The Impact of Sarbanes-Oxley on IT Presented by Jerald Savin, FIMC, CMC, CPA, CITP Cambridge...

transcript

The Impact of Sarbanes-Oxley on IT

Presented byJerald Savin, FIMC, CMC, CPA, CITP

Cambridge Technology Consulting Group, Inc. 201 Wilshire Blvd., Ste 41, Santa Monica, CA 90401 Tel: (310) 229-8947 - Email: jsavin@ctcg.com

For the July CIO Breakfast

Jerald (Jerry) M. Savin

President/CEO, Cambridge Technology Consulting Group, Inc.

Certified Public Accountant (CPA) Fellow Institute of Management Consultants

(FIMC) Certified Management Consultant (CMC) Certified Information Technology Professional

(CITP) Former Chairman, Institute of Management

Consultants USA

co-author

Richard Savich, Ph. D., C.P.A. President, ABKO Consulting (A Business

Knowledge Organization) Director, Professional Development Institute,

The Collins School of Hospitality Management, Cal Poly Pomona

Formerly, National Director, Management Consulting Training, Coopers & Lybrand and Ernst & Young

Formerly, Professor, USC School of Accounting

Outline

The Sarbanes-Oxley Act Section 404 - Internal Controls Trends and Developments Questions & Answers

The Sarbanes-Oxley Act

101 Board Membership 103 Board Duties 108 Accounting Standards 201 Prohibited Activities 203 Audit Partner Rotation 301 Audit Committees 302 Corporate Responsibility For Financial Reports 402 Loans to Executives 404 Mgmt Assessment of Internal Controls 407 Disclosure of Audit Committee Financial Expert 806 Whistle Blower Protection

PCAOB (www.pcaobus.org)

PCAOB - Auditing Standards

Amend, modify, repeal and reject standards suggested by designated professional groups of accountants and by standard-setting advisory groups

Report on its standard-setting activities to the SEC annually

Section 404 Internal Control Standard PCAOB must adopt an audit standard to

implement an internal control review The standard must require the auditor to

evaluate whether the internal control structure and procedures Include records that accurately and fairly

reflect the transactions of the issuer Provide reasonable assurance that the

transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP, and

Provide a description of any material weaknesses in the internal controls

Section 404Management Assessment of Internal Controls 404(a)

Management’s responsibility for establishing and maintaining adequate internal control for financial reporting.

404(b) Independent auditor’s responsibility

for attesting to and reporting on management’s assessment of internal control.

Section 404(a)

Management’s Responsibilities: Implement effective internal structure

and procedures for ICOFR Evaluate effectiveness of ICOFR using

suitable internal control framework Support that evaluation with sufficient

evidence Present a written assessment of the

effectiveness at year end

Section 404(b)

Auditor’s Responsibilities: Evaluate management’s assessment Obtain an understanding of the

company’s ICOFR Test and Evaluate the design and

operational effectiveness of ICOFR Form an opinion regarding the

adequacy and effectiveness of ICOFR

Section 302 Corporate Responsibility For Financial Reports (1 of 3)

CEO/CFO certifications

Financial statements and disclosures comply with the requirements of the Exchange Act

Disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer

Establish and maintain disclosure controls and procedures that are designed to ensure that material information is made known to the officers

Evaluate the effectiveness of the disclosure controls and procedures in the last 90 days

Present their conclusions about the effectiveness of the disclosure controls and procedures

Disclose to the auditors/audit committee any significant deficiencies or material weaknesses in internal controls and any fraud committed by any person with a significant role in internal control

Indicate whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions for significant deficiencies/material weaknesses

Section 404 Management Assessment of Internal Controls (1 of 2)

Internal Control Report Effective for fiscal years ending on or after

November 15, 2004 for accelerated filers (Originally 6/15/04) July 14, 2005 for non-accelerated filers (Originally 4/15/05)

Signed by the CEO and CFO Must contain statements

Management is responsible for establishing and maintaining adequate internal control over financial reporting

Identify the framework used by management to evaluate the effectiveness of the internal control

Assessment of the effectiveness of the internal controls as of the end of year-end

Auditor has issued an attestation report on management’s assessment

Section 404 Management Assessment of Internal Controls (2 of 2)

ICOFR is not effective if there is one or more material weaknesses in internal control

Management's evaluation should be based on a suitable, recognized internal control framework

