Sarbanes-Oxley Compliance: Section 404-Past, Present, and Future



Similar documents
How To Get A Whistleblower Pass On A Corporation

EFFECT OF THE SARBANES-OXLEY ACT OF 2002

Impact of the Sarbanes-Oxley Act on the System of Internal Controls and IS Audit

Addressing SOX compliance with XaitPorter. Version 1.0 Sept. 2014

White Paper Achieving SOX Compliance through Security Information Management. White Paper / SOX

SOX and its effects on IT Security Governance

engage. empower. evolve. SARBANES-OXLEY COMPLIANCE

What Should IS Majors Know About Regulatory Compliance?

Guide to Internal Control Over Financial Reporting

Sarbanes-Oxley and Sage MAS 90, 200, and

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

THE U.S. SARBANES-OXLEY ACT OF 2002: REFORMING CORPORATE GOVERNANCE AND DISCLOSURE

Guide to Public Company Auditing

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

Sarbanes-Oxley Control Transformation Through Automation

Fraud-Related Compliance

UC4 Software: HELPING IT ACHEIVE SARBANES-OXLEY COMPLIANCE

Blowing the Whistle on Accounting Fraud: The Sarbanes-Oxley Whistleblower Protections Act At A Glance

Contracts Management Software as a Tool for SOX Compliance

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

Sarah Al-Houti MBA. IT Governance and Security. Information Trust and Compliance Issue (SOX) BADM 590

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

February Sample audit committee charter

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, EventTracker 8815 Centre Park Drive, Columbia MD 21045

SOX 404 Compliance Challenges for Small Companies

MANAGE. Sarbanes-Oxley Readiness with Microsoft Dynamics NAV. Microsoft Dynamics NAV 5.0. White Paper

Sarbanes-Oxley: Challenges and Opportunities in the New Regulatory Environment

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

ACCESS MANAGEMENT. IDENTITY and ENABLING SARBANES-OXLEY COMPLIANCE. White Paper July Abstract

Sarbanes-Oxley Act: HR s Role in Ensuring Compliance and Driving Cultural Change Created by BNA Exclusively for ADP

The Credit Research Foundation. The Credit Professional s Duty And Protection With Disclosing Corporate Fraud At The Public Company

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

The Sarbanes-Oxley Act: Time is not on your side

AUDITING AND ITS ROLE IN CORPORATE GOVERNANCE

Sarbanes-Oxley Section 404: Management s Assessment Process

Sarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

A Sarbanes-Oxley Roadmap to Business Continuity

BUSINESS TECHNOLOGY OPTIMIZATION A TOUR OF MERCURY SARBANES-OXLEY IT ASSESSMENT ACCELERATOR

Assessment of SOX implementation - from an Internal Audit perspective

Preparing for a Post Dodd Frank World

Corporate Governance - Implementation, Challenges and Trends

A tour of HP Sarbanes-Oxley IT assessment accelerator. White paper

MORRISON I FOERSTER. Legal Updates & News. A Guide to the Impact of SAS 70 on Outsourcing Projects January 2008 by Alistair Maughan, Susan McLean

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER

Sarbanes-Oxley Compliance for Cloud Applications

IFRS in Asia 2008 Driving the Capital Markets of Tomorrow October 2008, Beijing, China

Moving Internal Audit Back into Balance

Common Sense Accounting Reforms

How to use identity management to reduce the cost and complexity of Sarbanes-Oxley compliance*

WHITEPAPER. Identity Management and Sarbanes-Oxley Compliance. T h i n k I D e n t i t y. September 2005

SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners

The Importance of IT Controls to Sarbanes-Oxley Compliance

Sharing of Experience Section 404 Sarbanes-Oxley Act

Risk Management Advisory Services, LLC Capital markets audit and control

DELAWARE GOVERNANCE PRINCIPLES Steptoe & Johnson LLP (Overview) David Roll Richards, Layton & Finger, P.A. Samuel A. Nolen

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

IT Governance Dr. Michael Shaw Term Project

Sarbanes-Oxley Section 404 Implementation Practices of Leading Companies

Compliance Management, made easy

Understanding the Significance of SOX Compliance.

Sarbanes Oxley Section 404 Compliance For IT Managers

How To Set Up A Committee To Check On Cit

The Committee of Sponsoring Organizations of the Treadway Commission

How To Manage Risk At Atb Financial

The Importance of Internal Control Over Financial Reporting For Service Provider

Ensuring Compliance to Sarbanes-Oxley through Privileged Identity & Information Management. White Paper. V Balasubramanian. ZOHO Corp.

