factors • Susceptibility to errors and fraud • Volume of activity, complexity, and homogeneity • Nature of account • Complexities • Exposure to loss • Possibility of contingent liabilities • Related-party transactions • Changes from prior period • History of misstatements 5/23/2009 44 Financial Information Select Financial Reporting Elements (in millions) Balance Sheet Amounts (9/30/2007) Cash and cash equivalents Short-term investments Accounts receivable, net Inventory, net Property and equipment, net of accumulated depreciation Intangible assets, net of accumulated amortization Long-term investments Accounts payable and accrued liabilities Accrued payroll and related expenses Income Statement Sales Sales, marketing and administrative Research and development $54,573 33,610 24,330 29,291 36,203 24,864 10,499 11,226 10,707 $107,360 85,012 17,914 5/23/2009 45 Balance Sheet Accounts Accounts Cash and cash equivalents Short-term investments Accounts receivable, net Inventory, net Property and equipment, net of accumulated depreciation Intangible assets, net of accumulated amortization Long-term investments Accounts payable and accrued liabilities $54,573 33,610 24,330 29,291 Disaggregated N N N Y Sub-Account Amount Significant Element (Y/N) Y Y Y Y Y (1) Inventory Inventory Reserves $32,665 (3,374) 36,203 24,864 10,499 11,226 N N N Y AP Accrued Expenses Other 3,275 5,004 2,947 26 (9) (3) 787 1,682 800 7,170 250 N Y (1) N N N N N Y (1) N Y N Y (1) Accrued payroll and related expenses 10,707 Y 401(k) (ING) Payable Section 125 (BDG) Payable Vision Plan (MED) Payable Employee Stock Purchase Plan Commissions Payable Accrued Vacation Accrued Payroll Accrued Workers Comp Royalties payable 1,504 Y 1) Although the account is less than materiality, due to qualitative risk factors (including significant estimates and judgments), this account has been deemed to be significant. 5/23/2009 46 Income Statement Accounts Income Statement Disaggregated Sub-Account Amount Significant Element (Y/N) Sales Sales, marketing and administrative Research and development $107,360 85,012 17,914 N N N Y Y Y 5/23/2009 47 Planning Materiality NuVasive, Inc Planning Materiality 11/5/2007 Forecasted 2007 Revenue……………. Overall Materiality…………………... (in thousands) $152,000 $7,600 Annual Significant Deficiency (SD) Threshold……………………………... interim SD Threshold………………… $1,520 $380 5/23/2009 48 Relevant Financial Assertions and What Can Go Wrong The assertions (from COSO) include: •Existence or Occurrence—Assets, liabilities, and ownership interests exist at a specific date, and recorded transactions represent events that actually occurred during a certain period. •Completeness—All transactions and other events and circumstances that occurred during a specific period, and should have been recognized in that period, have, in fact, been recorded. •Valuation or Allocation—Asset, liability, revenue, and expense components are recorded at appropriate amounts in conformity with relevant and appropriate accounting principles. •Rights and Obligations—Assets are the rights, and liabilities are the obligations, of the entity at a given date. •Presentation and Disclosure—Items in the statements are properly classified, described, and disclosed. 5/23/2009 49 What could go wrong? Significant Account Inventory Selected Assertion Valuation or Allocation What Could Go Wrong (i.e., Risk) Inventory is not salable or usable Shipments of inventory are not recorded in the right period Existence or Occurrence Accounts payable and accrued liabilities Accrued payroll and related expenses Rights and Obligations Medical Advisory fees are not calculated or accrued Completeness Unpaid compensation is earned but not recorded Sales Completeness Sales invoices issued are not recorded Valuation or Allocation Sales return estimates are not calculated or recorded 5/23/2009 50 Process Risk Assessment Process risk assessments allow individual processes to be evaluated and improved: They allow a business to: • Identify opportunities to streamline the process by eliminating unnecessary activities. • Perform a cost/benefit of implementing process changes. • Improve process controls. • Improve business performance. An assessment of each process should address the following: >Objective >Evidence >Risk >Evaluation >Control(s) >Follow-up 5/23/2009 51 Questions & Answers 52