Thursday, May 31, 2018

Control Environment, Risk Assessment & Control Activities (COSO)

   Control Environment
      The foundation or bottom level of the COSO internal control framework is what COSO calls the internal control environment. The control environment should be viewed as a foundation for all other components of internal control, and has an influence on each of the three objectives and overall unit and entity activities. The control environment reflects the overall attitude, awareness, and actions by the board of directors, management, and others concerning the importance of internal controls in the enterprise. Senior managers should always try to manage and understand this overall control environment in their organizations.

     The essential components of the control environment:
• INTEGRITY AND ETHICAL VALUES
• COMMITMENT TO COMPETENCE
• BOARD OF DIRECTORS AND AUDIT COMMITTEE
• MANAGEMENT’S PHILOSOPHY AND OPERATING STYLE
• ORGANIZATIONAL STRUCTURE
• ASSIGNMENT OF AUTHORITY AND RESPONSIBILITY
• HUMAN RESOURCES POLICIES AND PRACTICES

Risk Assessment
      The next level or layer above the control environment on the COSO internal control framework is risk assessment. An enterprise’s ability to achieve its objectives can be at risk due to a variety of internal and external factors. An understanding and management of the risk environment is a basic element of the internal control foundation, and an enterprise should have a process in place to evaluate the potential risks that may impact attainment of its various objectives. This risk assessment component focuses on internal controls within an enterprise and is much narrower in scope than the COSO ERM enterprise risk management framework and IT governance risk management issues.

     COSO internal control risk assessment should be a forward-looking process that is performed at all levels and for virtually all activities within the enterprise.

The COSO internal controls framework describes risk assessment as a three-step process: 
1. Estimate the significance of the risk. 
2. Assess the likelihood or frequency of the risk occurring. 
3. Consider how the risk should be managed and assess what actions must be taken.

     This COSO risk assessment process places the responsibility on management to assess whether a risk is significant and, if so, to take appropriate actions. COSO internal controls also emphasize that risk analysis is not a theoretical process but often can be critical to an entity’s overall success. As part of its overall assessment of internal control, management should take steps to assess the risks that may impact the overall enterprise as well as the risks over various enterprise activities or entities. A variety of risks, caused by either internal or external sources, may affect the overall enterprise. 

     The risk assessment element of COSO internal controls is an area where there has been much misunderstanding and confusion because of the similarly named COSO ERM framework. The risk assessment component of the COSO internal control framework covers risk assessments within an individual enterprise. The COSO ERM framework covers the entire entity and beyond. These are really two separate issues; one is not a replacement for the other.

Control Activities
     The next layer up in the COSO internal control framework is called control activities. These are the processes and procedures that help ensure that actions identified to address risks are carried out. Control activities exist at all levels, and in many cases may overlap one another. They are essential elements to building and then establishing effective internal controls in an enterprise.

     The COSO internal control framework identifies a series of these activities that are generally classified as manual, IT, or management controls, and they are also described in terms of whether they are preventive, corrective, or detective control activities.

     While no one set of internal control definitions is correct for all situations, COSO internal controls recommend the following control activities for an enterprise: 
• Top-level reviews 
• Direct functional or activity management 
• Information processing 
• Physical controls 
• Performance indicators 
• Segregation of duties 

     These control activities represent only a small number of the many performed in the normal course of business operations but involve policies establishing what should be done and procedures to implement them. Even though control activities may sometimes be communicated orally, they should be implemented thoughtfully, conscientiously, and consistently. This is a strong message for reviewing such internal control activities.

     Control activities should not be installed just because they seem to be the “right thing to do” if there are no significant risks in the area where the control activity would be installed. Sometimes there may be control activities in place that once served some control-risk concern, although the concerns have largely gone away. A control activity should not be discarded merely because there has been no recent history of control violations, but management needs to periodically reevaluate the associated relative risks. All internal control activities should contribute to the overall control structure, and IT auditors should keep this concept in mind as they review internal controls and make recommendations.

Frameworks To Support Effective IT Governance

IT Governance and COSO Internal Controls
The need for strong and effective internal controls is a key element of enterprise IT governance. A good general definition in the IT governance context is that internal control is a process, effected by an entity’s board of directors, management, and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of an enterprise’s financial reporting, and an enterprise’s IT systems and processes, all in compliance with laws and regulations.

      Enterprise managers are responsible for implementing and managing internal control processes, while their auditors act as independent parties to both review and perform tests of these internal controls as well as to report to management and other parties whether they are adequate.

