SOX - PowerPoint PPT Presentation


1
SOX IT Governance
  • A New Reality
  • Corey Benish, CISA

2
Background
  • Certified Information Systems Auditor.
  • Experience in various industries including
    broker-dealer, private asset management, mortgage
    and commercial lending, manufacturing, software
    development, and other financial services.
  • Managed Sarbanes-Oxley compliance activities for
    both business and IT processes.
  • Consulted with organizations of various sizes (< $1
    billion in revenue to > $10 billion in revenue)
    on their Sarbanes-Oxley compliance.

3
Agenda
  • Sarbanes Oxley (SOX) Review
  • Outcomes of SOX
  • Common IT Governance Frameworks
  • Typical Compliance Approach
  • Key Success Factors
  • Question & Answer

4
Sarbanes Oxley (SOX) Review
5
SOX Review - Intent of the Law
  • Strong corporate governance.
  • Increased accountability of executives.
  • Strengthen anti-fraud measures.
  • Protect public interest and restore investor
    confidence.

6
SOX Review - Intent of the Law
  • The Bottom Line:
  • SOX is designed to ensure public companies have
    controls in place over financial reporting:
    controls that support the assertions made in
    public disclosures of financial statements.

7
SOX Review - Effective Dates
  • The Sarbanes-Oxley Act of 2002 was enacted by
    Congress on July 26, 2002.
  • Companies were required to be compliant by
    various dates (based upon several factors
    including market capitalization, spin-off
    exclusions, etc.).
  • Currently considering extending the deadline for
    non-accelerated filers (on or after 12/31/2007
    for management assessment; on or after 12/31/2008
    for auditor attestation).
  • Going forward, every public company will have to
    provide certifications quarterly and annually.

8
SOX Review - Key Sections
  • Section 302 (Certification): Officers of the
    company must make representations related to the
    disclosure of controls, procedures, internal
    controls and assurance from fraud.
  • Officers are personally responsible.
  • Officers could be subject to criminal prosecution
    and fines.
  • Unintentionally bad certification: fines up to $1
    million and up to 10 years imprisonment.
  • Willfully bad certification: fines up to $5
    million and up to 20 years imprisonment.
  • Ultimately, the SEC can order the company to be
    de-listed.

9
SOX Review - Key Sections
  • Section 404 (Internal Controls): Management must
    provide an annual assessment as to the
    effectiveness of internal controls over financial
    reporting and obtain an attestation from
    external auditors that management's approach was
    effective and that controls are effective. Annual
    reports will need to contain a report that:
    • States the responsibility management has been
      given to establish and maintain an adequate
      internal control structure and procedures for
      financial reporting.
    • Contains a current, point-in-time assessment of
      the effectiveness of that structure and
      procedures.
    • Confirms that the external auditor has attested
      to and reported on the assessments made by
      management.

10
SOX Review - Key Sections
  • Section 404 Annual Assessment:
  • Management's assessment must be based on
    procedures sufficient both to evaluate design and
    test operating effectiveness. Inquiry alone will
    generally not provide an adequate basis for
    assessment.
  • Management must maintain evidential matter,
    including documentation, to provide reasonable
    support for its assessment and testing of both
    design and operating effectiveness.
  • Any material weakness in internal controls over
    financial reporting must be disclosed by
    management in its filings and management is
    precluded from reporting that internal controls
    over financial reporting are effective if a
    material weakness is detected.
  • Management must be actively involved in the
    assessment process; it cannot delegate assessment
    responsibility to the auditor.

