Sarbanes-Oxley Act - Open Universiteit


Sarbanes-Oxley Act
Effectiveness of Internal Control
on financial reporting
Han Levink
March 7, 2006
Why Sarbanes-Oxley?

The SOA was enacted in 2002, largely in
response to a number of major corporate
and accounting scandals involving some of
the most prominent companies in the US

These scandals have resulted in a great loss
of public trust in corporate accounting and
reporting practices
Section 302
‘Corporate Responsibility for financial reports’
Statement (‘verklaring’):
- Content of (non-)financial reports is correct and complete
- Reporting systems are reliable
- Timely reporting
Objective:
- Transparency of financial information
Section 404
‘Management Assessment of internal controls’
Management is responsible for setting up and maintaining an adequate Internal Control Framework (ICF) and adequate procedures with regard to financial reporting
- Judgement on the effectiveness of the ICF and procedures in a ‘statement’

Implications
of sections 302 and 404

- Numerical presentation of performance in a correct and unambiguous way in the annual report
- Demonstrate that these figures were produced in a reliable and verifiable manner:
Consequence: control on control
- Shift from ‘Trust me and Tell me’ to ‘Show me and Prove me’
- The external auditor has attested to, and reported on, management’s evaluation of internal controls
Effects of SOA on ICF
Show me and prove me:
in Internal Control Framework (ICF)
- No material weaknesses
- No significant deficiencies
in key controls
Material weakness

Defined as a condition in which the design or
operation of one or more of the internal control
components does not reduce to a relatively low
level the risk that misstatements caused by error or
fraud in amounts that would be material in relation
to the financial statements may occur and not be
detected within a timely period by employees in
the normal course of performing their assigned
functions
Effects of implementation of
SOA on an organisation
Organisational
- Investments and benefits
- Culture and people
- Statements

Significant factors of
SOA impact on an organisation
- Quality of existing ICF:
Processes in which key controls are present should be clearly described and kept up to date
- Damage to image:
Problems on e.g. the capital market or labor market
- CPAs are reserved:
Sanctions by the Public Company Accounting Oversight Board (PCAOB)
- Feeling of comfort of management:
See next pages
Organisational effects
- Higher risk awareness of employees
- Higher awareness of employees regarding their tasks and responsibilities
- Tasks and responsibilities are made more explicit and, if necessary, more standardized
- Increase of the importance of culture and way of working as a control system
- Efficiency advantages by making (redundant) processes uniform
Organisational effects
- Focus on describing relations and handover moments between departments
- Clear definition of key controls
- SOA activities as part of daily work (CSF would be the embedding in the organisation)
- Documentation (seven years: project and test plans, description of processes, control documentation sheets, test scripts, test files)
- Reallocation of priorities (by law) regardless of customer projects (ROI might decrease)

Investments and benefits
- Dutch survey: in 2004 on average 2000 internal man-days were used (approx. 1 million euro) and IT investments ranged from 0.3 to 3 million euro
- USA (Johnson Group): annual expenses on SOA 2.5 % of sales volume
- University of Illinois: in the USA in 2004 in total 120 million hours on Section 404 and CPAs in total 12 million hours: estimated total expenses 10 billion dollars
Culture and people
- Effect of implementation of an ICF on organisational culture differs from company to company
- Implementation of ICF should be an objective, not a tool (not creating a bureaucratic culture)
- Need for an entrepreneurial culture:
  - Initiatives taken by employees
  - Being respected by management