     An understanding and use of the COSO internal control framework is important for establishing effective IT governance processes. While these rules and procedures have origins in financial reporting and auditing, in today’s IT-centric world, COSO internal controls are important IT governance tools. These are rules that enterprises need to follow in order to assert or attest to regulators that their organizations have effective internal controls in place and that they are operating in compliance with those newer rules.

IMPORTANCE OF EFFECTIVE INTERNAL CONTROLS AND COSO
     Internal controls are one of the most important and fundamental concepts that senior managers and business professionals at all levels must understand. The business professional builds and uses internal controls, while auditors review and test the operational, IT, and financial systems and processes with an objective of evaluating their internal controls. 

An enterprise unit or process has good internal controls if it:
(1) accomplishes its stated mission in an ethical manner,
(2) produces accurate and reliable data,
(3) complies with applicable laws and enterprise policies,
(4) provides for the economical and efficient use of its resources, and
(5) provides for appropriate safeguarding of assets.

     All members of an enterprise are responsible for the internal controls in their area of operation and for operating them effectively. From an internal control perspective, an enterprise can be compared to our automobile example. There are many enterprise systems and processes at work, such as accounting operations, sales processes, and IT systems. If management does not operate or direct these processes properly, the enterprise may operate out of control. All members of an enterprise should develop an understanding of the appropriate control systems and then determine if they are properly connected to manage the enterprise. These are referred to as the enterprise’s internal control systems.

COSO Internal Control Framework 
     COSO refers to the five professional auditing and accounting organizations that formed a committee to develop this internal control report; its official title is Internal Control—Integrated Framework. What follows describes the COSO internal control framework and its use as an IT governance tool for internal control assessments and evaluations.

     COSO provides an excellent description of this multidimensional concept of internal controls, defining internal control as follows: 
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 
• Effectiveness and efficiency of operations 
• Reliability of financial reporting 
• Compliance with applicable laws and regulations

 COSO uses a three-dimensional model or framework to describe an internal control system in an enterprise.
Exhibit 4.1 shows this COSO internal control framework as a three-dimensional model with five levels on the front-facing side and the three major components of internal control—effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations—taking somewhat equal segments of the model with slices across its top. The right-hand side of Exhibit 4.1 shows three segments, but there could be multiples of these depending on the structure of the enterprise.


      The point of the COSO internal control framework is that we should always consider each identified internal control in terms of how it relates to other associated internal control elements in the three-dimensional framework.

Monday, May 28, 2018

IMPORTANCE OF GRC GOVERNANCE

     The three GRC principles that support IT governance should be thought of in terms of one continuous and interconnecting flow of concepts, with neither G, nor R, nor C any more important than the others. Corporate or enterprise governance is a term that refers broadly to the rules, processes, or laws by which businesses are operated, regulated, and controlled. The term can refer to internal factors defined by the officers, stockholders, or constitution of a corporation, as well as to external forces such as consumer groups, clients, and government regulations.

     Exhibit 3.2 shows enterprise governance concepts with an executive group in the center and their interlocking and related responsibilities for establishing controls, a strategic framework, performance, and accountability. The exhibit shows some of the key concepts within each of these responsibility areas. For example, for the strategic framework, there are the elements of corporate planning and business activities, risk management, business continuity, IT and network, and internal audit.



RISK MANAGEMENT COMPONENT OF GRC

     A strong set of enterprise-wide GRC principles and components is necessary, and an effective risk management program is a key component of enterprise GRC principles. 

     There are four interconnected steps in effective enterprise risk management GRC processes, as shown in Exhibit 3.3 and as follows:
1. Risk assessment and planning 
2. Risk identification and analysis 
3. Exploiting and developing risk response strategies 
4. Risk monitoring


    Risk management should create value and be an integral part of organizational processes. It should be part of the decision-making processes and be tailored in a systematic and structured manner to explicitly address the uncertainties an enterprise faces based on the best available information. In addition, risk management processes should be dynamic, iterative, and responsive to change with the capabilities of continual improvements and enhancements.

GRC AND ENTERPRISE COMPLIANCE
     Compliance is the process of adhering to the guidelines or rules established by government agencies, standards groups, or internal corporate policies. 

     Adhering to these compliance-related requirements is a challenge for an enterprise and its related stakeholders because: 
• New regulations are frequently introduced 
• Vaguely written regulations often require interpretation 
• There is no consensus on best practices for compliance 
• Multiple regulations often overlap 
• Regulations are constantly changing

     Exhibit 3.4 illustrates some issues an enterprise should consider as it attempts to establish its scope and approach to GRC compliance.

