150 likes | 294 Views
MIS 3090: IT for Financial Services. Technology Brief: The role of the SEC Investigating the Implications of Sarbanes-Oxley for Corporate IT. November 17, 2014. Role of the SEC. Protect investors; maintain integrity in the securities markets:
E N D
MIS 3090:IT for Financial Services Technology Brief: The role of the SEC Investigating the Implications of Sarbanes-Oxley for Corporate IT November 17, 2014
Role of the SEC • Protect investors; maintain integrity in the securities markets: • All investors, whether large institutions or private individuals, should have access to certain basic facts about an investment prior to buying it. • SEC requires public companies to disclose meaningful financial and other information to the public, which provides a common pool of knowledge for all investors to use to judge for themselves if a company's securities are a good investment. Only through the steady flow of timely, comprehensive and accurate information can people make sound investment decisions • Oversees key participants in the securities world, including stock exchanges, broker-dealers, investment advisors, mutual funds, and public utility holding companies. • Concerned primarily with promoting disclosure of important information, enforcing the securities laws, and protecting investors who interact with these various organizations and individuals.
Information Gathering & Retention • EDGAR (Electronic Data Gathering, Analysis, and Retrieval) • Automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file forms with the SEC • Accelerating the receipt, acceptance, dissemination, and analysis of time-sensitive corporate information • Required documents • Form 10-K or 10-KSB is required to be filed on EDGAR • Only documents submitted to the EDGAR system in either plain text or HTML are official filings. PDF documents are unofficial copies of filings. Filers may not use the unofficial PDF copies instead of plain text or HTML documents to meet filing requirements • Filers may choose to voluntarily submit documents in eXtensible Business Reporting Language (XBRL) – see xbrl.org site; • XBRL automates processing and makes reports more interactive
XBRL • XML-based industry language for finance and accounting • Uses paired tags and commonly defined elements • 22 working groups…GL, Tax, etc. (see xbrl.org) • Sample raw XBRL for operating costs report (2000) <numericContext id="rg.cy00.hkd" cwa="false" precision="4"> <entity> <identifier scheme='http://www.gov.hk'>rg</identifier> </entity> <period> <startDate>2000-01-01</startDate> <endDate>2000-12-31</endDate> </period> <unit> <measure>iso4217:hkd</measure> </unit> </numericContext> <gaap:opc numericContext="rg.cy01.hkd">-3583000000.</gaap:opc>
The Plot Thickens… Why did Corporate America fall asleep at the wheel? • A litany of sob stories…>$500B lost because of… • Xerox (Latin American subsidiary anomalies) • Enron and Arthur Andersen (blame it on the shredder) • Tyco (shower curtains and pool-side birthday parties) • MCI / WorldCom (free loans available: apply within) • Mutual Funds (market timing based on posted NAV) • Where was IT? • Don’t we have controls to catch this sort of thing? • Why did internal audit not spot these irregularies sooner? • Prevention is better than cure (we now know with hindsight) • Would enhanced IT help to prevent financial wrongdoing in future; what would IT look like?
