Sarbanes-Oxley, COSO and You

Implementation Issues of
CASE Presentation
September 23, 2004
By Denise Farnan
• Overview of Sarbanes-Oxley legislation
• Key sections of legislation and key players
• SOX implementation issues for public insurance companies
• Positives from implementation of SOX
Overview of Sarbanes-Oxley Act
• Became law on July 30, 2002
• The Act established a board (PCAOB) to create auditing standards and regulation for all SEC
• Created specific corporate responsibility for financial reporting, internal controls and audit committee standards
• Enacted rules relevant to attorneys, securities analysts, auditors and brokers
• Established criminal penalties for non-compliance
Intent of Sarbanes-Oxley Act
• Provide confidence and trust to investors and public in the post-Enron era.
• Requires management accountability - focus on rapid identification & correction of control weaknesses along with additional financial disclosure requirements
• Hold external auditors to a higher attestation standard
Key Sections of SOX
• Section 302 requires the CEO and CFO on a quarterly basis to sign off on financial statement fairness and internal control effectiveness. They also must report any significant changes in internal controls since their last evaluation.
• Section 404 requires a separate management report on internal control effectiveness and audit by the organization’s external financial statement auditor. It becomes effective for most large companies for their entire reporting year ending December 31, 2004 and has a 12/31/2005 effective date for other companies.
• Section 906 is related to Sections 302 and 404, and requires that CEOs and CFOs ensure all financial reporting (including annual and periodic reports) fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also provides for significant criminal penalties for non-compliance.
Key Sections of SOX (cont’d)
• Section 201 prohibits a registered public accounting firm from performing both audit and non-audit services.
• Section 301 requires an audit committee to establish “whistleblower” procedures to allow the confidential and anonymous submission of concerns regarding questionable accounting or auditing matters.
• Section 409 requires disclosure to the public on a rapid and current basis additional information concerning material changes in the financial condition or operations of the issuer (Form 8-K).
Who are the key external
Public Company Accounting Oversight Board (PCAOB)
• Is a private-sector, non-profit corporation, created by the Sarbanes-Oxley Act, to oversee the auditors of public companies.
• Responsible for establishing auditing and related attestation standards, quality control standards, and ethics standards to be used by registered public accounting firms in the preparation and issuance of audit
• Proposed rules and standards must be submitted to the Securities and Exchange Commission for approval prior to becoming law.
Who are the key external
Securities and Exchange Commission (SEC)
• Is the primary overseer and regulator of the U.S. securities markets.
• Reviews documents that publicly-held companies are required to file with the Commission. The documents
  – Registration statements for newly-offered securities;
  – Annual and quarterly filings (Forms 10-K and 10-Q);
  – Proxy materials sent to shareholders before an annual meeting;
  – Annual reports to shareholders.
  – Disclosure of current reportable events (Form 8-K)
Who are the key external
COSO - Committee of Sponsoring Organizations
• COSO is the Internal Control Framework recommended by regulatory/industry bodies for use in Sarbanes-Oxley compliance purposes.
• Designed to provide reasonable assurance towards achieving business objectives in the following three categories:
  – Reliability of financial reporting (primary emphasis of SOX)
  – Effectiveness and efficiency of operations
  – Compliance with applicable laws and regulations
• Establishes that management has primary responsibility for establishing and maintaining internal controls.
Internal Control Items
COSO’s Five Internal Control Components
• Control Environment (Assignment of authority & responsibility, Management’s philosophy and operating style)
• Risk Assessment (Establishment of objectives, Ability to manage internal & external change)
• Control Activities (Segregation of duties, Documentation of policies & procedures, Reconciliations, Transaction approvals)
• Information & Communication (Is the right information provided to the right people at the right time?)
• Monitoring (Responding to control deficiencies, Frequency of monitoring procedures, Evidence that monitoring took place)
Implementation Issues for SOX
• Sarbanes-Oxley Act requires education of employees and management across departments
• Increased documentation, testing, walkthrough requirements for management and auditors
• Efforts to correct any potential deficiencies identified during walkthrough
• Development of testing and monitoring strategy for risk assessment and control activity
Implementation Issues for SOX
• $$$$ --- Higher audit fees
• Purchase of compliance software – which one?
• Work with 3rd party vendors on investor communications and establishment of a whistleblower program
• Changes in IT Department on system controls utilizing the recommended Internal Control Framework established by
Positive Results from Implementation of SOX
• Improve process efficiencies through identification of weaknesses
• Reduce internal fraud with implementation of improved controls
• Create environment for corporate