     A consistent approach on the use of compliance-driven capabilities and supporting technologies across an enterprise can provide an enterprise with these potential benefits:
• Flexibility
• Reduced total cost of compliance ownership
• Competitive advantage


     Effective GRC compliance processes help an enterprise to transform its business operations and gain deeper insight and predictability from its business information as it addresses regulatory-driven requirements. Key business drivers here may include the ability to better manage information assets, demonstrate compliance with regulatory and legal obligations, reduce the risk of litigation, reduce cost of storage and discovery, and demonstrate corporate accountability.

IMPORTANCE OF EFFECTIVE GRC PRACTICES AND PRINCIPLES
     An enterprise needs to adopt strong governance, risk, and compliance processes, with the objective of establishing an effective GRC program. Strong IT governance programs are very important to an enterprise, and they should be supported by GRC programs of governance, risk management, and overall compliance as well. An enterprise should focus many of its activities strongly on these GRC principles.

Enterprise Governance and GRC Tools

THE ROAD TO EFFECTIVE GRC PRINCIPLES

• All businesses, and publicly traded corporations in particular, have faced governance needs and requirements issues.
• An enterprise always faces risks that it will misinterpret rules or be found in violation of one or another of these multiple laws and regulations.
• There are also risks that an enterprise’s own established governance rules will not achieve the desired results or that the enterprise may face some outside event beyond its control, such as a significant economic downturn, a terrorist attack or act of war that impacts its sphere of operations, or a fire in a major facility.
• There is a need to understand and manage all of these risks on an overall enterprise level.
• Enterprises have always been concerned with various governance, risk, and compliance issues.

     Business professionals had not even heard about this now increasingly familiar GRC acronym until early in this century. The first letter stands for governance, not just for IT governance but for concerns over the entire enterprise. In short, governance means taking care of business, making sure things are done according to an enterprise’s standards, regulations, board of directors’ decisions, as well as governmental laws and rules. It also means setting forth clearly the stakeholder expectations of what should be done so that all stakeholders are on the same page with regard to how the enterprise is run.

     The R from GRC is risk. Everything we do and all aspects of business operations involve some element of risk. When it comes to an individual running across a freeway or a child playing with matches, it’s pretty clear that certain risks should just not be taken. When it comes to business, however, risk factors become a way to both help protect existing asset values and create value by strategically expanding an enterprise or adding new products and services.

     The C in GRC is compliance with the many laws and directives affecting businesses and citizens today. Sometimes people will also extend that letter to include controls, meaning that it is important to put certain controls in place to ensure that compliance is happening. GRC is an increasingly recognized term that reflects a new way in which enterprises today are adopting an integrated approach to these aspects of their business. It is important to remember these core disciplines of governance, risk management, and compliance. Each of the disciplines consists of the four basic GRC components: strategy, processes, technology, and people.

Exhibit 3.1 illustrates these GRC concepts. Governance, risk management, and compliance principles should be tightly bound to tie these principles together. The diagram also shows that internal policies are the key factors supporting governance, that external regulations drive compliance principles, and that what we call an enterprise’s risk appetite is a key element of risk management.


     Risk appetite is a relatively new term for many business and IT professionals. It refers to the amount and type of risk that an organization is prepared to pursue, retain, or take. For example, an investor who speculates in what are often called very risky “penny stocks” has a high appetite for risk, while an investor holding generally safe money market funds has a low appetite for risk. This same analogy can be translated to many enterprise business decisions. 

     The triangle diagram in Exhibit 3.1 also shows the components of strategy, effective processes, technologies (including IT), and the people in the enterprise to make all of this work. Off to the left side, the exhibit shows that an enterprise requires management attention and support, and that correct ethical behavior, organizational efficiency, and improved effectiveness are key.



Thursday, May 24, 2018

IT Governance Enterprise Risk Issues

      Every enterprise faces a wide range of risks, including those arising from its business operations, its markets and related market factors, general economic conditions, and an endless list of other enterprise risk factors. In order to have effective IT governance practices, an enterprise needs to have an effective program for assessing and managing overall risks, significant risks within an enterprise, and specific risks facing IT operations. Exhibit 2.5 outlines some IT governance risk issues and summarizes some effective strategies for managing those risks.



     The theme of the risk requirements and strategies outlined in Exhibit 2.5 is that an enterprise needs to have an understanding of the various types of IT risks that it faces as well as the costs and alternative strategies for taking corrective actions if such risk events occur. An important term and concept here is what is called risk appetite. That is, how great a risk are a senior manager and the overall enterprise willing to accept? The individual investor who places his money in AA-rated corporate bonds has a much lower appetite for risk than does the investor in speculative technology stocks. An understanding of enterprise risk issues is a requirement for implementing effective IT governance processes.

