
Technology Career Briefing: Sarbanes-Oxley Compliance and Implications for Technology. Friday, March 3, 2006

Agenda: Introductions; Overview of Sarbanes-Oxley (SOX or SARBOX); IT Auditor impact and role in audit of internal controls over financial reporting (ICOFR); IT professional impact and role in audit of ICOFR; Questions and Answers. David Friedrichs Senior Manager


Presentation Transcript


    2. Agenda: Introductions; Overview of Sarbanes-Oxley (SOX or SARBOX); IT Auditor impact and role in audit of internal controls over financial reporting (ICOFR); IT professional impact and role in audit of ICOFR; Questions and Answers

    3. David Friedrichs, Senior Manager – Information Risk Management. 8+ years in Public Accounting, with KPMG since 2001; Extensive experience in IT Auditing and SOX compliance; Variety of industries, including Manufacturing, Food & Beverage, Healthcare and Communications; Extensive experience in financial systems implementations; Certified Information Systems Auditor (CISA) – 2006; Certified Public Accountant (CPA) – 1997

    4. My role in SOX…. Advisory: Assist clients in their documentation, testing, remediation, and internal preparation for Sarbanes-Oxley compliance. Audit of ICOFR: Support financial audit teams in the performance of integrated audits of internal controls over financial reporting.

    5. Overview of SOX: Sarbanes-Oxley Act of 2002. Legislation signed into law on July 30, 2002 by President Bush to protect investors by improving the accuracy and reliability of corporate disclosures. Representative Michael G. Oxley (R-Ohio) and Senator Paul Sarbanes (D-Md.) developed the legislation.

    6. Overview of SOX. Contributing Factors: Misstatements of financial status to keep company’s stock prices inflated ~ Enron; Securities fraud/conspiracy and false regulatory filings ~ WorldCom; Other high-profile companies with execs facing criminal charges: HealthSouth, Tyco. Intention of the Legislation: Restore investor confidence; End financial scandals and implement proper corporate oversight; Produce more accurate financial statements; Enhance direct responsibility of senior corporate management.

    7. Overview of SOX
       TITLE I – Established the Public Company Accounting Oversight Board
       TITLE II – Enhanced Auditor Independence
       TITLE III – Defined Corporate Responsibility
       TITLE IV – Enhanced Financial Disclosures
       TITLE V – Recognized Analyst Conflicts of Interest
       TITLE VI – Outlined Commission Resources and Authority
       TITLE VII – Recognized Studies and Reports
       TITLE VIII – Enhanced Corporate and Criminal Fraud Accountability
       TITLE IX – Enhanced White-Collar Crime Penalties
       TITLE X – Outlined signing of Corporate Tax Returns
       TITLE XI – Identified Corporate Fraud and Enhanced Accountability

       Title I: Established the PCAOB - Registration with the Board, Commission oversight of the Board, Accounting Standards, etc.
       Title II: Enhanced Auditor Independence - Pre-approval requirements, auditor reports to audit committee, conflicts of interest, etc.
       Title III: Defined Corporate Responsibility - Public company audit committees, Corporate responsibility for financial reports, Improper influence on conduct of audits, etc.
       Title IV: Enhanced Financial Disclosures - Disclosures in periodic reports, Management assessment of internal controls, Disclosure of audit committee financial expert, etc.
       Title V: Recognized Analyst Conflicts of Interest - Treatment of securities analysts by registered securities associations and national securities exchanges.
       Title VI: Outlined Commission Resources and Authority - Authorization of appropriations, Appearance and practice before the Commission, etc.
       Title VII: Recognized Studies and Reports - GAO study and report regarding consolidation of public accounting firms, Study and report on violators and violations, etc.
       Title VIII: Enhanced Corporate and Criminal Fraud Accountability - Criminal penalties for altering documents, Statute of limitations for securities fraud, Protection for employees of publicly traded companies who provide evidence of fraud
       Title IX: Enhanced White-Collar Crime Penalties - Attempts and conspiracies to commit criminal fraud offenses, Corporate responsibility for financial reports, etc.
       Title X: Outlined signing of Corporate Tax Returns - Sense of the Senate regarding the signing of corporate tax returns by CEOs
       Title XI: Identified Corporate Fraud and Enhanced Accountability - Tampering with a record or otherwise impeding an official proceeding, Increased criminal penalties under the Securities Exchange Act of 1934.

