Sarbanes Oxley Sales Presentation - PowerPoint PPT Presentation

About This Presentation
Title:

Sarbanes Oxley Sales Presentation

Description:

... status and eventual disposition of alleged or suspected fraud and misconduct ... Involvement of other experts legal, accounting and other professional advisors ... – PowerPoint PPT presentation

Slides: 19
Provided by: garybe6

Transcript and Presenter's Notes

Title: Sarbanes Oxley Sales Presentation


1
The Committee of Sponsoring Organizations
Implementing the COSO Framework
2005
2
The COSO Internal Control Integrated Framework
  • In 1985, the Committee of Sponsoring
    Organizations of the Treadway Commission (COSO)
    was formed to sponsor the National Commission on
    Fraudulent Financial Reporting, whose charge was
    to study and report on the factors that can lead
    to fraudulent financial reporting.
  • A significant part of this mission is aimed at
    developing guidance on internal control.
  • In 1992, COSO published Internal
    Control-Integrated Framework, which established a
    framework for internal control and provided
    evaluation tools that businesses could use to
    evaluate their control systems.

3
Scoping The COSO Framework
Control Activities
  • Policies/procedures that ensure management
    directives are carried out
  • Range of activities including approvals,
    authorizations, verifications, recommendations,
    performance reviews, asset security and
    segregation of duties

Monitoring
  • Assessment of a control system's performance over
    time
  • Combination of ongoing and separate evaluation
  • Management and supervisory activities
  • Internal audit activities

Information and Communication
  • Pertinent information identified, captured and
    communicated in a timely manner
  • Access to internally and externally generated
    information
  • Flow of information that allows for successful
    control actions from instructions on
    responsibilities to summary of findings for
    management action

Risk Assessment
  • Risk assessment is the identification and
    analysis of relevant risks to achieving the
    entity's objectives, forming the basis for
    determining control activities

Control Environment
  • Sets tone of organization, influencing control
    consciousness of its people
  • Factors include integrity, ethical values,
    competence, authority, responsibility,
    organization structure, HR policies and IT
    control environment
  • Foundation for all other components of control

4
Control Environment
  • Sets the tone of the Company
  • Senior Management must set an appropriate "Tone
    at the Top" that positively influences the
    control consciousness of the personnel.
  • This is the foundation for all other components
    of internal controls and provides discipline and
    structure.

5
Control Environment
  • Factors that contribute to an effective control
    environment:
      • Integrity and Ethical Values
      • Commitment to Competence
      • Management's Philosophy and Operating Style
      • Organizational Structure
      • Assignment of Authority and Responsibility
      • Human Resources Policies and Practices
      • IT Considerations

6
Risk Assessment
  • Company must be aware of and deal with the risks
    it faces.
  • Set Objectives so that the organization is
    operating in concert.
  • Once objectives are set, the Company must identify
    the risks to achieving them, analyze those risks,
    and develop ways to manage them.

7
Risk Assessment Process
8
Risk Assessment: Manage Change
  • Changes in the operating environment
  • New personnel
  • New or revamped information systems
  • Rapid growth
  • New technology
  • New lines, products, or activities
  • Restructurings
  • Foreign operations
  • Accounting changes

9
Control Activities
  • Control Policies and Procedures must be
    established and executed to help ensure the
    actions identified by management to address risks
    are carried out.

10
Types of Control Activities
  • Top-level reviews
  • Information processing
  • General controls including software, maintenance,
    security
  • Application controls apply to the processing of
    individual applications, help ensure transactions
    are valid, properly authorized, completely and
    accurately processed.
  • Physical controls
  • Segregation of Duties

11
Information and Communication
  • Systems, including the accounting system, that
    enable the Company's people to capture and exchange
    information needed to conduct, manage, and
    control its operations.

12
Characteristics of Information and Communication
  • Financial and non-financial information needed to
    prepare reports
  • Information received from external sources
  • Expected behavior: what is acceptable and
    unacceptable
  • Key role played by senior management: open and
    effective means of communicating information
    upstream.
  • A clear-cut willingness to listen
  • Routine and non-routine information

13
Monitoring
  • The entire control process must be monitored.
  • A process that assesses the quality of internal
    control performance over time.

14
Examples of On-Going Monitoring Activities
  • The regular management and supervisory activities
    carried out in the normal course of business
  • Communications from external parties, which can
    corroborate internally generated information or
    indicate problems
  • Customers corroborate billing data
  • Customer complaints
  • External Auditors regularly provide
    recommendations on the way internal controls can
    be strengthened.
  • Employees may be required to sign off to
    evidence performance of control functions.

15
Anti-Fraud Provisions
  • The SEC's rules relating to management's reports
    on internal control include commentary on the
    background of the rules and insight on how the
    rules should be interpreted and implemented,
    including:
      • The assessment of a company's internal control
        over financial reporting must be based on
        procedures sufficient both to evaluate its design
        and to test its operating effectiveness. Controls
        subject to such assessment include, but are not
        limited to, controls related to the prevention
        and detection of fraud.
  • In addition to the SEC guidance, the PCAOB, in
    its Auditing Standards 2, has stated the
    following:
      • That management's responsibility when designing a
        company's internal control over financial
        reporting is to design and implement programs and
        controls to prevent, deter, and detect fraud.
      • Management, along with those who have
        responsibility for oversight of the financial
        reporting process (such as the audit committee),
        should set the proper tone; create and maintain a
        culture of honesty and high ethical standards;
        and establish appropriate controls to prevent,
        deter, and detect fraud.

16
Anti-Fraud Provisions: Roles and Responsibilities
  • Anti-fraud roles and responsibilities of
    principal corporate players
  • The Board of Directors and Audit Committee
    actively oversee the internal controls over
    financial reporting established by management as
    well as the process by which management satisfies
    itself that these controls are acting
    effectively. Board oversight must be active, not
    passive, and should extend to:
      • Management's antifraud programs and controls,
        including management's identification of fraud
        risks and implementation of antifraud measures
      • The potential for management override of controls
        or other inappropriate influence
      • Mechanisms for employees to report concerns
      • Receipt and review of periodic reports describing
        the nature, status and eventual disposition of
        alleged or suspected fraud and misconduct
      • An internal audit plan that addresses fraud risk
        and a mechanism to ensure that internal audit can
        express any concerns about management's
        commitment to appropriate internal controls or to
        report suspicions or allegations of fraud (NYSE
        traded only)
      • Involvement of other experts (legal, accounting
        and other professional advisors) as needed to
        investigate any alleged or suspected wrongdoing
        brought to their attention
  • Management is responsible for the design,
    implementation and execution of the
    organization's antifraud programs and controls.
    Management must assess fraud risk at the
    company-wide, business-unit and
    significant-account levels as well as attest to
    the quality of the company's antifraud controls.

17
COSO and Fraud Assessment
  • Control Environment
      • Code of Conduct/Ethics
      • Whistleblower/Ethics hotline
      • Hiring and Promotion
      • Audit Committee Oversight
      • Investigative Process
      • Remediation
  • Risk Assessment
      • Systematic Process
      • Likelihood and Significance
  • Control Activities
      • Linking Controls to Identified Fraud Risks
  • Information and Communication
      • Fraud and Code of Conduct Training and Knowledge
        Management
      • IT Systems (Security, Misuse) Considerations
  • Monitoring
      • On-Going Monitoring by Management
      • Separate after-the-fact evaluations by
        Management

18
The New Box
  • What Does the Future Hold?

[Figure labels: Strategic, Objective Setting, Event Identification, Internal Environment, Risk Response]