IT Governance Enterprise Organization Issues

     IT governance issues and concerns extend well beyond just the IT department and its resources, and must include many enterprise-wide issues and concerns. We should always consider the IT resource in an enterprise not as just one unique element but as a specialized unit or component of the overall enterprise. Some of these governance issues are outlined in Exhibit 2.6. The message in this exhibit is that although IT management may develop governance processes and procedures affecting their own IT systems and operations, they should always think of them in the much larger context of the overall enterprise.



  Exhibit 2.6 also mentions jurisdiction and boundary issues as an IT governance component. Although not too many years ago an enterprise’s IT resources existed behind highly secured locked doors and often as a separate facility island from other enterprise operations, we must always think of IT operations as a key component in the continuous process of other enterprise operations. However, we should always remember that boundaries exist, and IT, finance, and other operations should recognize the boundaries between various areas of responsibility when establishing governance processes.


IT Governance Legislative and Regulatory Issues
      Legislative and regulatory rules and issues are important components of effective IT governance processes. Enterprise management should monitor these rules and take steps to assure their compliance.

IT Governance Security Issues
     Because enterprise IT operations are connected both internally and to outsiders through the Internet and many other data connections, security matters are major IT governance issues. Many IT consumers and users recognize that their systems and data are vulnerable to a wide range of outside intruders whose interests range from just disrupting someone’s IT operations to sabotaging systems and data for profit or gain. Effective IT security controls are an important element of IT governance. Today’s business executive should have a high-level general understanding of the more significant security issues that are important for effective IT governance. Although there are many and varied issues here, a business manager should understand IT security threats and risks but should seek specialized technical help within the enterprise to more effectively implement the types of IT governance security processes outlined in Exhibit 2.7.


IT Governance Internal, External Threats
 Turning to more specific IT governance issues, an enterprise faces a wide range of internal and external security threats. The external threats can range from such matters as terrorist attacks to foreign government espionage to cloud computing risks and more. IT governance internal threat processes can often be better monitored and controlled. While we never know when some totally unexpected intruder will attack our IT systems, we can reduce the risks of internal threats by establishing strong internal policies and procedures.



WHAT IS IT GOVERNANCE?

         The discipline of IT governance is a subset and very important element of overall enterprise governance issues.
IT governance means different things to different people:
• IT governance is often used to describe the processes for deciding how money for IT resources should be spent. This IT governance process includes the prioritization and justification of IT investments. It includes controls on spending such as budgets and authorization levels.
• IT governance is often used to describe many different aspects of IT changes. At the low level, it is sometimes used to describe project management and control of a portfolio of IT-related projects.
• IT governance is used to make sure that IT change processes comply with regulatory requirements, both governmental laws and rules as well as professional standards.
• IT governance is the process of aligning IT change and expenditure to business requirements and expenditures. Sometimes it also covers the deployment of IT staff.
• IT governance is also used to describe the management and control of IT services.
• IT governance makes sure that day-to-day problem solving and support of all IT resources are aligned to business needs.

       IT governance deals primarily with the connection between an enterprise’s business focus and the IT-related management and operation of the enterprise. The concept highlights the importance of IT-related matters and emphasizes that strategic IT decisions should be owned by the most senior levels of corporate management, including the board of directors, rather than just IT management such as the chief information officer (CIO). Rather than arguing which is the correct definition of IT governance, enterprise senior managers should look at the similarities.

     Governance involves a mix of the following:
• Control of all aspects of IT work.
• Coordination between different pieces of IT-related work—such as new systems development and IT infrastructure support.
• Measurement of the outcomes of IT systems and processes.
• Compliance with internal IT policies or regulations.
• Justification of the spending for all IT resources.
• IT and enterprise-wide accountability and transparency.
• Strong connections with the needs of IT customers, the broader enterprise, and other stakeholders.

      All of the IT governance objectives fit into an overall model, as shown in Exhibit 2.4. IT governance is bounded by performance management, strategic alignment, risk management, and value delivery concepts. In order to implement these, there is a need for strong policy and compliance practices, performance and risk management processes, and an overall understanding of appropriate value delivery. Exhibit 2.4 shows these concepts at a high level, but they will be referenced further in later chapters.
Saturday, May 19, 2018

SOxOfficer Disclosure Sign-off

Exhibit 2.3 is an example of an officer disclosure sign-off type of statement that officers will be requested to sign. While this exhibit is not an official PCAOB form, it is based on SEC documents, showing the types of things an officer will be asked to certify.

