The Institute of Management Accountants
St. Louis Chapter

SOX LESSONS LEARNED
September 20, 2011

1050 N. Lindbergh Blvd. | St. Louis, Missouri 63132 | 314.983.1200
1551 Wall St., Ste. 280 | St. Charles, Missouri 63303 | 636.255.3000
1000 Broadway, Ste. 300 | Highland, IL 62249
888.279.2792 | www.bswllc.com
© 2011 Brown Smith Wallace All Rights Reserved
Agenda

- SOX Background
- Internal Control
- 2010 Sarbanes-Oxley Compliance Survey
- Recent Research
- Steps to Achieve SOX Efficiency
- Integrating SOX & ERM

SOX Background




Refresher

- Sarbanes-Oxley Act of 2002
  - Enacted January 23, 2002.
  - Passed in response to financial scandals – Enron, WorldCom, etc.
  - Purpose: protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
  - Administered by the Securities and Exchange Commission (SEC), which deals with compliance, rules and requirements.
  - Created a new agency, the Public Company Accounting Oversight Board (PCAOB), which is in charge of overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.

Refresher

- Key Sections of the Act
  - 201 – Prohibited Auditor Activities
  - 302 – CEO/CFO Responsibilities
  - 404 – Assessment of Controls
  - 409 – Real Time Disclosure
  - 802 – Penalties for Altering Documents
  - 806 – Whistleblower Protection
  - 807 – Penalties for Fraud

Section 404

- Required the SEC to develop and publish rules for a management assessment of Internal Controls over Financial Reporting (ICFR).
  - Completed in June 2003.
  - Updated in June 2007:
    - Removed the requirement for the external auditor to assess management’s process for assessing the system of ICFR.
    - Revised the definitions of significant deficiency and material weakness.
- The PCAOB followed with AS 2, approved by the SEC in June 2004 and then replaced by AS 5 in March 2007.

Section 404

- SEC rules and the PCAOB standard require that:
  - Management perform a formal assessment of controls over financial reporting, including tests that confirm the design and operating effectiveness of controls.
  - Management include in its annual report on Form 10-K an assessment of ICFR.
  - The external auditors provide two opinions as part of a single integrated audit of the company:
    - An independent opinion on the effectiveness of the system of ICFR.
    - The traditional opinion on the financial statements.

Section 404

- Management’s assessment:
  - Management is responsible for the system of internal control.
    - Not the internal or external auditor.
    - Responsibility of the CEO, CFO and senior executive team.
  - The assessment must be made using a recognized internal control framework.
    - Most U.S. companies have used the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.
    - Some use the Control Objectives for Information and related Technology (COBIT) framework as a supplement to COSO for IT controls.
  - The assessment is annual and as of year-end.
  - The external auditor must perform specified work (AS 5) in relation to management’s assessment.

Internal Control




What is an Effective System Per 404?

- The scope and quality of management’s identification, assessment, and testing of key controls is sufficient to address all major risks to the integrity of the financial statements.
- No material weaknesses are identified.

Who is Responsible?

- Sections 302 and 404 make it clear that management – specifically the CEO and CFO – is responsible for the adequacy of internal controls.
- Oversight is provided by the Audit Committee.
- Leadership is normally provided by the CFO.
- Internal Audit provides much of the support.

2010 Sarbanes-Oxley Compliance Survey


2010 SOX Survey

- Conducted by Protiviti.
  - Surveyed 400 executives and professionals.
  - All industry segments represented.
- Major findings:
  - The cost of SOX compliance is down 50% when compared to year 1 costs.
  - Most respondents indicated benefits now exceed costs.
  - Most respondents believe external audit costs would decrease by as much as 30% if SOX were no longer required.
  - Nearly half perform all of their SOX compliance work in-house.
  - Outsourcing of SOX is highest during the initial years of compliance and falls steadily as an organization gains experience and confidence in its SOX compliance process.