11
SOX Review - Key Sections
  • Section 404: a small section,
  • but the bulk of the work!

12
SOX Review - Groups that Oversee
  • Securities and Exchange Commission (SEC)
  • The primary overseer and regulator of the U.S.
    securities market. Oversees key participants in
    the securities world, including securities
    exchanges, securities brokers and dealers,
    investment advisors, and mutual funds.
  • Public Company Accounting Oversight Board (PCAOB)
  • A private-sector, non-profit corporation,
    created by the Sarbanes-Oxley Act of 2002, to
    oversee the auditors of public companies in order
    to protect the interests of investors and further
    the public interest in the preparation of
    informative, fair, and independent audit
    reports.
  • PCAOB website (www.pcaobus.org)

13
Outcomes of SOX
14
SOX Consequences - Cost
  • External audit fees are dramatically increasing.
  • Smaller companies are having difficulty acquiring
    audit services.
  • Less competition in the assurance industry
    (particularly internationally).
  • Changing relationships between external auditors
    and their clients.
  • It is estimated that Sarbanes-Oxley compliance
    costs firms in the U.S. approximately $6 billion a
    year and that this level of spending will
    continue for the upcoming years.

15
SOX - Positive Outcomes
  • Development of an efficient, organized approach
    to regulatory challenges.
  • Process improvements driving company performance.
  • IT infrastructure enhancements.
  • Stronger tone at the top.
  • Internal audit viewed as key team member.
  • Faster identification and remediation of
    exceptions.
  • Improved cultural awareness of controls and
    control activities.

16
Common IT Governance Frameworks
17
Governance - COSO
  • Comprehensive framework for evaluating an
    organization's controls; process-oriented and
    controls-based.
  • Focuses on fiduciary controls; lends itself well
    to evaluating business processes for SOX.
  • 3 objective categories: Operations, Financial
    Reporting, and Compliance.
  • 5 control components: Control Environment, Risk
    Assessment, Control Activities, Information &
    Communication, Monitoring.
  • More information available online (www.coso.org).

18
Governance - COBIT
  • IT framework established by the IT Governance
    Institute (ITGI) and the Information Systems
    Audit and Control Association (ISACA).
  • Comprehensive framework with 4 domains: Plan and
    Organize, Acquire and Implement, Deliver and
    Support, and Monitor and Evaluate.
  • ITGI/ISACA recently issued the second edition of
    IT Control Objectives for Sarbanes-Oxley.
  • Maps 12 (of 34) high-level objectives from COBIT
    to the PCAOB's 4 categories for General Computer
    Controls: Program Changes, Program Development,
    Computer Operations, and Access to Programs and
    Data.
  • More information available at ITGI (www.itgi.org)
    or ISACA (www.isaca.org).

19
Governance - Other
  • While COSO and COBIT are widely utilized, there
    are other frameworks available that can also be
    leveraged in support of SOX, including:
    • IT Infrastructure Library (ITIL) www.itil.co.uk
    • International Organization for Standardization
      (ISO) 17799 www.iso.org
  • These can be used to augment COBIT security
    objectives.

20
Typical Compliance Approach
21
Typical Compliance Approach
[Figure: compliance cycle diagram: Train, Scope, Document, Test, Remediate, Re-Test, Certify, then Repeat. The same diagram is shown on each of the following slides, with the current phase highlighted.]
22
Typical Compliance Approach
  • SOX requires companies to develop and align their
    compliance approach and methodology with a
    generally accepted internal control framework
    (e.g. COSO, COBIT).
  • Define materiality (e.g. 5% of Income Before
    Taxes).
    • Deficiency: < 20% of materiality.
    • Significant Deficiency: 20% - 99% of
      materiality.
    • Material Weakness: 100% or more of materiality.
  • Scope and map processes based upon materiality
    and other qualitative risk factors.

23
Typical Compliance Approach
  • Decentralized organizations often have processes
    spread across various business units, locations,
    countries, etc.
  • If the company is U.S. based and publicly held,
    foreign locations can also be subject to
    compliance if they are material enough to be
    in-scope.
  • Training is critical to ensuring cultural
    acceptance of controls and consistent
    understanding of compliance requirements.
  • Define terms to create a common vocabulary.

