Sarbanes Oxley Section 404 Compliance For IT Managers


SOX-FORUM
For Small & Midsize Publicly Traded Companies
Darcy Soleil CISA, CISSP

Disclaimer

The author of Sarbanes Oxley Section 404 Compliance Tips for IT Managers has written this publication primarily as an educational resource for IT professionals. The author makes no claim that use of this product will assure a successful outcome. The publication should not be considered a complete statement of proper procedures; in particular, it does not replace working with your internal audit or legal department in evaluating and designing your internal control system.

Copyright 2013, Darcy Soleil CISA, CISSP, CEH. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise without written permission from the author. Adobe Acrobat is a registered trademark of Adobe Systems Incorporated in the United States and other countries.

Table of Contents

Chapter 1 Overview
  Who Will Do The Work?
  Where to Begin
  Risk Assessment
  What Are IT Internal Controls
Chapter 2 The New Regulations
  Section 404
  The PCAOB
Chapter 3 Internal Control Framework
  What Is COSO
  COSO For Smaller Companies
  COSO Components
  Other Standards
Chapter 4 Information Systems Controls
  General Controls
  Application Controls
Chapter 5 Evaluating Control Effectiveness
  Internal Control Design
  Section 404 Audits
  Section 404 Compliance Project
  Evaluating Control Design
  Testing Controls
Chapter 6 Documentation
  Documentation Requirements
  Documentation COSO Components
  Documentation Control Evaluations
  Standard Policies & Procedures
Chapter 7 Automation
  Automating IT General Controls
  What to do First
  Section 404 Automation
Chapter 8 EUC End User Computing
Chapter 9 Vendors & Contractors
  Other Vendor & Contractor Policies
Chapter 10 Outsourcing
  Types of Outsourced Services
  SAS 70 Audit Reports
  Software Development
  Provider CMM Certification
  Outsourcing IT Processes
Chapter 11 Ongoing Compliance
  Licensing
  Security
  A Secure Environment
Chapter 12 IT Infrastructure
Chapter 13 Conclusion
Appendix A Titles
Appendix B Articles
Appendix C Resources
Appendix D Maturity Models

Introduction

The second edition of this publication is a result of the author's experience over the last two years with several Sarbanes Oxley compliance projects, the PCAOB's additional guidelines published after the first year of SOX audits, and the new COSO proposed framework for smaller companies. In October, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an exposure draft, Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting. Although as of this writing the guide is still undergoing review, it is likely to be adopted as the standard for SOX compliance involving smaller public companies. The draft is available for download from COSO.

The new COSO guidance provides more direction regarding IT controls than does the original COSO internal control framework. It also makes clear that none of the components of the original framework are eliminated for the smaller firm; the difference is in the way a smaller company implements the framework. Many of the recommendations apply equally to larger companies looking for cost efficient controls.

The Section 404 compliance date for smaller companies has been pushed back twice, but it now appears that the new target date of July 2007 will go ahead as scheduled and there will be no further extensions. The larger public companies, or accelerated filers, have now gone through two rounds of SOX audits and many lessons have been learned regarding the scope of these audits and their costs. The second edition of this publication hopes to shed some light on what those lessons are and how small public companies can benefit.

Chapter 1 Overview

Key Topics: Sarbanes Oxley Section 404; Auditing Fees; CISA

If your company has less than $75 million in public float, the compliance date for Sarbanes Oxley Section 404 is July 15, 2007.

This book is intended for IT managers of small and midsize publicly traded companies (SMBs) as an overview and resource for Section 404 compliance. The compliance date for Section 404 of the Sarbanes Oxley Act of 2002 is July 15, 2007 for companies with less than $75 million in public float (the SEC's threshold for non-accelerated filers). Any financial statements or disclosures filed with the SEC after that date are expected to be in compliance with the new regulations.

Auditing Fees

Because the new auditing standards for Sarbanes Oxley Section 404 require a much more in depth analysis, public companies can expect their auditing fees to increase. How much of an increase will depend on how efficiently companies fulfill the requirements of the new regulations, whether or not auditors can use the work of others, and the complexity of the financial reporting systems. This book attempts to show specific ways IT managers of smaller companies can help reduce auditing fees and facilitate Sarbanes Oxley projects within their departments.

Who Will Do The Work?

The new law requires public companies, large and small, to test their internal controls over financial reporting annually. These tests cover both financial business processes and Information Technology controls. After your company's testing and evaluation of internal controls is completed, independent external auditors will come in and conduct their own tests to determine the effectiveness of internal controls over financial reporting. So you can expect two rounds of testing: one by your organization and one by the external public accounting firm your company employs.

Efficient human resource planning is extremely important for Sarbanes Oxley audits. Not only will auditors be spending more time assessing a company's internal controls, so will your employees. One of the differences between Sarbanes Oxley audits and others you may be familiar with is that they require much more active participation from key process owners. You may be used to filling out audit questionnaires or spending a little time with your company's financial auditors. This will be different. You and some of your staff will probably be required to work directly with auditors in providing documentary evidence, fulfilling requests, being interviewed, demonstrating processes and verifying findings. You will also be required to do these same things with your internal SOX project team.

A lot of money and time can be wasted if resource planning is not efficiently designed. For instance, a member of your test team or the external auditor requests a meeting with a staff member and for some reason the meeting is cancelled. Or a request is made for a document and the response just sits for a few days because the person responsible has other duties to perform. These delays add up to costs: your internal SOX project team is wasting time and having a negative effect on productivity, and your external auditors are charging you for it. It adds up very quickly.

You will need to balance the needs of the business with the needs of the compliance project. You should also be ready for resistance and complaints from employees if you do not inform them, and review with them, how demanding these new audits will be, why they have to be done, and why everything (documents, screen shot evidence) seems to be asked for twice.

It is a good idea to actually hold meetings to educate your staff on what's coming. An ongoing training seminar about internal controls, audits and Sarbanes Oxley would have a tremendous impact on morale and costs. Also be prepared for confusion and frustration when new controls have to be added or existing controls re-designed. There will be frustration if deficiencies are discovered. People will become defensive and feelings will get hurt. It is important to understand that, like any other cultural change, the pain is inversely proportional to the preparation. Sarbanes Oxley audits can have a far reaching negative effect on many areas of the business if not managed properly.

On the upside, there are many benefits that can be realized from these audits. Automated solutions that make human labor easier, and automated solutions that enhance internal controls and make them stronger, will probably be considered. Usually these audits do result in purchases of some kind of automated system. Communications and the relationship between the business and IT are usually improved. There is a better understanding of the importance and benefit that well designed internal controls provide. Processes you wanted to automate but could not justify the cost of now seem very attractive and cost efficient to management when their implementation provides an offset to future audit expenditures. IT managers should take this opportunity during the audits to innovate and implement best practices. Streamline your operations and improve productivity. Training programs that once were impossible to offer employees now become necessary. Skill levels improve and contribute further to a well managed operation. All of these things are possible if you emphasize the positive rather than the negative of Sarbanes Oxley testing.

The amount or scope of testing performed by your external auditor will vary. The more testing external auditors have to conduct themselves, the more it is going to cost the company. There are ways to decrease the amount of time external auditors will spend testing and evaluating internal controls and defray some of the compliance costs. First, an understanding must be acquired regarding the importance of independence and competency of those company employees who will conduct the tests. The actual testing and evaluation of the Business and IT controls should be completed by someone independent of those two functions, either someone employed by the company or an outside consultant.

This individual (or individuals) should be able to demonstrate their expertise and competency to perform the testing. Although the PCAOB standard contains no explicit requirement to this effect, the reality is that the less competent the person performing the tests, the more testing the external auditor will conduct, because the auditor will not be permitted to use that person's work. On the other hand, if you have independent and competent individuals performing the work, your external auditor will be able to use some of that work and will not have to directly test certain controls themselves. This means they will spend fewer hours testing, which translates into decreased auditing costs. The point is the ability of your external auditor to use the testing results of your company's internal team in lieu of conducting their own tests. External auditors will assess the competency level of your evaluators through interviews with them. They will also request resumes for all those involved in testing the company's controls. This information will then be used by the external auditor to determine how much direct testing they will actually do.

If your company is listed on the NYSE, its listing standards require that you have an internal audit function. If you list on NASDAQ it is not required. Internal audit, finance/accounting and Information Technology will be the primary players in the SOX 404 compliance project. Most often internal audit will be the project lead, with the other two functions working together providing information and testing evidence. The internal audit staff may include an individual who is certified to conduct IT related audits. These individuals usually hold one of the following designations: Certified Information Systems Auditor (CISA), Certified Information Technology Professional (CITP), Certified Internal Auditor (CIA) or Certified Information Systems Security Professional (CISSP). CIAs may or may not have the knowledge needed to test IT systems, as they are primarily responsible for the financial accounting realm. Individuals with a CISA designation have been specifically trained to audit computer information systems. Many have backgrounds as programmers, DBAs or network administrators. They are experts in IT internal control systems.

Companies without internal audit departments, or with no qualified staff to handle IT controls testing, should consider hiring an outside consultant (CISA, CISSP or other qualified individual) to help with the work. Your external auditor is largely prohibited from advising on or designing controls; company management is responsible for this. This is one of the elements inherent in the Sarbanes Oxley legislation.

There is also an element of independence regarding external auditors. Although companies usually rely on their external auditors for guidance regarding issues with financial reporting, there are restrictions regarding the use of your external auditor's services. Auditor independence must be maintained.

32. Independence. The applicable requirements of independence are largely predicated on four basic principles: (1) an auditor must not act as management or as an employee of the audit client, (2) an auditor must not audit his or her own work, (3) an auditor must not serve in a position of being an advocate for his or her client, and (4) an auditor must not have mutual or conflicting interests with his or her audit client. If the auditor were to design or implement controls, that situation would place the auditor in a management role and result in the auditor auditing his or her own work. These requirements, however, do not preclude the auditor from making substantive recommendations as to how management may improve the design or operation of the company's internal controls as a by-product of an audit.

33. The auditor must not accept an engagement to provide internal control-related services to an issuer for which the auditor also audits the financial statements unless that engagement has been specifically pre-approved by the audit committee. For any internal control services the auditor provides, management must be actively involved and cannot delegate responsibility for these matters to the auditor. Management's involvement must be substantive and extensive. Management's acceptance of responsibility for documentation and testing performed by the auditor does not by itself satisfy the independence requirements. [1]

When Section 404 goes into effect, auditors will be required to take a more hands on approach when conducting an audit. In most instances they can no longer simply rely on information provided to them by the company as they have done in the past. Auditors must actually test and evaluate internal controls themselves. This excerpt from the PCAOB auditing standard makes clear the enormous change from previous audit requirements.

79. Performing Walkthroughs. The auditor should perform at least one walkthrough for each major class of transactions (as identified in paragraph 71). In a walkthrough, the auditor traces a transaction from origination through the company's information systems until it is reflected in the company's financial reports.

81. While performing a walkthrough, the auditor should evaluate the quality of the evidence obtained and perform walkthrough procedures that produce a level of evidence consistent with the objectives listed in paragraph 79. Rather than reviewing copies of documents and making inquiries of a single person at the company, the auditor should follow the process flow of actual transactions using the same documents and information technology that company personnel use and make inquiries of relevant personnel involved in significant aspects of the process or controls. To corroborate information at various points in the walkthrough, the auditor might ask personnel to describe their understanding of the previous and succeeding processing or control activities and to demonstrate what they do. In addition, inquiries should include follow-up questions that could help identify the abuse of controls or indicators of fraud. Examples of follow-up inquiries include asking personnel:

What they do when they find an error or what they are looking for to determine if there is an error (rather than simply asking them if they perform listed procedures and controls); what kind of errors they have found; what happened as a result of finding the errors, and how the errors were resolved. If the person being interviewed has never found an error, the auditor should evaluate whether that situation is due to good preventive controls or whether the individual performing the control lacks the necessary skills.

Whether they have ever been asked to override the process or controls, and if so, to describe the situation, why it occurred, and what happened. [2]

Where to Begin

Start by developing your compliance project plan. The first step is to scope the project. If you have an internal audit department, they will have worked with IT management and Finance/Accounting to develop this plan. They begin by identifying the systems (operating systems, applications, databases, and end user programs such as spreadsheets and desktop databases) that are involved in the company's financial reporting process and mapping them to significant financial/business processes. Most small companies do not have an internal audit department, so SOX project management usually ends up in Finance/Accounting. IT management is included as part of the project team along with internal evaluators or independent consultants. This phase of the plan usually has IT and Accounting working together to identify those components.

Risk Assessment

After the systems have been identified, a risk assessment is performed to determine what controls need to be in place to mitigate the risks.

[1] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements [Effective pursuant to SEC Release No. ; File No. PCAOB , June 17, 2004]
[2] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements [Effective pursuant to SEC Release No. ; File No. PCAOB , June 17, 2004]

This step is especially significant in terms of reducing auditing costs. A risk evaluation, if done correctly, can further reduce the amount of testing that needs to be done by both the company and the external auditors. After the first year of SOX audits, the PCAOB issued more guidance to external auditors regarding risk assessment. Many times a risk assessment was not performed, which resulted in over testing of controls, testing the wrong controls, or not testing key controls. This situation greatly increased the costs of the first year SOX audits conducted for the accelerated filers. Realizing this, the PCAOB produced additional guidance advising auditors that a top down, risk based approach should be the basis for identifying key controls.

Normally IT will work with internal audit or accounting/finance on completing the risk assessment. This is usually when the key controls are identified. The risk assessment process is normally judgmental, i.e. a qualitative method that simply ranks each recognized risk as high, medium, or low. Only the controls that mitigate risks rated high will need to be tested. This is one reason the risk assessment is so important: it is an opportunity to reduce costs by decreasing what needs to be tested, and to gain a much better understanding of the interrelationship between IT and the business.

Once risks and key controls are identified, an analysis is conducted to determine whether the design of the key controls currently in place mitigates the risk in an operational and cost effective manner. This is usually called a gap analysis. If the control design is found to be insufficient, the control will be re-worked. If a control is missing, it will have to be designed, implemented and evaluated. There are various information technology risk assessment frameworks and methodologies that can be used to assess the types of risk specific to information systems, such as OCTAVE, the NIST publications and COBIT. A listing is provided in Appendix C of this publication. Understanding the relationship between high level risks and internal controls is the key to creating an efficient and cost effective Sarbanes Oxley compliance process.

What Are IT Internal Controls

One of the easiest ways to understand what is meant by the term internal control is to refer to recognized standards for IT controls, best practices and processes. These standards can also provide a starting place for designing controls that are considered critical and do not currently exist in your organization.

Many of the standards were created out of a need to address the methodological problems facing the new and rapidly developing technology industry in the 1990s. Using these standards and leveraging the technology you already have in place will help facilitate your compliance efforts. Adopting a set of standards doesn't have to lead to the inflexible environment often feared by IT professionals. The standards represent best practices in all areas of information technology. Many of them focus on information technology internal control systems and provide a recognized framework that can be used to evaluate and develop your own internal controls.

Of course there will be changes and adjustments to your IT processes. The amount of adjusting will depend on what you currently have in place in terms of an internal control system. If you have very few formalized internal controls, a sizable adjustment to how things are currently done in your department might be required. On the other hand, departments that have already instituted certain internal control systems, for instance RUP for the SDLC, an attained CMM level 3, or an implemented COBIT or ITIL framework, will find compliance to be less of a burden. Throughout the book references are made to various IT internal control and security standards such as COSO, CIS, IEEE, CERT, ISO 9000 and ISO 17799, COBIT, ITIL, SEI CMM, CMMI and BS 7799. One of the goals of this book is to identify resources the IT manager can refer to and use as guidance for establishing and evaluating their department's internal control system. All of the above mentioned standards provide guidelines representing best practices for information technology management and should be considered regardless of the new regulations. If, after the risk assessment is completed, it is found that controls are missing and need to be designed and implemented, these standards can help you in developing them.

Whether you are working with external consultants or your own internal audit department, you should become familiar with the COSO and COBIT frameworks if you aren't already. Almost all companies are mapping the COSO internal control framework to the COBIT framework. The new COSO guidance for smaller companies can also provide some strategies for designing and implementing an Information Technology control framework.

The new regulations require that your company's top-level management take responsibility for establishing and implementing a system of internal controls over financial reporting and then certifying the reliability of financial reports. In addition, management must declare in their Internal Control Report, which is filed with their annual report to the SEC, what internal control framework was used to evaluate internal control effectiveness.

Without a stable and efficient information technology infrastructure, accomplishing the level of reliability required by the new regulations will be impossible. Underestimating the role of the company's IT department in the compliance effort is not a good idea. Another goal of this book is to show IT managers how they can leverage existing technologies already in place and use them in different ways to comply with Sarbanes Oxley Section 404, at least initially.

Note: In the future, as efficiencies evolve, you'll want to migrate away from this approach toward more automated solutions. The more your internal control system is automated, the less you'll pay in auditing fees.

For example, information systems aren't always configured with their full functionality enabled. Whether this is a deliberate decision or because no one is aware of the additional functionality, situations like these offer opportunities to comply and save money by simply turning on the unused functionality, for instance logging and auditing of internal security events. Additional functionality can sometimes be found in modules the software manufacturer has available. You are encouraged to research whether the vendor of an application or system you already own offers tools that can be used for compliance with Sarbanes Oxley Section 404.

For some, compliance will be an ongoing effort of continuous improvement over time, whereby automated controls gradually replace manual controls. For others, Section 404 compliance will be relatively simple and may not require an all out revamp of the internal control system. A lot will depend on the complexity of the business and the complexity of the information systems that support the business processes. The key IT General Controls that were identified and tested this year will be tested again next year and in the years going forward. As the business changes, new controls will be added to the control matrix and old ones discarded. Eventually Sarbanes Oxley compliance will become a process, internalized as another business function, rather than a project. Whatever the case, it is important to understand that Sarbanes Oxley Section 404 is not just a bunch of recommendations or an idealistic vision for the future, but a body of new law with which companies are required to comply.

Chapter 2 The New Regulations

Key Topics: SEC; PCAOB; ICR; Section 404

Compliance with Section 404 of the Sarbanes Oxley Act is not just about documenting internal controls.

The Public Company Accounting Reform and Investor Protection Act, commonly known as the Sarbanes Oxley Act of 2002, mandates new regulations for publicly traded companies. The act contains 11 titles and covers corporate governance standards, new auditing rules and stricter requirements for processes associated with financial reporting (see Appendix A for a listing of the titles). Under Section 404, CEOs and CFOs are required to attest to the effectiveness of their company's internal controls over financial reporting. Along with the usual annual SEC filings, an Internal Control Report (ICR) must be filed and signed by the CEO and CFO stating that the internal controls over financial reporting are effective and financial reports are reliable. Links to a complete copy of the Sarbanes Oxley Act and the final rulings, with the latest news, can be found on the Securities and Exchange Commission's website under the laws and regulations pages.

The Sarbanes Oxley Act of 2002 was created to restore investor confidence and to protect investors from unsound and fraudulent business practices. One way of looking at the act is in terms of what it is intended to do: mitigate the risks for individuals investing in public companies. It intends to accomplish this through mandates that strengthen internal checks and balances, thereby creating a business environment that is not only more efficient but also reliable in terms of financial reporting. It is important to understand that compliance is not just establishing and documenting your internal control structure, as so many managers I've talked to seem to believe.

The new rules require not just the establishment and documentation of a company wide internal control system over financial reporting, but that you assess the risks, document, test, evaluate and monitor your internal controls and assess their effectiveness. In addition, evidence must be supplied to auditors that this is indeed the case. Half hearted attempts at compliance will not work. It won't matter how much documentation you have if the rest of the compliance requirements are not met. If your company's C-level executives cannot provide a valid basis for their assessment of the internal control structure, the company will fail the audit. You must provide evidence that policies and procedures are being followed and that documented controls over financial reporting actually exist and work correctly.

The consequences of non-compliance, or of a negative auditor opinion regarding the effectiveness of your company's internal controls, include a filing that discloses a weakness in internal control. Your company's reputation in terms of efficiency and competence will come under scrutiny, and this will very likely have a negative effect on the price of the company's stock. The act also established harsher penalties, with longer prison sentences and larger fines where fraud is involved. If a company has to restate its earnings with an amended filing of financial statements, the reason for doing so might result in some jail time.

This booklet focuses on two areas: Section 404 of the Sarbanes Oxley Act, Management Assessment of Internal Controls, and PCAOB Auditing Standard No. 2, released by the PCAOB in June 2004.

Section 404

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. [3]

Sarbanes Oxley Section 404 requires corporate executives, CEOs and CFOs, to be directly responsible for establishing, evaluating and monitoring the effectiveness of their company's internal controls over financial reporting. There are various penalties these individuals can incur if management's attestation is found to be deliberately fraudulent, and serious consequences if the external auditor's opinion does not agree with management's.

It is the evidence of the effectiveness of internal controls that presents the greatest challenge for many SMBs. If you have no ongoing program to test your internal controls, evaluate their effectiveness or monitor controls, you will be focusing a good deal of your efforts in these areas. For most companies the IT department and the technology it supports will be fundamental to achieving compliance.

How does this mandate over internal controls affect IT departments? Financial reporting processes are, for the most part, dependent upon IT systems. These systems are involved in the initiating, recording, processing and reporting of financial transactions. They are tied to the overall financial reporting process and will be assessed for compliance with Sarbanes Oxley Section 404. The IT department will be responsible for various internal control processes related to IT functions such as the design, documentation, implementation, testing, monitoring and maintenance of IT internal controls related to financial reporting.

Most IT departments of publicly traded companies do have internal control systems in place. More often than not system security, access and systems availability are addressed. What is lacking in many cases is formal documentation of these controls and evidence of their effectiveness. In the past companies were only required to provide answers to auditors' questions about internal control structure for annual SEC filings. If you stretched the truth a little about certain procedures you were supposed to have in place but really didn't, now is the time to set things right. When Sarbanes Oxley Section 404 kicks in next year the audits will be quite different. Proof of the existence and effectiveness of your internal controls will have to be provided to auditors.

[3] Title IV, Section 404, Management Assessment of Internal Controls, Sarbanes Oxley Act of 2002

Auditors in some instances will not be allowed to use the work of others as they have in the past. Things such as internal audit department reports and self-assessments may be reviewed but no longer used to evaluate the effectiveness of internal controls. Auditors will actually map critical transactions related to financial reports from initiation to recording and follow the data flows of these transactions through your information systems. They won't just be asking questions or sending questionnaires for you to fill out.

The Public Company Accounting Oversight Board (PCAOB)

The PCAOB auditing standard has made it clear what auditors will be doing when performing a Section 404 audit:

79. Performing Walkthroughs. The auditor should perform at least one walkthrough for each major class of transactions (as identified in paragraph 71). In a walkthrough, the auditor traces a transaction from origination through the company's information systems until it is reflected in the company's financial reports. [4]

The Public Company Accounting Oversight Board, or PCAOB, is the governing agency established by Congress to create auditing standards and rules and to ensure that the firms that audit public companies adhere to the new standards. As the title implies, this organization oversees the activities of others; in this case the others are accounting firms that audit public companies. Any accounting firm that provides this type of service to 100 or more publicly traded companies annually must register with the PCAOB.

As part of Section 404 compliance an auditor must attest to management's evaluation of the effectiveness of internal controls over financial reporting. Auditors are not just analyzing a company's internal control system for compliance and effectiveness but verifying whether or not management has made a correct assessment of the effectiveness of the internal control system. This is an important distinction. According to PCAOB Standard No. 2, the auditor must understand and evaluate management's assessment process.

The PCAOB released its final auditing standards and guidelines for Sarbanes Oxley Section 404 compliance in March of 2004. This standard contains detailed auditing methodology and identifies the focus the new audits should take.

[4] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements [Effective pursuant to SEC Release No ; File No. PCAOB , June 17, 2004]

You can view and download a copy of the PCAOB standard at this website.

Concessions aren't made for the size of a company

The PCAOB in its auditing standards, Appendix E60, states essentially that there is no concession for the size of the issuer and that all SMBs must adhere to the same level of compliance as the larger corporations regarding the level of compliance for Section 404. Small companies must comply the same as large. There is no allowance for size.

E60. Striking an appropriate balance regarding the needs of smaller issuers is particularly challenging. The Board considered cautionary views about the difficulty in expressing accommodations for small and medium-sized companies without creating an inappropriate second class of internal control effectiveness and audit assurance. Further, the Board noted that the COSO framework currently provides management and the auditor with more guidance and flexibility regarding small and medium-sized companies than the Board had provided in the proposed Appendix E. As a result, the Board eliminated proposed Appendix E and replaced the appendix with a reference to COSO in paragraph 15 of the standard. The Board believes providing internal control criteria for small and medium-sized companies within the internal control framework is more appropriately within the purview of COSO. Furthermore, the COSO report was already tailored for special small and medium-sized company considerations. The Board decided that emphasizing the existing guidance within COSO was the best way of recognizing the special considerations that can and should be given to small and medium-sized companies without inappropriately weakening the standard to which these smaller entities should, nonetheless, be held. If additional tailored guidance on the internal control framework for small and medium-sized companies is needed, the Board encourages COSO, or some other appropriate body, to develop this guidance. [5]

However the PCAOB also states this about internal control in its final rulings:

Internal control is not one-size fits all. And the nature and extent of the controls that are necessary depend, to a great extent, on the size and complexity of the company. [6]

Essentially, as long as there is reasonable assurance that financial reports are reliable, what may be necessary in terms of an internal control system at a large company may not be required at a smaller one. However if the business is very complex, size becomes an irrelevant matter.

17. Management's assessment of the effectiveness of internal control over financial reporting is expressed at the level of reasonable assurance. The concept of reasonable assurance is built into the definition of internal control over financial reporting and also is integral to the auditor's opinion. Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Although not absolute assurance, reasonable assurance is, nevertheless, a high level of assurance. [7]

The concept of reasonable assurance should be a constant theme during compliance projects, beginning with the design of internal controls through to the evaluation of their effectiveness. You cannot guarantee 100% elimination of risk, but you can do all that is reasonably possible to mitigate it. Keep that in mind when it comes time to sign the check for an elaborate control system you may not need. As the saying goes, don't spend $10,000 to protect a dime.

[5] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements [Effective pursuant to SEC Release No ; File No. PCAOB , June 17, 2004]
[6] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements [Effective pursuant to SEC Release No ; File No. PCAOB , June 17, 2004]
[7] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements [Effective pursuant to SEC Release No ; File No. PCAOB , June 17, 2004]

Chapter 3 Internal Control Frameworks & Standards

K E Y T O P I C S: COSO; Internal Controls; COBIT; Other Standards

Issuers must declare the internal control framework that is being used in their assessment of the effectiveness of controls over financial reporting.

Internal controls are procedures and processes that help to mitigate business risks. Understand that documents are not internal controls. They communicate the internal control activities of a business process and mandate policies. In order for policies and procedures to be effective they must be enforced and they must be auditable.

Reliability of financial reporting is at the heart of Section 404 compliance. In order for financial reports to be judged reliable, the processes that produce them must be such that errors and fraud do not occur. Internal controls help accomplish this. There are several widely accepted and comprehensive internal control frameworks and standards specific to information technology that can be implemented to ensure that information systems are less likely to produce errors in the financial data that these systems store and process.

Free Information

As mentioned earlier in this report there is an enormous amount of free information, tools, self-assessment methodologies, benchmarks and metrics at many of the standards organizations' websites. Utilizing these valuable resources is not only cost effective in terms of your Section 404 compliance project but also educational. A complete list of the websites for all of the organizations mentioned in this book can be found in Appendix C. Inform your staff about these sites and encourage them to visit.

Basically there are three types of controls: preventive, detective and corrective.

Preventive Controls include controls over access security, controls to prevent fraud, and intrusion detection software.

Detective Controls are those that function after the fact, such as exception reports, audit logs and automated data integrity checks.

Corrective Controls include incident response.

Automated preventive controls are considered the most reliable. Detective controls can provide risk mitigation only after the fact. Corrective controls are applied when preventive controls fail.

For example, requesting access to an IT system and having the request approved according to a company's security policy is a control procedure. It protects against the risk of unauthorized access to company information. If designed correctly it should prevent unauthorized access. Just being able to detect unauthorized access is a less desirable control design in this case. But the two go together when it is taken into account that unauthorized access to systems can be gained by other means.

What Is COSO?

As mentioned earlier in the chapter, one of the mandates of Sarbanes Oxley Section 404 is that the issuer's management must declare the internal control framework that is being used in their assessment of the effectiveness of internal controls over financial reporting. This framework must be a widely used standard with recognized legitimacy. Both the SEC and PCAOB make mention of only one framework. It is called the COSO framework.

14. In the United States, the Committee of Sponsoring Organizations ("COSO") of the Treadway Commission has published Internal Control Integrated Framework. Known as the COSO report, it provides a suitable and available framework for purposes of management's assessment. For that reason, the performance and reporting directions in this standard are based on the COSO framework. Other suitable frameworks have been published in other countries and may be developed in the future. Such other suitable frameworks may be used in an audit of internal control over financial reporting. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass, in general, all the themes in COSO. Therefore, the auditor should be able to apply the concepts and guidance in this standard in a reasonable manner. [8]

The committee is a private organization made up of auditors, accountants and business executives whose mission is to create ways to improve the reliability of financial reporting and corporate governance. It was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector organization often referred to as the Treadway Commission. Information about COSO and the internal control framework can be found at this website:

The New COSO Framework

As mentioned in the introduction of this report, in and around November of 2005 COSO released a draft of an internal control framework for smaller businesses which included more guidance regarding Information Technology internal controls related to financial reporting reliability. The draft is called Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting. This guide is to be used as a supplement to COSO's Internal Control Integrated Framework, originally published in 1992; it does not supersede or replace the original framework. The draft, not yet approved, will probably go through a few rounds of fine tuning before it is adopted, so further comment on its future is not appropriate. However, the ideas expressed in the draft have high merit and can be used by IT managers to educate themselves. The contents of the document closely mirror the current reality of key IT controls in SOX testing. The draft can be downloaded at the COSO website listed above. Most of the document focuses on the five COSO elements and how they can be achieved in different ways by smaller businesses. One of the main differences between the COSO framework for smaller businesses and the original framework is an increased emphasis on monitoring activities and the control environment. These two elements are discussed below in the five COSO components section.

[8] Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements [Effective pursuant to SEC Release No ; File No. PCAOB , June 17, 2004]
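The access-request control described above is preventive; the detective control that pairs with it is a periodic reconciliation of the provisioning log against approved requests, which also produces the evidence of effectiveness an auditor asks for. The following is an added example written for this section, not code from the book; the log line format, the approval records and the rule that the approver must differ from the administrator who provisioned the access are all constructed assumptions.

```python
"""Reconcile access grants against approved requests: a detective check that
evidences the preventive access-approval control.  Constructed example; the
log format, approval records and segregation-of-duties rule are assumptions."""
from dataclasses import dataclass
from datetime import datetime
import re

# Assumed provisioning-log format (constructed for this example):
#   <ISO timestamp> GRANT user=<id> system=<name> role=<role> by=<admin id>
GRANT_RE = re.compile(
    r"^(?P<ts>\S+) GRANT user=(?P<user>\S+) system=(?P<system>\S+) "
    r"role=(?P<role>\S+) by=(?P<admin>\S+)$"
)


@dataclass(frozen=True)
class Grant:
    ts: datetime
    user: str
    system: str
    role: str
    admin: str


@dataclass(frozen=True)
class Approval:
    request_id: str
    user: str
    system: str
    role: str
    approver: str
    approved_at: datetime


def parse_grant_log(lines):
    """Parse provisioning-log lines.  An unparseable line is a finding in its
    own right (the log is the audit evidence), so it is raised, not skipped."""
    grants = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised grant log line: {line!r}")
        grants.append(Grant(datetime.fromisoformat(m["ts"]), m["user"],
                            m["system"], m["role"], m["admin"]))
    return grants


def reconcile(grants, approvals):
    """Classify each grant.  A grant is 'supported' when an approval for the
    same user/system/role exists, predates the grant, and (assumed policy) was
    not given by the administrator who performed the grant."""
    findings = {"supported": [], "no_approval": [],
                "approved_after_grant": [], "self_approved": []}
    for g in grants:
        matches = [a for a in approvals
                   if (a.user, a.system, a.role) == (g.user, g.system, g.role)]
        prior = [a for a in matches if a.approved_at <= g.ts]
        if not matches:
            findings["no_approval"].append(g)           # preventive control bypassed
        elif not prior:
            findings["approved_after_grant"].append(g)  # approval obtained after the fact
        elif all(a.approver == g.admin for a in prior):
            findings["self_approved"].append(g)         # segregation-of-duties failure
        else:
            findings["supported"].append(g)
    return findings


def summarize(findings):
    """Counts per category: the figures that go into the control-test workpaper."""
    return {k: len(v) for k, v in findings.items()}


# Constructed sample data: approved requests and a few days of provisioning log.
SAMPLE_APPROVALS = [
    Approval("REQ-1", "alice", "gl-ledger", "ap_clerk", "controller",
             datetime(2013, 3, 1, 9, 0)),
    Approval("REQ-2", "bob", "gl-ledger", "read_only", "it_admin1",
             datetime(2013, 3, 2, 10, 0)),
    Approval("REQ-3", "carol", "payroll", "admin", "controller",
             datetime(2013, 3, 5, 12, 0)),
]
SAMPLE_LOG = [
    "2013-03-01T10:15:00 GRANT user=alice system=gl-ledger role=ap_clerk by=it_admin1",
    "2013-03-02T11:00:00 GRANT user=bob system=gl-ledger role=read_only by=it_admin1",
    "2013-03-04T08:30:00 GRANT user=carol system=payroll role=admin by=it_admin2",
    "2013-03-04T17:45:00 GRANT user=dave system=gl-ledger role=ap_clerk by=it_admin2",
]


def run_example():
    """Run the reconciliation over the constructed sample and return the counts."""
    return summarize(reconcile(parse_grant_log(SAMPLE_LOG), SAMPLE_APPROVALS))


if __name__ == "__main__":
    for category, count in run_example().items():
        print(f"{category:22s} {count}")
```

Each non-supported category maps to a different weakness: a missing approval means the preventive control was bypassed, a late approval means it was documented after the fact, and a self-approved grant means the approval step gave no independent check.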

Although COSO is the only framework mentioned by name in the PCAOB and SEC mandates, there is no prohibition on using other suitable frameworks. Specifically, a suitable framework must:

be free from bias;
permit reasonably consistent qualitative and quantitative measurements of a company's internal control;
be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal controls are not omitted; and
be relevant to an evaluation of internal control over financial reporting. [9]

The Committee of Sponsoring Organizations formulates activities related to reliability in financial reporting and corporate governance. One study that was conducted focused on the development of an internal control framework that businesses could adopt which would help ensure the integrity of financial information and reports, improve efficiency, reduce the risk of asset loss and enable compliance with laws and regulations. The result of this study was a report called Internal Control Integrated Framework. Among other things it states:

Internal control is broadly defined as a process, affected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations. [10]

Note: Under Sarbanes Oxley Section 404 a company's management is only responsible for the second COSO objective: Reliability of Financial Reporting. Understanding this part of the regulation will help you establish the scope of your Sarbanes Oxley project. The reliability of financial reporting will be assessed, not your operations' efficiency or your compliance with other laws and regulations.

[9] SEC Final Rule, August 14, 2003, Definition of Internal Control
[10] Internal Control - Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission.

COSO Components

The COSO internal control standard consists of five inter-related components:

The Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

According to COSO, in order to be effective an internal control system must address all five of these components. The new audit standards require that all of the components be addressed by the auditor as the criteria used to reach conclusions about the reliability of the issuer's financial reporting. Companies show through their various policies, procedures, control activities and other behaviors that what they report about their financial position is reliable. Implementing a recognized internal control framework or IT management system like COBIT, ITIL or CMMI would give further evidence of a strong control environment.

The idea that an effective internal control system must include the five COSO components is sometimes difficult to understand. It is fairly simple to grasp the notion of control activities, as they are the most tangible because they represent the policies and procedures that dictate how we conduct ourselves in the business environment. Risk assessment and monitoring of events are also easy to grasp. Communicating information about an internal control in a timely manner may be a new concept but is not difficult to understand. The concept of the control environment is the foundation for the other four.

COSO Components Defined

T H E C O N T R O L E N V I R O N M E N T

The control environment is a mentality and resultant behavior that recognizes inherent and overt business risks and sets a tone of mindfulness in terms of the attitude toward managing that risk.

Because of the pervasive effect of the control environment on the reliability of financial reporting, the auditor's preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary. Weaknesses in the control environment should cause the auditor to alter the nature, timing,


More information

ISRE 2400 (Revised), Engagements to Review Historical Financial Statements

ISRE 2400 (Revised), Engagements to Review Historical Financial Statements International Auditing and Assurance Standards Board Exposure Draft January 2011 Comments requested by May 20, 2011 Proposed International Standard on Review Engagements ISRE 2400 (Revised), Engagements

More information

A Sarbanes-Oxley Roadmap to Business Continuity

A Sarbanes-Oxley Roadmap to Business Continuity A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt eschmidt@controlsolutions.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT

More information

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition 1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...

More information

How Perforce Can Help with Sarbanes-Oxley Compliance

How Perforce Can Help with Sarbanes-Oxley Compliance How Perforce Can Help with Sarbanes-Oxley Compliance C. Thomas Tyler Chief Technology Officer, The Go To Group, Inc. In collaboration with Perforce Software Perforce and Sarbanes-Oxley The Sarbanes-Oxley

More information

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

Guide to the Sarbanes-Oxley Act:

Guide to the Sarbanes-Oxley Act: Guide to the Sarbanes-Oxley Act: internal Control Reporting Requirements Frequently Asked Questions Regarding Section 404 Fourth Edition Table of Contents Page No. Introduction... 1 Applicability of Section

More information

) ) ) ) ) ) ) ) ) ) ) )

) ) ) ) ) ) ) ) ) ) ) ) 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org PROPOSED AUDITING STANDARD AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING PERFORMED IN

More information

IT Governance Dr. Michael Shaw Term Project

IT Governance Dr. Michael Shaw Term Project IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai gtsai2@uiuc.edu May 3 rd, 2007 1 Table of Contents: Abstract...3

More information

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

WHITE PAPER. PCI Compliance: Are UK Businesses Ready? WHITE PAPER PCI Compliance: Are UK Businesses Ready? Executive Summary The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed,

More information

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers Sarbanes-Oxley Section 404: Compliance s for Foreign Private Issuers As of March 14, 2005 Table of Contents Requirements of the Act.............................................................. 1 Accelerated

More information

Internal Auditing Guidelines

Internal Auditing Guidelines Internal Auditing Guidelines Recommendations on Internal Auditing for Lottery Operators Issued by the WLA Security and Risk Management Committee V1.0, March 2007 The WLA Internal Auditing Guidelines may

More information

Auditing Standard 5- Effective and Efficient SOX Compliance

Auditing Standard 5- Effective and Efficient SOX Compliance Auditing Standard 5- Effective and Efficient SOX Compliance September 6, 2007 Presented to: The Dallas Chapter of the Institute of Internal Auditors These slides are incomplete without the benefit of the

More information

Response e-mailed to comments@pcaobus.org

Response e-mailed to comments@pcaobus.org Richard F. Chambers Certified Internal Auditor Certified Government Auditing Professional Certification in Control Self-Assessment President and Chief Executive Officer DATE Office of the Secretary PCAOB

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained Performing Audit Procedures in Response to Assessed Risks 1781 AU Section 318 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Supersedes SAS No. 55.)

More information

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity

Uncheck Yourself. by Karen Scarfone. Build a Security-First Approach to Avoid Checkbox Compliance. Principal Consultant Scarfone Cybersecurity Uncheck Yourself Build a Security-First Approach to Avoid Checkbox Compliance by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800

More information

How To Audit A Company

How To Audit A Company 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STAFF AUDIT PRACTICE ALERT NO. 11 CONSIDERATIONS FOR AUDITS OF INTERNAL CONTROL OVER FINANCIAL

More information

Moving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide

Moving from BS 25999-2 to ISO 22301. The new international standard for business continuity management systems. Transition Guide Transition Guide Moving from BS 25999-2 to ISO 22301 The new international standard for business continuity management systems Extract from The Route Map to Business Continuity Management: Meeting the

More information

Proposed Consequential and Conforming Amendments to Other ISAs

Proposed Consequential and Conforming Amendments to Other ISAs IFAC Board Exposure Draft November 2012 Comments due: March 14, 2013, 2013 International Standard on Auditing (ISA) 720 (Revised) The Auditor s Responsibilities Relating to Other Information in Documents

More information

Employee Benefit Plans Financial Statement Audits

Employee Benefit Plans Financial Statement Audits Employee Benefit Plans Financial Statement Audits Plan Advisory The AICPA EBPAQC is a firm-based, volunteer membership center created with the goal of promoting quality employee benefit plan audits. Center

More information

Addressing Disclosures in the Audit of Financial Statements

Addressing Disclosures in the Audit of Financial Statements Exposure Draft May 2014 Comments due: September 11, 2014 Proposed Changes to the International Standards on Auditing (ISAs) Addressing Disclosures in the Audit of Financial Statements This Exposure Draft

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

) ) ) ) ) ) ) ) ) ) ) )

) ) ) ) ) ) ) ) ) ) ) ) 1666 K Street, NW Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org AUDITING STANDARD No. 16 COMMUNICATIONS WITH AUDIT COMMITTEES; RELATED AMENDMENTS TO PCAOB STANDARDS;

More information

A LAYPERSON S GUIDE INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR)

A LAYPERSON S GUIDE INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR) A LAYPERSON S GUIDE TO INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR) Prepared by Kayla J. Gillan, Member of the Public Company Accounting Oversight Board For The Council of Institutional Investors Annual

More information

CONSULTATION PAPER ON RISK MANAGEMENT AND INTERNAL CONTROL: REVIEW OF THE CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT

CONSULTATION PAPER ON RISK MANAGEMENT AND INTERNAL CONTROL: REVIEW OF THE CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT CONSULTATION PAPER ON RISK MANAGEMENT AND INTERNAL CONTROL: REVIEW OF THE CORPORATE GOVERNANCE CODE AND CORPORATE GOVERNANCE REPORT June 2014 CONTENTS Page No. CONTENTS... 1 EXECUTIVE SUMMARY... 1 CHAPTER

More information

Communicating Internal Control Related Matters Identified in an Audit

Communicating Internal Control Related Matters Identified in an Audit Communicating Internal Control Related Matters 227 AU-C Section 265 Communicating Internal Control Related Matters Identified in an Audit Source: SAS No. 122; SAS No. 125; SAS No. 128. See section 9265

More information

3.B METHODOLOGY SERVICE PROVIDER

3.B METHODOLOGY SERVICE PROVIDER 3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting

More information

Risk Assessment & Enterprise Risk Management

Risk Assessment & Enterprise Risk Management Risk Assessment & Enterprise Risk 1 Healthcare Corporate Governance Today s environment requires building a culture of risk awareness and management of risk across the organization, while formulating less

More information

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal (Provisional translation) On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting (Council Opinions) Released on

More information

The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform

The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform Technical Discussion David Churchill CEO DraftPoint Inc. The information contained in this document represents the current

More information

COSO Framework 2013 & SOX Compliance. Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013

COSO Framework 2013 & SOX Compliance. Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013 COSO Framework 2013 & SOX Compliance Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013 What s Happened On May 14, 2013, after a little more than 20 years the Committee of Sponsoring

More information

[300] Accounting and internal control systems and audit risk assessments

[300] Accounting and internal control systems and audit risk assessments [300] Accounting and internal control systems and audit risk assessments (Issued March 1995) Contents Paragraphs Introduction 1 12 Inherent risk 13 15 Accounting system and control environment 16 23 Internal

More information

Continuing Professional Development: A Program of Lifelong Learning and Continuing Development of Professional Competence

Continuing Professional Development: A Program of Lifelong Learning and Continuing Development of Professional Competence Education Committee IES 7 May 2004 International Education Standard for Professional Accountants 7 Continuing Professional Development: A Program of Lifelong Learning and Continuing Development of Professional

More information

February 2015. Audit committee performance evaluation

February 2015. Audit committee performance evaluation February 2015 Audit committee performance evaluation Audit committee performance evaluation The following questionnaire is based on emerging and leading practices to assist in the self-assessment of an

More information

CYBER SUPPLY INC. (Exact name of registrant as specified in its charter)

CYBER SUPPLY INC. (Exact name of registrant as specified in its charter) UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 FORM 10-K/A-1 [X] ANNUAL REPORT UNDER TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 For the fiscal year ended February

More information

How To Audit A Financial Statement

How To Audit A Financial Statement INTERNATIONAL STANDARD ON 400 RISK ASSESSMENTS AND INTERNAL CONTROL (This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective) * CONTENTS Paragraph Introduction... 1-10 Inherent

More information

How To Ensure That A Quality Control System Is Working Properly

How To Ensure That A Quality Control System Is Working Properly HKSQC 1 Issued June 2009; revised July 2010, May 2013, February 2015 Effective as of 15 December 2009 Hong Kong Standard on Quality Control 1 Quality Control for Firms that Perform Audits and Reviews of

More information

Valuing and Reporting Plan Investments

Valuing and Reporting Plan Investments Valuing and Reporting Plan Investments PLAN ADVISORY Table of Contents Introduction 2 Your Responsibility for Reporting Plan Investments 3 Your Responsibility for Valuing Investments and Establishing

More information

U.S. Customs and Border Protection Office of International Trade Regulatory audit. Focused Assessment Pre-Assessment Survey Audit Program

U.S. Customs and Border Protection Office of International Trade Regulatory audit. Focused Assessment Pre-Assessment Survey Audit Program U.S. Customs and Border Protection Office of International Trade Regulatory audit Focused Assessment Pre-Assessment Survey Audit Program TABLE OF CONTENTS OVERVIEW OF THE FOCUSED ASSESSEMENT PRE-ASSESSMENT

More information

Frequently Asked Questions in Identifying and Assessing Prospective Risks

Frequently Asked Questions in Identifying and Assessing Prospective Risks To: Financial Examiners From: NAIC Examination Unit Staff Date: May 4, 2015 Re: Frequently Asked Questions in Identifying and Assessing Prospective Risks The following FAQ provides information on common

More information

UC4 Software: HELPING IT ACHEIVE SARBANES-OXLEY COMPLIANCE

UC4 Software: HELPING IT ACHEIVE SARBANES-OXLEY COMPLIANCE UC4 Software: HELPING IT ACHEIVE SARBANES-OXLEY COMPLIANCE Introduction...2 SOX and COBIT: A Brief Review...2 The COBIT Structure...2 Structure of this Document...3 Planning & Organisation...3 Acquisition

More information

Preface No changes of substance have been made in the Framework, Introduction or the IESs.

Preface No changes of substance have been made in the Framework, Introduction or the IESs. International Accounting Education Standards Board International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, New York 10017 USA E-mail: educationpubs@ifac.org Website: http://www.ifac.org

More information

Data Analysis: The Cornerstone of Effective Internal Auditing. A CaseWare Analytics Research Report

Data Analysis: The Cornerstone of Effective Internal Auditing. A CaseWare Analytics Research Report Data Analysis: The Cornerstone of Effective Internal Auditing A CaseWare Analytics Research Report Contents Why Data Analysis Step 1: Foundation - Fix Any Cracks First Step 2: Risk - Where to Look Step

More information

White Paper. Ensuring Network Compliance with NetMRI. An Opportunity to Optimize the Network. Netcordia

White Paper. Ensuring Network Compliance with NetMRI. An Opportunity to Optimize the Network. Netcordia White Paper Ensuring Network Compliance with NetMRI An Opportunity to Optimize the Network Netcordia Copyright Copyright 2006 Netcordia, Inc. All Rights Reserved. Restricted Rights Legend This document

More information

DATA ANALYSIS: THE CORNERSTONE OF EFFECTIVE INTERNAL AUDITING. A CaseWare IDEA Research Report

DATA ANALYSIS: THE CORNERSTONE OF EFFECTIVE INTERNAL AUDITING. A CaseWare IDEA Research Report DATA ANALYSIS: THE CORNERSTONE OF EFFECTIVE INTERNAL AUDITING A CaseWare IDEA Research Report CaseWare IDEA Inc. is a privately held software development and marketing company, with offices in Toronto

More information

How to use identity management to reduce the cost and complexity of Sarbanes-Oxley compliance*

How to use identity management to reduce the cost and complexity of Sarbanes-Oxley compliance* How to use identity management to reduce the cost and complexity of Sarbanes-Oxley compliance* PwC Advisory Performance Improvement Table of Contents Situation Pg.02 In the rush to meet Sarbanes-Oxley

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX

Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX FLASH REPORT Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and On February 15, 2007, the Business Accounting Council of the

More information

STANDING ADVISORY GROUP MEETING

STANDING ADVISORY GROUP MEETING 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STANDING ADVISORY GROUP MEETING BROKER-DEALER AUDIT CONSIDERATIONS JULY 15, 2010 Introduction

More information

(Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS

(Effective for audits of financial statements for periods beginning on or after December 15, 2009) CONTENTS INTERNATIONAL STANDARD ON 200 OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH INTERNATIONAL STANDARDS ON (Effective for audits of financial statements for periods

More information

Significant Revisions to OMB Circular A-127. Section Revision to A-127 Purpose of Revision Section 1. Purpose

Significant Revisions to OMB Circular A-127. Section Revision to A-127 Purpose of Revision Section 1. Purpose Significant Revisions to OMB Circular A-127 Section Revision to A-127 Purpose of Revision Section 1. Purpose Section 5. Definitions Section 6. Policy Section 7. Service Provider Requirements Section 8.

More information

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie

More information

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,

More information

A I. C A Q A p p r o a c h to A u d i t Q u a l i ty I n d i c a to r s

A I. C A Q A p p r o a c h to A u d i t Q u a l i ty I n d i c a to r s C A Q A p p r Qo a c h to A u d i t u a l i ty n d i c a to r s A C A Q A p p r o a c h to A u d i t Q u a l i ty n d i c a to r s The Center for Audit Quality (CAQ) is an autonomous public policy organization

More information

Investor Sub Advisory Group GOING CONCERN CONSIDERATIONS AND RECOMMENDATIONS. March 28, 2012

Investor Sub Advisory Group GOING CONCERN CONSIDERATIONS AND RECOMMENDATIONS. March 28, 2012 PCAOB Investor Sub Advisory Group GOING CONCERN CONSIDERATIONS AND RECOMMENDATIONS March 28, 2012 Auditing standards requiring auditors to issue going concern opinions have existed for several decades.

More information

RALLY SOFTWARE DEVELOPMENT CORP.

RALLY SOFTWARE DEVELOPMENT CORP. RALLY SOFTWARE DEVELOPMENT CORP. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS Approved by the Board of Directors on March 19 2013 PURPOSE The primary purpose of the Audit Committee (the Committee

More information

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16 NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

More information