SARBOX ALERT
April 2005, Volume 1, Issue 3

© Copyright 2005 RiskCenter, LLC. Published bi-weekly. Federal copyright law prohibits duplication or reproduction in any form, including electronic, without express permission by the publisher.

Publisher: Igor Lamser
Editor-In-Chief: Gwen Thomas
Editorial Office: 82 Wall Street, Suite 707, New York, NY 10005; phone: 212.825.1525; fax: 212.825.1530; www.riskcenter.com
Single year subscription: $495. Group subscription inquiries: 212.825.1525 or subscriptions@sarboxalert.com. Advertising: Contact Igor Lamser at 212.825.1525.

In this issue... Focus: Risk Frameworks

Articles
• Industry News
• Using Risk Frameworks to Manage Sarbanes-Oxley Controls
• Managing Fraud as a Type of Risk
• Sarbox Project Templates (listed in the Sarbox Project Templates section below)
• Crossword Puzzle: Risk Frameworks

Industry News

Record Number of Requests for Extensions

Already this year, 1,769 companies have formally asked the SEC for an extension in filing their annual reports, according to John Heine, an SEC spokesman. For all of 2004, the number of companies that sought extensions was 2,064. Most of these filings occur before the end of March, the deadline for companies whose fiscal years end Dec. 31.

A number of companies have asked for extensions in order to comply with provisions of the 2002 Sarbanes-Oxley Act that kicked in this year.

Failure Rates are In

So far this year, 7.7 percent of the internal control assessments filed this proxy season have been given "failing grades" by the companies' external auditor. These figures come from a study commissioned by Raisch Financial Information Services and Compliance Week.

What companies are failing? The industries with the highest number of "adverse opinions" provided by auditors are computer hardware and software (18.20 percent); metals and mining (17.2 percent), and consumer services (16.7 percent).

What auditor is issuing adverse opinions? According to the study, the Big Four accounting firm that has issued the largest number of adverse opinions is PricewaterhouseCoopers, which failed 9.3 percent of its 398 internal control audits. KPMG appears to be the easiest "grader," failing only 5.5 percent of its 348 SOX 404 audits.

March Internal Control Disclosures

116 companies have disclosed material weaknesses in their internal controls during the month of March. That's up from 23 in February 2005. Most interpretations say that the increase is largely due to the high volume of companies filing their annual reports in March. In March 2004, only 28 companies made similar disclosures.

What are the issues?

Financial systems and procedures. Problems with financial systems and procedures accounted for 70 percent of all weakness disclosures. Those problems typically involved the financial close process, account reconciliation, or inventory processes. 2004 disclosures showed only about half of the disclosures were related to financial systems and procedures.

Tax issues. In March 2005, more than 22 percent of the disclosures mentioned problems with tax accounting. (That's up from just 3 percent in 2004.) Some instances related to personnel (e.g., understaffed accounting departments, or employees that lacked appropriate expertise), but most of the tax problems were tied to financial systems and procedures (e.g., lack of appropriate controls related to income tax accounting).

Accounting for leases and loans. Approximately 14 percent of the problems with financial systems and procedures in March dealt with accounting for leases and loans. Generally these were related to lease accounting practices or errors, loan loss allowances, or depreciation assumptions.

From the Wires: IGate Gets Delisting Notice From Nasdaq

04.11.2005, 05:10 PM (Associated Press) - Technology company IGate Corp. said Monday it received a delisting notice from the Nasdaq because it has yet to complete an accounting review as part of compliance efforts under the Sarbanes-Oxley Act. The company said the delisting notice gives it until April 14 to either complete a review of its internal accounting controls or request a hearing on the matter. IGate said it has already made an appeal, and requested a hearing to stay the delisting action.

"The company is working diligently to complete its management report on internal control over financial reporting and expects to file its report and the related attestation report of the independent registered public accounting firm in an amendment to the Form 10-K prior to May 2, 2005," IGate said in a statement. "There can be however no assurances that Nasdaq will grant the company's request for continued listing."

Shares of IGate fell 25 cents, or 6.5 percent, to close at $3.60 on the Nasdaq.

Using Risk Frameworks to Manage Sarbanes-Oxley Controls

Why Use Risk and Control Frameworks?

