SOX for Everyone
Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks
Source: Brink’s Modern Internal Auditing, Robert Moeller, Wiley Publishing

Agenda for Today
• What is internal control and why is it important for governmental entities?
• History of internal control leading up to SOX
• COSO framework
• Fundamentals of internal control and control systems
• Wrap up
What is Internal Control?
• What is “internal control?”
• General procedures for a well-managed, well-functioning business
• Components include
  • Accomplishes its mission
  • Produces accurate, reliable data
  • Complies with laws and corporate policies
  • Results in economical/efficient use of resources
  • Provides for safeguarding of assets

Internal Control and Governmental Entities
• How do internal control objectives translate into government objectives?
  • Increase the public’s confidence level in government operations.
  • Increase management’s accountability for financial reporting and information disclosed to the public.
  • Reveal the critical need for management’s well-defined job requirements.
  • Reduce fraud and increase accountability.
Source: http://www.governmentauditors.org/content/view/273/123/

Internal Control Standards: Background Developments
• Earliest definition of internal control:
  • The organization’s plan and actions to
    • safeguard its assets,
    • operate efficiently,
    • adhere to policies, and
    • accurately and reliably produce accounting data
Internal Control Standards: Background Developments (continued)
• Foreign Corrupt Practices Act (FCPA)
  • Response to the Watergate scandal
  • Required management to
    • maintain accurate books and records, and
    • implement a system of internal control
  • Also prohibited bribes
    • Excludes “grease” payments to minor officials
  • Created a flurry of activity to comply; today it is seen primarily as an anticorruption law

Efforts Leading to the Treadway Commission
• Cohen Commission (an AICPA commission)
  • Recommended that management report on internal controls and that auditors opine on the fairness of management’s assertion
  • Resulted in criticism from external auditors: lack of consistent definitions regarding internal controls, “adequate”, etc.
• FEI endorsed the Cohen recommendation
  • As a result, some CEO management letters discussed internal control; some letters included “negative assurance”

Efforts Leading to the Treadway Commission (continued)
• SEC 1979 proposal
  • Based on the Cohen Commission and FEI
  • Called for mandatory management reports on internal control
  • Again, controversy and criticism centered on the lack of a clear definition of internal accounting control
  • SEC dropped the proposal, but it established the need for a management report on internal control as part of required SEC filings

Efforts Leading to the Treadway Commission (continued)
• SAS No. 55 (Statement on Auditing Standards)
  • Issued by the AICPA
  • Defined internal control in terms of the
    • Control environment
    • Accounting system
    • Control procedures
  • Management’s view of internal control is broader and encompasses the entire control system
  • External auditors focus on internal control related to financial statements

Efforts Leading to the Treadway Commission (continued)
• Treadway Committee (National Commission on Fraudulent Reporting)
  • Late 1970s and early 1980s were a period of high inflation, high interest rates, and many business failures despite the companies having reported adequate earnings
  • Congress proposed, but did not pass, bills to correct the business and audit failures
  • Treadway Commission formed to identify fraud factors and propose recommendations

Efforts Leading to the Treadway Commission (continued)
• Treadway Committee, continued
  • Again, a call for management reports on the effectiveness of internal control
  • Most important contribution of Treadway was raising the level of concern and attention directed toward reporting on internal control
• FCPA, Cohen Commission, SEC 1979 Report, SAS No. 55 and Treadway Commission
  • Occurred almost in parallel over a period of 20 years and helped redefine internal control
Sarbanes-Oxley Act
• Sarbanes-Oxley Act
  • Passed in 2002
  • Most significant overhaul of public accounting, corporate governance and financial reporting since the 1930s
  • Established regulatory rules for public accounting firms, auditing standards, and corporate governance
  • PCAOB established to oversee public accounting firms and to establish auditing standards

Sarbanes-Oxley Act (continued)
• Section 101
  • Establishes the PCAOB
    • Non-profit, private-sector corporation
    • PCAOB consists of 5 members appointed by the SEC
  • AICPA no longer establishes Statements on Auditing Standards or GAAS
  • PCAOB now oversees all audits of SEC-reporting corporations

Sarbanes-Oxley Act (continued)
• Section 201
  • Establishes new rules regarding auditor independence and prohibited practices
  • Restrictions cover financial information system design and implementation, internal audit outsourcing, and other services
  • Tax and other non-prohibited services may be performed by the external auditor if approved in advance by the audit committee

Sarbanes-Oxley Act (continued)
• Section 301
  • Mandates that all audit committee members be independent
  • External auditor reports to, is overseen by, and is compensated by the audit committee