CONTINUOUS CONTROLS MONITORING

Information about 2015 Inspections

The Impact of the SarbanesOxley Act and Similar Legislation: Lessons Learned and Considerations for the Future

Sarbanes/Oxley Act: Accounting/Corporate Governance Reform

Measuring Sarbanes-Oxley Compliance Requirements

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions

Surviving SOX with Scrum. Integrating Scrum in IT Governance at Allianz

Internal Control Strategies. A Mid to Small Business Guide

HIPAA Compliance and PrintFleet Software Applications

Balance Sheet Integrity The Utopian Close: Creating a low risk, highly effective financial close

Internal/External Audits

Migrating Away From Compliance Quicksand

OBSERVATIONS FROM 2010 INSPECTIONS OF DOMESTIC ANNUALLY INSPECTED FIRMS REGARDING DEFICIENCIES IN AUDITS OF INTERNAL CONTROL OVER FINANCIAL REPORTING

Sarbanes-Oxley Section 404 Work. Looking at the Benefits

[RELEASE NOS ; ; FR-77; File No. S ]

Thomas Ray, Deputy Chief Auditor (202/ ; Laura Phillips, Associate Chief Auditor (202/ ;

THE IMPACT OF THE SARBANES-OXLEY ACT 2002 ON THE INFORMATION SYSTEMS OF PUBLIC COMPANIES

FREQUENTLY ASKED QUESTIONS ABOUT FORM 8- K

SOX105. Sarbanes-Oxley for Dummies- 20 hours. Objectives

The Role of the Board in Enterprise Risk Management

The Sarbanes-Oxley Act : effects on public accounting firms

Oceaneering International, Inc. Audit Committee Charter

STANDING ADVISORY GROUP MEETING

Generally Accepted Recordkeeping Principles

AMPLIFY SNACK BRANDS, INC. AUDIT COMMITTEE CHARTER. Adopted June 25, 2015

PwC. Bill 198 Overview September 2004

Top Ten Ways Your HRIS Data Can Unintentionally Invite A Sarbanes-Oxley Audit

FORTRESS TRANSPORTATION AND INFRASTRUCTURE INVESTORS LLC CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS MAY 11, 2015

Sarbanes-Oxley write up

Should State and Local Governments Strengthen Internal Controls by Applying SOX-Like Requirements?

How To Get A Tech Startup To Comply With Regulations

AUDIT COMMITTEE CHARTER

Charter of the Audit Committee of the Board of Directors of Woodward, Inc.

Transcription:

Sarbanes-Oxley Compliance: Section 404-Past, Present, and Future BADM 590/395 IT Governance MS1 Professor Michael Shaw Submitted by: Amy Smith BA in MIS University of Illinois at Urbana-Champaign Smith 1

Abstract: As internal control monitoring and reporting becomes routine, companies will need to adopt a more comprehensive solution and develop long-term strategies to ensure Section 404 compliance. In my paper I will begin by giving an overview of the Sarbanes-Oxley Act, focusing on Sarbanes-Oxley compliance, specifically Section 404. I will discuss impediments to the process of developing a long-term strategy, as well as proposed solutions, mainly implementing business process management software. I will cover the short-comings of current documentation warehouses as well as the advantages of employing business process management software. Ultimately, I hope to emphasize the need for companies to develop and implement a long-term strategy to ensure Section 404 compliance. Sarbanes-Oxley Act: Overview The Sarbanes-Oxley Act was named after sponsors Senator Paul Sarbanes and Representative Michael G. Oxley. The Sarbanes-Oxley Act of 2002, also called the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, is a divisive United States federal law passed in response to a number of major corporate and accounting scandals and represents the biggest change to federal securities laws in a long time.. Some of the major companies involved in these scandals were Enron, Tyco International, Peregrine Systems and WorldCom (recently MCI and now currently part of Verizon Business). These scandals resulted in substantial decrease of public trust in accounting and reporting practices. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines Smith 2

which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also the IT department, whose job it is to store a corporation's electronic records. The Act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. As far as compliance is concerned, the most important sections within these are often considered to be 302, 401, 404, 409, 802 and 906. Supporters of these reforms believe the legislation was necessary and useful; but critics argue that it does more economic damage than it prevents. However, those who have studied the law point out how modest the Act is in comparison to the heavy rhetoric accompanying its passage and adoption. Smith 3

The Sarbanes-Oxley Act's major provisions include the following: Creation of the Public Company Accounting Oversight Board (PCAOB) A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies "attest" (i.e., agree, or qualify) to such disclosure Certification of financial reports by chief executive officers and chief financial officers Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company's Audit Committee of all other non-audit work A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor Ban on most personal loans to any executive officer or director Accelerated reporting of insider trading Prohibition on insider trades during pension fund blackout periods Additional disclosure Enhanced criminal and civil penalties for violations of securities law Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs. (wikipedia.org/sarbanes-oxley act) Smith 4