TITLE IV: ENHANCED FINANCIAL DISCLOSURES
This title of SOx is designed to correct some financial reporting disclosure problems, to tighten up conflict-of-interest rules for corporate officers and directors, to mandate a management assessment of internal controls, to require senior officer codes of conduct, and to address other matters.
Expanded Conflict-of-Interest Provisions, Disclosures, and Codes of Ethics
As an important element of enterprise governance, SOx requires that corporations adopt a code of ethics for their senior financial officers and disclose compliance with this code as part of their annual financial reporting. SOx does not address the content of these enterprise-wide codes of ethics, but focuses on the need for the same standards for senior officers as for all employees in the enterprise. SOx specifically requires that an enterprise’s code of ethics or conduct for its senior officers must reasonably promote:
• Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
• Full, fair, accurate, timely, and understandable disclosure in the enterprise financial reports; and
• Compliance with applicable governmental rules and regulations.

Codes of Ethics
If an enterprise has a code of conduct, management should assure that this code applies to all members of the enterprise, is consistent with SOx, and that these ethical rules are communicated to all members of the enterprise, including the officers. The key governance issue here is making sure that the existing code of conduct covers the above SOx rules, that it has been communicated to senior management, and that these officers have agreed to comply with it.

Other SOx Rules and Requirements
SOx also includes a large and complex set of rules covering such areas as audit committee governance requirements, security analyst conflicts of interest, and other financial disclosure rules.

Thursday, May 17, 2018

SOx TITLE III: CORPORATE RESPONSIBILITY

SOx’s Title III regulations contain major regulatory rules for audit committees and prescribe audit committee performance standards and a large set of corporate governance rules. The enterprise’s external audit firm is to report directly to the audit committee, which is responsible for the external auditors’ compensation, oversight of the audit work, and the resolution of any disagreements between external audit and management.

Financial Expert
SEC regulations define a “financial expert” as a person who, through education and experience, has:
• An understanding of generally accepted accounting principles and financial statements;
• Experience applying such generally accepted accounting principles in connection with the accounting for estimates, accruals, and reserves that are generally comparable to the estimates, accruals, and reserves, if any, used in the registrant’s financial statements;
• Experience preparing or auditing financial statements that present accounting issues that are generally comparable to those raised by the registrant’s financial statements;
• Experience with internal controls and procedures for financial reporting; and
• An understanding of audit committee functions.

SOx Title III
In some respects, an audit committee member is being asked to put herself or himself in the potential line of fire if the enterprise is ever questioned regarding some financial or internal control decision. The SOx legislation also calls for audit committees to establish procedures to receive, retain, and treat complaints and handle whistleblower information regarding questionable accounting and auditing matters.

The signing officer, as part of what is referred to as Section 302, must certify that:
• The signing officer has reviewed the report.
• Based on that signing officer’s knowledge, the financial statements do not contain any materially untrue or misleading information.
• Again based on the signing officer’s knowledge, the financial statements fairly represent the financial conditions and results of operations of the enterprise.
• The signing officer is responsible for:
- Establishing and maintaining internal controls.
- Having designed these internal controls to ensure that material information about the enterprise and its subsidiaries was made known to the signing officer during the period when the reports were prepared.
- Having evaluated the enterprise’s internal controls within 90 days prior to the release of the report.
- Having presented in these financial reports the signing officer’s evaluation of the effectiveness of these internal controls as of that report date.

The signing officer should disclose to the external auditors, audit committee, and other directors any significant deficiencies in the design and operation of internal controls that could affect the reliability of the reported financial data. The signing officer should also indicate whether there were changes to internal controls, or other changes that could significantly impact those controls, including corrective actions, subsequent to the date of the internal control evaluation.

Monday, May 14, 2018

AS5 Rules and Internal Audit

Shortly after SOx became law in the United States, the PCAOB released its AS2 guidance that called for external auditors to take very conservative and detailed approaches on their audits of financial statements. AS2 mandated a “look-at-everything” detailed audit approach, and enterprise external audit bills became much more expensive in those first SOx years. AS5 is a set of standards for the external auditors who review and certify published financial statements, and these rules are important for internal auditors as well. AS5 introduces risk-based rules with an emphasis on the effectiveness of internal controls that are more oriented to enterprise facts and circumstances. In addition, AS5 calls for external auditors to consider including reviews of appropriate internal audit reports in their financial statement audit reviews. It allows external auditors to place more emphasis on management’s ability to establish and document key internal controls.

AS5
AS5 has three broad objectives:
1. Focus internal control audits on the most important matters.
2. Eliminate audit procedures that are unnecessary to achieve their intended benefits.
3. Make the financial audit clearly scalable to fit the size and the complexity of any enterprise.

