1 / 51

SOX for Everyone

SOX for Everyone. Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks Source: Brink’s Modern Internal Auditing , Robert Moeller, Wiley Publishing. Agenda for Today. What is internal control and why is it important for governmental entities?

Download Presentation

SOX for Everyone

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SOX for Everyone Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks Source: Brink’s Modern Internal Auditing, Robert Moeller, Wiley Publishing

  2. Agenda for Today • What is internal control and why is it important for governmental entities? • History of internal control leading up to SOX • COSO framework • Fundamentals of internal control and control systems • Wrap up

  3. What is Internal Control? • What is “internal control?” • General procedures for a well-managed, well-functioning business • Components include • Accomplishes its mission • Produces accurate, reliable data • Complies with laws and corporate policies • Results in economical/efficient use of resources • Provides for safeguarding of assets

  4. Internal Control and Governmental Entities • How do Internal Control objectives translate into government objectives? • Increase the public’s confidence level in government operations. • Increase management’s accountability for financial reporting and information disclosed to the public. • Reveal the critical need for management’s well-defined job requirements. • Reduce fraud and increase accountability. Source:http://www.governmentauditors.org/content/view/273/123/

  5. Internal Controls Standards: Background Developments • Earliest definition of internal control: • The organization’s plan and actions to • safeguard its assets, • operate efficiently, • adhere to policies, and • accurately and reliably produce accounting data

  6. Internal Controls Standards: Background DevelopmentsContinued • Foreign Corrupt Practices Act (FCPA) • Response to Watergate scandal • Required management to • Maintain accurate books and records, • Implement a system of internal control • Also prohibited bribes • Excludes “grease” payments to minor officials • Created a flurry of activity to comply, today is seen primarily as anticorruption

  7. Efforts Leading to the Treadway Commission • Cohen Commission (an AICPA commission) • Recommended that management report on internal controls and auditors opine on fairness of management’s assertion • Resulted in criticism from external auditors; lack of consistent definitions regarding internal controls, “adequate”, etc. • FEI endorsed the Cohen recommendation • As a result, some CEO management letters discussed internal control; some letters included “negative assurance”

  8. Efforts Leading to the Treadway Commission Continued • SEC 1979 proposal • Based on Cohen Commission and FEI • Called for mandatory management reports on internal control • Again controversy and criticism centered on lack of a clear definition of internal accounting control • SEC dropped the proposal, but it established a need for a management report on internal control as part of required SEC filings

  9. Efforts Leading to the Treadway Commissioncontinued • SAS No. 55 (Stmnt. On Auditing Stds.) • Issued by the AICPA • Defined internal control in terms of the • Control environment • Accounting system • Control procedures • Management’s view of internal control is broader and encompasses the entire control system • External auditors focus on internal control related to financial statements

  10. Efforts Leading to the Treadway CommissionContinued • Treadway Committee (National Commission on Fraudulent Reporting) • Late 1970s and early 1980s were a period of high inflation, high interest rates, many business failures despite the company having reported adequate earnings • Congress proposed but didn’t pass bills to correct the business and audit failures • Treadway Commission formed to identify fraud factors and propose recommendations

  11. Efforts Leading to the Treadway CommissionContinued • Treadway Committee, continued • Again, a call for management reports on the effectiveness of internal control • Most important contribution of Treadway was raising level of concern and attention directed toward reporting on internal control • FCPA, Cohen Commission, SEC 1979 Report, SAS No. 55 and Treadway Commission • Occurred almost in a parallel fashion over a period of 20 and helped redefine internal control

  12. Sarbanes-Oxley Act • Sarbanes-Oxley Act • Passed in 2002 • Most significant overhaul to public accounting, corporate governance and financial reporting since 1930s • Established regulatory rules for public accounting firms, auditing standards, and corporate governance • PCAOB established to oversee public accounting firms and to establish auditing standards

  13. Sarbanes-Oxley ActContinued • Section 101 • Establishes PCAOB • Non-profit, private-sector corporation • PCAOB consists of 5 members appointed by the SEC • AICPA no longer establishes Statements on Auditing Standards or GAAS • PCAOB now oversees all audits of SEC-reporting corporations

  14. Sarbanes-Oxley ActContinued • Section 201 • Establishes new rules regarding auditor independence and prohibited practices • Limitations include financial information system design and implementation, internal audit outsourcing, and other services • Tax and other non-prohibited services may be performed by the external auditor if approved in advance by the audit committee