For public companies, the most immediate reason for using a standardized risk framework is… you have to. In interpreting the Sarbanes-Oxley Act, the SEC has required that management's evaluations of the effectiveness of the company's corporate internal controls (described in Section 302 of the Act) be based upon an industry-recognized controls framework. Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports explains how the SEC expects CEOs and CFOs to base their opinions. It says: "We believe that each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances" and then goes on to say "The methods of conducting evaluations of internal control over financial reporting will, and should, vary from company to company. Therefore, the final rules do not specify the method or procedures to be performed in an evaluation."

They go on to discuss the COSO framework: "...we have modified the final requirements to specify that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."

Other reasons to use the COSO framework

It's helpful to remember the reasons that we use internal controls. They exist to provide reasonable assurance regarding the achievement of the following three objectives:
• Economy and efficiency of operations (this includes achieving performance goals and safeguarding of assets against loss)
• Reliable financial and operational data and reports
• Compliance with laws and regulations

The original COSO framework was designed as a tool for evaluating internal control systems and to provide a common basis for management teams, directors, regulators, and others to better understand and effectively communicate about enterprise risk management. It was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

From the COSO home page: "COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. The National Commission was jointly sponsored by the five major financial professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange."

The original COSO framework contains five control components needed to help assure sound business objectives. The control components are:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

(Figure: The Original COSO Cube)

2004 COSO Document: Enterprise Risk Management (ERM) COSO Framework

The new Enterprise Risk Management (ERM) COSO framework (COSO-ERM) emphasizes the importance of identifying and managing risks across the enterprise. The new COSO framework consists of eight components:
• Internal control environment (from original COSO)
• Objective setting (new component)
• Event identification (new component)
• Risk assessment (from original COSO)
• Risk response (new component)
• Control activities (from original COSO)
• Information and communication (from original COSO)
• Monitoring (from original COSO)

(Figure: The COSO-ERM Cube)

Why You Need Both An Accounting Framework And An IT Framework

In most companies of any size, data moves between multiple business groups and IT systems on its way from initial transactions to the reports to which the CEO and CFO must attest. Attesting to the accuracy of the data requires confidence in accounting procedures and controls. These are addressed within the COSO framework. COSO's primary role is fiduciary.

The SOX 404 attestation also requires confidence in the IT systems that house, move, and transform data. This requires confidence in the processes and controls for those IT systems and databases. Neither the SEC nor the U.S. Public Company Accounting Oversight Board has openly endorsed a specific information technology control framework. However, the COBIT framework was designed to complement COSO by addressing information criteria: quality requirements, fiduciary requirements, and security requirements.

Quality Requirements:
• Quality
• Cost
• Delivery

Fiduciary Requirements (COSO Report):
• Effectiveness and Efficiency of operations
• Reliability of Information
• Compliance with laws & regulations

Security Requirements:
• Confidentiality
• Integrity
• Availability

Because COSO focuses on fiduciary controls and COBIT addresses broader information criteria as they are affected by IT, COSO and COBIT do not seamlessly map to each other. In using them for Sarbanes-Oxley compliance, companies should remember that compliance is their goal – not checking off every item in lists created for other purposes.

The COBIT framework

COBIT (Control Objectives for Information and Related Technologies) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. It's an IT control framework built in part upon the COSO framework. It approaches IT control by looking at information that is needed to support business requirements and the associated IT resources and processes. COBIT addresses information quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. These categories form the foundation of COBIT's 34 control objectives. These objectives (and corresponding control activities) are organized into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.

COBIT was designed as a framework comprehensive enough to provide a point of reference for any IT decision, control point, or auditing discussion. As such, it contains many areas that do not apply to Sarbanes-Oxley concerns. In applying COBIT to Sarbox, users and auditors must determine the relevance to Sarbox of a significant IT process or IT-dependent process by assessing its primary contribution to internal controls over financial reporting. Relevant processes should be assigned appropriate controls from COBIT and other IT control models such as the ISO/IEC 17799 Code of Practice for Information Security Management, established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

COBIT documents are free for download from http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/COBIT_Publications/COBIT_Components.htm .

Using COSO and COBIT to Manage Sarbanes-Oxley Controls

Whether you use COSO or COBIT to address a particular area that falls within the Sarbanes-Oxley area of interest, you'll follow the same essential steps: identify a risk and prioritize it, decide upon a risk management strategy, identify controls to implement, and provide governance and stewardship to ensure that controls are applied consistently.