Section 404: Management Assessment of Internal Controls Section 404 is historically the most argues of the Sarbanes Oxley Act sections as companies stive to meet compliance. All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. If there are any shortcomings in these controls, they must also be reported. In addition, registered external auditors must attest to, or bear evidence of, the accuracy of the company management s contention that internal accounting controls are in place, operational and effective. A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 404: (a) Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance Smith 5

with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. (http://www.sarbanes-oxley-101.com/sox- 404.htm) The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more suitable standards of measure. This framework focuses on information technology processes while keeping in mind the big picture of COSO's "control activities" and "information and communication". However, there are certain aspects of COBIT that are outside the boundaries of Sarbanes-Oxley regulation. Smith 6

SOX 404 Compliance: Past Most organizations have implemented paper and MS Excel-based processes to document and test internal controls over financial reporting to comply with Section 404 of the Sarbanes-Oxley Act. These organizations spend a large amount of time and effort in: scheduling tests manually testing the internal controls identifying and tracking remediation compiling and cataloging evidence implementing change control managing the entire process. Companies are coming to the realization that such an approach is markedly resource intensive and significantly increases the cost of compliance. In addition, it increases the risk of noncompliance, where penalties can be severe. They include prison, fines, firings, accounting overhauls, public censure, stock devaluation and bankruptcy. By following the steps mentioned below companies can lower their SOX 404 compliance costs, reduce their non-compliance risk and free up their personnel to focus on activities that deliver real benefit to the bottom line. integrating the design and testing of internal controls over financial and IT processes providing a risk-based approach to rationalizing controls automating the testing of certain financial and IT controls providing a mechanism to increase visibility and control over the entire compliance process Smith 7

Limits of a Documentation Warehouse: Because of Sarbanes-Oxley, companies are now required to maintain documentation of significant business processes and their related controls. As business processes change, two things must happen: The existing controls related to the previous business process must be evaluated and, if necessary, changed to reflect the new process, and The company s documentation must be updated to reflect the changes to both the process and the control The problem with a data warehouse solution is that these two tasks are not automated, which requires manual intervention. Over the long term, the inability to accommodate evolutions in the company s business process will increase the costs of SOX 404 compliance. Changes to business processes require the reevaluation and possible change to the control procedures that ensure processing accuracy. As business processes change, the necessary changes to internal control insulate, not being implemented until after processing errors occur. The second problem that may occur is that the company makes changes to its processes but fails to simultaneously update its warehouse of process and control descriptions. Under the Sarbanes- Oxley rules, documentation that does not reflect the company s current procedures is also a control deficiency that the company may have to report to its shareholders. In effect, the limits of a data warehouse solution create an extra level of required controls to ensure that controls are reevaluated and modified when business processes change and that the Smith 8

documentation database is updated accurately and on a timely basis when changes do occur. It is an unnecessary and cost-ineffective level. A spreadsheet solution, which many companies have adopted in the first year of implementing SOX 404, does not solve the problems inherent in a compliance tracking solution. In fact, because of their lack of report writing capabilities and relative inability to pre-define the form and content of input, spreadsheets may create more problems in the long run than they solve in the short run. Invariably, the quality of the information will vary greatly, depending on who did the input, and management will grow wary of scrolling through endless columns of detail to find the information they need to assess control effectiveness. The whole process is very inefficient. Sarbanes-Oxley Section 404: Looking Ahead Business process management software automates the process of evaluating old controls and updating outdated documentation. Smith 9

Benefits of automating the SOX process: Reduced Compliance Costs: By automating the SOX processes, companies significantly reduce the time being spent by internal staff and/or consultants on SOX related activities. Employees will be able to carry out team activities in a much more productive manner with the collaborative environment that automation provides. Typical expected savings through automation of SOX processes can range from 25-40%. Smith 10

Improved Control on the Process: Automation can enforce a consistent process across the enterprise, eliminating any deviations and error that cost the company in terms of additional cost and time associated with repeated processes and multiple checks that need to be performed. Better Resource Utilization: With the entire SOX process streamlined and automated, companies can better utilize its resources by moving many tasks down the responsibility chain. Process owners can take direct responsibility for managing internal controls, and auditors can focus on testing key controls and project oversight. The dependence (and costs) on external auditors will also be significantly reduced. Lower Exposure: Executive dashboards provide enterprise-wide visibility into the compliance process and highlight issues that need to be addressed immediately. The solution has the ability to track design status, process ownership, assessment plans, etc. on graphical charts that can be accessed globally and display real-time information. The complete visibility provided by automation lowers the risk of non-compliance and associated penalties. Executives can be assured of higher customer and investor confidence. Streamlined Change Control: Integrated document management provides access control and change control capabilities. Access control ensures only the right people can access or change the data/documents. Change controls keep documentation and processes in sync and significantly reduce the amount of redo of documentation in following years. Smith 11

