Handout

Introduction:
The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and
Investor Protection Act of 2002 and commonly called SOX or Sarbox, was the response to a
number of major corporate and accounting scandals, including those affecting Enron, Tyco
International, Adelphia, Peregrine Systems and WorldCom.
These scandals shook public confidence in the nation's securities markets.
It was signed into law on July 30, 2002 by President Bush. It is considered one of the most important laws
passed by Congress since Franklin Roosevelt.
This legislation establishes new or enhanced standards for all U.S. public company boards,
management, and public accounting firms. The Act contains 11 titles, ranging from additional
corporate board responsibilities to criminal penalties.
It requires the Securities and Exchange Commission (SEC) to implement rulings on requirements
to comply with the new law.
It is named after its sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH).
Debate continues about the benefit and cost of this legislation:
In favor: it was a useful law because it:
 Restored public confidence in the nation's capital markets.
 Strengthened corporate accounting controls.
Opponents of the bill complain:
 The bill has reduced America's competitiveness against foreign financial services providers,
because according to them the bill has introduced a complex set of regulations into US financial
markets.
The bill creates a quasi-public agency called the PCAOB (Public Company Accounting Oversight Board), which
is charged with overseeing, regulating, and inspecting accounting firms in their roles as auditors of
public companies.
The Act also covers issues such as auditor independence, corporate governance, internal control
assessment, and enhanced financial disclosure.
Titles:
TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
TITLE II—AUDITOR INDEPENDENCE
TITLE III—CORPORATE RESPONSIBILITY
TITLE IV—ENHANCED FINANCIAL DISCLOSURES
TITLE V—ANALYST CONFLICTS OF INTEREST
TITLE VI—COMMISSION RESOURCES AND AUTHORITY
TITLE VII—STUDIES AND REPORTS
TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
TITLE X—CORPORATE TAX RETURNS
TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY
Key provisions or sections:

Section 302----The signing officers must certify that they are "responsible for establishing and
maintaining internal controls" and "have designed such internal controls to ensure that material
information relating to the company is fairly presented."

Section 404----Requires management and the external auditor to report on the adequacy of the
company's internal control over financial reporting (ICFR).

Section 802----Whoever alters, destroys, mutilates, conceals, covers up, falsifies, or makes a
false entry in any record or document shall be fined, imprisoned not more than 20 years, or both.

Section 1107----Whoever takes any action against any person for providing to a law
enforcement officer any truthful information relating to fraud shall be fined, imprisoned not
more than 10 years, or both.
SOX Section 404
• Management must report on the effectiveness of the company's internal controls over financial
reporting.
– A statement of management's responsibility over internal controls
– Management's assessment of the effectiveness of the company's internal controls
– Identify the framework used to evaluate controls
– State that their auditor has reported on their internal controls as well
• In today's business environment IT systems initiate, process, and report most financial
transactions.
• Because they are so involved in the day-to-day financial transactions, the IT systems become key
to financial reporting.
• This makes the controls over the IT systems key to financial reporting as well.
• Management is required to implement an internal control framework.
• COSO is the most widely used framework for SOX compliance.
– It pays little attention to IT controls.
• COBIT is one of the better known frameworks that relate to IT controls.
Key Controls:
Controls that are key to ensuring that the values on the balance sheet are accurate and reliable
– Database triggers entry in general ledger.
– System to ensure that if an email fails to be sent, it is resent later.
The IT Auditor ensures that they are effective, reliable, and reproducible.
General Controls:
Controls that go across all IT systems and are essential to ensuring the integrity, reliability, and quality of
the systems
– Security Policies
– Change Management
– Administration of Duties/Rights
Example of Assessing General Controls
Administration of Duties/Rights must include the following 3 principles:
• Separation of Duties
– Individual permissions and roles
• Least Privilege
– Individuals are only given the privileges needed to do their job
• User Provisioning
– New users are set up with correct privileges
– Standard profile for each user
If these 3 principles are not in place, the IT system has failed to meet SOX compliance.
The Auditor must:
• Note the exception
• Flag it up to Management for remediation
There is no clear pass or fail criterion; all auditors have different levels of comfort with exceptions.
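The three-principle assessment described above, as an added example that is not part of the handout or of any source it cites: a Python script that checks a set of user role assignments against Separation of Duties, Least Privilege and User Provisioning and produces the exceptions an auditor would note and flag to management. The standard profiles, the conflicting-permission pairs and the users are all constructed sample data, and the specific rules (ad hoc permissions count as least-privilege exceptions, users must map onto a standard profile) are assumptions made for illustration.

```python
"""Added example: assess Administration of Duties/Rights the way an IT
auditor would for a SOX general-controls review. All data is constructed."""
from dataclasses import dataclass, field

# Constructed standard profiles: the permissions each job role needs (assumption).
STANDARD_PROFILES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "gl_accountant": {"post_journal"},
    "dba": {"db_admin"},
}

# Constructed Separation-of-Duties conflicts: no single user may hold both.
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("post_journal", "db_admin"),
]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)             # standard profiles assigned
    extra_permissions: set = field(default_factory=set)  # granted outside any profile


def effective_permissions(user):
    """Union of the user's profile permissions and any ad hoc grants."""
    perms = set(user.extra_permissions)
    for role in user.roles:
        perms |= STANDARD_PROFILES.get(role, set())
    return perms


def assess_user(user):
    """Return the list of exceptions for one user; an empty list means no finding."""
    exceptions = []
    perms = effective_permissions(user)
    # 1. Separation of Duties: conflicting permissions may not sit with one person.
    for a, b in SOD_CONFLICTS:
        if a in perms and b in perms:
            exceptions.append(f"SoD: {user.name} holds both '{a}' and '{b}'")
    # 2. Least Privilege: anything outside the user's standard profiles is ad hoc.
    for perm in sorted(user.extra_permissions):
        exceptions.append(f"LeastPrivilege: {user.name} holds ad hoc permission '{perm}'")
    # 3. User Provisioning: every user must be set up from a known standard profile.
    if not user.roles:
        exceptions.append(f"Provisioning: {user.name} has no standard profile")
    for role in sorted(user.roles - set(STANDARD_PROFILES)):
        exceptions.append(f"Provisioning: {user.name} has non-standard role '{role}'")
    return exceptions


def assess(users):
    """Auditor's exception report: only users with at least one exception,
    so management sees exactly what needs remediation."""
    report = {}
    for user in users:
        findings = assess_user(user)
        if findings:
            report[user.name] = findings
    return report


# Constructed sample population covering a clean user and one failure per principle.
SAMPLE_USERS = [
    User("alice", {"ap_clerk"}),
    User("bob", {"ap_clerk", "ap_approver"}),          # can create a vendor and approve its payment
    User("carol", {"gl_accountant"}, {"db_admin"}),    # ad hoc DBA rights beside journal posting
    User("dave", {"contractor_custom"}),               # role not in any standard profile
    User("erin", set()),                               # never provisioned from a profile
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_USERS).items():
        for finding in findings:
            print(finding)
```

Each finding is prefixed with the principle it violates so the report can be sorted by principle when it is flagged to management; because the handout notes there is no fixed pass or fail threshold, the script reports exceptions rather than deciding compliance itself.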
Work cited:
http://www.deloitte.com/dtt/cda/doc/content/Taking%20Control(2).pdf (accessed 10/20/2008)
http://en.wikipedia.org/wiki/Sarbanes_oxley (accessed 10/20/2008)
http://www.sec.gov/rules/final/33-8238.htm#ia (accessed 10/21/2008)
Johnston Sollicito, Michelle. "Executing an IT Audit for Sarbanes-Oxley Compliance." (accessed 10/22/2008)
http://www.e-janco.com/Sarbanes-Oxley.htm
Sarbanes-Oxley Compliance Kit
Sarbanes-Oxley Section 404 requires that:
 Enterprises have an enterprise-wide security policy;
 Enterprises have enterprise-wide classification of data for security, risk, and
business impact;
 Enterprises have security-related standards and procedures;
 Enterprises have formal security-based documentation, auditing, and
testing in place;
 Enterprises enforce separation of duties; and
 Enterprises have policies and procedures in place for Change Management,
Help Desk, Service Requests, and changes to applications, policies, and
procedures.