Sarbanes-Oxley Act (continued)
• Section 302
  • Requires that the CEO and CFO certify quarterly and annual financial reports
  • SOX imposes criminal fines or jail time on violators

Sarbanes-Oxley Act (continued)
• Sections 304 and 305
  • Designed to eliminate or limit seemingly outrageous behavior
    • Earnings restatements may require the CEO and CFO to return bonuses based on bogus numbers
    • Blackout periods related to trading in 401(k) and pension plans apply equally to all employees
    • Revised rules related to attorney reporting of corporate misconduct
      • Controversial due to attorney-client privilege

Sarbanes-Oxley Act (continued)
• Section 404
  • Makes management responsible for acknowledging its responsibility for establishing and maintaining internal control
  • Makes management responsible for an annual assessment of internal controls

Sarbanes-Oxley Act (continued)
• Other sections of Title IV
  • Require the company to adopt a code of ethics for senior officers
  • Require a “financial expert” on the audit committee
  • Mandate that companies provide information about material financial statement issues to investors as soon as possible

Sarbanes-Oxley Act (continued)
• Other Titles of SOX
  • Mandate workpaper retention policies
  • Provide whistleblower protection
  • Require the CEO and CFO to personally certify that the financial reports are fairly presented
    • Personal penalties for knowingly falsifying (not corporate responsibility)
REVIEW
Under the 2002 Sarbanes-Oxley Act, _____________ must certify the effectiveness of the company’s internal controls each year. If they sign off on ineffective controls, they could _______________.
a. CFOs and CEOs; face civil and criminal penalties.
b. CFO; face civil penalties.
c. CEO; get fired.
d. External auditor; face the Audit Committee.

REVIEW
The primary responsibility for overseeing the establishment and administration of internal control rests with
a. The external auditor.
b. The controller.
c. The internal auditor.
d. Senior management.
COSO Internal Control Framework
• Common framework for the definition of internal control and for procedures to evaluate controls
• Process effected by the BOD, management and others to provide reasonable assurance regarding achieving effective and efficient operations, reliable financial reporting, and compliance with laws
• Released in 1992 and has become widely accepted

COSO Internal Control Framework (continued)
• COSO Framework
  • Pyramid with 5 layered and interconnected components that comprise the overall control system
    • Control environment: the foundation
    • Risk assessment, control activities and monitoring are layered on top of the foundation
    • The 5th element is an interface channel between the other 4 layers: information and communication

COSO Internal Control Framework (continued)
[Figure: COSO pyramid of the five components]
Source: COSO’s Internal Control – Integrated Framework
COSO Internal Control Framework (continued)
• Internal control environment
  • Has a pervasive influence on the organization
  • Reflects the attitude, awareness and actions of the BOD, management and others regarding the importance of internal control
  • History and culture play important roles
  • “Tone at the top”

COSO Internal Control Framework (continued)
• Internal control environment
  • Integrity and ethical values
    • Strong code of conduct communicated throughout the organization
  • Commitment to competence
    • Adequate training, supervision, job descriptions
  • BOD and audit committee
    • Independent audit committee

COSO Internal Control Framework (continued)
• Internal control environment
  • Management’s philosophy and operating style
    • Risk taker/conservative, “seat of the pants”/careful planner
  • Organizational structure
    • Centralized/decentralized, reporting relationships

COSO Internal Control Framework (continued)
• Internal control environment
  • Human resources policies and practices
    • Recruitment/hiring, new employee orientation, evaluation/promotion/compensation, disciplinary actions

COSO Internal Control Framework (continued)
• Risk Assessment
  • Evaluation of potential risks to the organization’s ability to achieve its objectives
  • 3-step process
    • Estimate the significance of the risk
    • Assess its likelihood
    • Consider how to manage the risk or what actions to take

COSO Internal Control Framework (continued)
• Risk Assessment
  • Risks from external factors include legislation and technology
  • Risks from internal factors include the quality of hiring/training
  • Specific activity-level risks include risks related to specific new products

COSO Internal Control Framework (continued)
• Control Activities
  • Policies and procedures
    • Top-level reviews compare results to budget or other benchmarks
    • Direct functional or activity management entails reviewing operational reports or exception reports and taking corrective action
    • Information processing controls cover the development of new systems and access to data

COSO Internal Control Framework (continued)
• Control Activities
  • Policies and procedures, continued
    • Physical controls over assets
    • Performance indicators entail relating operating data to financial data and taking analytical, investigative or corrective action
    • Segregation of duties

