Sarbanes-Oxley Act of 2002: An Introduction
UNC Charlotte, MBAD 7090
IS Security, Audit, and Control (Dr. Zhao)
Objectives
• Summary of the Sarbanes-Oxley Act (SOX)
• Implications for IT
• IT controls and SOX
Background
• A number of major corporate and accounting scandals
  • Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom
  • Boardroom failure
  • Conflicts of interest: auditors, financial analysts
  • Internet bubble
• Purpose of the Act:
  • Bring honesty, clarity, and speed to corporate financial reporting
  • Restore investors' confidence
Overview (the eleven titles of the Act)
• Public Company Accounting Oversight Board (PCAOB)
• Auditor Independence
• Corporate Responsibility
• Enhanced Financial Disclosures
• Analyst Conflicts of Interest
• Commission Resources and Authority
• Studies and Reports
• Corporate and Criminal Fraud Accountability
• White Collar Crime Penalty Enhancement
• Corporate Tax Returns
• Corporate Fraud Accountability
A Central Oversight Board (Sections 101-109)
• Establishment of the PCAOB
  • Oversees the audits of public companies
  • Five members (two of whom must be CPAs), five-year terms
• All public accounting firms that audit issuers must register with the PCAOB
  • Registration fees
  • Annual accounting support fees
• Responsibilities: standard-setting, inspections (annually for firms that audit more than 100 issuers, at least every three years for the rest), investigation and discipline
• The SEC has "oversight and enforcement authority over the PCAOB".
Public Company Audit Committees (Section 301)
• Membership:
  • Each member must be a member of the issuer's board of directors
  • Each member must otherwise be independent of the issuer
• Responsibilities:
  • Appoint, compensate, and oversee the work of any registered public accounting firm employed by the issuer
  • Establish procedures for receiving confidential, anonymous complaints from whistle-blowers
Individual Accountability
• The CEO and CFO must certify the accuracy and completeness of the financial statements (Section 302)
• Criminal penalties for false certification (Section 906):
  • CEO/CFO knowingly submits a wrong certification: fine of up to $1 million and up to 10 years in prison
  • Wrong certification submitted "willfully": fine of up to $5 million and up to 20 years in prison
Reporting and Disclosure
• Enhanced reporting requirements for financial transactions (Section 401)
  • Off-balance-sheet transactions, pro forma figures, securities transactions by corporate officers
• Timely disclosure (Section 409)
  • "Issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis."
What Information Is "Material"
• Information is material if there is "a substantial likelihood that a reasonable investor would consider it important in making an investment decision" or if it would be "viewed by the reasonable investor as having significantly altered the 'total mix' of information made available."
Section 404: Management Assessment of Internal Controls
• Requires each annual report of an issuer to contain an "internal control report", which shall:
  • State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
  • Contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
• Section 404(b): the issuer's registered public accounting firm must attest to, and report on, management's assessment. This attestation is why IT controls over financial systems get tested by the external auditor.
Auditor Independence
• Restricts audit firms from providing non-audit services to their audit clients, such as:
  • Bookkeeping or other services related to the accounting records or financial statements
  • Financial information systems design and implementation
  • Appraisal or valuation services
  • Actuarial services
  • Internal audit outsourcing
  • Management functions or human resources
  • Broker or dealer, investment adviser services
  • Legal services and expert services unrelated to the audit
• Audit partner rotation
Costs and Criticism
• Costs
  • Significant: in 2007, average compliance costs were $1.7 million for firms with average revenues of $4.7 billion
  • Costs decrease over time as controls mature
  • Different impacts:
    • Centralized vs. decentralized firms
    • Small vs. large firms
• Criticism
  • Do the benefits of compliance exceed the cost?
  • Does SOX deter small firms and foreign firms from registering on American stock exchanges?
Implications for IT
• "The nature and characteristics of a company's use of IT in its information systems affect the company's internal control over financial reporting." (PCAOB Auditing Standard No. 2)
• Does finance understand the technology issues involved in SOX compliance?
• Does IT understand the business issues?
Provisions Applied to IT
• 302 – Corporate responsibility for financial reporting
  • Is our financial data accurate?
  • Do we have transaction-level detail if required?
  • Do we understand all the processes involved?
• 404 – Annual management assessment of internal controls
  • How does our control structure operate?
  • Who is accountable?
  • Is it monitored?
  • Is it documented?
• 409 – Real-time disclosure of material changes
• 802 – Retention of relevant records for audits and reviews
Controls Over IT
• IT control environment
• Computer operations
• Access to programs and data
• Program development and program changes
• Keep in mind:
  • Not "one size fits all"
  • No need to reinvent the wheel
  • Different control types:
    • Preventive vs. detective
    • Manual vs. automated
IT Control Environment
• "The auditor's preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary." (PCAOB)
• IT control environment
  • IT governance: IS strategic plan, risk management, compliance and regulatory management, IT policies, procedures and standards
  • Monitoring
  • Reporting
Computer Operations
• Control over IT infrastructure
  • Acquisition, installation, configuration, integration, and maintenance
• Control over daily operations
  • Service level management
  • Third-party management
  • System availability
  • Problem and incident management
Access to Programs and Data
• Methods
  • Strong passwords and authentication policies
  • Internet firewalls
  • Data encryption
  • Cryptographic key management
  • Regular review of user profiles and their access rights
  • Remove unauthorized users, such as terminated employees, immediately
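The last two bullets are what an auditor tests as a periodic user access review: the application's account list is reconciled against the HR roster, and exceptions are recorded as evidence. The script below is an added example of that reconciliation, not material from the slides; the account and HR data are constructed, and the role names, segregation-of-duties pairs and 90-day dormancy threshold are assumptions standing in for an organization's own access policy.

```python
"""Periodic user access review for an in-scope financial application.

Added example (not from the original slides). Reconciles the application's
account list against the HR roster and flags the conditions an auditor
testing Section 404 access controls asks about: accounts belonging to
terminated staff, accounts with no HR owner, dormant accounts, and
segregation-of-duties conflicts. All data is constructed; role names and
thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    roles: frozenset
    last_login: Optional[date]      # None = never logged in


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]


# Role pairs one person must not hold together (assumed SoD matrix).
SOD_CONFLICTS = {
    frozenset({"ap_vendor_create", "ap_payment_approve"}),
    frozenset({"gl_journal_post", "gl_journal_approve"}),
}
DORMANT_DAYS = 90  # assumed threshold for "no recent use"


def review_access(accounts: List[Account], employees: List[Employee],
                  as_of: date) -> List[Tuple[str, str, str]]:
    """Return (finding_type, username, detail) for every exception found."""
    roster = {e.employee_id: e for e in employees}
    findings = []
    for acct in accounts:
        emp = roster.get(acct.employee_id)
        if emp is None:
            # Nobody in HR owns this account: orphaned or service account.
            findings.append(("ORPHAN", acct.username, "no matching HR record"))
        elif emp.status == "terminated":
            # The "remove immediately" control failed; record how long ago.
            lag = (as_of - emp.termination_date).days
            findings.append(("TERMINATED_ACTIVE", acct.username,
                             f"still enabled {lag} days after termination"))
        if acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS:
            findings.append(("DORMANT", acct.username,
                             f"no login in the last {DORMANT_DAYS} days"))
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:   # account holds both conflicting roles
                findings.append(("SOD_CONFLICT", acct.username,
                                 "holds " + " + ".join(sorted(pair))))
    return findings


# Constructed sample data: an application account export and an HR extract.
ACCOUNTS = [
    Account("asmith", "E100", frozenset({"ap_vendor_create"}), date(2008, 10, 1)),
    Account("bjones", "E101", frozenset({"ap_vendor_create", "ap_payment_approve"}),
            date(2008, 10, 2)),
    Account("cdoe", "E102", frozenset({"gl_journal_post"}), date(2008, 9, 30)),
    Account("svc_batch", "E999", frozenset({"gl_journal_post"}), None),
    Account("dlee", "E103", frozenset({"report_view"}), date(2008, 5, 1)),
]
EMPLOYEES = [
    Employee("E100", "active", None),
    Employee("E101", "active", None),
    Employee("E102", "terminated", date(2008, 9, 15)),
    Employee("E103", "active", None),
]
AS_OF = date(2008, 10, 3)

if __name__ == "__main__":
    for kind, user, detail in review_access(ACCOUNTS, EMPLOYEES, AS_OF):
        print(f"{kind:18} {user:10} {detail}")
```

Run against the constructed data it reports bjones for a segregation-of-duties conflict, cdoe as enabled 18 days after termination, svc_batch as both orphaned and dormant, and dlee as dormant; asmith is clean. Each finding is the kind of exception that becomes a control deficiency if it is not remediated and documented before the period-end assessment.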
Program Development and Program Changes
• New applications
  • System development methodology
  • Quality assurance methodology
• Existing applications
  • Change management
Compliance Road Map
1. Plan and scope
  • Not all IT processes are relevant
  • Define key systems
2. Risk assessment
  • Impact and probability
3. Identify significant accounts
  • Accounts that have a significant impact on financial reporting and disclosure
Compliance Road Map (continued)
4. Document control design
  • The design of each control
  • Transaction flows
  • Fraud prevention and detection
  • Management testing and evaluation
5. Evaluate control design
  • Maturity stages: nonexistent, initial, repeatable, defined, managed and measurable, optimized
Compliance Road Map (continued)
6. Evaluate operational effectiveness
  • How IT affects the financial reporting process
  • Controls at external service organizations for outsourced services
7. Identify and remediate deficiencies
8. Document process and results
9. Build sustainability
  • A continuous process
Discussion
• What's happening now?
  • Bear Stearns, Lehman Brothers, Merrill Lynch
  • Freddie Mac, Fannie Mae
  • AIG, Washington Mutual...
• Any system-wide risks?
• Thoughts on regulatory controls?