    8. Overview of SOX: Section 404. Requires companies' management to assess their internal controls over financial reporting (ICOFR). Requires external auditors to evaluate and provide an opinion on: Management's assessment process; The company's internal controls over financial reporting. Many companies hire a different auditing firm to assist them with their assessment. Many of those being audited view this as a double whammy! Reiterate the difference between Advisory and Audit, and that I find myself sitting on both sides of the table, depending on the client.

    9. Internal Controls over Financial Reporting. Manual Controls: Review & Approval; Account Reconciliations; Accruals & Estimates. Automated Controls: System Matching; Transaction Limits; Edit / Exception Reporting. General Computer Controls: System Access; Change Management; Program Development; Computer Operations.

    10. Impact on IT Organizations: IT must provide the information required by finance/accounting in support of SOX. IT departments can expect more thorough and frequent audits. IT is a significant component of the internal control environment. This includes documentation of their processes, identification of their controls.

    12. What is an IT Auditor? A number of factors have contributed to the IT Audit professional becoming a vital part of the fabric of many organizations. The regulatory environment of business has experienced an onslaught of legislation, governance and technology change: HIPAA – 1996; Gramm-Leach-Bliley – 1999; Sarbanes-Oxley Act – 2002. Governance standards have codified how organizations should achieve internal control: COSO (Committee of Sponsoring Organizations of the Treadway Commission); COBIT (Control Objectives for Information and related Technology from the IT Governance Institute); ITIL (IT Infrastructure Library). Advances in technology, the exponential expansion of the Internet, integrated systems and new forms of data storage and transmission have enhanced the need for the careful retooling of IT control mechanisms. The IT Auditor is in the middle of all of this.

    13. IT Auditor - Education and Skills. Education: Accounting / MIS / CIS; Degree in Accounting with an IT minor or emphasis. Skills: Effective Communication; Leadership and time management skills; Strong technical ability; Team player.

    14. Real World Examples. System Access: New hires – authorization; Job Changes – Segregation of Duties (SOD); Terminations – Removal; Remote Access; Penetration vulnerabilities. Program Change & Program Development: Authorization, development, testing, approval, migration to production; SOD. Computer Operations: System Backup & recovery; Problem Management.

    16. Sheila Burkett, Business Owner, Tuxedo Park Racing. Over 20 years in Information Systems at Edward Jones; Extensive experience in Software Development, Project Management, IT Leadership, Organizational Design and Leadership Development; Vision and Strategic Planning for IT for five years; Represented IT on Edward Jones’ firm-wide Sarbanes-Oxley Committee; SIUE SOX Symposium Committee and Presenter, 2005

    17. My role in SOX….. IS General Controls; SOX Observation Remediation; Primary contact with Internal and External Auditor; Responsible for reporting to CIO; Responsible for methodologies, standards, quality, change management, software distribution and problem management

    18. Impacts in IT: All layers of the organization; All areas of the organization; Most methodologies and processes; Challenges efficiency and productivity; Multiple reviews; Multiple auditors

    19. Organizational Impact: Delays other efforts; Communication; Understanding by people; Focus of leaders and management; Details at high levels of organization

    20. Education and Skills Required…… Education: Degree in Management Information Systems/Computer Science. Skills: Effective Communication; Process orientation; Strong technical ability; Team player.

    21. Real World Examples: Documentation; Job Processing; Change Management; Security; Software Development; Data Access

    22. Additional References: www.sox-online.com; www.pcaobus.org; www.coso.org; www.isaca.org; www.gartner.com; Compliance Weekly
