The Sarbanes-Oxley Act and its Implications for the Accounting


The Impact of Sarbanes-Oxley on IT

Presented by

Jerald Savin, FIMC, CMC, CPA, CITP

Cambridge Technology Consulting Group, Inc.

201 Wilshire Blvd., Ste 41, Santa Monica, CA 90401

Tel: (310) 229-8947 - Email: jsavin@ctcg.com

For the July CIO Breakfast

Jerald (Jerry) M. Savin

President/CEO, Cambridge Technology Consulting Group, Inc.

Certified Public Accountant (CPA)

Fellow Institute of Management Consultants (FIMC)

Certified Management Consultant (CMC)

Certified Information Technology Professional (CITP)

Former Chairman, Institute of Management Consultants USA

co-author

Richard Savich, Ph. D., C.P.A.

President, ABKO Consulting (A Business Knowledge Organization)

Director, Professional Development Institute, The Collins School of Hospitality Management, Cal Poly Pomona

Formerly, National Director, Management Consulting Training, Coopers & Lybrand and Ernst & Young

Formerly, Professor, USC School of Accounting

Outline

The Sarbanes-Oxley Act

Section 404 - Internal Controls

Trends and Developments

Questions & Answers

The Sarbanes-Oxley Act

101 Board Membership

103 Board Duties

108 Accounting Standards

201 Prohibited Activities

203 Audit Partner Rotation

301 Audit Committees

302 Corporate Responsibility For Financial Reports

402 Loans to Executives

404 Mgmt Assessment of Internal Controls

407 Disclosure of Audit Committee Financial Expert

806 Whistle Blower Protection

PCAOB

(www.pcaobus.org)

PCAOB - Auditing Standards

 Amend, modify, repeal and reject standards suggested by designated professional groups of accountants and by standard-setting advisory groups

 Report on its standard-setting activities to the SEC annually

Section 404

Internal Control Standard

PCAOB must adopt an audit standard to implement an internal control review

The standard must require the auditor to evaluate whether the internal control structure and procedures

 Include records that accurately and fairly reflect the transactions of the issuer

Provide reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP, and

Provide a description of any material weaknesses in the internal controls

Section 404

Management Assessment of Internal Controls

404(a)

Management’s responsibility for establishing and maintaining adequate internal control for financial reporting.

404(b)

Independent auditor’s responsibility for attesting to and reporting on management’s assessment of internal control.

Section 404(a)

Management’s Responsibilities:

 Implement effective internal structure and procedures for ICOFR

Evaluate effectiveness of ICOFR using suitable internal control framework

Support that evaluation with sufficient evidence

Present a written assessment of the effectiveness at year end

Section 404(b)

Auditor’s Responsibilities:

Evaluate management’s assessment

Obtain an understanding of the company’s ICOFR

Test and Evaluate the design and operational effectiveness of ICOFR

Form an opinion regarding the adequacy and effectiveness of ICOFR

Section 302

Corporate Responsibility For Financial Reports (1 of 3)

 CEO/CFO certifications

Financial statements and disclosures comply with the requirements of the Exchange Act

Disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer

Section 302

Corporate Responsibility For Financial Reports (2 of 3)

Establish and maintain disclosure controls and procedures that are designed to ensure that material information is made known to the officers

Evaluate the effectiveness of the disclosure controls and procedures in the last 90 days

Present their conclusions about the effectiveness of the disclosure controls and procedures

Section 302

Corporate Responsibility For Financial Reports (3 of 3)

Disclose to the auditors/audit committee any significant deficiencies or material weaknesses in internal controls and any fraud committed by any person with a significant role in internal control

Indicate whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions for significant deficiencies/material weaknesses

Section 404

Management Assessment of Internal Controls (1 of 2)

 Internal Control Report

Effective for fiscal years ending on or after

November 15, 2004 for accelerated filers (Originally 6/15/04)

July 14, 2005 for non-accelerated filers

(Originally 4/15/05)

Signed by the CEO and CFO

Must contain statements

Management is responsible for establishing and maintaining adequate internal control over financial reporting

Identify the framework used by management to evaluate the effectiveness of the internal control

Assessment of the effectiveness of the internal controls as of year-end

Auditor has issued an attestation report on management’s assessment

Section 404

Management Assessment of Internal Controls (2 of 2)

ICOFR is not effective if there are one or more material weaknesses in internal control

 Management's evaluation should be based on a suitable, recognized internal control framework

Internal Control over Financial Reporting (ICOFR) defined (1 of 2)

 ICOFR

Is a process

Designed by the principal executive and financial officers and approved by management and the Board of Directors

To provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP and include those policies and procedures that

Internal Control over Financial Reporting (ICOFR) defined (2 of 2)

Pertains to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets

Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures are being made only in accordance with authorizations of management and the directors

Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements

The Auditor

Is required to attest to/report on management’s assessment

In accordance with standards issued/adopted by PCAOB

This evaluation is not a separate engagement

“… integrated audit …”

Key Dates

July 30, 2002 - Date of Enactment

April 18, 2003 - Interim Auditing Stds issued

March 9, 2004 - Auditing Std No 2 issued

November 15, 2004

(Originally June 15, 2004)

404 Internal Control assessments due for Accelerated filers with fiscal years ending on/after

July 15, 2005

(Originally April 15, 2005)

404 Internal Control assessments due for Nonaccelerated filers with fiscal years ending on/after

PCAOB Auditing Standards

2004-001 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (03/09/04) (Standard No. 2)

2003-026 – Technical Amendments to Interim Standards Rules (12/18/03)

2003-025 – References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board (12/18/03)

2003-009 – Compliance with Auditing and Related Professional Practice Standards (6/30/03)

2003-006 – Establishment of Interim Professional Auditing Standards (4/18/03) (Standard No. 1)

2004-002 – Proposed Auditing Standards Conforming Amendments to PCAOB Interim Standards … (Comment period ended 4/23/04)

PCAOB Standards

An Audit Of Internal Control Over Financial Reporting Performed In Conjunction With An Audit Of Financial Statements, Release 2004-001, March 9, 2004

“… integrated audit of the financial statements and internal control over financial reporting.” “… not a … separate engagement.”

(p. 8)

“COSO … provides a suitable framework for purposes of management’s assessment.”

(p. 9)

“… an auditor impairs his or her independence if the auditor audits his or her own work, including any work on designing or implementing an audit client’s internal control system.”

(p. 10,11)

Outline

The Sarbanes-Oxley Act

Section 404 - Internal Controls

Trends and Developments

Questions & Answers

COSO

The Committee of Sponsoring Organizations of the Treadway Commission

 AICPA, AAA, FEI, IIA, IMA

Is a voluntary private sector organization

Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting

Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.

COSO

Definition of Internal Control

 Internal control is a process, instituted by an entity’s board of directors and management that is designed to provide reasonable assurance regarding the achievement of the following categories of objectives:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations

COSO

Internal Control Framework

“Internal control consists of five interrelated components.”

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring

-- Internal Control – Integrated Framework – Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission.

COSO

Internal Control Framework

 Three categories of objectives:

Operations

Financial reporting

Compliance

 Relates to the entire enterprise:

 To all Units

 To all Activities

COSO

Internal Control Components

-- Internal Control – Integrated Framework – Framework, COSO, p. 13.

COSO

Internal Control Framework

-- Internal Control – Integrated Framework – Framework, COSO, p. 15.

COSO

Internal Control Framework

(Figure: the COSO framework diagram showing its five components: Monitoring; Information & Communication; Control Activities; Control Environment; Risk Assessment)

COSO

Internal Control Components

 Control Environment factors

 Organization tone

Discipline and structure

Integrity, ethics, competence

Management philosophy and operating style

Assignment of authority & responsibility

Work organization

Personnel development

Attention & direction of Board of Directors

-- Internal Control – Integrated Framework – Framework, COSO, p. 19.

COSO

Internal Control Components

 Control Environment factors

Integrity & ethical values

Incentives & temptations

Moral Guidance

Commitment to Competence

Board of Directors & Audit Committee

Management Philosophy & Operating Style

Organizational Structure

Assignment of Authority & Responsibility

Human Resources Policies & Practices

Evaluation

(p. 27/28)

-- Internal Control – Integrated Framework – Framework, COSO, p. 19-28.

COSO

Internal Control Framework

(Figure: the COSO framework diagram showing its five components: Monitoring; Information & Communication; Control Activities; Control Environment; Risk Assessment)

COSO

Internal Control Components

Risk Assessment

Identify relevant risks to achieve objectives

Analyze these risks

Determine how to manage them

Begins with the Objectives:

Operations Objectives

Achieving the entity’s mission

Financial Reporting Objectives

 Producing reliable financial statements

 Compliance Objectives

 Complying with applicable laws and regulations

-- Internal Control – Integrated Framework – Framework, COSO, p. 29-44.

Risk Assessment

Types of Risk:

Control Risk

That an error will not be prevented, detected or corrected on a timely basis

Detection Risk

 Fail to detect material errors

COSO

Risk Management

 Managing Change

Identify & react to routine events

Identify & react to dramatic events

New or redesigned information systems

Rapid growth

New technology

New lines, products, activities, acquisitions

Corporate restructuring

Foreign operations

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 24-27.

COSO

Internal Control Framework

(Figure: the COSO framework diagram showing its five components: Monitoring; Information & Communication; Control Activities; Control Environment; Risk Assessment; with IS Controls labelled within the diagram)

COSO

Internal Control Components

 Control Activities

 Policies and Procedures, which include

Approvals

Verifications

Reconciliations

Classification controls

Timeliness

Authorizations

Validations

Valuations

Completeness controls

Posting and Summarization Controls

Operating performance reviews

Information Processing Controls

Asset security

Segregation of duties

-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.

COSO

Information Systems Controls

General Controls

Data Center Operations

System Software

Access Security

Application Development & Maintenance

Application Controls

 COBIT provides details

-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.

General Controls for Information Systems

 Data Center Operations

Backup and recovery procedures

Contingency and disaster recovery planning

Job set up and scheduling procedures

Operational controls

General Controls for Information Systems

 System Software Controls

 Acquisition, implementation & maintenance of

Operating system software

Database management software

Telecommunications

Security

Utility

General Controls for Information Systems

 Access Security

Access controls

Firewalls, Intrusion Detection and Prevention Systems (IDS/IPS)

Password policies

General Controls for Information Systems

 Application development (SDLC)

Project authorization

Approval of development & maintenance

Application system development controls

Application system maintenance controls

Testing

Application Controls for Information Systems

 Application level risks

Application availability

Security

Integrity

Maintainability

Application Controls for Information Systems

 Application level risks

 Data risks

 Completeness

Integrity

Confidentiality

Privacy

Accuracy

Application Controls for Information Systems

 Application interface integrity:

All inputs are received

Inputs are valid

Outputs are correct

Outputs are properly distributed

Application Controls for Information Systems

 Transaction processing integrity:

Complete

Accurate

Authorized

Valid
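The four transaction-processing objectives above (complete, accurate, authorized, valid), together with the interface checks that inputs are valid and outputs correct, can be enforced as preventive controls inside the posting step itself. The following Python is an added illustration, not code from the presentation or from any framework it cites; the chart of accounts, user roles, approval limits and journal entries are all constructed for the example, and the segregation-of-duties rule it applies (the preparer may not approve their own entry) is the authorization/record-keeping split the presentation lists later under Internal Controls Examples.

```python
"""Added example (not from the presentation): preventive application controls
for a journal-entry posting step - completeness, accuracy, authorization,
validity - plus segregation of duties between preparer and approver.
All accounts, roles, limits and sample entries are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts and authorization matrix (hypothetical).
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Accounts Receivable", "4000": "Revenue"}
APPROVAL_LIMITS = {"controller": Decimal("1000000"), "ap_supervisor": Decimal("10000")}
USER_ROLES = {"alice": "ap_clerk", "bob": "ap_supervisor", "carol": "controller"}
REQUIRED_FIELDS = ("entry_id", "preparer", "approver", "lines")


@dataclass
class ControlResult:
    posted: bool
    findings: list = field(default_factory=list)


def _money(value):
    """Accuracy: amounts must be finite, positive decimals with at most 2 places."""
    try:
        amount = Decimal(str(value))
    except (InvalidOperation, ValueError):
        return None
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        return None
    return amount


def evaluate_entry(entry):
    """Run every preventive control; an entry posts only if all of them pass,
    and each failure is recorded so the audit trail names the objective missed."""
    findings = []
    # Completeness: every required field present and at least one line.
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        return ControlResult(False, [f"completeness: missing {missing}"])
    if not entry["lines"]:
        findings.append("completeness: no lines")

    debits = credits = Decimal(0)
    for line in entry["lines"]:
        # Validity: the account must exist in the chart of accounts.
        if line.get("account") not in CHART_OF_ACCOUNTS:
            findings.append(f"validity: unknown account {line.get('account')!r}")
        amount = _money(line.get("amount"))
        if amount is None:
            findings.append(f"accuracy: bad amount {line.get('amount')!r}")
            continue
        if line.get("side") == "debit":
            debits += amount
        elif line.get("side") == "credit":
            credits += amount
        else:
            findings.append(f"validity: bad side {line.get('side')!r}")
    # Validity: double-entry bookkeeping requires debits to equal credits.
    if debits != credits:
        findings.append(f"validity: unbalanced (dr {debits} != cr {credits})")

    # Authorization: the approver's role must carry a sufficient limit ...
    preparer, approver = entry["preparer"], entry["approver"]
    role = USER_ROLES.get(approver)
    limit = APPROVAL_LIMITS.get(role)
    if limit is None:
        findings.append(f"authorization: {approver!r} cannot approve entries")
    elif debits > limit:
        findings.append(f"authorization: {debits} exceeds {role} limit {limit}")
    # ... and segregation of duties: nobody approves an entry they prepared.
    if preparer == approver:
        findings.append("segregation of duties: preparer approved own entry")
    return ControlResult(not findings, findings)


def post_entries(entries):
    """Post the entries that pass; log every decision for later monitoring."""
    ledger, audit_log = [], []
    for entry in entries:
        result = evaluate_entry(entry)
        audit_log.append((entry.get("entry_id"), result.posted, result.findings))
        if result.posted:
            ledger.append(entry)
    return ledger, audit_log


# Constructed sample entries: one clean, one self-approved, one with a
# three-decimal amount that also leaves the entry unbalanced.
SAMPLE_ENTRIES = [
    {"entry_id": "JE-1", "preparer": "alice", "approver": "bob",
     "lines": [{"account": "1200", "side": "debit", "amount": "500.00"},
               {"account": "4000", "side": "credit", "amount": "500.00"}]},
    {"entry_id": "JE-2", "preparer": "bob", "approver": "bob",
     "lines": [{"account": "1000", "side": "debit", "amount": "75.00"},
               {"account": "1200", "side": "credit", "amount": "75.00"}]},
    {"entry_id": "JE-3", "preparer": "alice", "approver": "carol",
     "lines": [{"account": "1000", "side": "debit", "amount": "100.00"},
               {"account": "4000", "side": "credit", "amount": "90.005"}]},
]

if __name__ == "__main__":
    for entry_id, posted, findings in post_entries(SAMPLE_ENTRIES)[1]:
        print(entry_id, "posted" if posted else "rejected", findings)
```

Run as a script, JE-1 posts, JE-2 is rejected for the segregation-of-duties failure, and JE-3 is rejected for both the malformed amount and the resulting imbalance. The audit log records rejections as well as postings, which is what lets the monitoring component later ask the auditor questions the presentation lists (what errors were found, what happened as a result, how they were resolved).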

COSO

Internal Control Framework

(Figure: the COSO framework diagram showing its five components: Monitoring; Information & Communication; Control Activities; Control Environment; Risk Assessment)

COSO

Internal Control Components

 Information and Communication

“Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.”

 To the right people in sufficient detail on time

-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.

COSO

Information and Communication

Pertinent Financial & Non-financial

Information

Information Quality

Appropriate

Timely

Current

Accurate

Accessible

-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.

COSO

Information & Communication

 Including

Effective communication of duties and control responsibilities

Communication of improprieties

Management’s receptivity to employee suggestions

Timely appropriate mgmt follow-up

Internal and External communications

Customer/supplier communications

Outside awareness of ethical standards

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 33-35.

COSO

Internal Control Framework

(Figure: the COSO framework diagram showing its five components: Monitoring; Information & Communication; Control Activities; Control Environment; Risk Assessment)

COSO

Internal Control Components

 Monitoring

Ongoing assessment of the system’s performance over time

 Accomplished through

 Ongoing monitoring

Separate evaluations

Internal and external audits

Combination

-- Internal Control – Integrated Framework – Framework, COSO, p. 65-74.

Internal Controls

 Traditional Generic List of Controls

Preventive

Detective

Corrective

Manual

Computer

 Managerial supervision

Internal Control Examples

Direct management of the business

Performance reviews

Executive

Functional

Activity

Use of performance measures, indicators, benchmarks

Independent performance checks

Management of human capital

Internal Controls Examples

Proper procedures for authorizing transactions

Proper execution of transactions & events

Accurate & timely recording of transactions & events

Segregation of duties

Authorization

Record keeping

Custody

Internal Controls Examples

Physical controls over vulnerable assets and records

Access restrictions to and accountability for resources & records

Appropriate documentation of transactions and internal controls

Information processing controls

COSO

Reference Manual

 Format

Objectives

O,F,C:

O = Operations

F = Financial reporting

C = Compliance

Risks

Points of Focus for Actions/Control

Activities

-- Internal Control – Integrated Framework – Evaluation Tools, COSO.

COSO

Reference Manual

 Basic Value Chain Activities:

Inbound

Operations

Outbound

Marketing/Sales

Service

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 49.

COSO

Reference Manual

 Infrastructure Support Activities:

Administration

Human Resources

Technology Development

Procurement

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.

COSO

Reference Manual

 Administrative subactivities:

Manage Finance

Manage Enterprise

Manage External Relations

Provide Administrative Services

Manage Information Technology

Manage Risks

 Manage Legal Affairs

 Plan

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.

COSO

Reference Manual

Administrative Controllership subactivities:

Process A/P

Process A/R

Process Funds

Process Fixed Assets

Analyze and Reconcile

Process Benefits & Retirement

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.

COSO

Reference Manual

Administrative Controllership subactivities:

Process Payroll

Process Tax Compliance

Process Product Costs

Provide Financial & Management Reporting

-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.

COSO Summary

 Criticized as

Too Vague

Contains guidelines

Doesn’t contain specific work program

Too Operational

Includes operational areas traditionally outside of the auditors’ examination

IT Controls

 ISACA

Formerly EDP Auditors Association

Founded in 1967

ISACA

Standards

Guidelines

Procedures

Control Objectives

Control Practices

Audit Guidelines

Management Guidelines

COBIT

Control OBjectives for Information and related Technology

ISACA/IT Governance Institute

Defines IT Controls in terms of

Planning & Organization

Acquisition & Implementation

Delivery & Support

Monitoring

COBIT

 Planning & Organization

Define strategic IT plan

Define information architecture

Determine technology direction

Define IT organization & relationships

Manage IT investment

Communicate mgmt aims & direction

COBIT

 Planning & Organization

Manage human resources

Comply with external requirements

Assess risks

Manage projects

Manage quality

COBIT

 Acquisition & Implementation

Identify automated solutions

Acquire & maintain application software

Acquire & maintain technology infrastructure

Develop & maintain procedures

Install & accredit systems

Manage changes

COBIT

 Delivery & Support

Define & manage service levels

Manage third-party services

Manage performance & capacity

Ensure continuous service

Ensure systems security

Identify & allocate costs

COBIT

 Delivery & Support

Educate & train users

Assist & advise customers

Manage configuration

Manage problems & incidents

Manage data

Manage facilities

Manage operations

COBIT

 Monitoring

Monitor the process

Assess internal control adequacy

Obtain independent assurance

Provide for independent audit

Specific IT Control Issues

ERP

BPI (Business Process Improvement)

B2C & B2B

Risk Measurement

Intrusion Detection

Viruses

Email integrity

Third Parties

Evaluate the role third parties play in relation to IT environment, related controls and control objectives

Third party provider controls

Third parties subcontractors

 SAS 70 Type 2

ISO 17799 (BS7799)

“A comprehensive set of controls comprising best practices in information security”

“Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization”

ISO 17799 (BS7799)

Security Policy

System Access Control

Computer & Operations Mgmt

System Development & Maintenance

Physical & Environmental Security

Compliance

Personnel Security

Security Organization

Asset Classification and Control

Business Continuity Management (BCM)

Mgmt Assessment Process

1. Plan the Assessment

2. Document the ICOFR

3. Evaluate their design & effectiveness

4. Identify, Assess, Correct Deficiencies

5. Prepare written assessment

-- Adapted from the 404 Institute

Mgmt Assessment Process

1. Plan the Assessment

Determine Scope:

Controls related to all significant accounts and disclosures in financial statements

An account is considered significant when there is more than a remote likelihood that it could contain misstatements that individually or aggregated with others could have a material effect on the financials. -- Std No. 2

Mgmt Assessment Process

1. Plan the Assessment

Identify assessment team

Identify significant

Milestones

Schedule

Resources

Determine documentation approach

Mgmt Assessment Process

1. Plan the Assessment

Other Considerations:

Multi-location

Use of outside service organizations – Type II SAS 70 report

Evaluation of IT Controls – IT risks

Inaccurately processing accurate data; accurately processing inaccurate data

Unauthorized access; Unauthorized changes to programs/data; Potential loss of data

Mgmt Assessment Process

2. Document ICOFR

Document the design of controls over relevant assertions

Document the initiation, authorization, recording, processing and reporting of significant transactions

Document transaction flow to identify where misstatements might occur

Mgmt Assessment Process

2. Document ICOFR

Document controls designed to prevent or detect fraud

Document controls over period-end processing

Document controls to safeguard assets

Document the results of management’s assessment

Mgmt Assessment Process

3. Evaluate the design & effectiveness of ICOFR

 Effectively designed controls are expected to prevent and detect errors or fraud

Design = the controls are appropriate to prevent or detect misstatements

Effectiveness = the controls are functioning as designed

Mgmt Assessment Process

3. Evaluate the design & effectiveness of ICOFR

Measuring effectiveness

Are the systems functioning as intended?

Are the controls operating as designed?

Do the people performing the controls possess the authority and qualifications to effectively perform the controls?

Mgmt Assessment Process

4. Identify, Assess & Correct Deficiencies

Deficiency

Deficiencies exist when misstatements are not prevented or detected on a timely basis in the normal course of business

Design deficiency = a necessary control is missing or not properly designed

Operating deficiency = a properly designed control is not operating as designed or the person performing the control is inadequate

Mgmt Assessment Process

4. Identify, Assess, Correct Deficiencies

Definitions:

Significant deficiency = control deficiency that adversely affects the initiation, authorization, recording, processing or reporting of reliable financial data

Material deficiency = significant deficiency that results in more than remote likelihood of a material misstatement

Per PCAOB Standard No. 2

Mgmt Assessment Process

5. Prepare report

Management acknowledges its responsibility for establishing and maintaining adequate ICOFR

Identifies the ICOFR framework used

Assesses the effectiveness of ICOFR as of yearend

No sample management report was provided in Standard No. 2.

The Audit Process

1. Plan the engagement

2. Evaluate Management’s Assessment Process

3. Understand company’s ICOFR

4. Test & Evaluate Design and Effectiveness of ICOFR

5. Form an Opinion

-- Adapted from the 404 Institute

Auditor Questions

 What was examined to determine the existence of errors?

What kinds of errors were found?

What happened as a result of finding these errors?

How were the errors resolved?

Have personnel been asked to override the processes or controls?

Internal Control Assessment

 Alternative Approaches

Financial Statement/Account based

Systems based

Role of “Best Practice Models”

Account Based Approach

Begin with Financial Statement captions or Trial Balance accounts

Identify

Business cycle

Client processes

Inherent risks

 Risk ranking (High, Medium, Low)

Identify Internal Controls

Account Based Approach

F/S Caption | Business Cycle | Client Process | Inherent Risks | Risk Ranking

1 Revenue | Revenue Cycle | Client's sales process | Revenue Recognition; Authorization; Billing Accuracy; GAAP compliance | High

2 Accounts Receivable | Treasury Cycle | AR process; Cash application process; Collection process; Discrepancy resolution | Accuracy; Application; Valuation | High

3 Cash | Treasury Cycle | Cash Receipts; Check Authorization/Writing | Accuracy; Completeness | High

4 Operating Expenses | Expenditure Cycle - Non-payroll | Vendor controls; Procurement process; Receiving process; Invoice processing; General Ledger recording | Accuracy; Completeness; Segregation of duties | Medium

5 Accrued Compensation | Expenditure Cycle - Payroll | Employee hiring; Personnel records; Time and Attendance capture; Payroll interface | Accuracy; Completeness | High

Evaluating Risk

In terms of

 Materiality

 Process Complexity

 Susceptibility to Change

 Accounting History

Evaluating Risk

Materiality

 Dollar amount

 Transaction volume

 Impact on ratios & covenants

 Individually & collectively

Evaluating Risk

 Process Complexity

Number of people/departments

Number of steps/phases

Number of interfaces (“hand-offs”)

Number of internal controls

Technical nature

Skill required vs. Skill available

Evaluating Risk

Susceptibility to Change

 Process stability

 Likelihood of future changes

Accounting History

 Number of errors

 Number of adjustments

Systems Based Approach

Identify business processes

Express them in “flow charts”

 Conceptual

 Physical

Examine transaction life cycle (from cradle-to-grave)

 Perform tests of transactions

Systems Based Approach

Approaches:

“Black Box”

 Reconciliation

“White Box”

 Internal controls

Internal

Controls

Identify control mechanisms

Are they adequate (design)?

Are they effective?
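A “black box” reconciliation compares what went into a process with what came out, without examining the process internals; the “white box” follow-up is to locate the specific control that failed. The following Python is an added illustration of that detective control over an accounts receivable control account; it is not code from the presentation or from the 404 Institute material it adapts. The subledger rows, the GL movement figures (including the November discrepancy) and the transaction types are constructed for the example.

```python
"""Added example (not from the presentation): a "black box" reconciliation
of a receivables subledger to the general ledger control account, period by
period.  Subledger rows, GL figures and transaction types are constructed."""
from collections import defaultdict
from decimal import Decimal

# Constructed subledger: (period, customer, type, amount).  Invoices increase
# receivables; receipts and credit memos reduce them.
SUBLEDGER = [
    ("2004-10", "C001", "invoice", "1200.00"),
    ("2004-10", "C002", "invoice", "800.00"),
    ("2004-10", "C001", "receipt", "1200.00"),
    ("2004-11", "C002", "invoice", "450.00"),
    ("2004-11", "C002", "receipt", "300.00"),
    ("2004-11", "C003", "credit_memo", "50.00"),
]

# Constructed net movement on the GL control account by period.  The
# November figure deliberately disagrees with the subledger.
GL_AR_MOVEMENT = {"2004-10": "800.00", "2004-11": "150.00"}

SIGN = {"invoice": 1, "receipt": -1, "credit_memo": -1}


def subledger_movement(rows):
    """Net receivables movement per period implied by the subledger."""
    totals = defaultdict(lambda: Decimal("0"))
    for period, _customer, kind, amount in rows:
        if kind not in SIGN:
            raise ValueError(f"unknown transaction type {kind!r}")
        totals[period] += SIGN[kind] * Decimal(amount)
    return dict(totals)


def reconcile(rows, gl_movement, tolerance=Decimal("0.00")):
    """Return {period: (subledger, gl, difference)} for every period where the
    two sides disagree by more than the tolerance.  A period present on only
    one side is reported too, since that is a completeness failure."""
    sub = subledger_movement(rows)
    exceptions = {}
    for period in sorted(set(sub) | set(gl_movement)):
        s = sub.get(period, Decimal("0"))
        g = Decimal(gl_movement.get(period, "0"))
        if abs(s - g) > tolerance:
            exceptions[period] = (s, g, s - g)
    return exceptions


if __name__ == "__main__":
    for period, (s, g, diff) in reconcile(SUBLEDGER, GL_AR_MOVEMENT).items():
        print(f"{period}: subledger {s} vs GL {g}, difference {diff}")
```

Run as a script, October reconciles and November is reported with a difference of -50. The reconciliation says only that the process produced a wrong output for that period; finding out whether a receipt was posted to the GL twice, a credit memo never reached the subledger, or the interface dropped a record is the white box step of identifying the control mechanism and asking whether it was adequately designed and operating effectively.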

Which Approach is Best?

Top Down

 Process oriented

Systemic approach

Requires systems expertise

May take longer

Bottom Up

 Financial Statement/Account oriented

Focuses on the pieces before the whole

Tends to exaggerate the number of assertions and controls

Does not necessarily comprehend the whole

Outline

The Sarbanes-Oxley Act

Section 404 - Internal Controls

Trends and Developments

Questions & Answers

Trends

Internal control review is more expensive than audit, at least the first time

Internal control prep takes extensive resources and budget

Annual reports will increase in size

Trends

Different standards among the Big 4

Different standards within the Big 4

Struggle between auditors and clients over amount of ICOFR

Big 4 cannot consult on ICOFR for clients

The “grey line”

 May provide some guidance/resources

 But cannot impair independence

Private Companies Trends

Two standards

“Big GAAS” and “Little GAAS”

Other Actions

Banking Regulators

SEC: Non-Public Broker-Dealers deferred until after 1/1/05

Cascading

New York

 8 Bills

California

AB 664 (Correa)

AB 665 (Correa)

SB 1262 (Sher)

SB 1272

Private Companies Trends

Being acquired by a public company just became more complicated

Going public just became more complicated

Questions to ponder

How will SOX be applied to nonpublic companies?

What will businesses do differently tomorrow because of SOX?

How will you be involved?

From the IT Perspective

Confusing, contradictory guidance

Prone to evaluate IT at the micro level rather than macro level

Corporate level Policy/Procedures

Adapted for locations/systems

Fail to involve IT in accounting systems assessments

 Compartmentalize the controls

From the IT Perspective

Assessors have limited IT expertise

Opportunity to enhance IT

 Convert a directive into growth

IT will require additional resources to comply

From the IT Perspective

Confusing areas:

Business continuity

Third parties

Hot Topics:

Change management

System Development/Maintenance

Security

From the IT Perspective

Weak areas:

 Data integrity

Complicating factors:

Multi-location

Multi-system

Resources

 www.404institute.com

 www.aaahq.org

www.accountingweb.com

www.aicpa.org

www.coso.org

www.fei.org

www.imanet.org

www.isaca.org

www.pcaobus.org

www.sec.gov

www.theiia.org

Resource

Internal Control Reporting – Implementing Sarbanes-Oxley Section 404, AICPA paperback

Authoritative Literature

COSO IC Integrated Framework

Project Planning

Documentation of Internal Control

Testing of Internal Control

Outline

The Sarbanes-Oxley Act

Section 404 - Internal Controls

Trends and Developments

Questions & Answers

Questions and Answers

Good Luck!
