Management 188 Introduction to Management Information Systems


MIS 3090: IT for Financial Services
Technology Brief: The Role of the SEC
Investigating the Implications of Sarbanes-Oxley for Corporate IT
July 16, 2015
Role of the SEC

Protect investors; maintain integrity in the securities markets:

- All investors, whether large institutions or private individuals, should have access to certain basic facts about an investment prior to buying it.
- The SEC requires public companies to disclose meaningful financial and other information to the public, which provides a common pool of knowledge for all investors to use to judge for themselves whether a company's securities are a good investment. Only through the steady flow of timely, comprehensive and accurate information can people make sound investment decisions.
- Oversees key participants in the securities world, including stock exchanges, broker-dealers, investment advisors, mutual funds, and public utility holding companies.
- Concerned primarily with promoting disclosure of important information, enforcing the securities laws, and protecting investors who interact with these various organizations and individuals.
Information Gathering & Retention

EDGAR (Electronic Data Gathering, Analysis, and Retrieval)

- Automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file forms with the SEC
- Accelerates the receipt, acceptance, dissemination, and analysis of time-sensitive corporate information

Required documents

- Form 10-K or 10-KSB is required to be filed on EDGAR
- Only documents submitted to the EDGAR system in either plain text or HTML are official filings. PDF documents are unofficial copies of filings. Filers may not use the unofficial PDF copies instead of plain text or HTML documents to meet filing requirements
- Filers may choose to voluntarily submit documents in eXtensible Business Reporting Language (XBRL) – see the xbrl.org site; XBRL automates processing and makes reports more interactive
XBRL

XML-based industry language for finance and accounting

- Uses paired tags and commonly defined elements
- 22 working groups… GL, Tax, etc. (see xbrl.org)

Sample raw XBRL for an operating costs report (2000):

<numericContext id="rg.cy00.hkd" cwa="false" precision="4">
  <entity>
    <identifier scheme='http://www.gov.hk'>rg</identifier>
  </entity>
  <period>
    <startDate>2000-01-01</startDate>
    <endDate>2000-12-31</endDate>
  </period>
  <unit>
    <measure>iso4217:hkd</measure>
  </unit>
</numericContext>
<gaap:opc numericContext="rg.cy01.hkd">-3583000000.</gaap:opc>
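An added example, not part of the lecture slides: a small Python check that resolves each fact in an XBRL fragment against its numericContext (entity, period, unit, precision) and reports dangling references instead of dropping the fact. The wrapping <xbrl> root and the gaap namespace URI are placeholders assumed here; note that the slide's sample fact points at rg.cy01.hkd while the only context it defines is rg.cy00.hkd, which is exactly the kind of inconsistency automated processing of filings has to surface.

```python
import xml.etree.ElementTree as ET

# Constructed instance document wrapping the slide's sample fact. The <xbrl>
# root and the gaap namespace URI are placeholders assumed for this example.
GAAP_NS = "http://example.invalid/gaap"
SAMPLE = f"""<xbrl xmlns:gaap="{GAAP_NS}">
<numericContext id="rg.cy00.hkd" cwa="false" precision="4">
  <entity><identifier scheme='http://www.gov.hk'>rg</identifier></entity>
  <period><startDate>2000-01-01</startDate><endDate>2000-12-31</endDate></period>
  <unit><measure>iso4217:hkd</measure></unit>
</numericContext>
<gaap:opc numericContext="rg.cy01.hkd">-3583000000.</gaap:opc>
</xbrl>"""


def load_contexts(root):
    """Map each numericContext id to the entity, period, unit and precision it carries."""
    contexts = {}
    for ctx in root.findall("numericContext"):
        contexts[ctx.get("id")] = {
            "entity": ctx.findtext("entity/identifier"),
            "start": ctx.findtext("period/startDate"),
            "end": ctx.findtext("period/endDate"),
            "unit": ctx.findtext("unit/measure"),
            "precision": ctx.get("precision"),
        }
    return contexts


def extract_facts(xml_text):
    """Return (facts, problems): facts resolved against their context, plus one
    problem line for every fact whose context is missing or whose value is not
    numeric, so bad input is reported rather than silently dropped."""
    root = ET.fromstring(xml_text)
    contexts = load_contexts(root)
    facts, problems = [], []
    for el in root:
        if el.tag == "numericContext":
            continue
        name = el.tag.split("}")[-1]  # drop the '{namespace-uri}' prefix
        ref = el.get("numericContext")
        if ref not in contexts:
            problems.append(f"{name}: numericContext '{ref}' is not defined")
            continue
        try:
            value = float((el.text or "").strip())
        except ValueError:
            problems.append(f"{name}: value {el.text!r} is not numeric")
            continue
        facts.append({"name": name, "value": value, **contexts[ref]})
    return facts, problems
```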
The Plot Thickens…

Why did Corporate America fall asleep at the wheel?

A litany of sob stories… >$500B lost because of…

- Xerox (Latin American subsidiary anomalies)
- Enron and Arthur Andersen (blame it on the shredder)
- Tyco (shower curtains and pool-side birthday parties)
- MCI / WorldCom (free loans available: apply within)
- Mutual Funds (market timing based on posted NAV)

Where was IT?

- Don’t we have controls to catch this sort of thing?
- Why did internal audit not spot these irregularities sooner?
- Prevention is better than cure (we now know with hindsight)
- Would enhanced IT help to prevent financial wrongdoing in future; what would IT look like?
Background to Sarbanes-Oxley

- Sarbanes-Oxley Act (2002) was a reaction to emerging corporate accounting scandals and the ensuing loss of investor confidence
- The “law” is derived from a combination of:
  - Sarbanes Oxley Act of 2002 (H.R. 3763)
  - Pending and final rules of the Public Company Accounting Oversight Board (PCAOB)
  - Pending and final rules of the SEC (as regards trading/listing constraints)
  - Studies by the GAO and others that may result in new laws and/or new rules
- Applies to any existing or prospective publicly traded company
  - Private firms and not-for-profit firms are off the hook for the moment
- Senior executives are directly responsible for financial statements
  - “See no evil, hear no evil” is not an acceptable excuse
  - (max) $1,000,000 fine and 10 year sentence for officers who certify financial statements knowing them to be inconsistent with the Sarbanes-Oxley Act.
  - Increases to $5,000,000 fine and 20 year prison sentence for officers who willfully certify…
Title III: Corporate Responsibility

Section 302: Requires CEO and CFO to:

- Certify fairness of financial statements
  - Certify that the content is accurate, complete and fairly presented
  - Take responsibility for maintaining and evaluating controls and procedures
- Officers must make disclosures regarding:
  - The absence and prevention of fraud
  - Deficiencies, material weaknesses, changes in systems of internal controls
  - Evaluation of the effectiveness of the disclosure controls and procedures
- Companies must establish and maintain an overall system of disclosure controls and procedures so that the CEO and CFO can:
  - Supervise and review periodic evaluations of the disclosure system
- Effectiveness of disclosure controls and procedures must be assessed within 90 days prior to filing dates of quarterly and annual reports
- Failure to maintain adequate disclosure controls and procedures may result in SEC action even if it doesn’t lead to flawed financial statements
Title IV: Enhanced Disclosure

Section 404: Management Assessment of Internal Controls

- Requires management to establish and maintain adequate internal controls and procedures for financial reporting
- SEC defines internal controls and procedures for financial reporting as controls that provide reasonable assurances that:
  - Transactions are properly authorized
  - Assets are safeguarded against unauthorized or improper use
  - Transactions are properly recorded to permit the preparation of financial statements that are presented consistent with GAAP
- Each annual report must include a statement that:
  - Describes management’s responsibility for internal controls and procedures for financial reporting
  - Documents management’s assessment of the effectiveness of the controls and financial reporting procedures
  - Incorporates the independent auditor’s review of management’s assessment of internal controls and financial reporting procedures
General Controls

Manage and control the IT activities and computer environment:

- Information security – both physical and logical access
- Maintenance of existing systems (e.g., program change controls – see below)
- Computer operations, data centers, backup tape facilities, etc.
- Development and implementation of new systems

Examples include:

- Authentication of users (e.g., use of user-ids and passwords)
- Password controls (e.g., password expiry, minimum length, etc.)
- Security administration (e.g., user set-up, removing employees, password resets)
- Security monitoring (e.g., procedures to follow up security breaches)
- Physical security of computers and business facility (e.g., swipe cards)
- Program change controls (e.g., authorization, testing, segregation of duties)
Application Controls (CAVR)

- Completeness: controls to ensure financial transactions and data are complete (e.g., control totals, sequencing)
- Accuracy: controls to ensure financial transactions and data are accurate (e.g., logic tests, check sums)
- Validity: controls to ensure financial transactions and data are valid (e.g., maintain record trail, electronic signatures)
- Restricted Access: controls to ensure restricted access to data and financial transactions (e.g., passwords, asset tags, locks, approval forms)
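An added example, not from the slides: the Completeness, Accuracy and Validity checks of CAVR applied in Python to a constructed batch of ledger postings as it might arrive from a sub-ledger. The batch header's record count and control total, the per-record SHA-256 checksum and the HMAC "electronic signature" with a hypothetical shared key are all assumptions for illustration; Restricted Access is left to the platform's authentication and authorization controls listed under General Controls.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Hypothetical shared key for the "electronic signature" (in practice: HSM or secrets store)
SIGNING_KEY = b"demo-only-key"

@dataclass
class Posting:
    seq: int            # sequence number assigned by the sending system
    account: str
    amount_cents: int   # integer cents avoid floating-point rounding
    checksum: str       # sha256 over the record fields (accuracy check)
    signature: str      # HMAC-SHA256 by the approver (validity check)

def record_bytes(seq, account, amount_cents):
    return f"{seq}|{account}|{amount_cents}".encode()

def make_posting(seq, account, amount_cents, key=SIGNING_KEY):
    data = record_bytes(seq, account, amount_cents)
    return Posting(seq, account, amount_cents, hashlib.sha256(data).hexdigest(),
                   hmac.new(key, data, "sha256").hexdigest())

def check_batch(postings, header_count, header_total_cents, key=SIGNING_KEY):
    """Apply the C, A and V checks of CAVR to one batch; return the findings."""
    findings = []
    # Completeness: record count and control total must agree with the batch header
    if len(postings) != header_count:
        findings.append(f"completeness: {len(postings)} records, header says {header_count}")
    total = sum(p.amount_cents for p in postings)
    if total != header_total_cents:
        findings.append(f"completeness: total {total}, header says {header_total_cents}")
    # Completeness: sequence numbers must be contiguous (nothing missing or duplicated)
    seqs = sorted(p.seq for p in postings)
    if seqs and seqs != list(range(seqs[0], seqs[0] + len(seqs))):
        findings.append(f"completeness: sequence gap or duplicate in {seqs}")
    for p in postings:
        data = record_bytes(p.seq, p.account, p.amount_cents)
        # Accuracy: the checksum catches transcription or transmission errors
        if hashlib.sha256(data).hexdigest() != p.checksum:
            findings.append(f"accuracy: checksum mismatch on seq {p.seq}")
        # Validity: the signature shows the record was approved and not altered since
        if not hmac.compare_digest(hmac.new(key, data, "sha256").hexdigest(), p.signature):
            findings.append(f"validity: bad approval signature on seq {p.seq}")
    return findings

def sample_batch():
    """Constructed postings with seq 3 missing, so a header count of 4 will not match."""
    return [make_posting(1, "6100", 125000), make_posting(2, "6100", -3500),
            make_posting(4, "2100", 98000)]
```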
Controls and Financial Statements

[Diagram, source: PwC] Business objectives give rise to business risks related to achieving those objectives. Each business process (A, B, C, …) is covered by the CAVR application controls (Completeness, Accuracy, Validity, Restricted Access); these feed the account balances and transactions, which in turn support the financial statement assertions:

- Completeness
- Accuracy
- Rights & Obligations
- Existence / Occurrence
- Valuation / Allocation
- Presentation / Disclosure
- Cutoff

General computer controls underpin the whole chain.
IT Organization Requirements

Get ready! Don’t leave it all to the “C” types

- Hire some security specialists – e.g., CISA, ESIC
- Brush up on your accounting skills
- Training courses in ethics, responsible management
- IT Audit: become a watch dog, not a blood hound
- Audit by exception – impossible to check everything
- Pass bad news up the chain of command FAST!
- Controls evolve: keep on top of things
Cost of SOX Compliance

- ~$3M/year for medium-large firms
- As high as $1.4T if measuring lost market value of firms
- 78% of firms say it’s not worth the cost
- Opportunity costs of foreign firms choosing not to list in the U.S.
  - Offset by implied benefits for those that do list?
For Next Class…

Read:

- Read the Merrill Lynch case carefully – be prepared to answer questions in class on the case (to be posted shortly).
- Read through the articles listed on the class website.