2010 SOX Survey

- Internal audit has the primary responsibility for SOX compliance, followed by executive management and the audit committee. In larger organizations, process owners and a project management organization (PMO) play an important role.
- The SOX compliance program has matured across many organizations and has become more sustainable; consequently, reliance by external auditors on SOX work performed internally has increased.
- There are opportunities to automate more controls. Nearly 40% of respondents have only automated 20%-50% of their controls.
- Most respondents indicated they have minimal plans to automate additional controls.
- A risk-based testing approach, process owner accountability and maximizing lessons learned from previous years/peers were employed by a majority of organizations.

2010 SOX Survey

- Key inefficiencies that exist in many companies include:
  - High dependency on spreadsheets for data accumulation to record accounting transactions, prepare manual journal entries or support financial disclosures.
  - General ledger close cycle exceeding five days.
- A majority of respondents reported that, regardless of market capitalization, public companies should not be exempt from Section 404(a) compliance.

Recent Research




Recent Research

An article in the September 2011 issue of the Journal of Accountancy titled “Highlights of Corporate Governance Research” makes the following points related to post-SOX implementation:

- Companies with adverse 404 opinions had CFOs with weaker accounting qualifications and were more likely to receive better SOX 404 opinions after hiring new CFOs with more accounting knowledge.
- The audit committee is more involved:
  - Meets with auditors over 6 times per year, compared to 2-3 times per year before SOX.
  - Auditors report more questions and discussions of accounting and auditing issues.
  - Independence and expertise have increased.
  - The internal auditor now reports more frequently to the Audit Committee.
- Management certification has had a positive impact on the integrity of financial statements.

Steps to Achieve SOX Efficiency



Efficiency

1. Operating management must take ownership of their processes and documentation.

2. Operating management must update all processes and control documentation promptly throughout the year as changes occur.

3. A change management process must be in place that includes a timely assessment of process changes for their impact on key controls.

4. Operating management must be committed to assessing and remediating all control deficiencies promptly.

Efficiency

5. The fewer the controls to test, the lower the cost. A top-down, risk-based approach should be used to identify key controls.
   - Management must be confident that the identified key controls are truly key.
   - The design of the related processes should be reviewed to determine whether changes can result in fewer and more effective controls.
   - Rely more on automated controls or on high-level controls (continuous monitoring, detailed reconciliations, etc.).

Efficiency

6. Management of the Section 404 program should be at a high level within the organization to:
   - Influence operating management relative to completion of their responsibilities.
   - Communicate effectively with executive management on progress and potential issues.
   - Negotiate as needed with the external auditor to:
     - Increase reliance on management testing.
     - Agree on key controls early.
     - Address concerns as they arise.

Efficiency

7. Optimize the use of internal resources (internal auditors) to perform testing or to validate testing performed by management.

8. Work to optimize the external auditor’s reliance on management testing.

9. Ensure the external auditor is following a top-down, risk-based approach as required by AS 5.

Efficiency

10. Create a detailed project plan that:
    - Includes a walk-through of all significant processes early in the year.
    - Ensures all key controls are tested by mid-year, with additional testing to update the results scheduled closer to year-end.
    - Includes all key activities required to complete the project, such as fraud risk assessment, consideration of IT issues, assessment of SAS 70 (SSAE 16) reports from service providers, etc.
    - Details all required resources, including specialists, so they can be scheduled early.
    - Includes regular reporting to senior management that focuses on key metrics and issues.

Efficiency

11. Communicate and coordinate with all service providers to ensure that a SAS 70 (SSAE 16) report will be available at the appropriate time and that early warning is provided of potential issues identified during the SAS 70 review.

12. Assess the Section 404 program for effectiveness on a continuing basis to ensure it is improved as the organization learns from experience and benefits from changes in regulations and interpretations.

Integrating SOX & ERM



ERM Defined

- ERM = Enterprise Risk Management
- ERM is a continuous process that identifies, mitigates, and monitors potential events that create uncertainty for an organization’s achievement of its objectives.

The Link Between SOX & ERM

- Investments in SOX compliance can be leveraged.
- Attention to control issues provides a foundation for enterprise risk efforts.
- The SOX focus is on financial reporting risk. ERM goes further to focus on the following objectives:
  - Strategic – high-level goals supporting the organization’s mission and vision.
  - Operations – effective and efficient use of resources.
  - Reporting – reliable reports (not just financial).
  - Compliance – compliance with laws and regulations.