AS5 calls for an assessment of the competence and objectivity of the internal auditors at an enterprise. Competence means the attainment and maintenance of a level of understanding and knowledge that enables persons to perform the tasks assigned to them, and objectivity means the ability to perform those tasks impartially and with intellectual honesty. AS5 calls for an external auditor evaluation of whether factors are present that either inhibit or promote a person’s ability to perform with the necessary degree of objectivity the work the auditor plans to use.

OTHER SOx RULES—TITLE II: AUDITOR INDEPENDENCE
Internal and external auditors have historically been separate and independent resources. External auditors were responsible for assessing the fairness of an enterprise’s internal control systems and the resultant published financial reports, while internal auditors served management in a wide variety of other areas.

Limitations on External Auditor Services

SOx prohibits public accounting firms from providing other services, including:
• Financial information systems design and implementations.
• Bookkeeping and financial statement services.
• Management and human resources functions.
• Other prohibited services.

The overall SOx theme here is that external auditors are authorized to audit the financial statements of their client enterprises, and that is about all. SOx allows that beyond the prohibited activities listed, external auditors can engage in other non-audit services only if those services are approved in advance by the audit committee.

Audit Committee Preapproval of Services
Section 202 of SOx’s Title I specifies that the audit committee must approve all audit and non-audit services in advance. This would relieve the strain of lengthy audit committee business matters, but it puts even more responsibility on a few audit committee members, over and above the many new legal responsibilities mandated by SOx.

External Audit Partner Rotation
External auditors have always communicated regularly with their audit committees in the course of the audit engagement, as well as for any other matters of concern. External auditors are required to report on a timely basis all accounting policies and practices used, alternative treatments of financial information discussed with management, the possible alternative treatments, and the approach preferred by the external auditor. External auditors must report to their audit committee any alternative accounting treatments, the approach preferred by the external auditors, and management’s approach.

Conflicts of Interest and Mandatory Rotations of External Audit Firms
It had once been common for members of the external audit firm team to get job appointments for senior financial positions at their audit clients. The SOx rule here really says that an audit partner cannot leave an audit engagement to begin working as a senior executive of the same firm that was just audited. While staff members and managers can still move from the public accounting firm team to various positions in the auditee enterprise, this prohibition is limited to public accounting partners.

Sunday, May 13, 2018

SOx Section 404 Rules
SOx Section 404 rules state that an enterprise is responsible for reviewing, documenting, and testing its own internal accounting controls, with those review results then passed on to the enterprise’s external auditors, who are charged with reviewing and attesting to that work as part of their review of the reported financial statements.

Section 404 Internal Controls Assessments
Management always has had the overall responsibility for designing and implementing internal controls over their enterprise’s operations. SOx Section 404 requires an annual internal controls report, with the following information elements, as part of an SEC-mandated Form 10K annual report:
• A formal management statement acknowledging the enterprise’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
• An assessment, as of the end of the most recent fiscal year, of the effectiveness of the enterprise’s internal control structure and procedures for financial reporting.

The external audit firm that issued the supporting audit report is required to review and report on management’s assessment of its internal financial controls. Management is required to report on the quality of their internal controls, and their public accounting firm must audit or attest that management developed an internal controls report in addition to their normal financial statement audit. Management has always been responsible for preparing their periodic financial reports, and the external auditors then audited those financial numbers and certified that they were fairly stated. With SOx Section 404, management is responsible for documenting and testing their internal financial controls as well as to report on their effectiveness. External auditors then review the supporting materials leading up to that internal financial controls report to assert that the report is an accurate description of the internal control environment.

Under SOx Section 404, management is required to report on the adequacy of their internal controls, with their external auditors attesting to the management-developed internal control reports. Under Section 404 procedures, the enterprise builds and documents its own internal control processes, then an independent party such as internal audit reviews and tests those internal controls, and finally the external auditors review and attest to the adequacy of this process.

Identifying Key Processes to Launch a Section 404 Compliance Review
Whether based on IT systems or primarily manual procedures performed on a regular basis, every enterprise has basic processes that are normally considered in terms of their basic accounting cycles, including:
• Revenue cycle. Processes dealing with sales or other enterprise revenue.
• Direct expenditures cycle. Expenditures for material or direct production costs.
• Indirect expenditures cycle. Operating costs that cannot be directly tied to production activities but are necessary for overall business operations.
• Payroll cycle. Covers all personnel compensation.
• Inventory cycle. Although inventory will eventually be applied as direct production expenditures, time-based processes are needed for holding inventory until it is applied to production.
• Fixed assets cycle. Property and equipment require separate accounting processes, such as periodic depreciation accounting over time.
• General controls IT cycle. This set of processes covers IT controls that are general or applicable to all IT operations.

