Wk_7a SOX for IT - Cal State LA

The Sarbanes-Oxley Act (selected sections)
101 Board Membership
103 Board Duties
108 Accounting Standards
201 Prohibited Activities
203 Audit Partner Rotation
301 Audit Committees
302 Corporate Responsibility For Financial Reports
402 Loans to Executives
404 Mgmt Assessment of Internal Controls
407 Disclosure of Audit Committee Financial Expert
806 Whistle Blower Protection
Section 404
Management Assessment of Internal Controls

- 404(a): Management's responsibility for establishing and maintaining adequate internal control over financial reporting (ICOFR).
- 404(b): The independent auditor's responsibility for attesting to and reporting on management's assessment of internal control.
Section 404(a)
Management's Responsibilities:

- Implement an effective internal control structure and procedures for ICOFR
- Evaluate the effectiveness of ICOFR using a suitable internal control framework
- Support that evaluation with sufficient evidence
- Present a written assessment of the effectiveness of ICOFR as of fiscal year end
Section 404(b)
Auditor's Responsibilities:

- Evaluate management's assessment
- Obtain an understanding of the company's ICOFR
- Test and evaluate the design and operating effectiveness of ICOFR
- Form an opinion regarding the adequacy and effectiveness of ICOFR
Section 302
Corporate Responsibility For Financial Reports (1 of 3)

CEO/CFO certifications:

- The financial statements and disclosures comply with the requirements of the Exchange Act
- The disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer
Section 302
Corporate Responsibility For Financial Reports (2 of 3)

The certifying officers must:

- Establish and maintain disclosure controls and procedures designed to ensure that material information is made known to the officers
- Evaluate the effectiveness of the disclosure controls and procedures as of a date within 90 days prior to the report
- Present their conclusions about the effectiveness of the disclosure controls and procedures
Section 302
Corporate Responsibility For Financial Reports (3 of 3)

The certifying officers must also:

- Disclose to the auditors and the audit committee any significant deficiencies or material weaknesses in internal controls, and any fraud, whether or not material, committed by any person with a significant role in internal control
- Indicate whether or not there were significant changes in internal controls, or other factors that could significantly affect internal controls, subsequent to the date of their evaluation, including corrective actions for significant deficiencies and material weaknesses
Section 404
Management Assessment of Internal Controls (1 of 2)

Internal Control Report

- Effective for fiscal years ending on or after
  - November 15, 2004 for accelerated filers (originally June 15, 2004)
  - July 15, 2005 for non-accelerated filers (originally April 15, 2005)
- Signed by the CEO and CFO
- Must contain statements that:
  - Management is responsible for establishing and maintaining adequate internal control over financial reporting
  - Identify the framework used by management to evaluate the effectiveness of internal control
  - Give management's assessment of the effectiveness of internal control as of fiscal year end
  - State that the auditor has issued an attestation report on management's assessment
Section 404
Management Assessment of Internal Controls (2 of 2)

- ICOFR is not effective if there is one or more material weaknesses in internal control
- Management's evaluation should be based on a suitable, recognized internal control framework
- The auditor
  - Is required to attest to and report on management's assessment
  - Does so in accordance with standards issued or adopted by the PCAOB
  - Performs this attestation not as a separate engagement but together with the financial statement audit: an "integrated audit"
COSO
The Committee of Sponsoring Organizations of the Treadway Commission

- Sponsoring organizations: AICPA, AAA, FEI, IIA, IMA
- A voluntary private-sector organization
- Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission)
- Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance
COSO
Definition of Internal Control

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
COSO
Internal Control Framework

"Internal control consists of five interrelated components."

- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring

-- Internal Control – Integrated Framework – Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission.
COSO
Internal Control Components
[Figure: the five internal control components. -- Internal Control – Integrated Framework – Framework, COSO, p. 13.]

COSO
Internal Control Framework
[Figure: the internal control framework. -- Internal Control – Integrated Framework – Framework, COSO, p. 15.]
COSO
Internal Control Framework
[Figure: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components

Control Environment factors

- Organization tone
- Discipline and structure
- Integrity, ethics, competence
- Management philosophy and operating style
- Assignment of authority and responsibility
- Work organization
- Personnel development
- Attention and direction of the Board of Directors

-- Internal Control – Integrated Framework – Framework, COSO, p. 19.
COSO
Internal Control Framework
[Figure: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components

Risk Assessment

- Identify the risks relevant to achieving objectives
- Analyze these risks
- Determine how to manage them

Begins with the objectives:

- Operations objectives: achieving the entity's mission
- Financial reporting objectives: producing reliable financial statements
- Compliance objectives: complying with applicable laws and regulations

-- Internal Control – Integrated Framework – Framework, COSO, p. 29-44.
COSO
Internal Control Framework
[Figure: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring, with IS Controls called out]
COSO
Internal Control Components

Control Activities

Policies and procedures, which include:

- Approvals
- Authorizations
- Verifications
- Validations
- Reconciliations
- Valuations
- Classification controls
- Completeness controls
- Timeliness
- Posting and summarization controls
- Operating performance reviews
- Information processing controls
- Asset security
- Segregation of duties

-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.
COSO
Information Systems Controls

General Controls (apply to the IT environment as a whole)

- Data center operations
- System software
- Access security
- Application development and maintenance

Application Controls (built into individual business applications)

COBIT provides detailed control objectives for both.

-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.
Application Controls for Information Systems

Transaction processing integrity: every transaction processed should be

- Complete
- Accurate
- Authorized
- Valid
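The four integrity objectives above are what an application control actually enforces at the point a transaction enters a system. The following is an added example written for this page, not code from the slides or from COSO: a pre-posting gate for vendor invoices that rejects a transaction unless it is complete, accurate, authorized and valid (including segregation of duties between creator and approver), and then reconciles the accepted transactions to a batch control total. The vendor master, approver limits, field names and the sample batch are all constructed assumptions.

```python
"""Application controls over transaction processing.

Added example (not from the slide deck). Master data, approval limits,
field names and the sample batch below are constructed assumptions.
"""
from decimal import Decimal, InvalidOperation

# Constructed master data: approved-vendor master and approvers with limits.
VENDOR_MASTER = {"V-100", "V-200", "V-300"}
APPROVER_LIMITS = {"alice": Decimal("10000"), "bob": Decimal("50000")}
REQUIRED_FIELDS = ("id", "vendor", "amount", "created_by", "approved_by")


def check_transaction(tx):
    """Return a list of control failures for one transaction (empty = pass)."""
    failures = []

    # Completeness: every required field is present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not tx.get(f)]
    if missing:
        failures.append("incomplete: missing " + ", ".join(missing))
        return failures  # remaining checks need these fields

    # Accuracy: amount is a well-formed positive monetary value (2 dp).
    try:
        amount = Decimal(str(tx["amount"]))
    except InvalidOperation:
        failures.append("inaccurate: amount is not numeric")
        return failures
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        failures.append("inaccurate: amount must be positive with at most 2 decimals")

    # Validity: the vendor exists in the approved-vendor master file.
    if tx["vendor"] not in VENDOR_MASTER:
        failures.append("invalid: vendor %s not in vendor master" % tx["vendor"])

    # Authorization: approver is known, within limit, and not the creator
    # (segregation of duties).
    approver = tx["approved_by"]
    limit = APPROVER_LIMITS.get(approver)
    if limit is None:
        failures.append("unauthorized: %s is not an approver" % approver)
    elif amount > limit:
        failures.append("unauthorized: %s exceeds %s's limit of %s" % (amount, approver, limit))
    if approver == tx["created_by"]:
        failures.append("unauthorized: creator and approver are the same user")
    return failures


def check_batch(transactions, control_total):
    """Batch-level control: accepted transactions must sum to the control
    total recorded with the batch. Returns (failures by id, total, reconciled)."""
    results = {tx.get("id", "<no id>"): check_transaction(tx) for tx in transactions}
    accepted = [tx for tx in transactions if not results[tx.get("id", "<no id>")]]
    total = sum((Decimal(str(tx["amount"])) for tx in accepted), Decimal("0.00"))
    return results, total, total == Decimal(str(control_total))


# Constructed sample batch: one clean transaction and one failure per objective.
SAMPLE_BATCH = [
    {"id": "T1", "vendor": "V-100", "amount": "1250.00", "created_by": "carol", "approved_by": "alice"},
    {"id": "T2", "vendor": "V-999", "amount": "800.00", "created_by": "carol", "approved_by": "alice"},
    {"id": "T3", "vendor": "V-200", "amount": "20000.00", "created_by": "carol", "approved_by": "alice"},
    {"id": "T4", "vendor": "V-300", "amount": "300.00", "created_by": "bob", "approved_by": "bob"},
    {"id": "T5", "vendor": "V-300", "amount": "", "created_by": "carol", "approved_by": "bob"},
    {"id": "T6", "vendor": "V-100", "amount": "12.345", "created_by": "carol", "approved_by": "bob"},
]

if __name__ == "__main__":
    results, total, reconciled = check_batch(SAMPLE_BATCH, "1250.00")
    for tx_id, failures in results.items():
        print(tx_id, "OK" if not failures else "; ".join(failures))
    print("accepted total", total, "reconciled" if reconciled else "NOT reconciled")
```

Only T1 passes; the batch control total of 1250.00 therefore reconciles, which is the batch-level evidence that nothing accepted was dropped or altered between entry and posting.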
COSO
Internal Control Framework
[Figure: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components

Information and Communication

"Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities."

To the right people, in sufficient detail, on time.

-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.
COSO
Information and Communication

- Pertinent financial and non-financial information
- Information quality:
  - Appropriate
  - Timely
  - Current
  - Accurate
  - Accessible

-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.
COSO
Information & Communication

Including:

- Effective communication of duties and control responsibilities
- Communication of improprieties
- Management's receptivity to employee suggestions
- Timely, appropriate management follow-up
- Internal and external communications
  - Customer/supplier communications
  - Outside awareness of ethical standards

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 33-35.
COSO
Internal Control Framework
[Figure: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components

Monitoring

Ongoing assessment of the system's performance over time, accomplished through:

- Ongoing monitoring
- Separate evaluations
- Internal and external audits
- A combination of these

-- Internal Control – Integrated Framework – Framework, COSO, p. 65-74.
Internal Controls

Traditional generic classification of controls:

- By function: preventive, detective, corrective
- By implementation: manual, computer
- Managerial supervision
IT Controls

ISACA

- Formerly the EDP Auditors Association
- Founded in 1967

COBIT

- Control OBjectives for Information and related Technology
- Published by ISACA and the IT Governance Institute
- Defines IT controls in terms of four domains:
  - Planning & Organization
  - Acquisition & Implementation
  - Delivery & Support
  - Monitoring
Specific IT Control Issues

- ERP
- BPI (Business Process Improvement)
- B2C & B2B
- Risk measurement
- Intrusion detection
- Viruses
- Email integrity
Systems Based Approach

- Identify business processes
- Express them in flow charts
  - Conceptual
  - Physical
- Examine the transaction life cycle (from cradle to grave)
- Perform tests of transactions
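Once the process has been charted, a test of transactions follows individual transactions through that chart in both directions. The following is an added example written for this page, not code from the slides: "tracing" follows each source document forward to the ledger (completeness: everything that happened was recorded), "vouching" follows each ledger entry back to a source document (occurrence/validity: everything recorded actually happened), and the matched pairs are compared for amount (accuracy) and period (cutoff). The two populations, their field names and the year-end date are constructed assumptions.

```python
"""Tests of transactions: tracing and vouching over a sample population.

Added example (not from the slide deck). The source documents, ledger
postings, field names and the 2004-12-31 year-end are constructed assumptions.
"""
from datetime import date
from decimal import Decimal

PERIOD_END = date(2004, 12, 31)  # assumed fiscal year-end

# Constructed source documents (e.g. approved vendor invoices).
SOURCE_DOCS = [
    {"doc": "INV-1", "amount": "500.00", "date": date(2004, 12, 10)},
    {"doc": "INV-2", "amount": "75.50", "date": date(2004, 12, 20)},
    {"doc": "INV-3", "amount": "1200.00", "date": date(2004, 12, 30)},  # never posted
    {"doc": "INV-4", "amount": "90.00", "date": date(2005, 1, 3)},      # belongs to next period
]

# Constructed general-ledger postings, each citing a source document.
LEDGER = [
    {"entry": "GL-10", "doc": "INV-1", "amount": "500.00", "posted": date(2004, 12, 11)},
    {"entry": "GL-11", "doc": "INV-2", "amount": "57.50", "posted": date(2004, 12, 21)},  # transposed digits
    {"entry": "GL-12", "doc": "INV-4", "amount": "90.00", "posted": date(2004, 12, 31)},  # posted before its document
    {"entry": "GL-13", "doc": "INV-9", "amount": "40.00", "posted": date(2004, 12, 28)},  # no source document
]


def run_transaction_tests(source_docs, ledger, period_end):
    """Trace source->ledger and vouch ledger->source; return exceptions by type."""
    by_doc = {d["doc"]: d for d in source_docs}
    posted = {}
    for e in ledger:
        posted.setdefault(e["doc"], []).append(e)

    exceptions = {"unrecorded": [], "unsupported": [], "amount": [], "cutoff": []}

    # Tracing (completeness): every in-period document must appear in the ledger.
    for d in source_docs:
        if d["date"] <= period_end and d["doc"] not in posted:
            exceptions["unrecorded"].append(d["doc"])

    # Vouching (occurrence/validity): every posting must cite a real document.
    for e in ledger:
        src = by_doc.get(e["doc"])
        if src is None:
            exceptions["unsupported"].append(e["entry"])
            continue
        # Accuracy: the posted amount agrees with the document.
        if Decimal(e["amount"]) != Decimal(src["amount"]):
            exceptions["amount"].append((e["entry"], src["amount"], e["amount"]))
        # Cutoff: a posting inside the period must rest on a document dated inside it.
        if e["posted"] <= period_end < src["date"]:
            exceptions["cutoff"].append(e["entry"])
    return exceptions


if __name__ == "__main__":
    for kind, items in run_transaction_tests(SOURCE_DOCS, LEDGER, PERIOD_END).items():
        print("%-11s %s" % (kind + ":", items or "none"))
```

Each exception type maps to a different control failure in the flow chart: an unrecorded document points at the capture step, an unsupported posting at authorization, an amount difference at data entry or verification, and a cutoff exception at period-end procedures. In practice the populations are sampled rather than tested in full; the logic is the same.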