
Rubik’s Cube Audit Approach
Johnny Cagle
April 20, 2017

Agenda

• Session 1 – Introduction
• Session 2 – Rubik’s Cube
• Session 3 – Reporting Audit
• Session 4 – Operations Audit
• Session 5 – Compliance Audit
• Conclusions

Why?

FROM: “When I finish, I know enough to start.”

TO: “When I start, I know enough to finish.”

Session 1 – Introduction

Agenda

• Background
• Research
• Fruit of the Loom Internal Audit
• Auditors’ Dilemma
• Theory of Constraints
• Strategic Architecture
• Foreign Corrupt Practices Act (“FCPA”)
• Committee of Sponsoring Organizations (“COSO”)
• Sarbanes-Oxley Act of 2002 (“SOX”)
• SEC Guidance on SOX
• Integrated Audit
• Risk & Internal Audit
• “Risk”
• Cost of Risk
• Risk-Based Audit
• Model-Based Audit
• Summary
• Insights
• Conclusions

Background

• BS Accounting, Lipscomb, 1971
• MBA, Samford, 1982
• IIA Member #31919 (1970s)
• Certified Fraud Examiner
• “Innovative Auditor”
• Gulf States Paper Corporation
• Intergraph Corporation
• SAIC (DoD, USDA, DOI, NASA…)
• Tempurpedic
• Rhino Energy
• Fruit of the Loom

Research

Universities:
• “Auditing Real-Time Systems” (1971)
• “Christian Code of Ethics for Business” (1980)
• “Forecasting the GNP, Price Level & Unemployment” (1980)
• “Occupational Stress and Productivity” (1981)

Corporate:
• “Statement of Business Ethics” (1989)
• “Internal Control Objectives” (1991)
• “Corporate Business Model” (1998)
• “Integrating Methodology & Technology” (1999)
• “Strategic Mapping – Mapping Business Success in Three Dimensions” (2002)
• “Model-Based Auditing” (2004)
• “Business Process Engineering / Business Process Improvement” (2009)
• “Risk Accounting – A New Way to Control Period Cost” (2014)
• “A Top-Down, Risk-Based Approach to Performance Auditing for Internal Auditors” (2015)
• “Rubik’s Cube Audit Approach” (2017)

Fruit of the Loom (“Fruit”)

• Founded in 1851
• Awarded trademark # 418 in 1871 for the Fruit of the Loom brand
• Purchased by Berkshire Hathaway Inc. in 2002
• Purchased Russell Corporation in 2006
• Purchased Vanity Fair Intimates in 2007
• $2+ Billion annual revenue
• 33,000 employees globally

Fruit of the Loom Corporate Headquarters – Bowling Green, KY

Berkshire Hathaway (“Berkshire”)

• Original Berkshire Hathaway Inc. founded in 1839
• Bought by in 1964
• Headquarters in Omaha, Nebraska
• Over 60 wholly-owned subsidiaries, some of which also own several subsidiaries
• Significant investments in Coca-Cola, , IBM, and others
• $224 Billion annual revenue
• 368,000 employees globally
• 25 headquarters staff

Warren Buffett, CEO, Berkshire Hathaway Inc.: “Risk comes from not knowing what you’re doing.”

Berkshire Subsidiaries

Acme Brick Company International , Inc. National Indemnity Company Applied Underwriters Company IMC International Metalworking Charter Brokerage Companies NetJets® Benjamin Moore & Co. Berkshire Hathaway Automotive CORT Business Services Jordan's Furniture ® Berkshire Hathaway Energy CTB Inc. Justin Brands Precision Castparts Corp. Company Kraft Precision Steel Warehouse, Inc. Berkshire Hathaway GUARD Fechheimer Brothers Company Larson-Juhl Companies RC Willey Home Furnishings FlightSafety LiquidPower Specialty Products Berkshire Hathaway Homestate Richline Group Inc. (LSPI) Companies Scott Fetzer Companies Fruit of the Loom Companies Berkshire Hathaway Specialty Louis - Motorcycle & Leisure See's Candies Garan Incorporated Insurance Corporation Gateway Underwriters Agency BH Media Group Marmon Holdings, Inc. Star Furniture GEICO Auto Insurance BoatU.S. McLane Company TTI, Inc. General Re Fine Jewelry MedPro Group Liability Insurance Brooks Group Buffalo NEWS, Buffalo NY H.H. Brown Shoe Group XTRA Corporation BNSF HomeServices of America

Fruit IA Mission

Provide independent audit and assurance services to help the Company reach its goals while maintaining ethical business practices and effective internal controls with respect to personnel, processes and systems.

Mission diagram labels:
• Goals, Objectives & Requirements
• Risk of Material Adverse Event
• Risk of Material Missed Opportunity
• Laws, Regulations, Standards, Policies, Processes & Systems
• Audits & Projects
• Management Requests

Responsibilities

• Assess Risks
• Test Controls
• Focus on Service
• “Audit Forward”

Fruit IA Organization

• Johnny Cagle, CFE – VP Internal Audit (US)
  – Stephen Thompson, CA – Director, Europe, Morocco & Vietnam (UK)
    • Rachid Badoui – Staff Auditor (Morocco)
  – Matthew Pendel, CIA – Manager, Americas Operations, IT & Reporting (US)
    • Jackie Perkins – IT Auditor (US)
    • Lesly Reyes – Staff Auditor (Central America)
  – Amanda J. Brown, CIA – Supervisor, Global Ethics & Compliance & Asia Pacific (US)
    • Chase Carver – Staff Auditor (US)

Berkshire Audit Focus

• Continuity Management (ITGC)
• Access Management (ITGC)
• Change Management (ITGC)
• Privacy Management (EU GDPR)
• Reputation Management (GRC)
• Relationship Management (FCPA)
• Evidence Management (SOX / FCPA)

The Auditor’s Dilemma

• Financial vs. Operational
• Substantive vs. Control
• Balance Sheet vs. Income Statement
• Analytics vs. Sampling
• Values vs. Processes
• Internal vs. External
• Testing vs. Interviewing
• Actual vs. Forecast
• Cost vs. Benefit
• Control vs. Risk
• Certainty vs. Uncertainty
• Global vs. Local
• COSO vs. COBIT
• etc. vs. etc…

“When you come to a fork in the road, take it!” – Yogi Berra

Theory of Constraints

• The Theory of Constraints (TOC) is a management paradigm that views any manageable system as being limited in achieving more of its goals by a very small number of constraints. There is always at least one constraint, and TOC uses a focusing process to identify the constraint and restructure the rest of the organization around it.
• Developed by Eli Goldratt
• Books:
  – “The Goal” (1984)
  – “Critical Chain”
  – “Beyond the Goal”
  – Many others…

Theory of Constraints

• The Goal:
  – Maximize Throughput (Margin)
  – Minimize Inventory
  – Minimize Operating Expense
• The #1 Constraint is “making decisions without all of the relevant data”.
• The Thinking Process helps determine:
  – What to Change?
  – What to Change To?
  – How to Change?
• Five Focusing Steps:
  1. Identify the Constraint
  2. Exploit the Constraint
  3. Subordinate everything to the Constraint
  4. Elevate the Constraint
  5. Prevent Inertia from Becoming the Constraint
• “Technology can bring benefits if and only if it diminishes a limitation.”

Strategic Architecture

• “How Strategic Architecture Wins Technology Wars”
  – Harvard Business Review – March-April 1993
  – Charles R. Morris
  – Charles H. Ferguson
• Proposed assumptions on how technology companies survive(d) technology architecture evolution.
• “Organizational architecture and decision making mirror technical architecture.”
  – What is our “technical architecture”?

Strategic Architecture

• Follow-Up HBR Article – April 2000 – Lessons Learned:
  – Competitive success flows to the company that manages to establish proprietary architectural control over a broad, fast moving competitive space.
  – Architectures impose order on the system and make interconnections possible.
  – Proprietary architectures are under constant competitive attack.
  – Legislated standards usually settle to the least common denominator.
• Architectural Standards Setters:
  – Microprocessor – Intel
  – Operating System – Microsoft
  – Network System – Novell
  – Printer Page System – Adobe, HP
• IBM opened its architecture too broadly.
• Apple held its architecture too closely.
• “Point Product” vendors (e.g. Lotus) are always at risk when the architectural leader changes the rules of the game.

Foreign Corrupt Practices Act

• "(A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer; and
• "(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—
  – "(i) transactions are executed in accordance with management's general or specific authorization;
  – "(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
  – "(iii) access to assets is permitted only in accordance with management's general or specific authorization; and
  – "(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

FCPA – December 1977

COSO

• Committee of Sponsoring Organizations of the Treadway Commission (“COSO”):
  – Internal Control – Integrated Framework - 1992
  – Refreshed in 2013
• In an “effective” internal control system, the following five components work to support the achievement of an entity's mission, strategies and related business objectives:
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information and Communication
  – Monitoring

[Figure: Integrated Internal Control Framework - 1992]

Components & Principles

COSO ERM

• The COSO Enterprise Risk Management (“ERM”) framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
• Relationship to Internal Control – Integrated Framework:
  – Adds “Strategic” category.
  – Expands and elaborates on elements of internal control as set out in COSO’s “control framework.”
  – Includes objective setting as a separate component.
  – Expands the control framework’s “Financial Reporting” and “Risk Assessment.”

[Figure: ERM Integrated Framework - 2004]

Sarbanes-Oxley Act

• The Sarbanes-Oxley Act of 2002 (SOX) was passed by the U.S. Congress to protect investors from fraudulent accounting by corporations. It mandated strict reforms to improve corporate financial disclosures and prevent accounting fraud.
  – Section 302 – Corporate Responsibility for Financial Reports
  – Section 404 – Management Assessment of Internal Controls
• Securities and Exchange Commission (SEC) guidance for SOX compliance in 2007:
  – Recommends a top-down, risk-based audit of internal controls over financial reporting
• Public Company Accounting Oversight Board (PCAOB):
  – Requires an integrated audit of the financial statements and internal controls over financial reporting

SOX – July 2002

SEC Guidance on SOX

Integrated Audit

• An Integrated Audit is one where auditors, in addition to an opinion on the financial statements, must also express an opinion on the effectiveness of a company's internal control over financial reporting, in accordance with PCAOB Auditing Standard No. 5.
  – Opinion on the financial statements.
  – Opinion on the effectiveness of internal control over financial reporting.
  – How to audit both simultaneously?

Risk & Internal Auditing

• Risk is the potential of gaining or losing something of value. (Wikipedia)

• “Risk comes from not knowing what you’re doing.” (Warren Buffett)

• Enterprise Risk Management (ERM) includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. (Wikipedia)

• Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (The IIA)

“Risk”

Use of “Risk” in select quarterly investor call transcripts in 2012, 2013 and 2014:
• Amazon – 0
• American Express – 3
• (company name not extracted) – 13
• Berkshire Hathaway (Annual Letter) – 7
• Coca Cola – 0
• (company name not extracted) – 0
• Gildan – 4
• Google – 2
• Hanes – 4
• IBM – 0
• Microsoft – 2
• Nike – 3
• Oracle – 2
• Tempur-Sealy – 2
• Under Armour – 3
• (company name not extracted) – 5
• Wells Fargo – 13

Cost of Risk

• Patented Methodology to Calculate Enterprise Total Cost of Risk
• Based on Actual & Forecast Income Statements
• Quantifies the Impact of Risk on Performance
• Invented / Patented by Gary Bierc

Risk-Based Audit

• A Risk-Based Audit is an internal audit methodology that focuses primarily on the risk (inherent or residual) in the activities or system under audit and provides assurance that the risk is being managed within defined risk appetite levels.
• Used by many auditors by preparing a risk assessment in advance of the audit and tailoring the audit to the relevant risks.
• Risk / Control / Test matrices are prepared in advance for audits using this approach.

Example Risk / Control / Test matrix:
• Risk – Shipment information is not transferred to Accounts Receivable for invoicing.
• Controls – All shipments are automatically invoiced.
• Tests – Select a random sample of shipments and trace to related invoices; or select a random sample of invoices and trace to related shipments; or reconcile shipment data to invoice data.
• Results – No exceptions noted; or Exceptions noted (see explanation of test results).
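The three tests in the matrix above, run as code over a constructed shipment and invoice extract. This is an added example, not code from the presentation or from Fruit of the Loom; the record layouts, field names, sample data and the seed-based sampling are assumptions made for the illustration.

```python
"""Added example (not from the presentation): the three tests in the
risk/control/test matrix run over constructed shipment and invoice data.
Record layouts, field names and the sample extracts are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Shipment:
    shipment_id: str
    order_id: str
    quantity: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    shipment_id: str
    quantity: int


# Constructed sample extracts. S-104 was shipped but never invoiced (the
# risk in the matrix); I-9 bills a shipment that does not exist; I-3 bills
# fewer units than were shipped.
SHIPMENTS = [
    Shipment("S-101", "O-1", 10),
    Shipment("S-102", "O-1", 5),
    Shipment("S-103", "O-2", 8),
    Shipment("S-104", "O-3", 12),
    Shipment("S-105", "O-4", 3),
]
INVOICES = [
    Invoice("I-1", "S-101", 10),
    Invoice("I-2", "S-102", 5),
    Invoice("I-3", "S-103", 6),
    Invoice("I-5", "S-105", 3),
    Invoice("I-9", "S-999", 4),
]


def trace_shipments_to_invoices(shipments, invoices):
    """Test 1 (completeness): every shipment should have an invoice.
    Returns the shipment ids that have none."""
    billed = {inv.shipment_id for inv in invoices}
    return sorted(s.shipment_id for s in shipments if s.shipment_id not in billed)


def trace_invoices_to_shipments(shipments, invoices):
    """Test 2 (existence): every invoice should point at a real shipment.
    Returns the invoice ids whose shipment is not in the shipment file."""
    shipped = {s.shipment_id for s in shipments}
    return sorted(inv.invoice_id for inv in invoices if inv.shipment_id not in shipped)


def reconcile(shipments, invoices):
    """Test 3 (reconciliation): compare shipped and invoiced quantity per
    shipment over the whole population. Returns {shipment_id: (shipped,
    invoiced)} for every shipment where the two disagree."""
    invoiced = {}
    for inv in invoices:
        invoiced[inv.shipment_id] = invoiced.get(inv.shipment_id, 0) + inv.quantity
    differences = {}
    for s in shipments:
        if invoiced.get(s.shipment_id, 0) != s.quantity:
            differences[s.shipment_id] = (s.quantity, invoiced.get(s.shipment_id, 0))
    return differences


def sample(records, size, seed):
    """Random sample for tests 1 and 2. The seed goes in the workpapers so
    the selection can be reproduced by a reviewer."""
    rng = random.Random(seed)
    return rng.sample(list(records), min(size, len(records)))


def run_tests(shipments, invoices, sample_size=3, seed=20170420):
    """Run all three tests and return the matrix's 'Results' column."""
    sampled = sample(shipments, sample_size, seed)
    exceptions = {
        "unbilled_in_sample": trace_shipments_to_invoices(sampled, invoices),
        "invoices_without_shipment": trace_invoices_to_shipments(shipments, invoices),
        "quantity_differences": reconcile(shipments, invoices),
    }
    noted = any(exceptions.values())
    return {"result": "Exceptions noted." if noted else "No exceptions noted.",
            **exceptions}


if __name__ == "__main__":
    for key, value in run_tests(SHIPMENTS, INVOICES).items():
        print(f"{key}: {value}")
```

The sample-based tests can miss the unbilled shipment if it is not drawn; the full-population reconciliation in `reconcile` always surfaces it, which is the "Analytics vs. Sampling" choice from the Auditor’s Dilemma slide made concrete.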

Model-Based Audit

• A Model-Based Audit is an audit based on a pre-developed model that has enough structure and data to be a relevant comparison to live results. It helps ensure audit completeness and visibility into significant non-audit-scope areas of concern.

Summary

• What to change?
  – From using a limited-dimension audit approach.
• What to change to?
  – To using a three-dimensional audit approach based on the COSO Cube.
• How to change?
  – Begin with the COSO Cube and simplify it to represent any organization or entity.
• What is the number one constraint?
  – “Making decisions without all of the relevant data.”
• How do we “exploit the constraint”?
  – Create a model that represents all of the relevant data.
  – Find the single center cube and relate everything else to that cube.

[Figure: Integrated Internal Control Framework - 1992]

Summary

• FROM: Integrated Internal Control Framework - 1992
• TO: Simplified Integrated Internal Control Framework - 2017, with Relationships, Responsibilities and Requirements as the third dimension

Insights

• 6 sides
• 27 cubes (3X3X3)
• 6 face center cubes
• 8 corner cubes
• 12 center edge cubes
• = 26 face cubes
• + 1 center center “cube”
  – Reporting
  – Risk
  – Responsibilities

Cube numbering (Top = objective, Left = component, Right = level):

 #   Top          Left      Right
 1   Operations   Control   Requirements
 2   Reporting    Control   Requirements
 3   Compliance   Control   Requirements
 4   Operations   Risk      Requirements
 5   Reporting    Risk      Requirements
 6   Compliance   Risk      Requirements
 7   Operations   Monitor   Requirements
 8   Reporting    Monitor   Requirements
 9   Compliance   Monitor   Requirements
10   Operations   Control   Responsibilities
11   Reporting    Control   Responsibilities
12   Compliance   Control   Responsibilities
13   Operations   Risk      Responsibilities
14   Reporting    Risk      Responsibilities
15   Compliance   Risk      Responsibilities
16   Operations   Monitor   Responsibilities
17   Reporting    Monitor   Responsibilities
18   Compliance   Monitor   Responsibilities
19   Operations   Control   Relationships
20   Reporting    Control   Relationships
21   Compliance   Control   Relationships
22   Operations   Risk      Relationships
23   Reporting    Risk      Relationships
24   Compliance   Risk      Relationships
25   Operations   Monitor   Relationships
26   Reporting    Monitor   Relationships
27   Compliance   Monitor   Relationships

Simplified Integrated Internal Control Framework - 2017

Insights – Stakeholder Perspective

[Figure: the simplified cube viewed from the Stakeholder, Management and Audit perspectives, with the Relationships, Responsibilities and Requirements layers]

Simplified Integrated Internal Control Framework - 2017
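The 27-cube model from the Insights table as data, with the “Find the center. Audit out.” rule turned into an ordering. This is an added example, not code from the presentation; the cube numbering follows the table, while the distance-from-center measure and the resulting audit order are this example’s own reading of the Rule of One.

```python
"""Added example (not from the presentation): the 27-cube simplified COSO
model as data. Numbering follows the Insights table (objective fastest,
then component, then level); the distance metric and the 'audit out'
ordering are assumptions made for this illustration."""
from dataclasses import dataclass
from itertools import product

# The three dimensions of the simplified cube, in table order.
OBJECTIVES = ("Operations", "Reporting", "Compliance")         # Top
COMPONENTS = ("Control", "Risk", "Monitor")                     # Left
LEVELS = ("Requirements", "Responsibilities", "Relationships")  # Right
MIDDLE = 1  # index of the middle value on each axis


@dataclass(frozen=True)
class Cube:
    number: int
    objective: str
    component: str
    level: str

    @property
    def coords(self):
        """Position on the three axes, each 0..2."""
        return (OBJECTIVES.index(self.objective),
                COMPONENTS.index(self.component),
                LEVELS.index(self.level))

    @property
    def distance(self):
        """Number of axes on which the cube is off-center: 0 for the center
        center cube, 1 for a face center, 2 for an edge, 3 for a corner."""
        return sum(1 for c in self.coords if c != MIDDLE)

    @property
    def kind(self):
        return ("center", "face center", "edge", "corner")[self.distance]


def build_cube():
    """All 27 cubes, numbered 1..27 as in the Insights table."""
    cubes = []
    for number, (level, component, objective) in enumerate(
            product(LEVELS, COMPONENTS, OBJECTIVES), start=1):
        cubes.append(Cube(number, objective, component, level))
    return cubes


def center(cubes):
    """Rule of One: the single cube that is central on every axis."""
    (core,) = [cube for cube in cubes if cube.distance == 0]
    return core


def counts(cubes):
    """Cubes of each kind; reproduces the slide's 1 + 6 + 12 + 8 = 27."""
    result = {}
    for cube in cubes:
        result[cube.kind] = result.get(cube.kind, 0) + 1
    return result


def audit_out(cubes):
    """Find the center, audit out: the center first, then the six face
    centers that share two dimensions with it, then edges, then corners.
    Ties keep table order so the plan is reproducible."""
    return sorted(cubes, key=lambda cube: (cube.distance, cube.number))


def related_to_center(cubes):
    """The first ring of the plan: cubes differing from the center on
    exactly one axis (the six face centers)."""
    return [cube for cube in audit_out(cubes) if cube.distance == 1]


if __name__ == "__main__":
    plan = build_cube()
    print("Center:", center(plan))
    print("Counts:", counts(plan))
    for cube in audit_out(plan):
        print(f"{cube.number:2d} {cube.kind:12s} "
              f"{cube.objective} / {cube.component} / {cube.level}")
```

Run stand-alone, the plan starts at cube 14 (Reporting / Risk / Responsibilities), which is exactly the three “Core Domains” named in each session’s Purpose slide, and then visits the six cubes that share two of those three values before reaching the edges and corners.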

Conclusions

• Constraints control performance but can be leveraged to improve performance.
• Strategic Architecture establishes organizational and decision making design.
• FCPA requires books, records & a system of internal accounting control.
• COSO provides an updated Internal Control – Integrated Framework.
• COSO provides an Enterprise Risk Management Framework.
• SOX requires documented and tested Internal Controls over Financial Reporting.
• SEC SOX guidance provides for a top-down risk-based compliance approach.
• PCAOB requires an integrated audit.
• Risk-Based audits extend Internal Auditing into the impact of risk on performance.
• Model-based audits provide a comparative model to benchmark and test against with actual and budget results.
• A simplified COSO Model provides a model for Operations, Reporting & Compliance benchmarking.
• New rules are needed to use a model-based approach.
• The 3X3X3 Cube is a good comparative physical model to use for a model-based approach.

“Find the center. Audit out!”

New Rules

• Rule of One – Find the center. Audit out.

• Rule of Three – Focus on three dimensions.

• Rule of Ten – Minimum 10% Operating Margin.

• Rule of Twenty – Identify and work on the 20% of actions that drive 80% of results.

• Rule of Thirty – Expect no more than 30% cost of control.

Session 2 – Rubik’s Cube

Agenda

• History
• Solutions
• Solving
• Importance
• Relevance
• Conclusions

https://www.youtube.com/watch?v=egWvQuT5TCU

History

• The Rubik's cube was invented in 1974 by Erno Rubik, a Hungarian architect, who wanted a working model to help explain three-dimensional geometry.

• After designing the “magic cube” as he called it (twice the weight of the current toy), he realized he could not actually solve the puzzle.

https://www.youtube.com/watch?v=bOxNBQxp4_A

Solutions

• 43,252,003,274,489,856,000 (43 Quintillion) Combinations.
• Any position can be solved in 20 moves or fewer.
• Numerous Solutions on YouTube, On-Line and in Books and Apps.
• World Records:
  – 4.73 Seconds – Feliks Zemdegs
  – 4.74 Seconds – Mats Valk

https://www.youtube.com/watch?v=tLksISrKtO8

Solutions

• Stage 1 – Know Your Cube.
• Stage 2 – Form The White Cross.
• Stage 3 – Place The White Corners.
• Stage 4 – Fix The Middle Layer.
• Stage 5 – Form The Yellow Cross.
• Stage 6 – Align the Yellow Cross.
• Stage 7 – Place The Yellow Corners.

T2 Games

Solving

• Detailed instructions as provided by T2 Games.
• Close but not guaranteed.
• “Practice Makes Perfect”.
• Knowing where you are and what you are trying to do at each point is critical.
• It can be done!

T2 Games https://www.youtube.com/watch?v=9Za5PhDBpQQ

Importance

• We live in a multi-dimensional world, but make decisions as if we live in only one or two dimensions.
• Three dimensions are generally enough to achieve completeness if time is not considered.
• Think about GPS vs. Paper Maps: 3 vs. 2
  – Latitude
  – Longitude
  – Altitude
• A physical object that is relevant to any organization is helpful in seeing the impact of changes and understanding how to prevent harmful changes as well as protect helpful changes.

Relevance

• How is this relevant to Internal Auditing?

• What lessons can we learn?

• How do we apply it to audits?

• Why would we want to apply it to audits?

• How would we explain it to management?

Conclusions

• A Rubik’s Cube is a changeable control framework.
• A Rubik’s Cube integrated with the COSO Framework could be considered to be an Enterprise Architecture.
• A Rubik’s Cube is solvable where organizational mis-alignments may not be.
• A Rubik’s Cube is visible as far as its alignment where organizational visibility may not be possible.
• A Rubik’s Cube has one center center cube that is the pivot point for all of the other cubes.
• Studying the Rubik’s Cube can provide insights into organizational mis-alignments and how to correct them.

Session 3 – Reporting Audit

Agenda

• Insights
• Purpose
• Exercise
• Conclusions

Insights

(The 27-cube table from Session 1 applies here.)

“Find the center. Audit out!”

Purpose

• Reporting Audit:
  – Audit of Financial Statements / Accounts
  – Risk / Control / Test Matrix
  – Core Domains:
    • Reporting
    • Risk
    • Responsibilities
  – Results

Reporting Audit

• Financial statement audit
• Internal controls over financial reporting
• Integrated financial audit
• Goals driven performance
• Risk matrix:
  – Risk – material misstatement, adverse event or condition
  – Control – design & operating effectiveness & efficiency
  – Monitor – walkthroughs, tests & reports

[Figure: simplified cube with faces Operations / Reporting / Compliance, Control / Risk / Monitor and Requirements / Responsibilities / Relationships, and axes labelled Audit Objectives, Products, Processes]

Reporting Exercise

• Using the modified COSO Cube:
  – Develop a Risk / Control / Test Matrix for an audit of Cash
  – Develop an audit program that focuses on a “Find the center. Audit out.” approach to auditing Cash
  – Prepare to present your audit plan to the Chief Auditor

Reporting RCT Matrix

• Risk – Material Misstatement
• Control – Account Reconciliations
• Evidence – Reviewed and approved reconciliations; Organizational responsibilities; Balance Sheet / Changes in Cash Statement
• Test – Obtain & confirm

Conclusions

• ???

Session 4 – Operations Audit

Agenda

• Insights
• Purpose
• Exercise
• Conclusions

Insights

(The 27-cube table from Session 1 applies here.)

“Find the center. Audit out!”

Purpose

• Operations Audit:
  – Audit of Inventory Control Processes
  – Risk / Control / Test Matrix
  – Core Domains:
    • Reporting
    • Risk
    • Responsibilities
  – Results

Operations Audit

• Process audit
• Internal controls
• Integrated performance audit
• Goals driven performance
• Risk matrix:
  – Risk – material adverse event or condition
  – Control – design & operating effectiveness & efficiency
  – Monitor – walkthroughs, tests & reports

[Figure: simplified cube with faces Operations / Reporting / Compliance, Control / Risk / Monitor and Requirements / Responsibilities / Relationships, and axes labelled Audit Objectives, Products, Processes]

Operations Exercise

• Using the modified COSO Cube:
  – Develop a Risk / Control / Test Matrix for an audit of inventory control processes
  – Develop an audit program that focuses on a “Find the center. Audit out.” approach to auditing inventory
  – Prepare to present your audit plan to the Chief Auditor

Operations RCT Matrix

Risk Control Evidence Test Material Adverse Risk-based pre- Approved & tested Obtain & confirm Event or Condition developed and tested procedures procedures. Organizational responsibilities

Actual and budget income statements

Conclusions

• ???

Session 5 – Compliance Audit

Agenda

• Insights
• Purpose
• Exercise
• Conclusions

Insights

(The 27-cube table from Session 1 applies here.)

“Find the center. Audit out!”

Purpose

• Compliance Audit:
  – Audit of compliance for a regulatory requirement
  – Risk / Control / Test Matrix
  – Core Domains:
    • Reporting
    • Risk
    • Responsibilities
  – Results

Compliance Audit

• Government audit
• Internal controls
• Integrated performance audit
• Goals driven performance
• Risk matrix:
  – Risk – material adverse event or condition
  – Control – design & operating effectiveness & efficiency
  – Monitor – walkthroughs, tests & reports

[Figure: simplified cube with faces Operations / Reporting / Compliance, Control / Risk / Monitor and Requirements / Responsibilities / Relationships, and axes labelled Audit Objectives, Products, Processes]

Compliance Exercise

• Using the modified COSO Cube:
  – Develop a Risk / Control / Test Matrix for an audit of a regulatory compliance requirement
  – Develop an audit program that focuses on a “Find the center. Audit out.” approach to auditing compliance
  – Prepare to present your audit plan to the Chief Auditor

Compliance RCT Matrix

Risk Control Evidence Test Material Adverse Risk-based pre- Approved & tested Obtain & confirm. Event or Condition developed and tested procedures. procedures. Organizational responsibilities

Related compliance account actual and budget analyses

Conclusions

• ???

Conclusions

New Rules

• Rule of One – Find the center. Audit out.

• Rule of Three – Focus on three dimensions.

• Rule of Ten – Minimum 10% Operating Margin.

• Rule of Twenty – Identify and work on the 20% of actions that drive 80% of results.

• Rule of Thirty – Expect no more than 30% cost of control.

Conclusion

“Find the center. Audit out!”
