SOX for Everyone

Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks

Source: Brink’s Modern Internal Auditing, Robert Moeller, Wiley Publishing

Agenda for Today

– What is internal control and why is it important for governmental entities?
– History of internal control leading up to SOX
– COSO framework
– Fundamentals of internal control and control systems
– Wrap up

What is Internal Control?

What is “internal control?”
– General procedures for a well-managed, well-functioning business

Components include
– Accomplishes its mission
– Produces accurate, reliable data
– Complies with laws and corporate policies
– Results in economical/efficient use of resources
– Provides for safeguarding of assets

Internal Control and Governmental Entities

How do internal control objectives translate into government objectives?
– Increase the public’s confidence level in government operations.
– Increase management’s accountability for financial reporting and information disclosed to the public.
– Reveal the critical need for management’s well-defined job requirements.
– Reduce fraud and increase accountability.

Source: http://www.governmentauditors.org/content/view/273/123/

Internal Controls Standards: Background Developments

Earliest definition of internal control:
– The organization’s plan and actions to
  • safeguard its assets,
  • operate efficiently,
  • adhere to policies, and
  • accurately and reliably produce accounting data

Internal Controls Standards: Background Developments, continued

Foreign Corrupt Practices Act (FCPA, 1977)
– Response to the Watergate scandal
– Required management to
  • Maintain accurate books and records
  • Implement a system of internal control
– Also prohibited bribes to foreign officials
  • Excludes “grease” (facilitating) payments to minor officials
– Created a flurry of activity to comply; today it is seen primarily as an anticorruption law

Efforts Leading to the Treadway Commission

Cohen Commission (an AICPA commission)
– Recommended that management report on internal controls and that auditors opine on the fairness of management’s assertion
– Resulted in criticism from external auditors; lack of consistent definitions regarding internal controls, “adequate”, etc.
– FEI endorsed the Cohen recommendation
  • As a result, some CEO management letters discussed internal control; some letters included “negative assurance”

Efforts Leading to the Treadway Commission, continued

SEC 1979 proposal
– Based on the Cohen Commission and FEI
– Called for mandatory management reports on internal control
– Again, controversy and criticism centered on the lack of a clear definition of internal accounting control
– SEC dropped the proposal, but it established a need for a management report on internal control as part of required SEC filings

Efforts Leading to the Treadway Commission, continued

SAS No. 55 (Statement on Auditing Standards)
– Issued by the AICPA
– Defined internal control in terms of the
  • Control environment
  • Accounting system
  • Control procedures
– Management’s view of internal control is broader and encompasses the entire control system
  • External auditors focus on internal control related to financial statements

Efforts Leading to the Treadway Commission, continued

Treadway Commission (National Commission on Fraudulent Financial Reporting)
– The late 1970s and early 1980s were a period of high inflation, high interest rates, and many business failures despite the companies having reported adequate earnings
– Congress proposed but did not pass bills to correct the business and audit failures
– The Treadway Commission was formed to identify fraud factors and propose recommendations

Efforts Leading to the Treadway Commission, continued

Treadway Commission, continued
– Again, a call for management reports on the effectiveness of internal control
– The most important contribution of Treadway was raising the level of concern and attention directed toward reporting on internal control

FCPA, Cohen Commission, SEC 1979 proposal, SAS No. 55 and Treadway Commission
• Occurred almost in parallel over a period of about 20 years and together helped redefine internal control

Sarbanes-Oxley Act

Sarbanes-Oxley Act
– Passed in 2002
  • Most significant overhaul of public accounting, corporate governance and financial reporting since the 1930s
– Established regulatory rules for public accounting firms, auditing standards, and corporate governance
– PCAOB established to oversee public accounting firms and to establish auditing standards

Sarbanes-Oxley Act, continued

Section 101
– Establishes the PCAOB (Public Company Accounting Oversight Board)
– Non-profit, private-sector corporation
– PCAOB consists of 5 members appointed by the SEC
  • The AICPA no longer establishes Statements on Auditing Standards or GAAS for audits of public companies
  • The PCAOB now oversees all audits of SEC-reporting corporations

Sarbanes-Oxley Act, continued

Section 201
– Establishes new rules regarding auditor independence and prohibited practices
  • Prohibited services include financial information system design and implementation, internal audit outsourcing, and other services
– Tax and other non-prohibited services may be performed by the external auditor if approved in advance by the audit committee

Sarbanes-Oxley Act, continued

Section 301
– Mandates that all audit committee members be independent
– The external auditor reports to, is overseen by, and is compensated by the audit committee

Sarbanes-Oxley Act, continued

Section 302
– Requires that the CEO and CFO certify quarterly and annual financial reports
– SOX imposes criminal fines or jail time on those who knowingly certify false reports (the criminal penalties for false certification are set out in Section 906)

Sarbanes-Oxley Act, continued

Sections 304 to 307
– Designed to eliminate or limit seemingly outrageous behavior
– Earnings restatements may require the CEO and CFO to return bonuses based on bogus numbers (Section 304)
– Blackout periods related to trading in 401(k) and pension plans apply equally to all employees; officers and directors are bound by the same blackout as plan participants (Section 306)
– Revised rules related to attorney reporting of corporate misconduct (Section 307)
  • Controversial due to attorney-client privilege

Sarbanes-Oxley Act, continued

Section 404
– Makes management responsible for acknowledging its responsibility for establishing and maintaining adequate internal control over financial reporting
– Makes management responsible for an annual assessment of the effectiveness of those controls, which the external auditor then attests to

Sarbanes-Oxley Act, continued

Other sections of Title IV
– Require the company to disclose whether it has adopted a code of ethics for senior financial officers and, if not, why (Section 406)
– Require disclosure of whether the audit committee includes a “financial expert” (Section 407)
– Mandate that companies disclose material changes in their financial condition or operations to investors on a rapid and current basis (Section 409)

Sarbanes-Oxley Act, continued

Other Titles of SOX
– Mandate workpaper retention policies
– Provide whistleblower protection
– Require the CEO and CFO to personally certify that the financial reports are fairly presented
  • Personal penalties for knowingly falsifying (not corporate responsibility)

REVIEW

Under the 2002 Sarbanes-Oxley Act, _____________ must certify the effectiveness of the company’s internal controls each year. If they sign off on ineffective controls, they could _______________.

a. CFOs and CEOs; face civil and criminal penalties.
b. CFO; face civil penalties.
c. CEO; get fired.
d. External auditor; face the Audit Committee.

REVIEW

The primary responsibility for overseeing the establishment and administration of internal control rests with

a. The external auditor.
b. The controller.
c. The internal auditor.
d. Senior management.

COSO Internal Control Framework

– Common framework for the definition of internal control and for procedures to evaluate controls
– Internal control is a process, effected by the board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations
– Released in 1992 and has become widely accepted

COSO Internal Control Framework, continued

COSO Framework
– A pyramid of 5 layered and interconnected components comprises the overall control system
– Control environment: the foundation
– Risk assessment, control activities and monitoring are layered on top of the foundation
– The 5th element is an interface channel between the other 4 layers: information and communication

[Figure: the COSO internal control pyramid. Source: COSO’s Internal Control – Integrated Framework]

COSO Internal Control Framework, continued

Internal control environment
– Has a pervasive influence on the organization
– Reflects the attitude, awareness and actions of the BOD, management and others regarding the importance of internal control
  • History and culture play important roles
– “Tone at the top”

COSO Internal Control Framework, continued

Internal control environment
– Integrity and ethical values
  • Strong code of conduct communicated throughout the organization
– Commitment to competence
  • Adequate training, supervision, job descriptions
– BOD and audit committee
  • Independent audit committee

COSO Internal Control Framework, continued

Internal control environment
– Management’s philosophy and operating style
  • Risk taker/conservative, “seat of the pants”/careful planner
– Organizational structure
  • Centralized/decentralized, reporting relationships

COSO Internal Control Framework, continued

Internal control environment
– Human resources policies and practices
  • Recruitment/hiring, new employee orientation, evaluation/promotion/compensation, disciplinary actions

COSO Internal Control Framework, continued

Risk Assessment
– Evaluation of potential risks to the organization’s ability to achieve its objectives
– 3-step process
  • Estimate the significance of the risk
  • Assess its likelihood
  • Consider how to manage the risk or what actions to take

COSO Internal Control Framework, continued

Risk Assessment
– Risks from external factors include legislation and technology
– Risks from internal factors include the quality of hiring/training
– Specific activity-level risks include risks related to specific new products

COSO Internal Control Framework, continued

Control Activities
– Policies and procedures
  • Top-level reviews compare results to budget or other benchmarks
  • Direct functional or activity management entails reviewing operational reports or exception reports and taking corrective action
  • Information processing controls check the accuracy, completeness and authorization of transactions, and govern the development of new systems and access to data

COSO Internal Control Framework, continued

Control Activities
– Policies and procedures, continued
  • Physical controls over assets
  • Performance indicators: relating operating data to financial data, and taking analytical, investigative or corrective action
  • Segregation of duties

COSO Internal Control Framework, continued

Control Activities
– Integrating risk assessment and control activities
  • Appropriate control activities are established to address specific risks
  • May need to prune “dumb” controls

COSO Internal Control Framework, continued

Control Activities
– Controls over information systems
  • General controls apply across all applications (e.g., locks on the door to the computer center, access security, change management)
  • Application controls apply to specific programs (e.g., input validation, completeness checks)
– The organization needs to consider evolving technologies and the new/modified controls they require

COSO Internal Control Framework, continued

Information and Communication
– Information systems can be formal or informal, internal or external
– COSO emphasized that they be
  • Strategic, consistent with the organization’s goals (not outdated)
  • Integrated with other operations

COSO Internal Control Framework, continued

Information and Communication
– COSO suggests and SOX requires that information be
  • Timely
  • Accurate
  • Current
  • Accessible
  • Appropriate

COSO Internal Control Framework, continued

Information and Communication
– Internal systems
  • The most important component may be communication from senior management, the “tone at the top”
  • Each person needs to know how he or she fits into the organization; otherwise they may think errors don’t matter
  • Each person needs to know the limits: what is unethical/improper
  • Communication must flow up and down

COSO Internal Control Framework, continued

Information and Communication
– External systems
  • Include a mechanism to capture and act upon complaints, a source of potential control issues
  • Communication must flow in both directions

COSO Internal Control Framework, continued

Monitoring
– Historically the role of internal auditors
– COSO expands it to include ongoing assessments of and adjustments to internal control as circumstances warrant
– Many routine business functions, such as reconciliations, are considered monitoring activities

COSO Internal Control Framework, continued

Monitoring
– Separate internal control evaluations (in addition to ongoing monitoring) need to be performed periodically
  • Can be done by management
– Identified internal control deficiencies (no matter how they are identified) should be reported, investigated, and appropriately acted upon

REVIEW

Which of the following are elements included in the control environment?

a. Organizational structure, management philosophy, and planning.
b. Risk assessment, assignment of responsibility, and human resource practices.
c. Competence of personnel, backup facilities, laws, and regulations.
d. Integrity and ethical values, assignment of authority, and human resource policies.

REVIEW

Which of the following fits most directly under the control activities component of the COSO Internal Control framework?

a. Company-level controls dealing with tone at the top.
b. Accounting for shipping documents to ensure that all sales are recorded.
c. Overall methods for assigning authority and responsibility.
d. The control environment.

Understanding, Using, and Documenting COSO Internal Controls

– SOX 404 requires that organizations understand, document, test, and evaluate the internal controls of major processes and systems
– COSO is the suggested framework for this process

Fundamentals of Internal Controls

Definition of a control system
– The car is an example: if the accelerator or brakes aren’t used properly, the car operates out of control
– An organization is similar: all the parts have to operate/be directed properly or the organization is out of control

An internal control system should attain or maintain a desired state

Fundamentals of Internal Controls, continued

Elements of a control system
• Detector/sensor element measures the system being controlled (often the auditor)
• Selector or standard element is the base used to compare/evaluate what’s detected (standards, best practices)
• Controller element changes the behavior based on the comparison of detector and standard
• Communications network element transmits messages between the controller element and the thing being controlled

Fundamentals of Internal Controls, continued

Types of control techniques; a combination of all 3 assures that a process is operating properly
– Preventive controls stop a problem before it occurs
  • Locked doors, passwords
– Detective controls alert management that a problem has occurred
  • Door alarms, account reconciliations
– Corrective controls assist in recovery from problems
  • Insurance policy
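
An added example, not from these slides or from Moeller’s book, showing the preventive and detective types side by side in working code: a hypothetical dual-signature rule (a yes-no gate) that refuses to release a disbursement, and a bank reconciliation that flags exceptions after the fact. The threshold, the approver names and the ledger and statement entries are all constructed for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy limit (hypothetical): disbursements at or above this amount
# need two distinct approvers before they are released.
DUAL_SIGNATURE_THRESHOLD = Decimal("10000.00")


@dataclass(frozen=True)
class Disbursement:
    ref: str            # cheque/transfer reference
    amount: Decimal
    approvers: tuple    # people who signed the disbursement (constructed data)


def is_release_allowed(d: Disbursement) -> bool:
    """Preventive (yes-no) control: the payment is blocked before it happens
    unless the approval rule is met. Two signatures by the same person do
    not count as dual approval."""
    distinct = set(d.approvers)
    if d.amount >= DUAL_SIGNATURE_THRESHOLD:
        return len(distinct) >= 2
    return len(distinct) >= 1


def blocked_disbursements(book):
    """Refs of disbursements the preventive control would refuse to release."""
    return [d.ref for d in book if not is_release_allowed(d)]


def reconcile(book, statement):
    """Detective control: compare the ledger (book) with the bank statement,
    reference by reference, after the fact. Returns exception items for
    management to investigate; it cannot stop an error, only surface it."""
    book_by_ref = {d.ref: d.amount for d in book}
    bank_by_ref = dict(statement)
    exceptions = []
    for ref in sorted(set(book_by_ref) | set(bank_by_ref)):
        if ref not in bank_by_ref:
            exceptions.append((ref, "in books, not on statement"))
        elif ref not in book_by_ref:
            exceptions.append((ref, "on statement, not in books"))
        elif book_by_ref[ref] != bank_by_ref[ref]:
            exceptions.append(
                (ref, f"amount mismatch: books {book_by_ref[ref]}, bank {bank_by_ref[ref]}")
            )
    return exceptions


# Constructed sample data, not taken from any real ledger.
BOOK = [
    Disbursement("CHK-1001", Decimal("2500.00"), ("alice",)),
    Disbursement("CHK-1002", Decimal("15000.00"), ("alice", "bob")),
    Disbursement("CHK-1003", Decimal("12000.00"), ("alice", "alice")),  # same person twice
    Disbursement("CHK-1004", Decimal("800.00"), ("carol",)),
]
STATEMENT = [
    ("CHK-1001", Decimal("2500.00")),
    ("CHK-1002", Decimal("15000.00")),
    ("CHK-1004", Decimal("850.00")),   # cleared for a different amount
    ("FEE-0007", Decimal("25.00")),    # bank charge never recorded in the books
]

if __name__ == "__main__":
    print("blocked by preventive control:", blocked_disbursements(BOOK))
    for ref, why in reconcile(BOOK, STATEMENT):
        print(f"reconciliation exception {ref}: {why}")
```

Running both over the same data shows the asymmetry the slide describes: the yes-no gate stops CHK-1003 before any money moves, while the reconciliation can only report that CHK-1004 cleared for the wrong amount and that a fee was never booked. The corrective step (adjusting the books, pursuing the difference with the bank) is still a separate control.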

Fundamentals of Internal Controls, continued

Preventive, detective and corrective controls operate on 3 levels
– Steering: preventive controls designed to attract management attention and prompt action (respond to falling market share)
– Yes-No: protective controls designed to ensure adherence to a pre-established control (approvals)
– Post-action: requires management’s after-the-fact action; may require correcting detective, preventive or corrective controls (reassign an employee, repair damaged products)

REVIEW

Controls may be classified according to the function they are intended to perform; which of the following is a detective control?

a. Dual signatures on all disbursements over a specific amount.
b. Recording every transaction on the day it occurs.
c. Monthly bank statement reconciliations.
d. Requiring all members of the internal audit staff to be CPAs.

REVIEW

Controls designed to deter undesirable events from occurring are

a. Preventive controls.
b. Directive controls.
c. Detective controls.
d. Output controls.

WRAP UP

Questions?