The Sarbanes-Oxley Act
  101 Board Membership
  103 Board Duties
  108 Accounting Standards
  201 Prohibited Activities
  203 Audit Partner Rotation
  301 Audit Committees
  302 Corporate Responsibility for Financial Reports
  402 Loans to Executives
  404 Management Assessment of Internal Controls
  407 Disclosure of Audit Committee Financial Expert
  806 Whistleblower Protection

Section 404: Management Assessment of Internal Controls
  404(a) Management's responsibility for establishing and maintaining adequate internal control over financial reporting (ICOFR).
  404(b) Independent auditor's responsibility for attesting to and reporting on management's assessment of internal control.

Section 404(a): Management's Responsibilities
  - Implement an effective internal structure and procedures for ICOFR
  - Evaluate the effectiveness of ICOFR using a suitable internal control framework
  - Support that evaluation with sufficient evidence
  - Present a written assessment of the effectiveness at year end

Section 404(b): Auditor's Responsibilities
  - Evaluate management's assessment
  - Obtain an understanding of the company's ICOFR
  - Test and evaluate the design and operating effectiveness of ICOFR
  - Form an opinion regarding the adequacy and effectiveness of ICOFR

Section 302: Corporate Responsibility for Financial Reports (1 of 3)
  CEO/CFO certifications:
  - Financial statements and disclosures comply with the requirements of the Exchange Act
  - Disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer

Section 302: Corporate Responsibility for Financial Reports (2 of 3)
  - Establish and maintain disclosure controls and procedures designed to ensure that material information is made known to the officers
  - Evaluate the effectiveness of the disclosure controls and procedures within the last 90 days
  - Present their conclusions about the effectiveness of the disclosure controls and procedures

Section 302: Corporate Responsibility for Financial Reports (3 of 3)
  - Disclose to the auditors and the audit committee any significant deficiencies or material weaknesses in internal controls, and any fraud committed by any person with a significant role in internal control
  - Indicate whether or not there were significant changes in internal controls, or other factors that could significantly affect internal controls, subsequent to the date of their evaluation, including corrective actions for significant deficiencies and material weaknesses

Section 404: Management Assessment of Internal Controls (1 of 2)
  Internal Control Report
  - Effective for fiscal years ending on or after November 15, 2004 for accelerated filers (originally 6/15/04) and July 14, 2005 for non-accelerated filers (originally 4/15/05)
  - Signed by the CEO and CFO
  - Must contain statements that:
    - Management is responsible for establishing and maintaining adequate internal control over financial reporting
    - Identify the framework used by management to evaluate the effectiveness of the internal control
    - Assess the effectiveness of the internal controls as of year end
    - The auditor has issued an attestation report on management's assessment

Section 404: Management Assessment of Internal Controls (2 of 2)
  - ICOFR is not effective if there is one or more material weaknesses in internal control
  - Management's evaluation should be based on a suitable, recognized internal control framework
  - The auditor is required to attest to and report on management's assessment, in accordance with standards issued or adopted by the PCAOB
  - This evaluation is not a separate engagement: "... integrated audit ..."

COSO: The Committee of Sponsoring Organizations of the Treadway Commission
  - Sponsors: AICPA, AAA, FEI, IIA, IMA
  - A voluntary private-sector organization
  - Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting
  - Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance
COSO Definition of Internal Control
  Internal control is a process, instituted by an entity's board of directors and management, that is designed to provide reasonable assurance regarding the achievement of the following categories of objectives:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations

COSO Internal Control Framework
  "Internal control consists of five interrelated components."
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring
  -- Internal Control – Integrated Framework – Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission.
  [Diagram of the five COSO internal control components; the component slides below each highlight one of them.]
  -- Internal Control – Integrated Framework – Framework, COSO, p. 13 and p. 15.

COSO Internal Control Components: Control Environment
  Control environment factors:
  - Organization tone
  - Discipline and structure
  - Integrity, ethics, competence
  - Management philosophy and operating style
  - Assignment of authority and responsibility
  - Work organization
  - Personnel development
  - Attention and direction of the Board of Directors
  -- Internal Control – Integrated Framework – Framework, COSO, p. 19.

COSO Internal Control Components: Risk Assessment
  - Identify the relevant risks to achieving objectives
  - Analyze these risks
  - Determine how to manage them
  Begins with the objectives:
  - Operations objectives: achieving the entity's mission
  - Financial reporting objectives: producing reliable financial statements
  - Compliance objectives: complying with applicable laws and regulations
  -- Internal Control – Integrated Framework – Framework, COSO, p. 29-44.
COSO Internal Control Components: Control Activities
  Policies and procedures, which include:
  - Approvals
  - Authorizations
  - Verifications
  - Validations
  - Reconciliations
  - Valuations
  - Classification controls
  - Completeness controls
  - Timeliness
  - Posting and summarization controls
  - Operating performance reviews
  - Information processing controls
  - Asset security
  - Segregation of duties
  -- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.

COSO Information Systems Controls
  General controls:
  - Data center operations
  - System software
  - Access security
  - Application development and maintenance
  Application controls
  COBIT provides details
  -- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.

Application Controls for Information Systems
  Transaction processing integrity:
  - Complete
  - Accurate
  - Authorized
  - Valid

COSO Internal Control Components: Information and Communication
  "Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities."
  To the right people, in sufficient detail, on time.
  -- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.

COSO Information and Communication
  Pertinent financial and non-financial information
  Information quality:
  - Appropriate
  - Timely
  - Current
  - Accurate
  - Accessible
  -- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.
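The four transaction-processing integrity properties listed under Application Controls (complete, accurate, authorized, valid) are abstract on the slide. The following is an added example, not from the slide deck or from COSO, showing what each property looks like as a concrete check over a batch of journal-entry transactions. The chart of accounts, approval limits, open period and the sample batch are all constructed for illustration; the batch-header count and control total stand in for the kind of batch-level figures a source system would supply.

```python
"""Added example (not from the slides): batch application controls for
transaction-processing integrity, checking the four COSO properties:
complete, accurate, authorized, valid. All reference data is constructed."""
from dataclasses import dataclass
from decimal import Decimal
from datetime import date


@dataclass(frozen=True)
class Transaction:
    seq: int            # sequence number assigned at capture
    account: str        # general-ledger account code
    amount: Decimal
    posted: date
    approver: str


# Constructed reference data standing in for the chart of accounts, the
# approval matrix (approver -> per-transaction limit) and the open period.
CHART_OF_ACCOUNTS = {"1000", "2000", "4000", "5000"}
APPROVAL_LIMITS = {"alice": Decimal("5000"), "bob": Decimal("1000")}
PERIOD_START, PERIOD_END = date(2024, 3, 1), date(2024, 3, 31)


def check_batch(txns, header_count, header_total):
    """Return a list of (control, seq, message) exceptions for a batch.

    Batch-level controls compare the detail records with the batch header;
    record-level controls test each transaction. An empty list means the
    batch passes all four application controls."""
    exceptions = []

    # Completeness: record count matches the header and no sequence gaps.
    seqs = sorted(t.seq for t in txns)
    if len(txns) != header_count:
        exceptions.append(("complete", None,
                           f"record count {len(txns)} != header {header_count}"))
    expected = set(range(seqs[0], seqs[-1] + 1)) if seqs else set()
    for missing in sorted(expected - set(seqs)):
        exceptions.append(("complete", missing, "sequence gap"))

    # Accuracy: control total of the amounts must equal the header total.
    total = sum((t.amount for t in txns), Decimal("0"))
    if total != header_total:
        exceptions.append(("accurate", None,
                           f"control total {total} != header {header_total}"))

    for t in txns:
        # Authorization: known approver, and the amount is within their limit.
        limit = APPROVAL_LIMITS.get(t.approver)
        if limit is None:
            exceptions.append(("authorized", t.seq, f"unknown approver {t.approver}"))
        elif abs(t.amount) > limit:
            exceptions.append(("authorized", t.seq,
                               f"{t.amount} exceeds limit {limit} for {t.approver}"))
        # Validity: the account exists and the date falls in the open period.
        if t.account not in CHART_OF_ACCOUNTS:
            exceptions.append(("valid", t.seq, f"unknown account {t.account}"))
        if not PERIOD_START <= t.posted <= PERIOD_END:
            exceptions.append(("valid", t.seq, f"posting date {t.posted} outside period"))
    return exceptions


# Constructed sample batch: seq 3 is missing, seq 4 exceeds bob's limit and
# uses an account not in the chart, seq 5 is dated outside the open period.
SAMPLE_BATCH = [
    Transaction(1, "1000", Decimal("250.00"), date(2024, 3, 4), "alice"),
    Transaction(2, "4000", Decimal("-250.00"), date(2024, 3, 4), "alice"),
    Transaction(4, "9999", Decimal("1500.00"), date(2024, 3, 10), "bob"),
    Transaction(5, "5000", Decimal("80.00"), date(2024, 4, 2), "bob"),
]


def sample_exceptions():
    # The header claims 5 records totalling 1580.00; the 4 detail records do
    # sum to 1580.00, so accuracy passes while completeness fails.
    return check_batch(SAMPLE_BATCH, header_count=5, header_total=Decimal("1580.00"))


if __name__ == "__main__":
    for control, seq, msg in sample_exceptions():
        print(f"{control:10} seq={seq}: {msg}")
```

Each exception is tagged with the property it violates, which is what an auditor testing the design and operating effectiveness of application controls would want to see: a batch that reconciles to its header in total (accurate) can still be incomplete, and a record that is arithmetically fine can still be unauthorized or invalid, so the four checks are separate rather than folded into one pass/fail flag.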
COSO Information and Communication (continued)
  Including:
  - Effective communication of duties and control responsibilities
  - Communication of improprieties
  - Management's receptivity to employee suggestions
  - Timely, appropriate management follow-up
  - Internal and external communications
  - Customer and supplier communications
  - Outside awareness of ethical standards
  -- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 33-35.

COSO Internal Control Components: Monitoring
  Ongoing assessment of the system's performance over time, accomplished through:
  - Ongoing monitoring
  - Separate evaluations
  - Internal and external audits
  - A combination of these
  -- Internal Control – Integrated Framework – Framework, COSO, p. 65-74.

Internal Controls: Traditional Generic List of Controls
  - Preventive
  - Detective
  - Corrective
  - Manual
  - Computer
  - Managerial supervision

IT Controls
  ISACA
  - Formerly the EDP Auditors Association
  - Founded in 1967
  COBIT: Control OBjectives for Information and related Technology
  - ISACA / IT Governance Institute
  - Defines IT controls in terms of:
    - Planning and Organization
    - Acquisition and Implementation
    - Delivery and Support
    - Monitoring

Specific IT Control Issues
  - ERP
  - BPI (Business Process Improvement)
  - B2C and B2B
  - Risk measurement
  - Intrusion detection
  - Viruses
  - Email integrity

Systems-Based Approach
  - Identify business processes
  - Express them in flow charts (conceptual and physical)
  - Examine the transaction life cycle (from cradle to grave)
  - Perform tests of transactions