  15. Sarbanes-Oxley ActContinued • Section 301 • Mandates that all audit committee members be independent • External auditor reports to, is overseen by, and is compensated by the audit committee

  16. Sarbanes-Oxley ActContinued • Section 302 • Requires that the CEO and CFO certify quarterly and annual financial reports • SOX imposes criminal fines or jail time on violators

  17. Sarbanes-Oxley ActContinued • Sections 304 and 305 • Designed to eliminate or limit seemingly outrageous behavior • Earnings restatements may require CEO and CFO to return bonuses based on bogus numbers • Blackout periods related to trading in 401K and pension plans apply equally to all employees • Revised rules related to attorney reporting of corporate misconduct • Controversial due to attorney-client privilege

  18. Sarbanes-Oxley ActContinued • Section 404 • Makes management responsible for acknowledging its responsibility for establishing and maintaining internal control • Makes management responsible for an annual assessment of internal controls

  19. Sarbanes-Oxley ActContinued • Other sections of Title IV • Require the company to adopt a code of ethics for senior officers • Require a “financial expert” on the audit committee • Mandate companies to provide information about material financial statement issues to investors ASAP

  20. Sarbanes-Oxley ActContinued • Other Titles of SOX • Mandate workpaper retention policies • Provide whistleblower protection • Require CEO and CFO to personally certify that the financial reports are fairly presented • Personal penalties for knowingly falsifying (not corporate responsibility)

  21. REVIEW Under the 2002 Sarbanes-Oxley Act, _____________ must certify the effectiveness of the company’s internal controls each year. If they sign off on ineffective controls, they could _______________. a. CFOs and CEOs; face civil and criminal penalties. b. CFO; face civil penalties. c. CEO; get fired. d. External auditor; face the Audit Committee.

  22. REVIEW The primary responsibility for overseeing the establishment and administration of internal control rests with a. The external auditor. b. The controller. c. The internal auditor. d. Senior management.

  23. COSO Internal Control Framework • Common frameworkfor thedefinition of internal control and procedures to evaluate controls • Process affected by BOD, management and others to provide reasonable assurance regarding achieving effective and efficient operations, reliable financial reporting, and compliance with laws • Released in 1992 and has become widely accepted

  24. COSO Internal Control FrameworkContinued • COSO Framework • Pyramid with 5 layered and interconnected components comprise the overall control system • Control environment: foundation • Risk assessment, control activities and monitoring are layered on top of the foundation • The 5th element is an interface channel between the other 4 layers: communication and information

  25. COSO Internal Control FrameworkContinued Source: COSO’s Internal Control Integrated framework

  26. COSO Internal Control FrameworkContinued • Internal control environment • Has a pervasive influence on the organization • Reflects the attitude, awareness and actions of the BOD, management and others regarding the importance of internal control • History and culture play important roles • “Tone at the top”

  27. COSO Internal Control FrameworkContinued • Internal control environment • Integrity and ethical values • Strong code of conduct communicated throughout the organization • Commitment to competence • Adequate training, supervision, job descriptions • BOD and audit committee • Independent audit committee

  28. COSO Internal Control FrameworkContinued • Internal control environment • Management’s philosophy and operating style • Risk taker/conservative, “seat of the pants”/careful planner • Organizational structure • Centralized/decentralized, reporting relationships

  29. COSO Internal Control FrameworkContinued • Internal control environment • Human resources policies and practices • Recruitment/hiring, new employee orientation, evaluation/promotion/compensation, disciplinary actions

  30. COSO Internal Control FrameworkContinued • Risk Assessment • Evaluation of potential risks to the organization’s ability to achieve its objectives • 3-step process • Estimate the significance of the risk • Assess its likelihood • Consider how to manage the risk or actions to take

  31. COSO Internal Control FrameworkContinued • Risk Assessment • Risks from external factors include legislation, technology • Risks from internal factors include quality of hiring/training • Specific activity-level risks include risks related to specific new products

  32. COSO Internal Control FrameworkContinued • Control Activities • Policies and procedures • Top-level reviews compare results to budget or other benchmarks • Direct functional or activity management entails reviewing operational reports or exception reports and taking corrective action • Information processing entails development of new systems or access to data