Internal Control over Financial Reporting (ICOFR) defined (1 of 2)

ICOFR Is a process Designed by the principal executive and

financial officers and approved by management and the Board of Directors

To provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP and include those policies and procedures that

Internal Control over Financial Reporting (ICOFR) defined (2 of 2)

Pertains to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets

Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statement in accordance with GAAP, and that receipts and expenditures are being made only in accordance with authorizations of management and the directors

Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements

The Auditor

Is required to attest to/report on management’s assessment

In accordance with standards issued/adopted by PCAOB

This evaluation is not a separate engagement “… integrated audit …”

Key Dates

July 30, 2002 - Date of Enactment April 18, 2003 - Interim Auditing Stds issued March 9, 2004 - Auditing Std No 2 issued November 15, 2004 (Originally June 15,

2004) 404 Internal Control assessments due for Accelerated

filers with fiscal years ending on/after July 15, 2005 (Originally April 15,

2005) 404 Internal Control assessments due for Non-

accelerated filers with fiscal years ending on/after

PCAOB Auditing Standards 2004-001 – An Audit of Internal Control Over Financial

Reporting Performed in Conjunction with an Audit of Financial Statements (03/09/04) (Standard No. 2)

2003-026 – Technical Amendments to Interim Standards Rules (12/18/03)

2003-025 – References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Boards (12/18/03)

2003-009 – Compliance with Auditing and Related Professional Practice Standards (6/30/03)

2003-006 – Establishment of Interim Professional Auditing Standards (4/18/03) (Standard No. 1)

2004-002 – Proposed Auditing Standards Conforming Amendments to PCAOB Interim Standards … (Comment period ended 4/23/04)

PCAOB Standards An Audit Of Internal Control Over

Financial Reporting Performed In Conjunction With An Audit Of Financial Statements, Release 2004-001, March 9, 2004

“… integrated audit of the financial statements and internal control over financial reporting.” “… not a … separate engagement.” (p. 8)

“COSO … provides a suitable framework for purposes of management’s assessment.” (p. 9)

“… an auditor impairs his or her independence if the auditor audits his or her own work, including any work on designing or implementing an audit client’s internal control system.” (p. 10,11)

Outline

The Committee of Sponsoring Organizations of the Treadway Commission AICPA, AAA, FEI, IIA, IMA

Is a voluntary private sector organization Formed in 1985 to sponsor the National

Commission on Fraudulent Financial Reporting Dedicated to improving the quality of financial

reporting through business ethics, effective internal controls and corporate governance.

COSO Definition of Internal Control

Internal control is a process, instituted by an entity’s board of directors and management that is designed to provide reasonable assurance regarding the achievement of the following categories of objectives:

Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and

regulations

COSO Internal Control Framework

“Internal control consists of five interrelated components.”

Control Environment Risk Assessment Control Activities Information and Communication Monitoring

-- Internal Control – Integrated Framework – Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission.

Three categories of objectives: Operations Financial reporting Compliance

Relates to the entire enterprise: To all Units To all Activities

COSO Internal Control Components

-- Internal Control – Integrated Framework – Framework, COSO, p. 13.

Control Environment

Risk Assessment

Control Activities

Information & Communicati

Monitoring

Control Environment factors Organization tone Discipline and structure Integrity, ethics, competence Management philosophy and operating style Assignment of authority & responsibility Work organization Personnel development Attention & direction of Board of Directors

COSO Internal Control Components Control Environment factors

Integrity & ethical values Incentives & temptations Moral Guidance Commitment to Competence Board of Directors & Audit Committee Management Philosophy & Operating Style Organizational Structure Assignment of Authority & Responsibility Human Resources Policies & Practices Evaluation (p. 27/28)

-- Internal Control – Integrated Framework – Framework, COSO, p. 19-28.

Control Environment

Risk Assessment

Control Activities

Monitoring

Risk Assessment Identify relevant risks to achieve objectives Analyze these risks Determine how to manage them

Begins with the Objectives: Operations Objectives

Achieving the entity’s mission Financial Reporting Objectives

Producing reliable financial statements Compliance Objectives

Complying with applicable laws and regulations

Risk Assessment

Types of Risk- Control Risk

That error will not be prevented, detected or corrected on a timely basis

Detection Risk Fail to detect material errors

COSO Risk Management

Managing Change Identify & react to routine events Identify & react to dramatic events New or redesigned information systems Rapid growth New technology New lines, products, activities, acquisitions Corporate restructuring Foreign operations

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 24-27.