This requires:
internal communication and training
Culture and people
Objective of internal communication and training:
Mindset of management and employees:
in fact change management should be executed smoothly
Internal communication and
training in an entrepreneurial culture
CEO / CFO:
Effect of SOA on work:
- Signing for SOA compliance
- Controlling the annual SOA process
Mindset:
- Attention to creating risk awareness among employees
Required knowledge:
- SOA and COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- Annual (signing) process
Internal communication and
training in an entrepreneurial culture
Business Unit Manager
Effect of SOA on work:
- Final responsibility for SOA compliance for the BU
- Building/executing testing strategy and test plans
Mindset:
- Recognize and propagate the interest of SOA
- Give priority to and sponsor SOA
Required knowledge:
- See CEO/CFO + annual test process
- Secure SOA criteria in other / new projects
Internal communication and
training in an entrepreneurial culture
Head of department
Effect of SOA on work:
- Keeping ICF up to date
- Change management as a result of tests and audits
- Keeping control matrices up to date
- Risk analysis and designing IC measures
- Securing SOA criteria in other / new projects
Mindset: see BU manager
Required knowledge:
- See BU Manager + ICF reference documentation
- Be able to judge processes and controls
- Be able to design IC measures
Internal communication and
training in an entrepreneurial culture
Employees
Effect of SOA on work:
- Cooperate in test activities
- Execute and judge IC measures and IT controls
Mindset:
- Understand the interest of ‘being in control’
- Recognize the interest of testing
- Be involved with change management
Required knowledge:
- What SOA is + the different kinds of controls
- Familiar with test processes and test directives
- Familiar with processes and ICs in own department
Statements
After updating the ICF an approval procedure starts:
- Each division / unit / department states that processes, IC measures, applications and IT infrastructure are in control
- Resulting in a network of statements
- But each statement should be reviewed and signed
- CEO/CFO rely on statements before final sign-off
Cultural aspect:
- In case of a fear culture: unreliable statements
- In case of a bureaucratic culture: time consuming
- Best result in an entrepreneurial culture
Recommendations by SEC
for financial year 2005
- Use both quantitative and qualitative controls when determining significant accounts and apply a top-down approach
- Apply a risk-based approach that covers the largest risk areas first
- Focus attention not only on financial but also on operational controls
- Improve the effectiveness of the financial controls by integrating them with the business processes
- Do not regard SOA as a compliance obligation but as an opportunity to improve overall business performance; use the ICF as a ‘lens’ for analysis and improvement.
Internal Control Framework

In the US, the most broadly accepted framework
for internal control is provided by the Committee
of Sponsoring Organizations of the Treadway
Commission (COSO)

COSO defines ‘Internal control’ as a process – effected by an organization’s board of directors, management, and other personnel – that provides reasonable assurance regarding achievement of objectives in three categories
COSO: objectives in 3 categories
- Effective and efficient operations: focuses on key objectives, such as performance and profitability goals and the safeguarding of company assets
- Reliable financial reporting: covers the preparation of reliable financial statements and other financial information
- Compliance with applicable laws and regulations: to avoid damage to a company’s reputation or other negative outcomes
COSO’s 5 components to achieve
the internal control objectives
- Control environment: serves as the foundation for an ICF by providing structure, policy, code of conduct, etc.
- Risk assessment: identification and analysis of business risks and how they should be managed
- Control activities: specific policies and procedures to ensure that objectives are achieved
- Information and communication: support all other components by communicating control responsibilities to employees
- Monitoring: covers the oversight of internal controls by management
Requirements to report on the
effectiveness of internal controls
for financial reporting
Purpose of IC for financial reporting (SEC) is to ensure that companies have processes designed to provide reasonable assurance that:
- Transactions are properly authorized
- Assets are safeguarded against unauthorized or improper use
- Transactions are properly recorded and reported to permit the preparation of the financial statements in conformity with GAAP
SOA: no rules for reporting on IC

Although rules and standards for reporting on internal controls and procedures for financial reporting pursuant to §404 and §103 of SOA have not been established, companies still need to establish reasonable guidelines and boundaries as a basis for identifying, designing, and maintaining controls and procedures for financial reporting
Within this context the COSO framework can be very helpful as a reference point in avoiding material weaknesses and significant deficiencies
Criteria for effective internal
control
According to COSO, determining whether a particular IC system is ‘effective’ is a subjective judgement resulting from an assessment of whether the 5 components are present and functioning effectively
- Controls can differ in the degree to which they address a particular risk, so that complementary controls can be satisfactory

Conclusion
Only heading for compliance will lead to a negative cost/benefit
Implementation of SOA should have positive side effects:
- Rationalization of ICF and IT
- Optimization of processes
- More transparency in controlling the business
Required:
- Profound preparations
- Focus on and securing of communication and training