Internal Audit’s Role
Even though SOx does not give specific responsibilities to internal audit, it is an important resource for the completion of Section 404 internal control assessments. Under SOx, a separate and independent function within the enterprise, often internal or IT audit, reviews and documents the internal controls covering key processes, identifies key control points, and then tests those identified controls. External audit then reviews that work and attests to its adequacy. For many enterprises, IT audit can be a key resource for performing these internal controls reviews for technology-based processes.

Section 404 Internal Control Review


Exhibit 2.2 outlines some planning considerations for a Section 404 internal control review to be performed by an enterprise’s internal auditors, who can play a major role in helping senior management establish Section 404 compliance. Our objective is not to provide internal audit guidance but to give a senior manager an idea of these IT internal audit processes.

Fundamental Governance Concepts and Sarbanes-Oxley Rules

Enterprise IT Governance
The term enterprise IT governance is not new, but it is a concept that has meant different things to different people. As a response to ongoing cycles of business frauds and failures, particularly in the latter decades of the past century, there has been an increased emphasis on embellishing enterprise codes of conduct and establishing what are called corporate ethics departments. Strong enterprise governance emphasized general operations, with little emphasis on IT systems and operations.

Sarbanes-Oxley Act
The Sarbanes-Oxley Act is a U.S. law enacted in 2002 to improve public company financial reporting, audit, and enterprise governance processes. It first had a major impact on businesses in the United States and is now recognized worldwide. Although SOx’s auditing and internal control rules have directly changed many external auditor and IT financial practices, SOx has also had a major impact on IT governance. A general understanding of SOx, with an emphasis on its Section 404 internal accounting control rules, is a key knowledge requirement for all senior managers.

Sarbanes-Oxley Act Key IT Governance Elements
The official name of SOx is the Public Accounting Reform and Investor Protection Act. It became law in 2002, with most of the final detailed rules and regulations following later. Because its title is a bit long, it is mostly referred to as SOx, SOX, or Sarbox. SOx introduced a series of totally changed processes for external auditing and gave new governance responsibilities to senior executives and board members. SOx established the Public Company Accounting Oversight Board (PCAOB), a rule-setting authority under the Securities and Exchange Commission (SEC) that issues financial auditing standards and monitors external auditor governance.

SOx Key Provisions Summary

Exhibit 2.1 summarizes the major sections of SOx Titles I and IV. Our intent is not to describe all sections of SOx or to reproduce the full text of this legislation – it can be found on the Web – but to highlight the portions of the law that are most significant to interested business professionals.

SOx Title I: Public Company Accounting Oversight Board
SOx introduced significant new rules for external auditors. Prior to SOx, the American Institute of Certified Public Accountants (AICPA) had guidance-setting responsibility for all external auditors and their public accounting firms through its overall responsibility for the Certified Public Accountant (CPA) certification. While state boards of accountancy actually licensed CPAs, the AICPA previously had overall responsibility for the profession. External audit standards also were set by the AICPA’s Auditing Standards Board (ASB). Although basic standards—called generally accepted auditing standards (GAAS)—have been in place over the years, newer auditing standards were released as numbered Statements on Auditing Standards (SASs). Much of GAAS was just good auditing practices, such as that accounting transactions must be backed by appropriate documentation, while the SASs covered specific areas requiring better definition.

SOx Title I External Audit Process rules:
• PCAOB administration and public accounting firm registration.
• Auditing, quality control, and independence standards.
• Audit workpapers retention.
• Scope of internal control testing.

Title IV: Enhanced Financial Disclosures and Section 404
SOx Title IV is designed to correct some financial reporting disclosure problems, to tighten up conflict-of-interest rules for corporate officers and directors, to mandate a management assessment of internal controls, to require senior officer codes of conduct, and to address other matters. The most significant nugget for most senior managers is Section 404 on Management’s Assessment of Internal Controls. SOx requires that all annual 10K reports contain an internal controls report stating management’s responsibility for establishing and maintaining an adequate system of internal controls, as well as management’s assessment, as of the fiscal year ending date, of the effectiveness of those installed internal control procedures.