Control Environment

Risk Assessment

Control Activities

IS Controls

Monitoring

COSO Internal Control Components Control Activities

Policies and Procedures, which include Approvals Authorizations Verifications Validations Reconciliations Valuations Classification controlsCompleteness controls Timeliness Posting and Summarization Controls Operating performance reviews Information Processing Controls Asset security Segregation of duties

COSO Information Systems Controls General Controls

Data Center Operations System Software Access Security Application Development &

Maintenance Application Controls

COBIT provides details-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.

General Controls for Information Systems

Data Center Operations Backup and recovery procedures Contingency and disaster recovery

planning Job set up and scheduling procedures Operational controls

System Software Controls Acquisition, implementation &

maintenance of Operating system software Database management software Telecommunications Security Utility

Access Security Access controls Firewalls, Intrusion Detection and

Prevention Systems (IDS/IPS) Password policies

Application development (SDLC) Project authorization Approval of development & maintenance Application system development controls Application system maintenance controls Testing

Application Controls for Information Systems

Application level risks Application availability Security Integrity Maintainability

Application level risks Data risks

Completeness Integrity Confidentiality Privacy Accuracy

Application interface integrity: All inputs are received Inputs are valid Outputs are correct Outputs are properly distributed

Transaction processing integrity: Complete Accurate Authorized Valid

Control Environment

Risk Assessment

Control Activities

Monitoring

Information and Communication “Pertinent information must be

identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.”

To the right people in sufficient detail on time

COSO Information and Communication

Pertinent Financial & Non-financial Information

Information Quality Appropriate Timely Current Accurate Accessible

COSO Information & Communication

Including Effective communication of duties

and control responsibilities Communication of improprieties Management’s receptivity to employee

suggestions Timely appropriate mgmt follow-up Internal and External communications

Customer/supplier communications Outside awareness of ethical standards

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 33-35.

Control Environment

Risk Assessment

Control Activities

Monitoring

Monitoring Ongoing assessment of the system’s

performance over time Accomplished through

Ongoing monitoring Separate evaluations Internal and external audits Combination

Internal Controls

Traditional Generic List of Controls Preventive Detective Corrective

Manual Computer

Managerial supervision

Internal Control Examples

Direct management of the business Performance reviews

Executive Functional Activity

Use of performance measures, indicators, benchmarks

Independent performance checks Management of human capital

Internal Controls Examples

Proper procedures for authorizing transactions

Proper execution of transactions & events

Accurate & timely recording of transactions & events

Segregation of duties Authorization Record keeping Custody

Internal Controls Examples

Physical controls over vulnerable Assets and records

Access restrictions to and accountability for resources & records

Appropriate documentation of transactions and internal controls

Information processing controls

COSOReference Manual

Format Objectives O,F,C:

O = Operations F = Financial reporting C = Compliance

Risks Points of Focus for Actions/Control

Activities-- Internal Control – Integrated Framework – Evaluation Tools, COSO.

Basic Value Chain Activities: Inbound Operations Outbound Marketing/Sales Service

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 49.

Infrastructure Support Activities: Administration Human Resources Technology Development Procurement

COSOReference Manual Administrative subactivities:

Manage Finance Manage Enterprise Manage External Relations Provide Administrative Services Manage Information Technology Manage Risks Manage Legal Affairs Plan

Administrative Controllership subactivities : Process A/P Process A/R Process Funds Process Fixed Assets Analyze and Reconcile Process Benefits & Retirement

Administrative Controllership subactivities : Process Payroll Process Tax Compliance Process Product Costs Provide Financial & Management

Reporting

COSO Summary

Criticized as Too Vague

Contains guidelines Doesn’t contain specific work program

Too Operational Includes operational areas traditionally

outside of auditors examination

IT Controls

ISACA Formerly EDP Auditors Association Founded in 1967

Standards Guidelines Procedures Control Objectives Control Practices Audit Guidelines Management Guidelines

Control OBjectives for Information and related Technology

ISACA/IT Governance Institute Defines IT Controls in terms of

Planning & Organization Acquisition & Implementation Delivery & Support Monitoring

