Introduction
During the course of this presentation you will learn the following:
• What is the Sarbanes Oxley (SOX) Act of 2002?
• Impact of SOX on Corporate Governance Standards
• Section 302 – Management Certification
• Section 404 – Evaluation of New Controls
• How to comply with the Act?
• What if you don’t comply?
• Summary
What is the Sarbanes Oxley Act of 2002?
• The Sarbanes Oxley Act of 2002, commonly referred to as “SOX”, was passed by the US Congress in response to corporate scandals such as Enron.
• The bill was jointly introduced in Congress by Sen. Paul Sarbanes (D-Ohio) and Michael J. Oxley (R-Ohio) and was enacted in July of 2002.
• The Sarbanes Oxley Act of 2002 aims to:
  • Reduce, if not eliminate, corporate fraud by having publicly traded companies provide greater financial accountability.
  • Increase white collar crime penalties.
What is the Sarbanes Oxley Act of 2002? (Cont.)
• CFOs and CEOs must certify financial statements.
• A SAS 70 audit may be required in corporate takeover situations, wherein the state of the smaller company’s IT and security controls is scrutinized by an independent audit.
• Greater independence of auditors to avoid commingling and/or undue influence of interests.
Impact of SOX on Corporate Governance Standards
• As a result of the Sarbanes Oxley Act of 2002, publicly traded companies must now include in their annual reports a report of management on the company’s internal control over financial reporting.
Section 302 – Management Certification
Section 302 deals with corporate responsibility over financial reports.
• This section of SOX requires that the principal executive officer(s), such as a company’s CFO and CEO, certify in each annual or quarterly report that:
  • The signing officer has reviewed the report;
  • Based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
  • Based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
• The signing officers:
  • Are responsible for establishing and maintaining internal controls;
  • Have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
  • Have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
  • Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
• The signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function):
  • All significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data, and have identified for the issuer’s auditors any material weaknesses in internal controls; and
  • Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.
Section 404 – Evaluation of New Controls
• Section 404 of SOX deals with the Management Assessment of Internal Controls.
• Although the language of this section does not at first alert one to the heavy reliance on IT and IT security controls, a study of its impact shows that the devil is in the details.
• Under Section 404, if there is any change in implemented software and that change would have an impact, direct or indirect, on the financial reporting of a company, then as part of the internal control reporting the following five most common internal controls need to be part of the corporate governance standard mindset.
• Documented
  • Each development process related to making a change in a software system needs to be well documented.
• Approved
  • The three most common approval control points that have emerged in the development process are: feature selection (or prioritization of service requests such as patches), testing sign-off, and rollout to production.
• Audited
  • As part of this control all changes will need to be audited. This should cover who performed a change, what was affected by the change, and when that change was made.
  • Ensure all types of changes are monitored and audited. If there is a manual step in your build process where you execute stored procedures to create data structures, changes to those stored procedures need to be audited as well.
• Separation of duties
  • Separation of duties is the simple concept of segregating different users from different parts of a software system. This assists in greater objectivity and provides more stability to the overall change process. For example, a person who is responsible for implementing code modifications in a software system should not also be the person who signs off on the code’s effectiveness.
• Tested
  • All changes implemented should also be tested to validate and confirm that the key financial-related business processes still work as planned.
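As an added example (not from the original presentation), the five Section 404 change controls above expressed as checks over change records. The record fields, the three approval-point names and the sample records are assumptions made for this illustration, not a schema from the presentation.

```python
"""Change-control checks modelled on the five Section 404 controls:
Documented, Approved, Audited, Separation of duties, Tested.
Added illustration; field names and approval points are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three approval control points named in the presentation (assumed keys).
APPROVAL_POINTS = ("feature_selection", "testing_signoff", "rollout")


@dataclass
class Change:
    change_id: str
    description: str                      # Documented: what changed and why
    implementer: str                      # Audited: who performed the change
    affected: List[str]                   # Audited: what was affected
    made_at: str                          # Audited: when (ISO 8601 timestamp)
    approvals: Dict[str, str] = field(default_factory=dict)  # point -> approver
    tests_passed: Optional[bool] = None   # Tested: None means tests never ran


def check_change(c: Change) -> List[str]:
    """Return control failures for one change record; an empty list is compliant."""
    findings: List[str] = []
    if not c.description.strip():
        findings.append("Documented: missing change description")
    for point in APPROVAL_POINTS:
        if point not in c.approvals:
            findings.append(f"Approved: no sign-off at {point}")
    if not (c.implementer and c.affected and c.made_at):
        findings.append("Audited: who/what/when incomplete")
    # Separation of duties: the implementer must never sign off on their own change.
    for point, approver in c.approvals.items():
        if approver == c.implementer:
            findings.append(f"Separation of duties: {approver} approved own change at {point}")
    if c.tests_passed is not True:
        findings.append("Tested: financial process tests not passed")
    return findings


def audit(changes: List[Change]) -> Dict[str, List[str]]:
    """Map each change id to its list of findings."""
    return {c.change_id: check_change(c) for c in changes}


# Constructed sample records: one compliant change, one with several failures.
GOOD = Change("CHG-1", "Patch GL posting job", "alice", ["gl_post.sql"], "2024-03-01T10:00:00Z",
              {"feature_selection": "bob", "testing_signoff": "carol", "rollout": "dave"}, True)
BAD = Change("CHG-2", "", "alice", ["gl_post.sql"], "2024-03-02T09:00:00Z",
             {"feature_selection": "bob", "testing_signoff": "alice"}, None)

if __name__ == "__main__":
    for cid, findings in audit([GOOD, BAD]).items():
        print(cid, findings or "compliant")
```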
The impact of SOX on Corporate Governance Standards
• Provides new meaning to ROI (Return on Investment), as better accounting, IT and security controls have translated into better management decisions.
• The accounting, IT and security wings of a company are now aligned, as each has an impact on the others.
• While as a result of SOX companies have had to spend a good portion of their revenue to meet regulatory compliance needs, this in turn has ushered in an era of renewed investor confidence in corporate America.
How to comply with the Act?
• Top-down approach enforcing corporate integrity and ethical responsibility.
• Conduct annual (more frequent if preliminary results indicate greater than anticipated risks) internal audits to meet compliance with SOX requirements.
• Have a whistleblower program in place to ensure employees can report irregularities without fear of being targeted or retaliated against.
• Conduct ongoing employee training emphasizing the overall outcome of corporate accountability.
• Have documented processes in place to ensure business continuity.
• Put into place an Information Security Management System (ISMS) to ensure IT best practices are followed corporate-wide.
What if you don’t comply?
• Depending on the area of non-compliance, substantial fines can be levied against a company.
• Both the CFO and CEO can be subjected to civil as well as criminal penalties, including but not limited to jail time.
• Non-compliance can lead to a weakening of investor sentiment and can wreak havoc for a publicly traded company.
Summary
• The Sarbanes Oxley Act of 2002 (more commonly referred to as SOX) was enacted in response to corporate scandals such as Enron.
• The ultimate goal of SOX is to promote better corporate governance by auditing the financial, IT and security controls of a company.
• The CFO and CEO of an organization have to sign off on regulatory filings such as annual and quarterly reports, thus adding greater accountability to corporate finances.
• Failure to comply with SOX can lead to a weakening of investor sentiment in a company and subject the company’s officers to civil (fines) as well as criminal (jail time) action.
Thank You