Importance of IT Governance for All Enterprises


In the early 1960s, IT was a new business technology and many companies were offering competing computer hardware and software products to major corporations. Companies at all levels wanted to get up to speed with this new technology, and massive investments were made in installing new systems and in hiring and training the programmers and analysts to build and launch them. Despite some failures along the way, we are all using and benefiting today from these types of computer hardware and software products.
IT systems, supported by ever-changing and improving technologies, are a major component of almost all business activities. Yet IT activities have not been supported by some of the same standards and procedures found in other business areas. For example, accounting systems and financial standards are supported by recognized accounting principles that are reviewed by independent auditors and follow governmental financial accounting rules. Similar best-practice rules and standards exist for other areas of business activity, such as many aspects of marketing and quality control.
Although IT operations face increasing governmental and professional compliance requirements and a wide range of systems-related risks, there is still an ongoing need for better IT governance practices today.
Enterprise governance has its origins in the roles and activities of senior management and the board of directors, but IT functions in those earlier enterprises were viewed only as very important support functions and not as major business activities.
Senior managers, IT managers, and practitioners think of IT governance in many different ways. Some see IT governance as “command and control” rules over IT initiatives imposed by internal auditors, non-IT executives, and outside consultants; others consider it a corporate mechanism that implements a Big Brother approach to apply top-down constraints to overall IT activities.

1. IT Governance
Good IT governance is a set of policies and best practices that should serve as a strategic enabling force to improve enterprise business operations. Good IT governance aligns an enterprise strategically to support the evolution of an IT architecture that delivers consistent and scalable business value. IT governance helps measure a business’s growth and success, including its financial health. IT governance is about the way an enterprise accomplishes the delivery of mission-critical business capabilities using IT strategies, goals, and objectives. IT governance is concerned with the strategic alignment between the goals and objectives of the business and the utilization of its IT resources to effectively achieve the desired results.

2. IT Governance Concepts

EXHIBIT 1.1 IT Governance Concepts
Exhibit 1.1 shows this IT governance concept and how it fits in with overall enterprise strategies. It shows IT governance concepts in the center, but within overall enterprise strategies and operations. Although IT operations are usually critical to overall business operations, they must fit into overall business activities and strategies. Although the head of IT, the enterprise CIO, may feel that he or she has the best idea for some change or improvement in IT operations, that idea should be subservient to other corporate activities. For example, if senior management does not like the idea, the CIO should accept senior management’s direction, go forward, and make other improvements where possible. Enterprise IT architecture sets the overall big-picture rules for enterprise activities and IT governance.

3. Importance of Improving IT Governance
IT governance disseminates authority to the various layers in the organizational structures within the business, while ensuring appropriate and prudent use of that authority. Network structures allow for specialization, teaming, and building infrastructure to support teams in corporate operations. IT governance is not only for large organizations; smaller enterprises also have a need for good IT governance practices. IT governance affects business performance, and it ideally helps an enterprise to outperform its competition. A key theme is that IT governance defines business performance, specifically the performance of IT resources as they are applied to the business’s strategic objectives. Good IT governance leads directly to increased productivity, higher quality, and improved financial results.
Poor IT governance often leads to programmatic waste, bureaucracy, lower morale, and diminished overall financial performance. To underscore the importance of good IT governance practices, consider the production of goods or services for typical enterprise business customers, who have visibility into a business only where they interface with it for the purpose of ordering or making requests, receiving value through the sale or production of products, or providing information through surveys or marketing analyses.
The efficiency and coordination of the internal business processes that make up the end-to-end customer experience is an aspect of business performance that should be measured and improved. In order to positively impact business performance, the IT governance process must have focus and visibility on these overall end-to-end business processes with which customers interact. Poor IT governance loses sight of the customer in favor of satisfying regulations, standards, and policies in isolation. Good IT governance addresses whole end-to-end business processes and coordinates the activities of the enterprise over time and across organizational boundaries.
Enterprise IT governance processes may have grown unintentionally through evolving process improvements or intentionally through a deliberate project. Either way, the questions a senior manager should ask include: “How good are my IT governance processes at effectively delivering strategic business value year after year?” and “Are my processes repeatable, predictable, and scalable, and are they truly meeting the needs of my business (outside of IT) and my customers?”
A number of IT governance-related processes must be considered; we describe this integrated collection of available IT governance processes as the IT governance landscape. IT governance is a subset of enterprise governance, which at the highest level drives and sets what needs to be accomplished by improving overall management processes. IT governance itself encompasses systems, the overall IT infrastructure, and communications. Product development governance, like IT governance, is a subset of enterprise governance and overlaps with IT governance. Product development governance is targeted at enterprises that develop products (as opposed to delivering IT services). IT development governance should be applied to development organizations and programs, and is a subset of both IT governance and product development governance.

4. Frameworks and Concepts
Many important frameworks and concepts, with names such as COBIT or ITIL, are well understood by many IT professionals but may be less familiar to the senior enterprise executive. In our IT-centric world today, the senior enterprise executive should understand why IT governance and the related concepts of IT-related compliance activities and risk management are important.