Sustaining SOX 404: A Project Management Approach

Presentation Transcript


    1. Sustaining SOX 404: A Project Management Approach
        Magnus, Hilliard, and Kresyman
        Wednesday, October 6, 2010

    2. Sarbanes-Oxley Act of 2002
        Named after its sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH)
        Enacted by the U.S. Congress in response to highly publicized business failures:
        Enron: biggest audit failure
        WorldCom: overstated cash flow by booking billions in operating expenses as capital expenses
        Adelphia: the founding family collected $3.1 billion in off-balance-sheet loans backed by Adelphia; the company overstated results by inflating capital expenditures and hiding debt

    3. Sarbanes-Oxley Act of 2002
        Applies to publicly held companies
        The SEC is required to issue the rules that implement the law's compliance requirements
        Created the Public Company Accounting Oversight Board (PCAOB)
        The PCAOB's goal is to oversee, regulate, inspect and discipline accounting firms in their role as auditors of public companies

    4. Sarbanes-Oxley Act of 2002
        Section 404: internal control over financial reporting (ICFR)
        Section 404(a) requires the involvement of management:
        Management must assess the effectiveness of the organization's internal control over financial reporting
        Management must annually report the result of that assessment
        Section 404(b): auditor's responsibilities
        External auditors must attest to management's assessment by independently opining on the effectiveness of the company's ICFR

    5. Sarbanes-Oxley Act of 2002
        SEC rules require management to base its evaluation on a suitable, recognized control framework
        The COSO framework (Committee of Sponsoring Organizations of the Treadway Commission) is the most widely used

    6. Components of Internal Control

    7. COSO

    8. Five Framework Components

    9. The Control Environment
        Sets the tone of an organization and is the foundation for all other components of internal control, providing discipline and structure. It reflects:
        the integrity, ethical values and competence of the people
        management's philosophy and operating style
        the way management assigns authority and responsibility
        the attention and direction provided by the board of directors

    10. Risk Assessment
        Conditions that change the risk profile and call for reassessing controls:
        Changes in the regulatory or operating environment
        New personnel
        Changes in the information system
        Rapid growth
        New technologies
        New lines of business
        Restructuring
        Foreign operations
        New accounting principles

    11. Control Activities
        Are duties adequately segregated?
        Are transactions and activities properly authorized?
        Does adequate documentation and recordkeeping occur?
        Are physical safeguards over assets and records in place?
        Are independent checks on performance in place?

    12. Information and Communication
        Content must be appropriate
        Information is timely and available when needed
        Information is current
        Information is correct
        Information is accessible to the appropriate parties

    13. Information and Communication
        Personnel must understand their own role in the internal control system and how individual activities relate to the work of others
        Personnel must have a means of communicating significant information upstream
        There must be effective communication with external parties, such as customers, suppliers, regulators and shareholders

    14. Monitoring
        Sources that feed the monitoring of the control system:
        Communication from external parties
        Internal auditors
        Exception reports
        Reports to regulators
        Customer complaints

    15. Implementation Issues
        Determining the scope of SOX 404 compliance, year after year, is one of the most important decisions a company can make
        Challenges:
        For smaller companies: where do we start?
        For larger companies: how do we sustain the SOX effort in a cost-effective manner?
        Both the SEC and the PCAOB advocate a "top-down, risk-based approach" to assessing and certifying internal controls

    16. Scoping Decisions

    17. Top-Down Approach “Forces management to start with entity level controls and work to lower level transactional/process controls”

    18. SOX Compliance Steering Committee
        Responsible for the whole compliance process; members act as executive sponsors
        Typically led by the Controller, who serves as "Executive Project Lead"
        Composition depends on whether the company is centralized or decentralized

    19. SOX Steering Committee: Centralized Org

    20. SOX Steering Committee: Decentralized Org

    21. SOX Steering Committee: Decentralized Org

    22. Corporate Leadership Team

    23. SOX Project Management Office
        Runs the daily efforts of the SOX project
        Led by the SOX Director, who is heavily experienced in internal control design and in both internal and external auditing
        Escalates issues to the steering committee, such as slow progress, test failures, significant changes in the internal control structure, etc.

    24. Control Executives
        Company leaders (e.g. VPs, CEOs of individual business units)
        Set the direction of the SOX project within their area
        Oversee the development, documentation, and management of control activities
        Ensure proper and timely execution of test plans

    25. Process Leads
        Responsible for one or more processes (e.g. record to report, procure to pay, order to cash)
        Manage all aspects of SOX for their process
        Ensure all control activities are being executed and tested as agreed upon
        Ensure all documentation is complete, up-to-date and accurate

    26. Control Owners
        Individuals who either perform the control activities or directly oversee their evaluation
        Ensure all control activities are being executed and tested as agreed upon
        Identify control changes as necessary and support management in independent testing
        Ensure all documentation is complete, up-to-date and accurate

    27. Internal Auditors
        Internal partner for the SOX compliance project
        Most effective when independent of management
        Provide an "outside" advisory role and act as an independent testing resource that external auditors can rely on

    28. Management Testing and Documentation
        Three key aspects of management testing:
        identification of the key controls
        the nature, timing and extent of the tests of those controls
        independent testing of the key controls to assess the effectiveness of ICFR

    29. Management Testing and Documentation
        In determining which controls to test, management must consider:
        The magnitude of the potential misstatement that could result from the failure of the control
        The likelihood that failure of the control could result in a misstatement
        The degree to which other controls, if effective, achieve the same control objective

    30. Management Testing and Documentation
        Key controls whose failure could lead to a material misstatement, and which must therefore be documented:
        Controls over the selection and application of accounting policies (e.g. capitalize vs. expense R&D)
        Controls over significant nonroutine transactions involving judgment (e.g. deriving estimates)
        Controls over the period-end financial reporting process (e.g. ensuring all transactions are recorded)

    31. Real World Jargon
        D = Deficiency
        SD = Significant Deficiency
        MW = Material Weakness
        Severity is classified on two dimensions: magnitude (the amount of misstatement that could result from a breakdown in a particular control) and likelihood (how probable, or how remote, it is that the breakdown actually has that effect). In short: how much? and how remote?

    32. Nature of Tests of Controls
        Tests management might perform, ordered by the evidence they ordinarily produce, from least to most:
        Inquiry
        Observation
        Inspection of relevant documentation
        Re-performance of a control

    33. Timing of Tests of Controls
        Testing controls over a longer period of time provides more evidence of effectiveness than testing over a shorter period
        Tests performed closer to the date of management's assessment provide more evidence than tests performed earlier in the year

    34. Extent of Tests of Controls
        Refers to the sample size: the number of items that must be selected and tested
        Typically, the higher the risk, the greater the number of items that should be in the sample

    35. Management Documentation
        Process flowcharts
        Control matrix
        Narratives
        Template approach

    36. Better Practices
        Tone at the top
        Training
        PMO function
        Communication
        Ownership
        No bottom-up approaches
