The Sarbanes-Oxley Act of 2002 (PricewaterhouseCoopers)
Introduction of Panel Members
The Sarbanes-Oxley Act of 2002
What Companies Should Be Doing Now
March 10, 2003
Michael Cobb (813) 222-6212
Sarbanes-Oxley Act of 2002
Section 302: Requires quarterly certification by the CEO / CFO of all companies filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 regarding the completeness and accuracy of such reports, as well as the nature and effectiveness of the internal controls supporting the quality of information included in such reports.
Section 404: Requires an annual report by management regarding internal controls and procedures for financial reporting, and an attestation as to the accuracy of that report by the company’s auditors.
Addressing DC&P Requirements
[Diagram: control areas (Internal Accounting Controls, Disclosure Requirements, Financial Reporting, Compliance, Operations) mapped against three control categories in the legend: Internal Controls Over Financial Reporting, Disclosure Controls and Procedures, and Internal Controls over Disclosure Requirements]
What are the Questions That Need to be Asked?
What does our control structure look like and how does it operate?
Who is accountable?
How does it deal with change?
What are the critical control activities?
Are they monitored?
Is all of this documented?
How will I demonstrate that I have reviewed the controls every quarter?
Why the Need for Control Structure Documentation?
Available for third-party purposes
Enables External Auditor’s attestation work
Enables ongoing assessment of operating effectiveness
Facilitates linkage to COSO
Supports management assertions
Reduces risk and supports operational efficiency
Controls over the IT environment
• Most business processes are critically enabled by IT
• Achieving objectives is often dependent on IT based controls
• Many controls depend on data generated by IT systems
• IT controls need to be considered at 2 levels:
– Controls over the IT environment (General Controls)
– Controls over individual applications
Audit of Financial Statements vs. 404 Controls Attestation
Audit of Financial Statements
• Understanding and consideration of internal controls only to the extent needed to develop the audit approach
• Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls
• Internal control reports have been very rare in practice and are the subject of different auditing standards
404 Attestation
• 100% controls-based approach
• Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep)
• A historical lack of errors in the financial statements is not, in itself, de facto evidence of an appropriate internal control structure
Management’s Requirements Under Section 404
Section 404 – Management Must Assess Internal Controls Annually (effective date pending)
• Internal control report states management’s responsibility for establishing and maintaining adequate internal control structure and procedures for financial reporting.
• Management must assess effectiveness of internal control structure and procedures for financial reporting as of the end of the most recent fiscal year.
• Attestation by external auditor (Section 404 and 103).
The Intersection of Sections 302 and 404
[Diagram: two overlapping circles. Section 404: basis for the auditors’ evaluation and testing. Section 302: management’s certification related to the financial reporting elements of DC&P. The overlap is Internal Controls for Financial Reporting.]
The Five Components under the COSO Framework
Control Activities
Policies/procedures that ensure management directives are carried out.
Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Monitoring
Assessment of a control system’s performance over time.
Combination of ongoing and separate evaluation.
Management and supervisory activities.
Internal audit activities.
Control Environment
Sets the tone of the organization, influencing the control consciousness of its people.
Factors include integrity, ethical values, competence, authority and responsibility.
Foundation for all other components of control.
Information and Communication
Pertinent information identified, captured and communicated in a timely manner.
Access to internal and externally generated information.
Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
All five components must be in place for internal control to be effective.
Control Objectives and Types of Financial Controls to Be Identified
Standard Control Objectives (All Cycles/Processes/Activities):
Completeness of input
Accuracy of input
Completeness and accuracy of output
Authorization/Validity
Timeliness
Others:
– Safeguarding of assets
– Segregation of duties
Types of Financial Controls
Basic/Application Controls
Monitoring Controls
General/Computer Controls
Mapping to Controls
STEPS:
1. Map F/S line items to cycles/processes
2. Document each existing process (detailed flowcharts and narratives)
3. Identify controls in place
4. Test controls for effectiveness
5. Highlight missing controls
6. Assess impact of missing controls
7. Fill gaps
[Diagram: Financial Statements mapped to Cycles/Processes, which are in turn mapped to Controls]
Implementation Issues
Resources
Training / Education
Project management
Scope Setting
– Centralized vs. decentralized processes
– Multinational / Multilocation
– Common vs. independent systems
– Acquisitions
– Shared service centers
Measurement of control effectiveness
Reporting
Disclosure controls and procedures
– Financial
– Non-financial
Action Plan
Following an iterative approach to evaluating and assessing the control environment will provide readiness for 404 certification and improve 302 compliance.
Educate Management / Board
Mobilize
Collect Data on “As-Is” Environment
Assess Maturity and Perform Gap Analysis
Address Needs for Continuous Improvement
This process should be repeated as necessary in a continual effort to improve the maturity of an organization’s internal controls.