Q&A




Ron Steinkamp, CPA, CIA, CFE
Principal, Risk Advisory Services
Brown Smith Wallace LLC
314.983.1238 Direct
314.302.1382 Cell
rsteinkamp@bswllc.com
1050 N. Lindbergh Blvd. | St. Louis, MO 63132
www.bswllc.com

More Related Content

What's hot

Sox Compliance Presentation
Sox Compliance PresentationSox Compliance Presentation
Sox Compliance PresentationSkye Rogers
 
Sarbanes Oxley Act
Sarbanes Oxley ActSarbanes Oxley Act
Sarbanes Oxley Actles561
 
S O X In Telecom Industry
S O X In  Telecom  IndustryS O X In  Telecom  Industry
S O X In Telecom Industryravindra sharma
 
MMIF Reporting white paper
MMIF Reporting white paper MMIF Reporting white paper
MMIF Reporting white paper Robert McNamara
 
Sarbanes-Oxley Act of 2002-Tairreshel Hill
Sarbanes-Oxley Act of 2002-Tairreshel HillSarbanes-Oxley Act of 2002-Tairreshel Hill
Sarbanes-Oxley Act of 2002-Tairreshel HillTairreshel Hill
 
SEC penalizes investment advisers for compliance failures
SEC penalizes investment advisers for compliance failuresSEC penalizes investment advisers for compliance failures
SEC penalizes investment advisers for compliance failuresAndres Baytelman
 
AICPA Conference Recap - Practical Advice for 2012 Reporting
AICPA Conference Recap - Practical Advice for 2012 ReportingAICPA Conference Recap - Practical Advice for 2012 Reporting
AICPA Conference Recap - Practical Advice for 2012 ReportingMHM (Mayer Hoffman McCann P.C.)
 
Fraudulent reporting in nigeria
Fraudulent reporting in nigeriaFraudulent reporting in nigeria
Fraudulent reporting in nigeriaAlexander Decker
 
Session One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony WongSession One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony Wonganthonywong
 
A Brief Overview of the Sarbanes-Oxley Act
A Brief Overview of the Sarbanes-Oxley ActA Brief Overview of the Sarbanes-Oxley Act
A Brief Overview of the Sarbanes-Oxley ActBergstein Enterprises
 
The sarbanes oxley act of 2002
The sarbanes oxley act of 2002The sarbanes oxley act of 2002
The sarbanes oxley act of 2002Sonali Garwal
 
Fortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-processFortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-processBill Velasco
 
Form internal control
Form internal controlForm internal control
Form internal controlHaryo Utomo
 
sarbanes oxley master file
sarbanes oxley master filesarbanes oxley master file
sarbanes oxley master filecman Kwok
 
Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014
Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014
Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014Visiongain
 

What's hot (20)

Khazi Sox A
Khazi Sox AKhazi Sox A
Khazi Sox A
 
Sox Compliance Presentation
Sox Compliance PresentationSox Compliance Presentation
Sox Compliance Presentation
 
Sarbanes Oxley Act
Sarbanes Oxley ActSarbanes Oxley Act
Sarbanes Oxley Act
 
S O X In Telecom Industry
S O X In  Telecom  IndustryS O X In  Telecom  Industry
S O X In Telecom Industry
 
MMIF Reporting white paper
MMIF Reporting white paper MMIF Reporting white paper
MMIF Reporting white paper
 
Sarbanes-Oxley Act of 2002-Tairreshel Hill
Sarbanes-Oxley Act of 2002-Tairreshel HillSarbanes-Oxley Act of 2002-Tairreshel Hill
Sarbanes-Oxley Act of 2002-Tairreshel Hill
 
Sox compliance services brochure 2013
Sox compliance services brochure 2013Sox compliance services brochure 2013
Sox compliance services brochure 2013
 
