
1 Internal Control & Sarbanes-Oxley Act
ERPANET Workshop, Antwerp, April 14, 2004
PwC
© 2000 PricewaterhouseCoopers. PricewaterhouseCoopers refers to the individual member firms of the world-wide PricewaterhouseCoopers organisation. All rights reserved.

2 Agenda
Background
The Sarbanes-Oxley Act - An Overview
Approach to 404 readiness

3 Background
So let's now have a look at some of the background of the Act.

4 Reasons for New Legislation

5 Congressional Votes
Legalizing Marijuana**: Yes / No / Not voting
Securities Litigation Reform Act: Yes / No / Not voting
Authorizing Force against Iraq: Yes / No / Not voting
Sarbanes-Oxley Act: Yes 522 / No 3 / Not voting 9
**House of Representatives only
Just to show you how convinced the American Congress was about the Act, have a look at these voting results.

6 Criminal Penalties
Escaping from prison: 1 to 2 years
Kidnapping involving ransom: 3 to 5 years
Second degree murder: to 14 years
Air piracy: to 25 years
Sarbanes-Oxley Certification: to 20 years
And the severity of these criminal penalties.

7 Is all wisdom coming from the US…?
“Americans will always do the right thing….. after they have exhausted all other options.” Sir Winston Churchill

8 The Sarbanes-Oxley Act - An Overview

9 Titles of the Act
I Public Company Accounting Oversight Board
II Auditor Independence
III Corporate Responsibility
IV Enhanced Financial Disclosures
V Analyst Conflicts of Interest
VI Commission Resources and Authority
VII Studies and Reports
VIII Corporate and Criminal Fraud Accountability
IX White Collar Crime Penalty
X Corporate Tax Returns
XI Corporate Fraud and Accountability
SOX of 2002: An Act to protect investors by improving the accuracy and reliability of corporate disclosures ………
I PCAOB: must establish rules or adopt standards requiring auditing and related attestation standards

10 SOX: Who will be affected and how?
Executives:
  Responsibility for financial reporting and keeping the markets informed
  Certifications: "Disclosure controls & procedures", "Internal controls for financial reporting", "CEO/CFO's written statement on fairness"
  Implement Code of Ethics and whistleblower procedure
Supervisory Board:
  Enhanced oversight
  Appointment of a "financial expert"
Auditors:
  Independence
  Attestation on internal controls
Definition of "internal control over financial reporting": encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives, including controls over safeguarding assets.

11 SOX: Section 302 certification
Section 302 requires (starting March 2002): quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports, as well as the nature and effectiveness of the disclosure controls and procedures (DC&P) supporting the quality of information included in such reports.
Representations by CEO and CFO as required by Section 302 to include:
  Review of report: no untrue statement or omission of facts & fair presentation of financial position, results and cash flow
  Responsibility for design and maintenance of controls & controls effective during the 90 days prior to filing
  Disclosure of deficiencies in internal control and fraud to the audit committee (AC) and auditor
  Significant changes that affect internal control and management response
Actions:
  Enhance DC&P assessment and turn it into a consistent and continuous process
  Ensure coverage of the entire organization (incl. all material subsidiaries)
  Embed into regular review and monitoring processes
Disclosure controls and procedures need to ensure that information required to be disclosed by the issuer is recorded, processed, summarized and reported, and is accumulated and communicated within the time periods specified in the Commission's rules and forms.

12 SOX: Section 404 certification
Section 404 requires (domestic / foreign as of FY ending 15 November 2004 / 15 April 2005): an annual management report regarding the effectiveness of internal control over financial reporting, and attestation by the company's auditors as to the accuracy of management's assessment.
Representations by CEO and CFO as required by Section 404 to include:
  Management responsibility for adequate internal controls
  Conclusion about management's evaluation of internal controls for financial reporting
Actions:
  Documentation of processes & internal controls (process/activity, risk, control, responsibility)
  Management's evaluation of effectiveness (audits and self assessments)
  Attestation by external auditor
Attestation by the auditor on management's report on internal control requires:
  Management accepts responsibility for and assesses internal controls
  Controls are suitably designed and appropriately documented
Internal control is the process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
  Effectiveness and efficiency of operations
  Reliability of financial reporting
  Compliance with laws and regulations