Planning & Organization Define strategic IT plan Define information architecture Determine technology direction Define IT organization & relationships Manage IT investment Communicate mgmt aims & direction

Planning & Organization Manage human resources Comply with external requirements Assess risks Manage projects Manage quality

Acquisition & Implementation Identify automated solutions Acquire & maintain application software Acquire & maintain technology

infrastructure Develop & maintain procedures Install & accredit systems Manage changes

Delivery & Support Define & manage service levels Manage third-party services Manage performance & capacity Ensure continuous service Ensure systems security Identify & allocate costs

Delivery & Support Educate & train users Assist & advise customers Manage configuration Manage problems & incidents Manage data Manage facilities Manage operations

Monitoring Monitor the process Assess internal control adequacy Obtain independent assurance Provide for independent audit

Specific IT Control Issues

ERP BPI (Business Process Improvement) B2C & B2B Risk Measurement Intrusion Detection Viruses Email integrity

Third Parties

Evaluate the role third parties play in relation to IT environment, related controls and control objectives

Third party provider controls Third parties subcontractors

SAS 70 Type 2

ISO 17799 (BS7799)

“A comprehensive set of controls comprising best practices in information security”

“Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization”

ISO 17799 (BS7799)

Security Policy System Access

Control Computer &

Operations Mgmt System Development

& Maintenance Physical &

Environment Security

Compliance Personnel Security Security

Organization Asset Classification

and Control Business Continuity

Management (BCM)

Mgmt Assessment Process

1. Plan the Assessment

2. Document the ICOFR

3. Evaluate their design & effectiveness

4. Identify, Assess, Correct Deficiencies

5. Prepare written assessment

-- Adapted from the 404 Institute

1. Plan the Assessment Determine Scope:

Controls related to all significant accounts and disclosures in financial statements

An account is considered significant when there is more than a remote likelihood that it could contain misstatements that individually or aggregated with others could have a material affect on the financials. -- Std No. 2

1. Plan the Assessment Identify assessment team Identify significant

Milestones Schedule Resources

Determine documentation approach

1. Plan the Assessment Other Considerations:

Multi-location Use of outside service organizations –

Type II SAS 70 report Evaluation of IT Controls – IT risks

Inaccurately processing accurate data; accurately processing inaccurate data

Unauthorized access; Unauthorized changes to programs/data; Potential loss of data

2. Document ICOFR Document the design of controls over

relevant assertions Document the initiation, authorization,

recording, processing and reporting of significant transactions

Document transaction flow to identify where misstatements might occur

2. Document ICOFR Document controls designed to prevent

or detect fraud Document controls over period-end

processing Document controls to safeguard assets Document the results of management’s

assessment

3. Evaluate the design & effectiveness of ICOFR

Effectively designed controls are expected to prevent and detect errors or fraud

Design = the controls are appropriate to prevent or detect misstatements

Effectiveness = the controls are functioning as designed

3. Evaluate the design & effectiveness of ICOFR

Measuring effectiveness Are the systems functioning as intended? Are the controls operating as designed? Do the people performing the controls

possess the authority and qualifications to effectively perform the controls?

4. Identify, Assess & Correct Deficiencies Deficiency

Deficiencies exist when misstatements are not prevented or detected on a timely basis in the normal course of business

Design deficiency = a necessary control is missing or not properly designed

Operating deficiency = a properly designed control is not operating as designed or the person performing the control is inadequate

4. Identify, Assess, Correct Deficiencies Definitions:

Significant deficiency = control deficiency that adversely affect the initiation, authorization, recording, processing or reporting of reliable financial data

Material deficiency = significant deficiency that results in more than remote likelihood of a material misstatement

Per PCAOB Standard No. 2

5. Prepare report Management acknowledges its

responsibility for establishing and maintaining adequate ICOFR

Identifies the ICOFR framework used Assesses the effectiveness of ICOFR as

of yearend No sample management report was

provided in Standard No. 2.

The Audit Process

1. Plan the engagement

2. Evaluate Management’s Assessment Process

3. Understand company’s ICOFR

4. Test & Evaluate Design and Effectiveness of ICOFR

5. Form an Opinion-- Adapted from the 404 Institute

Auditor Questions

What was examined to determine the existence of errors?

What kinds of errors were found? What happened as a result of finding

these errors? How were the errors resolved? Have personnel been asked to

override the processes or controls?