Background to Sarbanes-Oxley • Sarbanes-Oxley Act (2002) was a reaction to emerging corporate accounting scandals and the ensuing loss of investor confidence • The “law” is derived from a combination of: • Sarbanes Oxley Act of 2002 (H.R. 3763) • Pending and final rules of the Public Company Accounting Oversight Board (PCAOB) • Pending and final Rules of the SEC (as regards trading/listing constraints) • Studies by the GAO and others that may result in new laws and/or new rules • Applies to any existing or prospective publicly traded company • Private firms and not-for-profit firms are off the hook for the moment • Senior executives are directly responsible for financial statements • “See no evil, hear no evil” is not an acceptable excuse • (max) $1,000,000 fine and 10 year sentence for officers who certify financial statements knowing them to be inconsistent with the Sarbanes-Oxley Act. • Increases to $5,000,000 fine and 20 year prison sentence for officers who willfully certify…
Title III: Corporate Responsibility Section 302: Requires CEO and CFO to: • Certify fairness of financial statements • Certify that the content is accurate, complete and fairly presented • Take responsibility for maintaining and evaluating controls and procedures • Officers must make disclosures regarding: • The absence and prevention of fraud • Deficiencies, material weaknesses, changes in systems of internal controls • Evaluation of the effectiveness of the disclosure controls and procedures • Companies must establish and maintain an overall system of disclosure controls and procedures so that the CEO and CFO can • Supervise and review periodic evaluations of the disclosure system • Effectiveness of disclosure controls and procedures must be assessed within 90 days prior to filing dates of quarterly and annual reports • Failure to maintain adequate disclosure controls and procedures may result in SEC action even if it doesn’t lead to flawed financial statements
Title IV: Enhanced Disclosure Section 404: Management Assessment of Internal Controls • Requires management to establish and maintain adequate internal controls and procedures for financial reporting • SEC defines internal controls and procedures for financial reporting as controls that provide reasonable assurances that: • Transactions are properly authorized • Assets are safeguarded against unauthorized or improper use • Transactions are properly recorded to permit the preparation of financial statements that are presented consistent with GAAP • Each annual report must include a statement that: • Describes management’s responsibility for internal controls and procedures for financial reporting • Documents management’s assessment of the effectiveness of the controls and financial reporting procedures • Incorporates the independent auditor’s review of management’s assessment of internal controls and financial reporting procedures
General Controls • Manage and control the IT activities and computer environment: • Information security – both physical and logical access • Maintenance of existing systems (e.g., program change controls – see below) • Computer operations, data centers, backup tape facilities, etc. • Development and implementation of new systems • Examples include: • Authentication of users (e.g., use of user-ids and passwords) • Password controls (e.g., password expiry, minimum length, etc.) • Security administration (e.g., user set-up, removing employees, password resets) • Security monitoring (e.g., procedures to follow up security breaches) • Physical security of computers and business facility (e.g., swipe cards) • Program change controls (e.g., authorized, testing, segregation of duties)
Application Controls (CAVR) Completeness Controls to ensure financial transactions and data are complete. e.g., control totals, sequencing Accuracy Controls to ensure financial transactions and data are accurate. e.g., logic tests, check sums Validity Controls to ensure financial transactions and data are valid. e.g., maintain record trail, electronic signatures Restricted Access Controls to ensure restricted access to data and financial transactions. e.g., passwords, asset tags, locks, approval forms
Controls and Financial Statements • Business Process A • Completeness • Accuracy • Validity • Restricted Access Business Objectives Account Balances and Transactions • Financial Statement Assertions • Completeness • Accuracy • Rights & Obligations • Existence / Occurrence • Valuation / Allocation • Presentation / Disclosure • Cutoff • Business • Risks related to achieving Objectives • …… • …… • …… • Business Process B • Completeness • Accuracy • Validity • Restricted Access Account Balances and Transactions • Business Process C • Completeness • Accuracy • Validity • Restricted Access Account Balances and Transactions General Computer Controls Source: PWC
IT Organization Requirements • Get ready! Don’t leave it all to the “C” types • Hire some security specialists – e.g., CISA, ESIC • Brush up on your accounting skills • Training courses in ethics, responsible management • IT Audit: become a watch dog, not a blood hound • Audit by exception – impossible to check everything • Pass bad news up the chain of command FAST! • Controls evolve: keep on top of things
Cost of SOX Compliance • ~$3M/year for medium-large firms • As high as $1.4T if measuring lost market value of firms • 78% of firms say it’s not worth cost • Opportunity costs of foreign firms choosing not to list in U.S. • Offset by implied benefits for those that do list?
For Next Class… • Read • Read the Merrill Lynch case carefully – be prepared to answer questions in class on the case (to be posted shortly). • Read through the articles listed on the class website.