  33. COSO Internal Control FrameworkContinued • Control Activities • Policies and procedures-continued • Physical controls over assets • Performance indicators entails relating operating data to financial data, and taking analytical, investigative or corrective action • Segregation of duties

  34. COSO Internal Control FrameworkContinued • Control Activities • Integrating risk assessment and control activities • Appropriate control activities are established to address specific risks • May need to prune “dumb” controls

  35. COSO Internal Control FrameworkContinued • Control Activities • Controls over information systems • General controls that ensure control over all applications (locks on door to computer center) • Application controls apply to specific programs • Organization needs to consider evolving technologies and new/modified controls

  36. COSO Internal Control FrameworkContinued • Communications and Information • Information systems can be formal or informal, internal or external • COSO emphasized that they be • Strategic, consistent with the organization’s goals (not outdated) • Integrated with other operations

  37. COSO Internal Control FrameworkContinued • Communications and Information • COSO suggests and SOX requires that information be • Timely • Accurate • Current • Accessible • Appropriate

  38. COSO Internal Control FrameworkContinued • Communications and Information • Internal systems • Most important component may be communication from senior management, “tone at the top” • Each person needs to know how he fits into the organization, otherwise may think errors don’t matter • Each person needs to know limits, what is unethical/improper • Communication must flow up and down

  39. COSO Internal Control FrameworkContinued • Communications and Information • External systems • Include a mechanism to capture and act upon complaints, source of potential control issues • Communication must flow in both directions

  40. COSO Internal Control FrameworkContinued • Monitoring • Historically the role of internal auditors • COSO expands to include ongoing assessments of and adjustments to internal control as circumstances warrant • Many routine business functions are considered monitoring activities, such as reconciliations

  41. COSO Internal Control FrameworkContinued • Monitoring • Separate internal control evaluations (in addition to ongoing monitoring) need to be performed periodically • Can be done by management • Identified internal control deficiencies (no matter how they’re identified) should be reported, investigated, and appropriately acted upon

  42. REVIEW Which of the following are elements included in the control environment? a. Organizational structure, management philosophy, and planning. b. Risk assessment, assignment of responsibility, and human resource practices. c. Competence of personnel, backup facilities, laws, and regulations. d. Integrity and ethical values, assignment of authority, and human resource policies.

  43. REVIEW Which of the following fits most directly under the control activities component of the COSO Internal Control framework? a. Company-level controls dealing with tone at the top. b. Accounting for shipping documents to ensure that all sales are recorded. c. Overall methods for assigning authority and responsibility. d. The control environment.

  44. Understanding, Using, and Documenting COSO Internal Controls • SOX 404 requires that organizations understand, document, test, and evaluate internal controls of major processes and systems • COSO is the suggested tool for this process

  45. Fundamentals of Internal Controls • Definition of a control system • The car is an example, if the accelerator or brakes aren’t used properly, the car operates out of control • An organization is similar, all the parts have to operate/be directed properly or the organization is out of control • Internal control system should attain or maintain a desired state

  46. Fundamentals of Internal ControlsContinued • Elements of a control system • Detector/sensor element measures the system being controlled (often the auditor) • Selector or standard element is the base used to compare/evaluate what’s detected (standards, best practices) • Controller element changes the behavior based on comparison of detector and standard • Communications network element transmits messages between the controller element and the thing being controlled

  47. Fundamentals of Internal ControlsContinued • Types of control techniques, a combination of all 3 assure a process is operating properly • Preventive controls • Locked doors, passwords • Detective controls alert management that a problem has occurred • Door alarms, account reconciliations • Corrective controls assist in recovery from problems • Insurance policy

  48. Fundamentals of Internal ControlsContinued • Preventive, detective and corrective controls operate on 3 levels • Steering: preventive controls designed to attract management attention and prompt action (respond to falling market share) • Yes-No: protective controls designed to ensure adherence to a pre-established control (approvals) • Post-action: requires management’s after-the-fact action, may require correcting detective, preventive or corrective controls (reassign an employee, repair damaged products)

  49. REVIEW Controls may be classified according to the function they are intended to perform; which of the following is a detective control? a. Dual signatures on all disbursements over a specific amount. b. Recording every transaction on the day it occurs. c. Monthly bank statement reconciliations. d. Requiring all members of the internal audit staff to be CPAs.

  50. REVIEW Controls designed to deter undesirable events from occurring are a. Preventive controls. b. Directive controls. c. Detective controls. d. Output controls.

More Related