Sox Ima
- 1. The Institute of Management Accountants
St. Louis Chapter
SOX LESSONS LEARNED
September 20, 2011
1050 N. Lindbergh Blvd. | St. Louis, Missouri 63132 | 314.983.1200
1551 Wall St., Ste. 280 | St. Charles, Missouri 63303 | 636.255.3000
1000 Broadway, Ste. 300 | Highland, IL 62249
888.279.2792 | www.bswllc.com © 2011 Brown Smith Wallace All Rights Reserved
- 3. Agenda
SOX Background
Internal Control
2010 Sarbanes-Oxley Compliance Survey
Recent Research
Steps to Achieve SOX Efficiency
Integrating SOX & ERM
- 5. Refresher
Sarbanes-Oxley Act of 2002
Signed into law July 30, 2002
Passed in response to financial scandals – Enron, WorldCom, etc.
Purpose - protect investors by improving the accuracy and reliability of
corporate disclosures made pursuant to the securities laws, and for other
purposes.
Administered by the Securities and Exchange Commission (SEC), which
deals with compliance, rules and requirements.
Created a new agency, the Public Company Accounting Oversight Board
(PCAOB) which is in charge of overseeing, regulating, inspecting, and
disciplining accounting firms in their roles as auditors of public companies.
- 6. Refresher
Key Sections of the Act
201 – Prohibited Auditor Activities
302 – CEO/CFO Responsibilities
404 – Assessment of Controls
409 – Real Time Disclosure
802 – Penalties for altering documents
806 – Whistleblower Protection
807 – Penalties - Fraud
- 7. Section 404
Required the SEC to develop and publish rules for a
management assessment of Internal Controls over Financial
Reporting (ICFR).
SEC rules completed in June 2003.
Updated in June 2007:
Removed the requirement for the external auditor to assess management's process for
assessing the system of ICFR.
Revised the definitions of significant deficiency and material weakness.
The PCAOB followed with AS 2, approved by the SEC in June 2004, which was then
replaced by AS 5 (adopted by the PCAOB in May 2007 and approved by the SEC in July 2007).
- 8. Section 404
SEC Rules and PCAOB standard require that:
Management perform a formal assessment of controls over financial
reporting, including tests that confirm the design and operating
effectiveness of controls.
Management include in its annual report on Form 10-K an assessment of
ICFR.
The external auditors provide two opinions as part of a single integrated
audit of the company:
An independent opinion on the effectiveness of the system of ICFR.
The traditional opinion on the financial statements.
- 9. Section 404
Management’s assessment:
Management is responsible for the system of internal control.
Not the internal or external auditor
Responsibility of the CEO, CFO and senior executive team.
The assessment must be made using a recognized internal control
framework.
Most U.S. companies have used the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework.
Some use Control Objectives for Information and related Technology (COBIT)
framework as a supplement to COSO for IT controls.
The assessment is annual and as of year-end.
The external auditor must perform specified work (AS 5) in relation to
management’s assessment.
- 11. What is an Effective System Per 404?
Scope and quality of management’s identification, assessment,
and testing of key controls is sufficient to address all major
risks to the integrity of the financial statements.
No material weaknesses are identified.
- 12. Who is Responsible?
Sections 302 and 404 make it clear that management –
specifically the CEO and CFO – is responsible for the adequacy
of internal controls.
Oversight is provided by the Audit Committee.
Leadership is normally provided by the CFO.
Internal Audit provides much of the support.
- 13. 2010 Sarbanes-Oxley Compliance Survey
- 14. 2010 SOX Survey
Conducted by Protiviti.
Surveyed 400 executives and professionals.
All industry segments represented.
Major findings:
The cost of SOX compliance is down 50% when compared to year 1 costs.
Most respondents indicated benefits now exceed costs.
Most respondents believe external audit costs would decrease by as much
as 30% if SOX were no longer required.
Nearly half perform all of their SOX compliance work in-house.
Outsourcing of SOX is highest during the initial years of compliance and falls
steadily as an organization gains experience and confidence in its SOX
compliance process.
- 15. 2010 SOX Survey
Internal audit has the primary responsibility for SOX compliance, followed
by executive management and the audit committee. In larger
organizations, process owners and a project management organization
(PMO) play an important role.
SOX compliance program has matured across many organizations and has
become more sustainable; consequently, reliance by external audits on SOX
work performed internally has increased.
There are opportunities to automate more controls. Nearly 40% of
respondents have only automated 20%-50% of their controls.
