Handout Introduction:

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, was the legislative response to a series of major corporate and accounting scandals, including those at Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals shook public confidence in the nation's securities markets. The Act was signed into law on July 30, 2002 by President George W. Bush, who described it as the most far-reaching reform of American business practices since the time of Franklin D. Roosevelt.

The legislation establishes new or enhanced standards for all U.S. public company boards, management and public accounting firms. The Act contains 11 titles, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to issue rules implementing its requirements. It is named after its sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH).

Debate continues about the benefits and costs of the legislation:
• In favor: supporters hold that it is a necessary and useful law because it restores public confidence in the nation's capital markets and strengthens corporate accounting controls.
• Opposed: critics complain that the law has reduced America's competitiveness against foreign financial services providers because it introduced a complex set of regulations into U.S. financial markets.

The Act creates a quasi-public agency, the Public Company Accounting Oversight Board (PCAOB), which is charged with overseeing, regulating and inspecting accounting firms in their roles as auditors of public companies. The Act also covers auditor independence, corporate governance, internal control assessment and enhanced financial disclosure.
Titles:
TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
TITLE II—AUDITOR INDEPENDENCE
TITLE III—CORPORATE RESPONSIBILITY
TITLE IV—ENHANCED FINANCIAL DISCLOSURES
TITLE V—ANALYST CONFLICTS OF INTEREST
TITLE VI—COMMISSION RESOURCES AND AUTHORITY
TITLE VII—STUDIES AND REPORTS
TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
TITLE X—CORPORATE TAX RETURNS
TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY

Key provisions or sections:
Section 302: The signing officers (the principal executive and principal financial officers) must certify each periodic report. Among other things, they certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers", and that the financial statements fairly present the company's financial condition and results of operations.
Section 404: Requires management to report annually on the adequacy of the company's internal control over financial reporting (ICFR), and requires the external auditor to attest to and report on management's assessment.
Section 802: Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record or document with the intent to impede or obstruct a federal investigation shall be fined, imprisoned not more than 20 years, or both.
Section 1107: Whoever knowingly, with intent to retaliate, takes any harmful action against any person for providing to a law enforcement officer any truthful information relating to the commission or possible commission of a federal offense shall be fined, imprisoned not more than 10 years, or both.

SOX Section 404
• Management must report on the effectiveness of the company's internal controls over financial reporting. The report must include:
  – A statement of management's responsibility for internal controls
  – Management's assessment of the effectiveness of the company's internal controls
  – The framework used to evaluate the controls
  – A statement that the company's auditor has reported on those internal controls as well
• In today's business environment, IT systems initiate, process and report most financial transactions.
• Because they are so involved in day-to-day financial transactions, IT systems are key to financial reporting, which makes the controls over those IT systems key to financial reporting as well.
• Management is required to adopt an internal control framework.
  – COSO is the most widely used framework for SOX compliance, but it pays little attention to IT controls.
  – COBIT is one of the better known frameworks that address IT controls.

Key Controls: controls that are key to ensuring that the values on the balance sheet are accurate and reliable. Examples:
  – A database trigger that posts an entry to the general ledger
  – A system that detects when an email failed to send and resends it later
The IT auditor ensures that these controls are effective, reliable and reproducible.

General Controls: controls that cut across all IT systems and are essential to ensuring the integrity, reliability and quality of those systems:
  – Security policies
  – Change management
  – Administration of duties/rights

Example of Assessing General Controls
Administration of duties/rights must include the following three principles:
• Separation of Duties – individual permissions are assigned through roles, so that conflicting duties are never held by one individual
• Least Privilege – an individual is given only the privileges needed to do their job
• User Provisioning – new users are set up with the correct privileges, from a standard profile for each type of user
If these three principles are not in place, the IT system has failed to meet SOX compliance. The auditor must:
• Note the exception
• Flag it to management for remediation
There are no clear pass or fail criteria; auditors differ in their level of comfort with exceptions.

Work cited:
http://www.deloitte.com/dtt/cda/doc/content/Taking%20Control(2).pdf, accessed 10/20/2008
http://en.wikipedia.org/wiki/Sarbanes_oxley, accessed 10/20/2008
http://www.sec.gov/rules/final/33-8238.htm#ia, accessed 10/21/2008
Johnston Sollicito, Michelle. "Executing an IT Audit for Sarbanes-Oxley Compliance." Accessed 10/22/2008.
Sarbanes-Oxley Compliance Kit, http://www.e-janco.com/Sarbanes-Oxley.htm

According to the Sarbanes-Oxley Compliance Kit cited above, Section 404 compliance requires that:
• Enterprises have an enterprise-wide security policy;
• Enterprises have enterprise-wide classification of data for security, risk and business impact;
• Enterprises have security-related standards and procedures;
• Enterprises have formal security-based documentation, auditing and testing in place;
• Enterprises enforce separation of duties; and
• Enterprises have policies and procedures in place for change management, help desk, service requests, and changes to applications, policies and procedures.
Note that this list is the kit vendor's interpretation of what effective ICFR entails; the text of Section 404 itself speaks only of internal control over financial reporting and does not name these specific IT practices.
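The three Administration of Duties/Rights principles from "Example of Assessing General Controls" above (separation of duties, least privilege, user provisioning), and the separation-of-duties item in the compliance-kit list, are what an IT auditor actually tests against a user-entitlement export. The script below is an added illustration, not code from the handout or from any of its cited sources. The role names, privilege names, standard profiles, conflict pairs and user records are all constructed for the example. In keeping with the handout, it does not produce a pass/fail verdict; it lists exceptions for the auditor to note and flag to management.

```python
"""Audit user entitlements against the three Administration of Duties/Rights
principles: separation of duties, least privilege and standard user
provisioning. Every role, privilege, profile and user below is constructed
sample data (assumptions for illustration, not taken from any real system)."""

# Role -> privileges it grants (constructed).
ROLE_PRIVILEGES = {
    "ap_clerk":      {"vendor.create", "invoice.enter"},
    "ap_approver":   {"payment.approve"},
    "gl_accountant": {"journal.post"},
    "gl_reviewer":   {"journal.approve"},
    "developer":     {"code.change"},
    "release_mgr":   {"prod.deploy"},
    "dba":           {"db.admin"},
}

# Role pairs one person must never hold together (constructed SoD matrix).
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),       # create a vendor and approve paying it
    frozenset({"gl_accountant", "gl_reviewer"}),  # post and approve the same journals
    frozenset({"developer", "release_mgr"}),      # change code and deploy it to production
}

# Standard profile per job function: the roles a new user of that type receives.
STANDARD_PROFILES = {
    "accounts_payable": {"ap_clerk"},
    "ap_supervisor":    {"ap_approver"},
    "accounting":       {"gl_accountant"},
    "controller":       {"gl_reviewer"},
    "engineering":      {"developer"},
    "operations":       {"release_mgr"},
}


def sod_violations(roles):
    """Conflicting role pairs present in one user's role set, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= set(roles))


def excess_privileges(roles, direct_privileges):
    """Privileges granted directly to the user that none of their roles justify."""
    justified = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in roles))
    return sorted(set(direct_privileges) - justified)


def provisioning_deviation(job_function, roles):
    """(missing, extra) roles relative to the standard profile for the job function."""
    expected = STANDARD_PROFILES.get(job_function, set())
    return sorted(expected - set(roles)), sorted(set(roles) - expected)


def audit_user(user):
    """Return a list of (principle, detail) exceptions for one user record."""
    exceptions = []
    for pair in sod_violations(user["roles"]):
        exceptions.append(("separation_of_duties", f"holds both {pair[0]} and {pair[1]}"))
    for priv in excess_privileges(user["roles"], user.get("direct_privileges", ())):
        exceptions.append(("least_privilege", f"direct grant {priv} not justified by any role"))
    missing, extra = provisioning_deviation(user["job_function"], user["roles"])
    if missing or extra:
        exceptions.append(("user_provisioning",
                           f"deviates from {user['job_function']} profile: "
                           f"missing={missing} extra={extra}"))
    return exceptions


def audit(users):
    """Audit every user; return {name: [exceptions]} for users with at least one."""
    report = {u["name"]: audit_user(u) for u in users}
    return {name: ex for name, ex in report.items() if ex}


# Constructed sample of user records, shaped like an entitlement export from an ERP.
SAMPLE_USERS = [
    {"name": "alice", "job_function": "accounts_payable", "roles": {"ap_clerk"}},
    {"name": "bob",   "job_function": "accounts_payable", "roles": {"ap_clerk", "ap_approver"}},
    {"name": "carol", "job_function": "accounting", "roles": {"gl_accountant"},
     "direct_privileges": {"db.admin"}},
    {"name": "dave",  "job_function": "engineering", "roles": {"developer", "release_mgr"}},
    {"name": "erin",  "job_function": "controller", "roles": set()},
]

if __name__ == "__main__":
    # Each line is an exception for the auditor to note and flag to management.
    for name, exceptions in audit(SAMPLE_USERS).items():
        for principle, detail in exceptions:
            print(f"EXCEPTION {name:6} {principle:22} {detail}")
```

On the constructed data the script flags bob and dave for separation-of-duties conflicts (and for holding a role outside their standard profile), carol for a direct database-administration grant no role justifies, and erin for never having received the controller profile; alice, whose entitlements match her profile exactly, produces no exception. In a real engagement the three tables would be populated from the company's approved role model and SoD matrix rather than hard-coded.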