SEC penalizes investment advisers for compliance failures
SEC penalizes investment advisers for compliance failuresSEC penalizes investment advisers for compliance failures
SEC penalizes investment advisers for compliance failures
 
AICPA Conference Recap - Practical Advice for 2012 Reporting
AICPA Conference Recap - Practical Advice for 2012 ReportingAICPA Conference Recap - Practical Advice for 2012 Reporting
AICPA Conference Recap - Practical Advice for 2012 Reporting
 
CEO Magazine 09 05
CEO Magazine 09 05CEO Magazine 09 05
CEO Magazine 09 05
 
Sarbanes Oxley Act
Sarbanes Oxley ActSarbanes Oxley Act
Sarbanes Oxley Act
 
Fraudulent reporting in nigeria
Fraudulent reporting in nigeriaFraudulent reporting in nigeria
Fraudulent reporting in nigeria
 
Session One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony WongSession One Forces For Regulatory Change Anthony Wong
Session One Forces For Regulatory Change Anthony Wong
 
A Brief Overview of the Sarbanes-Oxley Act
A Brief Overview of the Sarbanes-Oxley ActA Brief Overview of the Sarbanes-Oxley Act
A Brief Overview of the Sarbanes-Oxley Act
 
The sarbanes oxley act of 2002
The sarbanes oxley act of 2002The sarbanes oxley act of 2002
The sarbanes oxley act of 2002
 
Fortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-processFortifying-the-close-to-disclose-process
Fortifying-the-close-to-disclose-process
 
Form internal control
Form internal controlForm internal control
Form internal control
 
sarbanes oxley master file
sarbanes oxley master filesarbanes oxley master file
sarbanes oxley master file
 
Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014
Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014
Top 20 Military Electro Optical Infrared (EO/IR) Technology Companies 2014
 
Compliance Overview
Compliance OverviewCompliance Overview
Compliance Overview
 

Similar to Sox Ima

1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docx1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docxdrennanmicah
 
SOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationSOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationCIMCON Software
 
CIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software
 
Tip Of The Compliance Iceberg
Tip Of The Compliance IcebergTip Of The Compliance Iceberg
Tip Of The Compliance IcebergDwayne Jorgensen
 
Sarbanes oxley act overview-v4-final v1
Sarbanes oxley act overview-v4-final v1Sarbanes oxley act overview-v4-final v1
Sarbanes oxley act overview-v4-final v1Vijay Kumar C.A.
 
Need For Corporate Governance
Need For Corporate GovernanceNeed For Corporate Governance
Need For Corporate GovernanceDwayne Jorgensen
 
Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002SARVJEET KAUSHAL
 
01 linkage of risk to governance processes
01 linkage of risk to governance processes01 linkage of risk to governance processes
01 linkage of risk to governance processesveritama
 
Introduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance SeminarsIntroduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance SeminarsCorporate Compliance Seminars
 
The Increasing Role of Board Governance and Audit Committees
The Increasing Role of Board Governance and Audit CommitteesThe Increasing Role of Board Governance and Audit Committees
The Increasing Role of Board Governance and Audit Committees4Good.org
 
INTERNAL AUDITING’S ROLE IN SOX
INTERNAL AUDITING’S ROLE IN SOXINTERNAL AUDITING’S ROLE IN SOX
INTERNAL AUDITING’S ROLE IN SOXMahmoud Elbagoury
 
Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013SARVJEET KAUSHAL
 
990025 p executive-summary-final-may20
990025 p executive-summary-final-may20990025 p executive-summary-final-may20
990025 p executive-summary-final-may20Thoriq Rivaldi
 
SOX Compliance for Ireland subsidiaries
SOX Compliance for Ireland subsidiariesSOX Compliance for Ireland subsidiaries
SOX Compliance for Ireland subsidiariesFergal O'Rourke Esq.
 