13 SOX: Section 404 Assessment
Management's assessment must be based on procedures sufficient both to evaluate design and to test operating effectiveness
Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment (both design and testing) of effectiveness
Any material weakness in internal control over financial reporting precludes management from reporting that internal control is effective
Reiteration of guidance regarding independence: auditors may assist management in documenting internal controls; management must be actively involved in the process and cannot delegate assessment responsibility to the auditor
KEY POINT: Management's documentation is key and is required to be maintained as evidential matter to support its assessment. Prior to the final issuance of this Rule, many companies were wavering on the necessity of documenting their internal controls; however, the final rule makes it clear that both their internal controls and their assessment of the design and operating effectiveness must be maintained. Management must also report any material weaknesses they identify, and such weaknesses will preclude them from reporting that internal control is effective.

14 Disclosure Requirements
SOX: Scope of 302 and 404
  302: Disclosure controls and procedures
  404: Internal controls & procedures for financial reporting (COSO & "CobiT")
[Figure: scope diagram with the labels Disclosure Requirements; Internal Accounting Controls; Compliance & Regulatory; Operations; Financial Reporting; Disclosure Controls and Procedures; Internal Controls Over Financial Reporting. Note on the figure: other aspects of Compliance and Operations relate to DC&P.]

15 SOX: Meeting SEC Expectations
Compliance with COSO control standards (or other accepted standards; the IT Governance Institute recently recommended CobiT for general IT controls assessment)
Clear documentation of internal controls as well as of the testing processes
Evidence that management has evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls
Evidence that the auditor has adequately evaluated the design and operation of financial controls
Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls

16 SOX: Auditor Responsibility (1)
Independent evaluation of design effectiveness
Independent tests of operating effectiveness
  Use of internal audit and management tests will need to be assessed to determine how they impact the nature, timing and extent of auditor testing
  Requires some re-performance for each significant account, class of transactions, and disclosure
Independent testing
  Limited use of or inability to use tests performed by others, e.g. internal audit
  Monitoring function may impair objectivity and ability to use in direct assistance
  Precluded from using internal testing related to certain controls

17 SOX: Auditor Responsibility (2)
Auditors' Report:
  On management's assertion, if internal control is effective, or
  Directly on the ineffectiveness of internal control over financial reporting
Findings reported include:
  Significant Deficiency (referred to in the body of the opinion): a deficiency that could adversely affect an entity's ability to initiate, record, process and report financial data
  Material Weakness (results in an "except for" qualified report): a deficiency that precludes the entity's internal control from reducing to an appropriately low level the risk that a material misstatement will not be prevented or detected on a timely basis

18 Approach to 404 readiness

19 Approach to 404 readiness
Recommend a sound but practical approach:
  Maximise what has already been achieved and is internally available
  Anticipate upcoming changes
Goals from Sarbanes-Oxley efforts:
  Value Added Approach: seek out operating improvements and identify best practices; avoid "process fatigue"
  Appropriate Control Documentation: formal management process to maintain compliance throughout the organization; opportunity for ROI
  Enabling Technology: use technology throughout the organization to facilitate assessment and communication; compliance would otherwise add recurring costs

20 Considerations
Appropriate control documentation:
  Compliance with SOX 404 regulations and proof of compliance
  Timely identification of control weaknesses
  Facilitation of prioritization of remedial actions and action tracking
  Provides basis for attestation by the auditors
Enabling technology:
  Consistency and quality of controls documentation
  Transparency of weaknesses and improvement areas
  Maintenance and improvement of controls documentation
  Linkage to other risk and quality initiatives
  Auditability of controls
  Facilitation of project management

21 Project Structure
Top down: develop at the center, execution by opco's with support of "Group" teams
Development of process and controls standards by corporate & "Group" teams
Methodology to be developed by the corporate project team and tested and tailored at a pilot site (opportunity: extrapolate best practices)
Based on Blueprint Internal Control Framework (guidelines following COSO/CobiT) and Roadmap (project steering)
[Organisation chart: Steering Committee; SOX 404 Core Project Team; Group Team; ICT Team]

