470 likes | 949 Views
The Sarbanes-Oxley Act. 101 Board Membership 103 Board Duties 108 Accounting Standards 201 Prohibited Activities 203 Audit Partner Rotation 301 Audit Committees 302 Corporate Responsibility For Financial Reports 402 Loans to Executives 404 Mgmt Assessment of Internal Controls
E N D
The Sarbanes-Oxley Act • 101 Board Membership • 103 Board Duties • 108 Accounting Standards • 201 Prohibited Activities • 203 Audit Partner Rotation • 301 Audit Committees • 302 Corporate Responsibility For Financial Reports • 402 Loans to Executives • 404 Mgmt Assessment of Internal Controls • 407 Disclosure of Audit Committee Financial Expert • 806 Whistle Blower Protection
Section 404Management Assessment of Internal Controls • 404(a) • Management’s responsibility for establishing and maintaining adequate internal control for financial reporting. • 404(b) • Independent auditor’s responsibility for attesting to and reporting on management’s assessment of internal control.
Section 404(a) • Management’s Responsibilities: • Implement effective internal structure and procedures for ICOFR • Evaluate effectiveness of ICOFR using suitable internal control framework • Support that evaluation with sufficient evidence • Present a written assessment of the effectiveness at year end
Section 404(b) • Auditor’s Responsibilities: • Evaluate management’s assessment • Obtain an understanding of the company’s ICOFR • Test and Evaluate the design and operational effectiveness of ICOFR • Form an opinion regarding the adequacy and effectiveness of ICOFR
Section 302 Corporate Responsibility For Financial Reports (1 of 3) • CEO/CFO certifications • Financial statements and disclosures comply with the requirements of the Exchange Act • Disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer
Section 302 Corporate Responsibility For Financial Reports (2 of 3) • Establish and maintain disclosure controls and procedures that are designed to ensure that material information is made known to the officers • Evaluate the effectiveness of the disclosure controls and procedures in the last 90 days • Present their conclusions about the effectiveness of the disclosure controls and procedures
Section 302 Corporate Responsibility For Financial Reports (3 of 3) • Disclose to the auditors/audit committee any significant deficiencies or material weaknesses in internal controls and any fraud committed by any person with a significant role in internal control • Indicate whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions for significant deficiencies/material weaknesses
Section 404 Management Assessment of Internal Controls (1 of 2) • Internal Control Report • Effective for fiscal years ending on or after • November 15, 2004 for accelerated filers (Originally 6/15/04) • July 14, 2005 for non-accelerated filers (Originally 4/15/05) • Signed by the CEO and CFO • Must contain statements • Management is responsible for establishing and maintaining adequate internal control over financial reporting • Identify the framework used by management to evaluate the effectiveness of the internal control • Assessment of the effectiveness of the internal controls as of the end of year-end • Auditor has issued an attestation report on management’s assessment
Section 404 Management Assessment of Internal Controls (2 of 2) • ICOFR is not effective if there is one or more material weaknesses in internal control • Management's evaluation should be based on a suitable, recognized internal control framework
The Auditor • Is required to attest to/report on management’s assessment • In accordance with standards issued/adopted by PCAOB • This evaluation is not a separate engagement • “… integrated audit …”
COSO • The Committee of Sponsoring Organizations of the Treadway Commission • AICPA, AAA, FEI, IIA, IMA • Is a voluntary private sector organization • Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting • Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
COSO Definition of Internal Control • Internal control is a process, instituted by an entity’s board of directors and management that is designed to provide reasonable assurance regarding the achievement of the following categories of objectives: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations
COSO Internal Control Framework “Internal control consists of five interrelated components.” • Control Environment • Risk Assessment • Control Activities • Information and Communication • Monitoring -- InternalControl – IntegratedFramework – ExecutiveSummary, Committee of Sponsoring Organizations of the Treadway Commission.
COSO Internal Control Components -- InternalControl – IntegratedFramework – Framework, COSO, p. 13.
COSO Internal Control Framework -- InternalControl – IntegratedFramework – Framework, COSO, p. 15.
COSO Internal Control Components • Control Environment factors • Organization tone • Discipline and structure • Integrity, ethics, competence • Management philosophy and operating style • Assignment of authority & responsibility • Work organization • Personnel development • Attention & direction of Board of Directors -- InternalControl – IntegratedFramework – Framework, COSO, p. 19.
COSO Internal Control Components • Risk Assessment • Identify relevant risks to achieve objectives • Analyze these risks • Determine how to manage them • Begins with the Objectives: • Operations Objectives • Achieving the entity’s mission • Financial Reporting Objectives • Producing reliable financial statements • Compliance Objectives • Complying with applicable laws and regulations -- InternalControl – IntegratedFramework – Framework, COSO, p. 29-44.
COSO Internal Control Components • Control Activities • Policies and Procedures, which include • Approvals Authorizations • Verifications Validations • Reconciliations Valuations • Classification controls Completeness controls • Timeliness • Posting and Summarization Controls • Operating performance reviews • Information Processing Controls • Asset security • Segregation of duties -- InternalControl – IntegratedFramework – Framework, COSO, p. 45-53.
COSO Information Systems Controls • General Controls • Data Center Operations • System Software • Access Security • Application Development & Maintenance • Application Controls • COBIT provides details -- InternalControl – IntegratedFramework – Framework, COSO, p. 45-53.
Application Controls for Information Systems • Transaction processing integrity: • Complete • Accurate • Authorized • Valid
COSO Internal Control Components • Information and Communication • “Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.” • To the right people in sufficient detail on time -- InternalControl – IntegratedFramework – Framework, COSO, p. 55-63.
COSO Information and Communication • Pertinent Financial & Non-financial Information • Information Quality • Appropriate • Timely • Current • Accurate • Accessible -- InternalControl – IntegratedFramework – Framework, COSO, p. 55-63.
COSO Information & Communication • Including • Effective communication of duties and control responsibilities • Communication of improprieties • Management’s receptivity to employee suggestions • Timely appropriate mgmt follow-up • Internal and External communications • Customer/supplier communications • Outside awareness of ethical standards -- InternalControl – IntegratedFramework – Evaluation Tools, COSO, p. 33-35.
COSO Internal Control Components • Monitoring • Ongoing assessment of the system’s performance over time • Accomplished through • Ongoing monitoring • Separate evaluations • Internal and external audits • Combination -- InternalControl – IntegratedFramework – Framework, COSO, p. 65-74.
Internal Controls • Traditional Generic List of Controls • Preventive • Detective • Corrective • Manual • Computer • Managerial supervision
IT Controls • ISACA • Formerly EDP Auditors Association • Founded in 1967
COBIT • Control OBjectives for Information and related Technology • ISACA/IT Governance Institute • Defines IT Controls in terms of • Planning & Organization • Acquisition & Implementation • Delivery & Support • Monitoring
Specific IT Control Issues • ERP • BPI (Business Process Improvement) • B2C & B2B • Risk Measurement • Intrusion Detection • Viruses • Email integrity
Systems Based Approach • Identify business processes • Express them in “flow charts” • Conceptual • Physical • Examine transaction life cycle (from cradle-to-grave) • Perform tests of transactions