Similar to Sox Ima (20)

1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docx1Emerging Auditing IssuesByWeek .docx
1Emerging Auditing IssuesByWeek .docx
 
COSO Deck
COSO DeckCOSO Deck
COSO Deck
 
SOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for ImplementationSOX Compliance Checklist Steps for Implementation
SOX Compliance Checklist Steps for Implementation
 
CIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance SolutionsCIMCON Software - SOX Compliance Solutions
CIMCON Software - SOX Compliance Solutions
 
Tip Of The Compliance Iceberg
Tip Of The Compliance IcebergTip Of The Compliance Iceberg
Tip Of The Compliance Iceberg
 
Internal controls & ai ss
Internal controls & ai ssInternal controls & ai ss
Internal controls & ai ss
 
Sarbanes oxley act overview-v4-final v1
Sarbanes oxley act overview-v4-final v1Sarbanes oxley act overview-v4-final v1
Sarbanes oxley act overview-v4-final v1
 
IFC Act White paper
IFC Act White paperIFC Act White paper
IFC Act White paper
 
13 internal controls
13 internal controls13 internal controls
13 internal controls
 
Need For Corporate Governance
Need For Corporate GovernanceNeed For Corporate Governance
Need For Corporate Governance
 
Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002Coso guidance on_monitoring_intro_online1_002
Coso guidance on_monitoring_intro_online1_002
 
Oxley-Act
Oxley-ActOxley-Act
Oxley-Act
 
01 linkage of risk to governance processes
01 linkage of risk to governance processes01 linkage of risk to governance processes
01 linkage of risk to governance processes
 
Introduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance SeminarsIntroduction to COSO 2013 - Corporate Compliance Seminars
Introduction to COSO 2013 - Corporate Compliance Seminars
 
The Increasing Role of Board Governance and Audit Committees
The Increasing Role of Board Governance and Audit CommitteesThe Increasing Role of Board Governance and Audit Committees
The Increasing Role of Board Governance and Audit Committees
 
INTERNAL AUDITING’S ROLE IN SOX
INTERNAL AUDITING’S ROLE IN SOXINTERNAL AUDITING’S ROLE IN SOX
INTERNAL AUDITING’S ROLE IN SOX
 
Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013Coso internal control frameword executive summary_2013
Coso internal control frameword executive summary_2013
 
990025 p executive-summary-final-may20
990025 p executive-summary-final-may20990025 p executive-summary-final-may20
990025 p executive-summary-final-may20
 
SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013SOX 2016 - PART I - COSO 2013
SOX 2016 - PART I - COSO 2013
 
SOX Compliance for Ireland subsidiaries
SOX Compliance for Ireland subsidiariesSOX Compliance for Ireland subsidiaries
SOX Compliance for Ireland subsidiaries
 