Internal Control Assessment

Alternative Approaches Financial Statement/Account based Systems based Role of “Best Practice Models”

Account Based Approach

Begin with Financial Statement captions or Trial Balance accounts

Identify Business cycle Client processes Inherent risks

Risk ranking (High, Medium, Low) Identify Internal Controls

Account Based ApproachF/S

Caption Business Cycle Client ProcessInherent

RisksRisk

Ranking

1 Revenue Revenue Cycle Client's sales process Revenue RecognitionAuthorizationBilling AccuracyGAAP compliance

2 AccountsReceivable

Treasury Cycle AR processCash application processCollection processDiscrepancy resolution

AccuracyApplicationValuation

3 Cash Treasury Cycle Cash ReceiptsCheck Authorization/Writing

AccuracyCompleteness

4 OperatingExpenses

Expenditure Cycle - Non-payroll

Vendor controlsProcurement processReceiving processInvoice processingGeneral Ledger recording

AccuracyCompletenessSegregation of duties

Medium

5 AccruedCompensation

Expenditure Cycle - Payroll Employee hiringPersonnel recordsTime and Attendance capturePayroll interface

AccuracyCompleteness

Evaluating Risk

In terms of Materiality Process Complexity Susceptibility to Change Accounting History

Evaluating Risk

Materiality Dollar amount Transaction volume Impact on ratios & covenants Individually & collectively

Evaluating Risk

Process Complexity Number of people/departments Number of steps/phases Number of interfaces (“hand-offs”) Number of internal controls Technical nature Skill required vs. Skill available

Evaluating Risk

Susceptibility to Change Process stability Likelihood of future changes

Accounting History Number of errors Number of adjustments

Systems Based Approach

Identify business processes Express them in “flow charts”

Conceptual Physical

Examine transaction life cycle (from cradle-to-grave) Perform tests of transactions

Systems Based Approach

Approaches: “Black Box”

Reconciliation “White Box”

Internal controls

Identify control mechanisms Are they adequate (design)? Are they effective?

Internal Controls

Which Approach is Best?

Top Down Process oriented Systemic approach Requires systems expertise May take longer

Bottom Up Financial Statement/Account oriented Focuses on the pieces before the whole Tends exaggerate the number of assertions

and controls Do not necessarily comprehend the whole

Outline

Trends

Internal control review is more expensive than audit, at least the first time

Internal control prep takes extensive resources and budget

Annual reports will increase in size

Trends

Different standards among the Big 4 Different standards within the Big 4 Struggle between auditors and clients

over amount of ICOFR Big 4 cannot consult on ICOFR for clients The “grey line”

May provide some guidance/resources But cannot impair independence

Private Companies Trends

Two standards “Big GAAS” and “Little GAAS”

Other Actions Banking Regulators SEC: Non-Public Broker-Dealers

deferred until after 1/1/05 Cascading

Cascading

New York 8 Bills

California AB 664 (Correa) AB 665 (Correa) SB 1262 (Sher) SB 1272

Private Companies Trends

Being acquired by a public company just became more complicated

Going public just became more complicated

Questions to ponder

How will SOX be applied to non-public companies?

What will businesses do differently tomorrow because of SOX?

How will you be involved?

From the IT Perspective

Confusing, contradictory guidance Prone to evaluate IT at the micro level

rather than macro level Corporate level Policy/Procedures Adapted for locations/systems

Fail to involve IT in accounting systems assessments Compartmentalize the controls

Assessors have limited IT expertise Opportunity to enhance IT

Convert a directive into growth IT will require additional resources to

comply

Confusing areas: Business continuity Third parties

Hot Topics: Change management System Development/Maintenance Security

Weak areas: Data integrity

Complicating factors: Multi-location Multi-system

Resources

www.404institute.com www.aaahq.org www.accountingweb.com www.aicpa.org www.coso.org www.fei.org

www.imanet.org www.isaca.org www.pcaobus.org www.sec.gov www.theiia.org

Resource

Internal Control Reporting – Implementing Sarbanes-Oxley Section 404, AICPA paperback

Authoritative Literature COSO IC Integrated Framework Project Planning Documentation of Internal Control Testing of Internal Control

Outline

Questions and Answers

Good Luck!

The Impact of Sarbanes-Oxley on IT Presented by Jerald Savin, FIMC, CMC, CPA, CITP Cambridge...

Documents