COSO Internal Control Framework (continued)
• Control Activities
  • Integrating risk assessment and control activities
    • Appropriate control activities are established to address specific risks
    • May need to prune “dumb” controls

COSO Internal Control Framework (continued)
• Control Activities
  • Controls over information systems
    • General controls that ensure control over all applications (e.g., locks on the door to the computer center)
    • Application controls apply to specific programs
    • Organization needs to consider evolving technologies and new/modified controls

COSO Internal Control Framework (continued)
• Communications and Information
  • Information systems can be formal or informal, internal or external
  • COSO emphasized that they be
    • Strategic, consistent with the organization’s goals (not outdated)
    • Integrated with other operations

COSO Internal Control Framework (continued)
• Communications and Information
  • COSO suggests and SOX requires that information be
    • Timely
    • Accurate
    • Current
    • Accessible
    • Appropriate

COSO Internal Control Framework (continued)
• Communications and Information
  • Internal systems
    • Most important component may be communication from senior management, “tone at the top”
    • Each person needs to know how he or she fits into the organization; otherwise people may think errors don’t matter
    • Each person needs to know the limits, i.e., what is unethical/improper
    • Communication must flow up and down

COSO Internal Control Framework (continued)
• Communications and Information
  • External systems
    • Include a mechanism to capture and act upon complaints, a source of potential control issues
    • Communication must flow in both directions

COSO Internal Control Framework (continued)
• Monitoring
  • Historically the role of internal auditors
  • COSO expands it to include ongoing assessments of, and adjustments to, internal control as circumstances warrant
  • Many routine business functions are considered monitoring activities, such as reconciliations

COSO Internal Control Framework (continued)
• Monitoring
  • Separate internal control evaluations (in addition to ongoing monitoring) need to be performed periodically
    • Can be done by management
  • Identified internal control deficiencies (no matter how they’re identified) should be reported, investigated, and appropriately acted upon
REVIEW
Which of the following are elements included in the control environment?
a. Organizational structure, management philosophy, and planning.
b. Risk assessment, assignment of responsibility, and human resource practices.
c. Competence of personnel, backup facilities, laws, and regulations.
d. Integrity and ethical values, assignment of authority, and human resource policies.

REVIEW
Which of the following fits most directly under the control activities component of the COSO Internal Control framework?
a. Company-level controls dealing with tone at the top.
b. Accounting for shipping documents to ensure that all sales are recorded.
c. Overall methods for assigning authority and responsibility.
d. The control environment.
Understanding, Using, and Documenting COSO Internal Controls
• SOX 404 requires that organizations understand, document, test, and evaluate the internal controls of major processes and systems
• COSO is the suggested tool for this process

Fundamentals of Internal Controls
• Definition of a control system
  • A car is an example: if the accelerator or brakes aren’t used properly, the car operates out of control
  • An organization is similar: all the parts have to operate/be directed properly or the organization is out of control
  • An internal control system should attain or maintain a desired state

Fundamentals of Internal Controls (continued)
• Elements of a control system
  • Detector/sensor element measures the system being controlled (often the auditor)
  • Selector or standard element is the base used to compare/evaluate what’s detected (standards, best practices)
  • Controller element changes the behavior based on the comparison of detector and standard
  • Communications network element transmits messages between the controller element and the thing being controlled

Fundamentals of Internal Controls (continued)
• Types of control techniques; a combination of all 3 assures that a process is operating properly
  • Preventive controls
    • Locked doors, passwords
  • Detective controls alert management that a problem has occurred
    • Door alarms, account reconciliations
  • Corrective controls assist in recovery from problems
    • Insurance policy

Fundamentals of Internal Controls (continued)
• Preventive, detective and corrective controls operate on 3 levels
  • Steering: preventive controls designed to attract management attention and prompt action (respond to falling market share)
  • Yes-No: protective controls designed to ensure adherence to a pre-established control (approvals)
  • Post-action: requires management’s after-the-fact action; may require correcting detective, preventive or corrective controls (reassign an employee, repair damaged products)

REVIEW
Controls may be classified according to the function they are intended to perform; which of the following is a detective control?
a. Dual signatures on all disbursements over a specific amount.
b. Recording every transaction on the day it occurs.
c. Monthly bank statement reconciliations.
d. Requiring all members of the internal audit staff to be CPAs.

REVIEW
Controls designed to deter undesirable events from occurring are
a. Preventive controls.
b. Directive controls.
c. Detective controls.
d. Output controls.