Sox Ima

  • 1. The Institute of Management Accountants St. Louis Chapter SOX LESSONS LEARNED September 20, 2011 1050 N. Lindbergh Blvd. | St. Louis, Missouri 63132 | 314.983.1200 1551 Wall St., Ste. 280 | St. Charles, Missouri 63303 | 636.255.3000 1000 Broadway, Ste. 300 | Highland, IL 62249 888.279.2792 | www.bswllc.com © 2011 Brown Smith Wallace All Rights Reserved
  • 2. © 2011 Brown Smith Wallace All Rights Reserved 1
  • 3. Agenda  SOX Background  Internal Control  2010 Sarbanes-Oxley Compliance Survey  Recent Research  Steps to Achieve SOX Efficiency  Integrating SOX & ERM © 2011 Brown Smith Wallace All Rights Reserved 2
  • 4. SOX Background © 2011 Brown Smith Wallace All Rights Reserved 3
  • 5. Refresher  Sarbanes-Oxley Act of 2002  Enacted January 23, 2002  Passed in response to financial scandals – Enron, WorldCom, etc.  Purpose - protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.  Administered by the Securities and Exchange Commission (SEC), which deals with compliance, rules and requirements.  Created a new agency, the Public Company Accounting Oversight Board (PCAOB) which is in charge of overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. © 2011 Brown Smith Wallace All Rights Reserved 4
  • 6. Refresher  Key Sections of the Act  201 – Prohibited Auditor Activities  302 – CEO/CFO Responsibilities  404 – Assessment of Controls  409 – Real Time Disclosure  802 – Penalties for altering documents  806 – Whistleblower Protection  807 – Penalties - Fraud © 2011 Brown Smith Wallace All Rights Reserved 5
  • 7. Section 404  Required the SEC to develop and publish rules for a management assessment of Internal Controls over Financial Reporting (ICFR).  Completed in June 2003.  Updated in June 2007.  Removed the requirement for external auditor to assess management’s process for assessing the system of ICFR.  Revised the definitions of significant deficiency and material weakness.  PCAOB followed with AS 2 approved by the SEC in June 2004 and then replaced with AS 5 in March 2007. © 2011 Brown Smith Wallace All Rights Reserved 6
  • 8. Section 404  SEC Rules and PCAOB standard require that:  Management perform a formal assessment of controls over financial reporting, including tests that confirm the design and operating effectiveness of controls.  Management include in its annual report on Form 10-K an assessment of ICFR.  The external auditors provide two opinions as part of a single integrated audit of the company:  An independent opinion on the effectiveness of the system of ICFR.  The traditional opinion on the financial statements. © 2011 Brown Smith Wallace All Rights Reserved 7
  • 9. Section 404  Management’s assessment:  Management is responsible for the system of internal control.  Not the internal or external auditor  Responsibility of the CEO, CFO and senior executive team.  The assessment must be made using a recognized internal control framework.  Most U.S. companies have used the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.  Some use Control Objectives for Information and related Technology (COBIT) framework as a supplement to COSO for IT controls.  The assessment is annual and as of year-end.  The external auditor must perform specified work (AS 5) in relation to management’s assessment. © 2011 Brown Smith Wallace All Rights Reserved 8
  • 10. Internal Control © 2011 Brown Smith Wallace All Rights Reserved 9
  • 11. What is an Effective System Per 404?  Scope and quality of management’s identification, assessment, and testing of key controls is sufficient to address all major risks to the integrity of the financial statements.  No material weaknesses are identified. © 2011 Brown Smith Wallace All Rights Reserved 10
  • 12. Who is Responsible?  Sections 302 and 404 make it clear that management – specifically the CEO and CFO – is responsible for the adequacy of internal controls.  Oversight is provided by the Audit Committee.  Leadership is normally provided by the CFO.  Internal Audit provides much of the support. © 2011 Brown Smith Wallace All Rights Reserved 11
  • 13. 2010 Sarbanes- Oxley Compliance Survey © 2011 Brown Smith Wallace All Rights Reserved 12
  • 14. 2010 SOX Survey  Conducted by Protivti.  Surveyed 400 executives and professionals.  All industry segments represented.  Major findings:  The cost of SOX compliance is down 50% when compared to year 1 costs.  Most respondents indicated benefits now exceed costs.  Most respondents believe external audit costs would decrease by as much as 30% if SOX was no longer required.  Nearly half perform all of their SOX compliance work in-house.  Outsourcing of SOX is highest during the initial years of compliance and falls steadily as an organization gains experience and confidence in its SOX compliance process. © 2011 Brown Smith Wallace All Rights Reserved 13
  • 15. 2010 SOX Survey  Internal audit has the primary responsibility for SOX compliance, followed by executive management and the audit committee. In larger organizations, process owners and a project management organization (PMO) play an important role.  SOX compliance program has matured across many organizations and has become more sustainable; consequently, reliance by external audits on SOX work performed internally has increased.  There are opportunities to automate more controls. Nearly 40% of respondents have only automated 20%-50% of their controls.  Most respondents indicated they have minimal plans to automate additional controls.  The use of a risk-based testing approach, establishing process owner accountability and maximizing lessons learned from previous years/peers were employed by a majority of organizations. © 2011 Brown Smith Wallace All Rights Reserved 14