22 Project Responsibilities
Corporate project team also responsible for:
  Communication to divisional teams
  Monitoring of progress
  Consolidation/consistency
  Quality assurance on divisional input
  Change management and training
  Coordination with steering committee
Quality, progress and consistency of opco activities and deliverables to be assured by project teams on Group level
Execution and addressing control gaps is the responsibility of each opco
Decision to be taken on full roll out or selected companies only

23 Project Steps
Step 0.1 Project setup
  Initial awareness, project owners, resources, budget
  Project team: roles & responsibilities
Step 0.2 Develop Blueprint "Internal Control Framework" (COSO/CobiT)
  Internal control requirements, objectives & components: control environment, risk assessment, control activities, monitoring, information & communication
  Guidelines & tools
Step 0.3 Develop Roadmap
  Project time line, organisation & quality assurance
  Project communication, training and information sessions

24 Next Steps…
Phase 1 Project Preparation & Mobilisation
  Step 1 Mobilisation & Project Management
  Step 2 Information Gathering & Project Planning
Phase 2 Execution
  Step 3 Setting the Scope for Pilots
  Step 4 Pilot Execution & Completion of Templates
  Step 5 Roll-out at the Selected Opcos
Phase 3 Evaluation
  Step 6 Evaluating Results & Gap Analysis
  Step 7 Assessment & Testing
  Step 8 Internal Reporting
  Step 9 External Audit & Action Planning

25 Next steps… Phase 1: Preparation & Mobilisation
Step 1: Mobilisation & project management
  Project organisation, project plan and initial communication
  Establishment of communication channels
Step 2: Information gathering & detailed planning
  Overview of key processes
  Selected Opcos for pilot and full roll out
  Communication and training plan
  Detailed project plan & status reporting template
  Documentation templates

26 Next steps… Phase 2: Execution
Step 3: Setting the scope for the pilots
  Key business processes relevant for reporting
  One pilot for each selected process
  Communication to all selected Opcos
Step 4: Pilot execution and completion of templates
  Templates to be rolled out to all Opcos
  Trained Opco representatives
  Updated control self assessment questionnaire
  Updated detailed roll-out planning
Step 5: Roll-out at the selected Opcos
  Populated documentation for all selected Opcos

27 Next steps… Phase 3: Evaluation
Step 6: Evaluation of results & gap analysis
  Assessment of key controls
  Identification of gaps (internal control weaknesses)
  High level action plan for improvement (closing the gaps)
  Completed and validated documentation on process, risk and controls
Step 7: Assessment & testing
  Testing plan and execution of internal testing
Step 8: Internal reporting
  Overview of the assessment process
  Reported conclusions on effectiveness of internal control, weaknesses and reportable conditions, and improvement actions
  Clear process for 302 certification and 404 reporting
  Definition of the text of the 302 certification and 404 reporting in the SEC filing

28 Selecting relevant Business Units
[Decision flow]
1. Is the location or business unit individually important?
   Yes: evaluate documentation and test significant controls at each location or business unit.
   No: go to 2.
2. Are there specific significant risks?
   Yes: evaluate documentation and test controls over the specific risks.
   No: go to 3.
3. Are there locations or business units that are not important even when aggregated with others?
   Yes: no further action required for such units.
   No: go to 4.
4. Are there documented entity-wide controls over this group?
   Yes: evaluate documentation and test entity-wide controls over the group.
   No: some testing of controls at individual locations or business units is required.

29 SOX: How does IT fit in (1)?
[Matrix: CobiT (Control Objectives for Information and related Technology) control objectives as rows, mapped with "x" marks to the COSO components as columns: CE (Control Environment), RA (Risk Assessment), CA (Control Activities), IC (Information & Communication), M (Monitoring)]

30 SOX: How does IT fit in (2)?
[Matrix continued: CobiT control objectives mapped to COSO components CE, RA, CA, IC, M]

31 SOX: How does IT fit in (3)?
[Matrix continued: CobiT control objectives mapped to COSO components CE, RA, CA, IC, M]

32 SOX: How does IT fit in (4)?
[Matrix continued: CobiT control objectives mapped to COSO components CE, RA, CA, IC, M]