Most respondents indicated they have minimal plans to automate additional
controls.
The use of a risk-based testing approach, establishing process owner
accountability and maximizing lessons learned from previous years/peers
were employed by a majority of organizations.
- 16. 2010 SOX Survey
Key inefficiencies that exist in many companies include:
High dependency on spreadsheets for data accumulation to record accounting
transactions, prepare manual journal entries or support financial disclosures.
General ledger close-cycle exceeding five days.
Majority of respondents reported that regardless of market capitalization,
public companies should not be exempt from Section 404(a) compliance.
- 18. Recent Research
Article in the September 2011 issue of the Journal of
Accountancy titled “Highlights of Corporate Governance
Research” points related to post-SOX implementation:
Companies with adverse 404 opinions had CFOs with weaker accounting
qualifications and were more likely to receive better SOX 404 opinions after
hiring new CFOs with more accounting knowledge.
The audit committee is more involved:
Meet with auditors over 6 times per year compared to 2-3 times per year before
SOX.
Auditors report more questions and discussions of accounting and auditing issues.
Independence and expertise have increased.
Internal auditor now reports more frequently to the Audit Committee.
Management certification has had a positive impact on the integrity of
financial statements.
- 19. Steps to Achieve SOX Efficiency
- 21. Efficiency
1. Operating management must take ownership of their
processes and documentation.
2. Operating management must update all processes and
control documentation promptly throughout the year as
changes occur.
3. A change management process must be in place that
includes a timely assessment of process changes for their
impact on key controls.
4. Operating management must be committed to assess and
remediate all control deficiencies promptly.
- 22. Efficiency
5. The fewer the controls to test, the lower the cost. A top
down, risk-based approach should be used to identify key
controls.
Management must be confident that the identified key controls are truly key.
The design of the related processes should be reviewed to determine if
changes can result in fewer and more effective controls.
Rely more on automated controls or on high-level controls (continuous
monitoring, detailed reconciliations, etc.)
- 23. Efficiency
6. Management of the Section 404 program should be at a high
level within the organization to:
Influence operating management relative to completion of their
responsibilities.
Communicate effectively with executive management on progress and
potential issues.
Negotiate as needed with the external auditor to:
Increase reliance on management testing.
Agree on key controls early.
Address concerns as they arise.
- 24. Efficiency
7. Optimize the use of internal resources (internal auditors) to
perform testing or to validate testing performed by
management.
8. Work to optimize reliance of external auditor on
management testing.
9. Ensure the external auditor is following a top-down, risk
based approach as required by AS 5.
- 25. Efficiency
10. Create a detailed project plan that:
Includes a walk-through of all significant processes early in the year.
Ensures all key controls are tested by mid-year, with additional testing to
update the results scheduled closer to year-end.
Includes all key activities required to complete the project, such as fraud
risk assessment, consideration of IT issues, assessment of SAS 70 (now SSAE
16) reports from service providers, etc.
Details all required resources, including specialists, so they can be
scheduled early.
Includes regular reporting to senior management that focuses on key
metrics and issues.
- 26. Efficiency
11. Communicate and coordinate with all service providers to
ensure that a SAS 70 (now SSAE 16) report will be available at
the appropriate time and that early warning is provided of
potential issues identified during the service auditor's examination.
12. Assess the Section 404 program for effectiveness on a
continuing basis to ensure it is improved as the organization
learns from experience and benefits from changes in
regulations and interpretations.
- 27. Integrating SOX & ERM
- 28. ERM Defined
ERM = Enterprise Risk Management
ERM is a continuous process that identifies, mitigates, and
monitors potential events that create uncertainty for an
organization's achievement of its objectives.
- 29. The Link Between SOX & ERM
Investments in SOX compliance can be leveraged.
Attention to control issues provides a foundation for
enterprise risk efforts.
SOX focus is on financial reporting risk. ERM goes further to
focus on the following objectives:
Strategic – high-level goals supporting the organization’s mission and
vision.
Operations – effective and efficient use of resources.
Reporting – reliable reports (not just financial).
Compliance – compliance with laws and regulations.
- 30. Q&A
- 31. Ron Steinkamp, CPA, CIA, CFE
Principal, Risk Advisory Services
Brown Smith Wallace LLC
314.983.1238 Direct
314.302.1382 Cell
rsteinkamp@bswllc.com
1050 N. Lindbergh Blvd. | St. Louis, MO 63132
www.bswllc.com