• 16. 2010 SOX Survey
  - Key inefficiencies that exist in many companies include:
    - High dependency on spreadsheets for data accumulation to record accounting transactions, prepare manual journal entries or support financial disclosures.
    - General ledger close cycle exceeding five days.
  - A majority of respondents reported that, regardless of market capitalization, public companies should not be exempt from Section 404(a) compliance.
• 17. Recent Research
• 18. Recent Research
  An article in the September 2011 issue of the Journal of Accountancy, “Highlights of Corporate Governance Research”, makes the following points about post-SOX implementation:
  - Companies with adverse 404 opinions had CFOs with weaker accounting qualifications and were more likely to receive better SOX 404 opinions after hiring new CFOs with more accounting knowledge.
  - The audit committee is more involved:
    - Meets with auditors over 6 times per year, compared to 2-3 times per year before SOX.
    - Auditors report more questions and discussions of accounting and auditing issues.
    - Independence and expertise have increased.
  - Internal audit now reports more frequently to the Audit Committee.
  - Management certification has had a positive impact on the integrity of financial statements.
• 19. Steps to Achieve SOX Efficiency
• 21. Efficiency
  1. Operating management must take ownership of their processes and documentation.
  2. Operating management must update all process and control documentation promptly throughout the year as changes occur.
  3. A change management process must be in place that includes a timely assessment of process changes for their impact on key controls.
  4. Operating management must be committed to assessing and remediating all control deficiencies promptly.
• 22. Efficiency
  5. The fewer the controls to test, the lower the cost. A top-down, risk-based approach should be used to identify key controls.
    - Management must be confident that identified key controls are truly key.
    - The design of the related processes should be reviewed to determine if changes can result in fewer and more effective controls.
    - Rely more on automated controls or on high-level controls (continuous monitoring, detailed reconciliations, etc.).
• 23. Efficiency
  6. Management of the Section 404 program should be at a high level within the organization to:
    - Influence operating management relative to completion of their responsibilities.
    - Communicate effectively with executive management on progress and potential issues.
    - Negotiate as needed with the external auditor to:
      - Increase reliance on management testing.
      - Agree on key controls early.
      - Address concerns as they arise.
• 24. Efficiency
  7. Optimize the use of internal resources (internal auditors) to perform testing or to validate testing performed by management.
  8. Work to optimize the external auditor's reliance on management testing.
  9. Ensure the external auditor is following a top-down, risk-based approach as required by AS 5.
• 25. Efficiency
  10. Create a detailed project plan that:
    - Includes a walk-through of all significant processes early in the year.
    - Ensures all key controls are tested by mid-year, with additional testing to update the results scheduled closer to year-end.
    - Includes all key activities required to complete the project, such as fraud risk assessment, consideration of IT issues, assessment of SAS 70 (SSAE 16) reports from service providers, etc.
    - Details all required resources, including specialists, so they can be scheduled early.
    - Includes regular reporting to senior management that focuses on key metrics and issues.
• 26. Efficiency
  11. Communicate and coordinate with all service providers to ensure that a SAS 70 (SSAE 16) report will be available at the appropriate time and that early warning is provided of potential issues identified during the SAS 70.
  12. Assess the Section 404 program for effectiveness on a continuing basis to ensure it is improved as the organization learns from experience and benefits from changes in regulations and interpretations.
• 27. Integrating SOX & ERM
• 28. ERM Defined
  - ERM = Enterprise Risk Management
  - ERM is a continuous process that identifies, mitigates, and monitors potential events that create uncertainty for an organization's achievement of its objectives.
• 29. The Link Between SOX & ERM
  - Investments in SOX compliance can be leveraged.
  - Attention to control issues provides a foundation for enterprise risk efforts.
  - The SOX focus is on financial reporting risk. ERM goes further to focus on the following objectives:
    - Strategic – high-level goals supporting the organization's mission and vision.
    - Operations – effective and efficient use of resources.
    - Reporting – reliable reports (not just financial).
    - Compliance – compliance with laws and regulations.
• 30. Q&A
• 31. Ron Steinkamp, CPA, CIA, CFE
  Principal, Risk Advisory Services
  Brown Smith Wallace LLC
  314.983.1238 Direct | 314.302.1382 Cell
  rsteinkamp@bswllc.com
  1050 N. Lindbergh Blvd. | St. Louis, MO 63132
  www.bswllc.com