Sarbanes-Oxley Act (404) An IT Viewpoint

Presentation transcript:

Sarbanes-Oxley Act (404) An IT Viewpoint Darin Kreimeyer, Senior Manager Newel Linford, Senior Manager January 2, 2019

404 IT Agenda
- Section 404: Overview and Impact
- IT Controls Overview
- 404 IT Focus
  - Significant Accounts and Processes
  - IT Documentation Considerations
  - Identifying Possible IT Errors
  - Identifying Relevant IT Controls
  - Evaluating and Reporting Deficiencies
- 404 IT Viewpoint Summary

Overview of Section 404
Internal Control Evaluation and Reporting
- Sarbanes-Oxley Act Language Excerpt: “…each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.”
Background on Standards
- PCAOB Standards Language Excerpt: “The bottom line for Congress, and for the PCAOB, is the reliability of the company's financial statements – statements relied on by shareholders, management, directors, regulators, lenders, investors and the market at large.”

Overview of Section 404
Two Attestations
- Financial Statement Opinion
- Internal Control Opinion
Compliance Deadline
- Accelerated Filers: November 15, 2004
- Others (i.e., Market Cap. < $75M): July 15, 2005

Impact of Section 404
- Compliance costs in the tens of billions
- Substantial and direct impact to information systems and related environments
- Creation of specific 404 job positions
- Impact from disclosure of material weaknesses unknown

IT Controls Overview
- Standards and Guidance
- Entity Level Controls
- General Controls
- Application Controls

IT Controls Overview
Standards and Guidance
- PCAOB
  - Internal Control Standards Issued March 9, 2004
  - Based on COSO
- AICPA
  - SAS 94 – “The effect of IT on internal control in a financial statement audit.”
- IT Governance Institute
  - Guidance on IT Related Controls Specific to 404
  - Based on COBIT

IT Controls Overview
404 requires an assessment at the following levels of controls:
- Entity Level Controls
  - Strategic Planning
  - Organizational Structure
  - Policies and Procedures
  - Risk Assessment
  - Third Party Management
- General Controls
  - Logical Access
  - Program Change
  - Program Development
  - Computer Operations
- Application Level Controls
  - Input
  - Transmission
  - Processing / Recording
  - Output / Reporting

404 IT Focus
Significant Accounts and Processes
- Virtually every process is IT dependent in some form or fashion
- Transaction flows are typically automated
- Management often relies on programmed controls for routine and non-routine processes
- Estimation processes are normally dependent on IT generated data elements

404 IT Focus
IT Documentation Considerations
- Should describe flow of transaction initiation, recording, processing and reporting
- Flowcharts, diagrams and narratives
- Level of required system and control documentation dependent on:
  - Number of businesses / locations
  - Degree of IT centralization
  - Nature / complexity of transactions
  - Degree of management reliance on IT systems

404 IT Focus
Identifying Possible IT Errors
- Errors that individually or collectively could have a material effect on the financial statements
- Root causes for errors include:
  - Integrity of major input sources
  - Significant processing procedures
  - Access to important data files
  - Erroneous factors and assumptions
  - Competency of personnel
  - Functional segregation of duties

404 IT Focus
Identifying Relevant IT Controls
- Should involve a collaboration with process owners and knowledgeable IT personnel
- Automated application controls
- System generated information
- IT general controls

404 IT Focus
Evaluating & Reporting Control Deficiencies
- Deficiency
- Significant Deficiency
- Material Weakness

404 IT Viewpoint
Summary of Findings
- IT has been an integral part of the evaluation process.
- Organizations are taking advantage of new ERP implementations to also meet SOX requirements.
- IT functions that are segregated across multiple locations have been using a “teaming” and sometimes automated approach to document controls.
- Organizations are looking to streamline and improve IT processes as a result of the documentation effort.
- Organizations have placed heavy reliance on manual controls. As a result, application controls are not effectively used.

404 IT Viewpoint
Summary of Findings
- Focus has been on key and selective IT controls to be used for testing.
- Organizations without proper IT audit experience and knowledge appear to have developed “inadequate” documentation.
- Documentation has been in narrative format vs flowcharts to save time and effort.
- IT documentation has been kept separate from the manual / financial process documentation.

404 IT Viewpoint
Challenges
- Organizations that require IT assistance have had difficulty finding resources internally or externally. Resources are extremely scarce!
- Determining what and how much to document are key areas of concern.
- Integrating the IT documentation within the manual / financial process documentation is difficult.
- Coordination and documentation efforts for decentralized IT operations are challenging.
- Organizations don’t have access to automated tools to efficiently analyze application controls.

404 IT Viewpoint
Leading Practices
- Include IT executives on project team.
- Hire or engage qualified IT auditors.
- Consider COBIT standards as a baseline for consideration of IT controls.
- Use automated tools to analyze financial applications.
- Documentation should describe flow of transaction initiation, recording, processing and reporting.
- Consider documenting controls in the form of flowcharts rather than narratives, or a combination of the two.

404 IT Viewpoint
Leading Practices
- Consider standard surveys and questionnaires for organizations with decentralized IT operations.
- Validate and test only those IT controls considered critical and key to the financial process.
- Meet with your external auditor frequently to obtain “buy-in”.
- Consider using application controls to reduce dependence on manual controls.

404 IT Viewpoint
Moving Forward – Year 2
- Maintaining ownership of IT processes and controls
- Building sustainability for long term
- Gaining efficiencies through centralized IT processes and increased use of application controls
- Building skill sets internally vs use of auditing firms
- Ongoing software implementations / upgrades
- Implementing enhanced documentation tools

Summary
Key Things to Remember about 404 from an IT Perspective:
- Controls help to maintain the integrity of business processes, including financial reporting
- Information systems play a key role in these processes
- Stronger control environments will reduce the likelihood of another Enron or WorldCom
- 404 requires extensive documentation

Thanks For Listening!
Questions / Answers