The Sarbanes-Oxley Act

Post on 19-Jan-2016


Transcript of The Sarbanes-Oxley Act

The Sarbanes-Oxley Act

- 101 Board Membership
- 103 Board Duties
- 108 Accounting Standards
- 201 Prohibited Activities
- 203 Audit Partner Rotation
- 301 Audit Committees
- 302 Corporate Responsibility For Financial Reports
- 402 Loans to Executives
- 404 Mgmt Assessment of Internal Controls
- 407 Disclosure of Audit Committee Financial Expert
- 806 Whistle Blower Protection

Section 404 Management Assessment of Internal Controls

404(a) Management’s responsibility for establishing and maintaining adequate internal control for financial reporting.

404(b) Independent auditor’s responsibility for attesting to and reporting on management’s assessment of internal control.

Section 404(a)

Management’s Responsibilities:

- Implement effective internal structure and procedures for ICOFR
- Evaluate effectiveness of ICOFR using a suitable internal control framework
- Support that evaluation with sufficient evidence
- Present a written assessment of the effectiveness at year end

Section 404(b)

Auditor’s Responsibilities:

- Evaluate management’s assessment
- Obtain an understanding of the company’s ICOFR
- Test and evaluate the design and operational effectiveness of ICOFR
- Form an opinion regarding the adequacy and effectiveness of ICOFR

Section 302 Corporate Responsibility For Financial Reports (1 of 3)

CEO/CFO certifications:

- Financial statements and disclosures comply with the requirements of the Exchange Act
- Disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer

Section 302 Corporate Responsibility For Financial Reports (2 of 3)

Establish and maintain disclosure controls and procedures that are designed to ensure that material information is made known to the officers

Evaluate the effectiveness of the disclosure controls and procedures in the last 90 days

Present their conclusions about the effectiveness of the disclosure controls and procedures

Section 302 Corporate Responsibility For Financial Reports (3 of 3)

Disclose to the auditors/audit committee any significant deficiencies or material weaknesses in internal controls and any fraud committed by any person with a significant role in internal control

Indicate whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions for significant deficiencies/material weaknesses

Section 404 Management Assessment of Internal Controls (1 of 2)

Internal Control Report

- Effective for fiscal years ending on or after November 15, 2004 for accelerated filers (originally 6/15/04) and July 14, 2005 for non-accelerated filers (originally 4/15/05)
- Signed by the CEO and CFO
- Must contain statements that:
  - Management is responsible for establishing and maintaining adequate internal control over financial reporting
  - Identify the framework used by management to evaluate the effectiveness of the internal control
  - Give an assessment of the effectiveness of the internal controls as of year-end
  - The auditor has issued an attestation report on management’s assessment

Section 404 Management Assessment of Internal Controls (2 of 2)

- ICOFR is not effective if there are one or more material weaknesses in internal control
- Management's evaluation should be based on a suitable, recognized internal control framework

The Auditor

- Is required to attest to and report on management’s assessment
- In accordance with standards issued or adopted by the PCAOB
- This evaluation is not a separate engagement: it is part of an “… integrated audit …”

COSO

The Committee of Sponsoring Organizations of the Treadway Commission (AICPA, AAA, FEI, IIA, IMA)

- Is a voluntary private sector organization
- Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting
- Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.

COSO Definition of Internal Control

Internal control is a process, instituted by an entity’s board of directors and management, that is designed to provide reasonable assurance regarding the achievement of the following categories of objectives:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

COSO Internal Control Framework

“Internal control consists of five interrelated components.”

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

-- Internal Control – Integrated Framework – Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission.

COSO Internal Control Components

-- Internal Control – Integrated Framework – Framework, COSO, p. 13.

COSO Internal Control Framework

-- Internal Control – Integrated Framework – Framework, COSO, p. 15.

COSO Internal Control Framework

- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring

COSO Internal Control Components

Control Environment factors

- Organization tone
- Discipline and structure
- Integrity, ethics, competence
- Management philosophy and operating style
- Assignment of authority & responsibility
- Work organization
- Personnel development
- Attention & direction of Board of Directors

-- Internal Control – Integrated Framework – Framework, COSO, p. 19.


COSO Internal Control Components

Risk Assessment

- Identify relevant risks to achieving objectives
- Analyze these risks
- Determine how to manage them

Begins with the Objectives:

- Operations Objectives: achieving the entity’s mission
- Financial Reporting Objectives: producing reliable financial statements
- Compliance Objectives: complying with applicable laws and regulations

-- Internal Control – Integrated Framework – Framework, COSO, p. 29-44.

COSO Internal Control Framework

- Control Environment
- Risk Assessment
- Control Activities (including IS Controls)
- Information & Communication
- Monitoring

COSO Internal Control Components

Control Activities

Policies and Procedures, which include:

- Approvals
- Authorizations
- Verifications
- Validations
- Reconciliations
- Valuations
- Classification controls
- Completeness controls
- Timeliness
- Posting and Summarization Controls
- Operating performance reviews
- Information Processing Controls
- Asset security
- Segregation of duties

-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.

COSO Information Systems Controls

General Controls

- Data Center Operations
- System Software
- Access Security
- Application Development & Maintenance

Application Controls

COBIT provides details.

-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.

Application Controls for Information Systems

Transaction processing integrity:

- Complete
- Accurate
- Authorized
- Valid
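As an added illustration (this code is not part of the original slides or of COSO/COBIT material), the four transaction-integrity properties above, together with the segregation-of-duties control from the Control Activities list, can be expressed as checks run over a batch of journal entries before posting. The batch header, chart of accounts, approval limits and journal entries below are all constructed sample data; the account statuses and user names are hypothetical.

```python
"""Application-control checks over a constructed batch of journal entries.

Each check returns a list of human-readable exceptions; an empty list means
the batch passes that control. Amounts use Decimal so that control totals
compare exactly, as a financial application would require.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional


@dataclass(frozen=True)
class JournalEntry:
    seq: int                 # sequence number assigned by the originating system
    account: str             # general-ledger account code (four digits in this sample)
    amount: Decimal          # signed posting amount
    preparer: str            # user who keyed the entry
    approver: Optional[str]  # user who approved it, or None if not yet approved


@dataclass(frozen=True)
class BatchHeader:
    expected_count: int      # record count transmitted with the batch
    control_total: Decimal   # control total transmitted with the batch


# Constructed master data (hypothetical; not from the original slides).
CHART_OF_ACCOUNTS: Dict[str, str] = {"1000": "open", "2000": "open", "4000": "open", "9999": "closed"}
APPROVAL_LIMITS: Dict[str, Decimal] = {"alice": Decimal("5000"), "bob": Decimal("50000")}


def check_completeness(header: BatchHeader, entries: List[JournalEntry]) -> List[str]:
    """Complete: every record sent was received (count, control total, no sequence gaps)."""
    issues = []
    if len(entries) != header.expected_count:
        issues.append(f"record count {len(entries)} != header count {header.expected_count}")
    total = sum((e.amount for e in entries), Decimal("0"))
    if total != header.control_total:
        issues.append(f"control total {total} != header total {header.control_total}")
    seqs = sorted(e.seq for e in entries)
    if seqs:
        present = set(seqs)
        for s in range(seqs[0], seqs[-1] + 1):
            if s not in present:
                issues.append(f"sequence gap at {s}")
    return issues


def check_accuracy(entries: List[JournalEntry]) -> List[str]:
    """Accurate: fields are well-formed (non-zero amounts, at most two decimals, 4-digit accounts)."""
    issues = []
    for e in entries:
        if e.amount == 0:
            issues.append(f"seq {e.seq}: zero amount")
        if e.amount.as_tuple().exponent < -2:
            issues.append(f"seq {e.seq}: amount {e.amount} has more than two decimal places")
        if not (e.account.isdigit() and len(e.account) == 4):
            issues.append(f"seq {e.seq}: malformed account code {e.account!r}")
    return issues


def check_authorization(entries: List[JournalEntry]) -> List[str]:
    """Authorized: approved by a listed approver within limit, and not self-approved."""
    issues = []
    for e in entries:
        if e.approver is None:
            issues.append(f"seq {e.seq}: not approved")
            continue
        if e.approver == e.preparer:
            # Segregation of duties: the preparer may not approve their own entry.
            issues.append(f"seq {e.seq}: preparer {e.preparer} approved own entry")
        limit = APPROVAL_LIMITS.get(e.approver)
        if limit is None:
            issues.append(f"seq {e.seq}: approver {e.approver} is not on the authorized list")
        elif abs(e.amount) > limit:
            issues.append(f"seq {e.seq}: amount {e.amount} exceeds {e.approver}'s limit {limit}")
    return issues


def check_validity(entries: List[JournalEntry]) -> List[str]:
    """Valid: the entry refers to real, open master data (here, the chart of accounts)."""
    issues = []
    for e in entries:
        status = CHART_OF_ACCOUNTS.get(e.account)
        if status is None:
            issues.append(f"seq {e.seq}: account {e.account} is not in the chart of accounts")
        elif status != "open":
            issues.append(f"seq {e.seq}: account {e.account} is {status}")
    return issues


def run_application_controls(header: BatchHeader, entries: List[JournalEntry]) -> Dict[str, List[str]]:
    """Run all four transaction-integrity controls and return exceptions per control."""
    return {
        "complete": check_completeness(header, entries),
        "accurate": check_accuracy(entries),
        "authorized": check_authorization(entries),
        "valid": check_validity(entries),
    }


# Constructed sample batch: two clean entries and two that should raise exceptions.
SAMPLE_HEADER = BatchHeader(expected_count=4, control_total=Decimal("0.00"))
SAMPLE_ENTRIES = [
    JournalEntry(1, "1000", Decimal("1200.00"), "carol", "alice"),    # clean
    JournalEntry(2, "4000", Decimal("-1200.00"), "carol", "alice"),   # clean
    JournalEntry(3, "2000", Decimal("7500.00"), "dave", "alice"),     # exceeds alice's limit
    JournalEntry(5, "9999", Decimal("-7500.005"), "dave", "dave"),    # gap at 4, 3 decimals, self-approved, closed account
]

if __name__ == "__main__":
    for control, exceptions in run_application_controls(SAMPLE_HEADER, SAMPLE_ENTRIES).items():
        print(f"{control}: {'pass' if not exceptions else exceptions}")
```

The same structure generalises beyond journal entries: any transaction stream gets a completeness check against what the sender claims it sent, an accuracy check on field formats, an authorization check that includes who may not approve, and a validity check against master data. Keeping the four checks separate is what lets an auditor test each control objective on its own.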


COSO Internal Control Components

Information and Communication

“Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.”

To the right people, in sufficient detail, on time.

-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.

COSO Information and Communication

Pertinent Financial & Non-financial Information

Information Quality:

- Appropriate
- Timely
- Current
- Accurate
- Accessible

-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.

COSO Information & Communication

Including:

- Effective communication of duties and control responsibilities
- Communication of improprieties
- Management’s receptivity to employee suggestions
- Timely, appropriate management follow-up
- Internal and external communications
- Customer/supplier communications
- Outside awareness of ethical standards

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 33-35.


COSO Internal Control Components

Monitoring

Ongoing assessment of the system’s performance over time, accomplished through:

- Ongoing monitoring
- Separate evaluations
- Internal and external audits
- A combination of these

-- Internal Control – Integrated Framework – Framework, COSO, p. 65-74.

Internal Controls

Traditional Generic List of Controls:

- Preventive, Detective, Corrective
- Manual, Computer
- Managerial supervision

IT Controls

ISACA

- Formerly EDP Auditors Association
- Founded in 1967

COBIT

Control OBjectives for Information and related Technology

ISACA/IT Governance Institute defines IT Controls in terms of:

- Planning & Organization
- Acquisition & Implementation
- Delivery & Support
- Monitoring

Specific IT Control Issues

- ERP
- BPI (Business Process Improvement)
- B2C & B2B
- Risk Measurement
- Intrusion Detection
- Viruses
- Email integrity

Systems Based Approach

- Identify business processes
- Express them in “flow charts” (conceptual and physical)
- Examine the transaction life cycle (from cradle to grave)
- Perform tests of transactions