Managing Fraud as a Type of Risk

The Sarbanes-Oxley Act requires that companies acknowledge and manage risk. The COSO and COBIT frameworks are useful in that they provide industry standards for classifying areas of interest that need to be safeguarded. They further classify those areas so that leadership and staff can unambiguously identify areas under consideration for the implementation of controls. These frameworks are especially useful in guarding against the types of risk that result from areas "falling through the cracks" and not receiving needed attention.

Merely implementing a control framework, however, will not be effective in preventing a special type of risk: fraud. Fraud is defined in Black's Law Dictionary as:

An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right. A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. . . A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.

What does this mean?

While many types of risk occur because of accidents, errors, or omissions, fraud occurs because someone intentionally did something wrong. Most controls that companies put into place are designed to prevent, detect, or correct accidents, errors, or omissions. It often takes a special approach – and special controls – to prevent or detect fraudulent actions.

Types Of Fraud

According to Big Four auditing company PricewaterhouseCoopers, fraud generally falls into one of four categories (source: Key Elements of Antifraud Programs and Controls):
• Fraudulent financial reporting. Most fraudulent financial reporting schemes involve earnings management, arising from improper revenue recognition, and overstatement of assets or an understatement of liabilities.
• Misappropriation of assets. This category involves external and internal schemes, such as embezzlement, payroll fraud and theft.
• Expenditures and liabilities for improper purposes. This category refers to commercial and public bribery, as well as other improper payment schemes.
• Fraudulently obtained revenue and assets, and costs and expenses avoided. This category refers to schemes where an entity commits a fraud against its employees or third parties, or when an entity improperly avoids an expense, such as tax fraud.

Responsibility For Fraud

It is the responsibility of the company Board of Directors to put in place programs to deter and detect fraud. Specifically, the board's Audit Committee has responsibility for:
1. Monitoring the financial reporting process
2. Overseeing the internal control system
3. Overseeing the internal audit and independent public accounting functions, and
4. Reporting findings to the Board of Directors.

Control Environment

Why is a control environment important? It has a pervasive influence on the way business activities are structured, objectives are established, and risks are assessed. It also influences risk assessment, control activities, information and communication systems, and monitoring activities.

What's in a control environment?

Intangible aspects
• integrity, ethical values
• competence of management and staff
• management's philosophy and operating style

Tangible aspects
• how management assigns authority and responsibility
• how people are organized
• development opportunities and training for management and staff
• definition of the role of the audit committee and board of directors.

If fraud occurs – or if a company gets into other types of trouble – auditors are going to look at the company's control environment as they assess whether the problem under consideration was an isolated instance or the result of an inadequate control environment. Consequences to the company will generally be much greater if the control environment is deemed poorly designed or implemented. And so, it is critical that great attention be given to the control environment. From the Board of Directors down to every staff member involved in Sarbanes-Oxley implementation, there should be a mechanism for reporting any real or perceived inadequacy. (This is an example of the old maxim that perceptions may be reality.)

If your company gets into trouble, the U.S. Sentencing Guidelines Manual may be brought into play. Chapter 8 states that an "effective program to prevent and detect violations of law" means a program that has been reasonably designed, implemented and enforced so that it generally will be effective in preventing and detecting criminal conduct.

This means that it is not enough to design an anti-fraud program. It must be implemented and enforced. Start with your Code of Conduct/Ethics. Consider having representative staff review it and discuss it so you can develop a strong confidence level that your employees will understand what it says and interpret it the way your legal and compliance groups intended, and that you have a clear path for implementing it and enforcing your code.

PricewaterhouseCoopers recommends the following additional steps that should be implemented regarding the Code of Conduct (source: Key Elements of Antifraud Programs and Controls):
• The code of conduct also must be communicated effectively (through the employee handbook, policy manual, intranet, etc.) on a periodic basis to all covered persons. Ineffective communication prevents even a comprehensive code of conduct from being effective and contributing to an appropriate "tone at the top."
• Employees should evidence their receipt and reading of the code. This is generally accomplished through a confirmation process. Annual confirmations from the covered persons regarding their compliance (or lack thereof) with the code of conduct, including appropriate follow-up regarding lack of response and any exceptions noted, provide adequate evidence.
• Requiring attendance at training at the time of hiring and periodically thereafter evidences the entity's commitment to ensuring that the employees understand the code. Training should address the "tone at the top," code of conduct, and the individual's duty to communicate or report actual or suspected fraud or misconduct. Interactive training may provide evidence that a code has been communicated, and that employees have received, read and understood the code.
• Both management and the audit committee are required to monitor the code of conduct. Meeting minutes should evidence their ongoing or periodic monitoring.