24
Typical Compliance Approach
  • Utilize a risk-based approach.
  • Process control ranking (e.g. High, Medium,
    Low).
  • Complete documentation:
    • Entity-level controls.
    • Business process controls, anti-fraud controls,
      outside service provider controls.
    • IT controls:
      • General computing controls.
      • Application interface controls.
      • End-user computing controls.
  • Complete design assessment.

25
Typical Compliance Approach
  • Perform testing (operating effectiveness
    assessment).
  • Use a risk-based testing approach focused on
    high-ranked processes and primary controls.
  • Focus on evidence: it is the key to proving the
    control existed and was operating as designed.
    PCAOB (AS2) specifies that inquiry alone is not
    sufficient.
  • Identify potential control weaknesses resulting
    from design and operating effectiveness
    assessments.
  • Coordinate with external auditors for their
    evaluation and testing.

26
Typical Compliance Approach
  • Assess overall impact of potential control
    weaknesses and determine remediation plan,
    ownership, and completion dates. Control
    weaknesses are evaluated individually and in
    aggregate.

27
Typical Compliance Approach
  • Re-test near year-end in support of the 404 opinion.
  • High-risk processes may require a full retest.
  • Include any remediated control weaknesses in the
    retesting.
  • Be aware of sampling needs when determining the
    roll-forward testing timing (i.e. ensure enough
    days remain in the year to obtain a daily sample
    of 25 days).
  • Coordinate with external auditors for their
    evaluation and testing.

28
Typical Compliance Approach
  • Since the CEO and CFO certify to the financial
    statements quarterly, it is common for
    organizations to utilize a quarterly
    certification process.
  • The quarterly certifications roll-up to the CEO
    and CFO beginning with the process owners, then
    the process managers, then senior management and
    IT.
  • Certifications can be tailored to the quarter and
    the audience.
  • Once the effort is complete for the current
    fiscal year, the process starts over again for
    the next fiscal year.

29
Typical Compliance Approach
[Figure: SOX-404 Compliance Timeline across the fiscal year (Jan to Dec, Q1 to Q4), with rows for Planning, Walkthroughs, Testing and Roll-Forward.
Planning: ongoing planning oversight provided by the ownership group; initial scoping; finalize risk assessment & mapping for year-end; refresh training for process owners & process managers (training for new hires is ongoing).
Walkthroughs: new in-scope processes & controls; L/H risk processes; M risk processes; roll-forward.
Testing: new in-scope processes & controls; M risk processes; roll-forward; L/H risk processes.
Remediation is ongoing throughout the year.
LEGEND: L = Low, M = Medium, H = High.]
30
Key Success Factors
31
Key Success Factors
  • Additions or changes should be SOX-compliant upon
    implementation.
  • After completing your first-year filing, the
    requirements for accuracy of interim financial
    statements become much more rigorous, since SOX
    legislation requires real-time disclosure of
    significant or material changes in the control
    environment.
  • This leaves companies with a limited remediation
    window if they should discover that an addition
    or change created a control weakness.

32
Key Success Factors
  • Process owners and process managers should own
    and maintain documentation.
  • Process owners and process managers should be
    prepared to participate in testing.
  • The organization should continue to identify and
    communicate ongoing change to the ownership group
    for impact assessment on process/control
    documentation.

33
Compliance Maturity
The level of sophistication with which a company
manages its compliance initiatives is directly
proportional to the value it derives in terms of
internal control effectiveness and risk
management.
[Figure: maturity ladder plotting Business Value against Compliance Management Maturity, with the functions involved: Internal Audit, Strategic Planning, Treasury, Risk Mgmt, Ops, Legal.]
Perpetual
  • Continuous monitoring and risk assessment
  • Real time response enabled by technology

Integrated
  • Integration of operational and financial risk
    mgmt.
  • Mature governance processes

Sustainable
  • Operationalize SOX compliance activities
  • Risk based financials

Fundamental
  • Minimum required beyond year one
  • Disclosure and change management

Foundational
  • Year one compliance
  • Redundant efforts
34
Question & Answer