Moving toward a SOX 404 Business Management Solution To be suitable for Sarbanes-Oxley compliance, business process management tools must, at a minimum, be capable of the following. Capture Necessary Information: The detailed rules implementing the Sarbanes-Oxley requirements describe specific requirements for the contents of a company s documentation of its processes and controls. Any software solution management adopts for Sarbanes-Oxley must be able to capture these required elements efficiently. Reporting Flexibility: Ultimately, a company must evaluate the effectiveness of its internal control system as a whole. To make that kind of overall assessment requires management to look at different groupings of individual controls. For example, it may need to look at all controls related to the sales/accounts receivable cycle or all those affected by its order entry system. The best software solutions currently available have robust report writing capabilities, which must be matched if business process management software is to be effective. Audit Trails: To take full advantage of all the benefits that a business process solution provides, the software must be able to generate a variety of audit trails. The system must capture and promptly report to management all changes to business processes and controls. It also must track the processing of all transactions and identify all instances where established procedures were not performed timely for subsequent follow up. Security: Sarbanes-Oxley requires companies to appoint an external auditor to audit its controls. Smith 12

This audit requirement elevates the importance of the company s processes and controls, and the related documentation becomes vital information whose integrity must be protected. Logical access control features should be built in to the software to ensure that only authorized changes are made to company processes and controls. Implementation Guidance and Training: As with any significant software application, the users of a Sarbanes-Oxley business process management solution must have guidance and training on both the use of the software and the proper design of business processes and related accounting controls. Without this guidance and training, business process owners may design systems that are perfectly documented and implemented but ultimately fail to comply with Sarbanes-Oxley due to a design flaw. (M. Ramos http://www.bpmg.org/zpost977.php) The Future of SOX 404 2004 was the year in which compliance with Section 404 of Sarbanes-Oxley became required for the first time. One of the initial hurdles in meeting the law s requirements demanded that companies develop comprehensive documentation of its internal controls. Not surprisingly, the first generation of automated tools were aimed at facilitating the collection, storage and retrieval of information required for compliance. This approach resulted in the creation of a warehouse of control information, separate and distinct from the underlying business process. While these tools achieved the goal of efficiently implementing Section 404, maintaining the existing prototype of manual business processes and a separate store of process documentation will prove to be both inefficient and ineffective in the long run. Smith 13

Sarbanes-Oxley is not going away any time soon. Company management should seek to implement solutions that provide long-term value. Software applications that manage the company s business processes building controls in rather than bolting them on may prove to be the long term answer companies need. Impediments to the process of achieving sustainable compliance include: "Project mindset: many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point." "Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed." "Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward" Smith 14

"Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year." "Underestimation of technology impacts and implications: IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls. IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting a critical requirement at most large and complex enterprises." "Ignored risks: Effective internal control is predicated on risk. The controls themselves exist expressly for the purpose of minimizing the risk of financial reporting errors. In year one, risk assessment was treated as an afterthought if addressed at all." The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making it a part of every-day business. Deloitte has developed the "Sustained Compliance Solution Framework": Effective and efficient processes for evaluating, testing, re-mediating, monitoring, and reporting on controls Integrated financial and internal control processes Technology to enable compliance Smith 15

Clearly articulated roles and responsibilities and assigned accountability Education and training to reinforce the "control environment" Adaptability and flexibility to respond to organizational and regulatory change. (Deloitte Touche Tohmatsu, Under Control ) Smith 16

References The IIA Research Foundation: Sarbanes-Oxley Section 404 Work: Looking at the Benefits. Larry E. Rittenberg (Ernst and Young) & Patricia K. Miller (Deloitte) January 2005 Business Process Management: The Future of SOX 404. Michael Ramos. February 2005. http://www.bpmg.org/zpost977.php Under Control: Sustaining Compliance with Sarbanes-Oxley in Year Two and Beyond. Deloitte 2005. http://www.iasplus.com/dttpubs/0503undercontrol.pdf The Practical Guide to Sarbanes-Oxley Compliance: http://www.ecora.com/ecora/whitepapers/register/idrs_soxcompliance.asp Sarbanes-Oxley: The Road to Compliance. Dennis Callaghan. February 16, 2004. http://www.eweek.com/article2/0%2c4149%2c1527933%2c00.asp Seven Steps to Sarbanes-Oxley Compliance: SearchCIO.com. Barney Beal. November 24, 2003. http://searchcio.techtarget.com/originalcontent/0,289142,sid19_gci938537,00.html Sarbanes-Oxley Section 404: An Overview of the PCAOB s Requirements. KPMG LLP. April 2004. http://www.kpmg.de/library/pdf/040413_sox404_pcaob_requirements_en.pdf Smith 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information