Identifying Risk

In defining a system of controls and in assessing their effectiveness, special attention should be given to controls against fraud. Because much fraud occurs at senior levels of the organization, it makes sense for the Board of Directors to be involved in assessing controls aimed at fraud. They should give attention to:
• The process for identifying and documenting fraud risk
• The types of fraud considered by management (fraudulent financial reporting, misappropriation of assets, unauthorized or improper receipts and expenditures, and fraud by senior management)
• The level at which risk is considered (company-wide, business unit and significant account)
• The level of likelihood of fraud (probable, reasonably possible and remote)
• The level of significance of fraud (inconsequential, more than inconsequential or material)

Another area of special attention is the requirement for a confidential employee hotline as part of a Sarbanes-Oxley Whistleblower Program. SarboxAlert has devoted an entire issue to this: see Volume 1 Number 2, published March, 2005.

Other Considerations

It is important that the audit committee has taken steps to ensure that the organization has implemented what will be interpreted as an effective ethics and compliance program that is properly and periodically tested.

Fraud often happens when a member of management or staff is able to override internal controls, so all Sarbanes-Oxley staff – from implementation teams to the audit committee – should work to ensure that internal controls address the appropriate risk areas and are functioning as designed.

Sarbox Project Templates

Sarbox Project Templates to complement the topics covered in this issue's features are available as stand-alone Microsoft Word documents. Download the following Sarbox Project Templates – as well as others – from the SARBOX ALERT download section at www.riskcenter.com:
• Reference: The Elements of the COSO Risk Framework
• Reference: The Elements of the COBIT Risk Framework
• Worksheet: What is the Probability of a problem?
• Worksheet: What is the Impact of a problem?
• Template: a Risk Grid
• Suggested Language: Expressing the same idea using "IT speak", "Risk speak" and "Auditing speak"
• Crossword Puzzle: Risk Frameworks

Next Issue: Sarbox, SAS 70s, and Outsourcers

Articles:
• A SAS 70 Primer
• Using Your Sarbox and Governance Programs to Maintain Control Over Outsourcers

Sarbox Project Templates:
• Reference: Comparison of SAS 70 Types 1 and 2 Audits
• Checklist: SAS 70 Control Points
• Roles and Responsibilities Chart: Maintaining Control Over Outsourcers
• Visual Aid: A Governance and Stewardship Framework for Matrixed Organizations
• Visual Aid: Placing Governance and Stewardship Control Points Into Your Outsourcers' Organization

Sarbox Project Template Crossword Puzzle: Control Frameworks

(Crossword grid, cells 1 through 8. Created with EclipseCrossword, www.eclipsecrossword.com)

Across
1. A reason to use COSO: Economy and ____ of operations
3. COSO component that deals with tone from the top: Control ____
5. Control Objectives for Information and Related Technologies
6. They believe "each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances"
7. What COSO says you do to manage risk: Control ____
8. A component shared by COSO and COBIT

Down
2. COBIT security requirements: ___, Integrity, Availability
4. Publisher of COBIT

Key to Last Issue's Puzzle: Whistleblowing
(Filled grid. Across answers legible in the solution: FRAUD, CONFIDENTIAL, ATTESTATION, RETALIATION, NEED TO KNOW, FORENSIC.)

Subscription Form

Yes! Please send me one year of SARBOX ALERT at the SPECIAL RATE of $495.
Name / Title / Organization / Address / City / State / Zip Code / Phone / Fax / E-mail (required)
Payment: Payment enclosed, or Charge my: Mastercard, Visa, American Express, Discover (Account Number, Expiration Date, Signature)
Make all checks payable to RiskCenter, LLC. Client agrees to pay any and all applicable sales tax.

To advertise in SARBOX ALERT, or for group subscriptions, contact Igor Lamser at 212.825.1525 or

Suggestions for additional coverage are always welcome. In fact, we encourage it! This is one of the reasons RiskCenter stays on top of market trends. If you have an idea or two on new issues, trends, interview subjects - anything really - in this new market, feel free to jot down your thoughts in the space below. We will likely take your suggestions to heart. Use the space below or send us an email at feedback@riskcenter.com. Thank you in advance for your comments. - The Editor

Comments:

SARBOX ALERT – published by RiskCenter, LLC, 82 Wall Street, Suite 707, New York, NY 10005; phone: 212.825.1525; fax: 212.825.1530; www.riskcenter.com