FEU - IT Controls and SOX Overview - Day1
Overview
Agenda
Page 2
SOX Recap
Page 3
SOX or Financial Audit?
1. When a key control fails, the external auditors perform additional procedures
to confirm whether the failure presents risk to the financial statements. Once the
auditors are comfortable that risk to the financial statements is appropriately
mitigated, no additional procedures are performed.
Page 4
SOX or Financial Audit?
4. A quarterly user access review was not performed during Q3. The external
auditors performed additional procedures to confirm users and access are
appropriate. In addition, the external auditors obtained the Q4 user access
review to confirm it was performed timely.
Page 7
SOX or Financial Audit?
5. The Company’s external auditor tests key controls that prevent or detect error
to mitigate risk. Where controls are not in place or are ineffective, substantive
testing is performed to reach financial statement reliance.
Page 8
SOX or Financial Audit?
6. When a key control fails, a remediation plan is created, put in place, and the
control is retested.
Page 9
SOX Recap - Keys
Page 12
SOX or Financial Audit?
1. When a key control fails, the external auditors perform additional procedures
to confirm whether the failure presents risk to the financial statements. Once the
auditors are comfortable that risk to the financial statements is appropriately
mitigated, no additional procedures are performed.
FINANCIAL AUDIT
Page 13
SOX or Financial Audit?
SOX AUDIT
Page 14
SOX or Financial Audit?
SOX AUDIT
Page 15
SOX or Financial Audit?
4. A quarterly user access review was not performed during Q3. The external
auditors performed additional procedures to confirm users and access are
appropriate. In addition, the external auditors obtained the Q4 user access
review to confirm it was performed timely.
SOX AUDIT
Page 16
SOX or Financial Audit?
5. The Company’s external auditor tests key controls that prevent or detect error
to mitigate risk. Where controls are not in place or are ineffective, substantive
testing is performed to reach financial statement reliance.
FINANCIAL AUDIT
Page 17
SOX or Financial Audit?
6. When a key control fails, a remediation plan is created, put in place, and the
control is retested.
SOX AUDIT
Page 18
SOX or Financial Audit?
SOX AUDIT
Page 19
SOX or Financial Audit?
FINANCIAL AUDIT
Page 20
SOX vs. Financial Statement Audit
Page 21
SOX vs. Financial Statement Audit
Page 22
Risks & Controls Recap
Page 23
Financial Audit Overview
The purpose of a Financial Statement Audit is to gain reasonable assurance about whether the
financial statements as a whole are free of material misstatement, whether due to fraud or error,
thereby enabling us to express an opinion on whether the financial statements are prepared and
presented fairly, in all material respects, in accordance with an applicable financial reporting
framework.
Page 24
Financial Audit Scoping
[Figure: scoping funnel. Financial statement significant accounts → significant processes → risks (what can go wrong?) → controls: IT general controls; applications (► Automated, ► IT-dependent manual, ► Manual); substantive procedures; audit effort.]
Page 25
Risks & Controls
► What is a risk?
► Risks are measured by their likelihood and impact
► Situation involving exposure to (for example):
► Loss of market share / income (Business Risk)
► Misstatement of revenue (Audit Risk)
► Data loss (IT Risk)
► Information processing risks include those related to the completeness, accuracy, and validity of information
► What is a control?
► A process or an action designed to prevent or detect error to mitigate risk
► Control design and operational effectiveness
Page 26
SOX Background
Page 27
Background of SOX
► SOX was enacted as a reaction to a number of major corporate and accounting scandals
(including those affecting Enron, Tyco International, Adelphia, and WorldCom).
Page 31
Background of SOX
► The Sarbanes-Oxley Act of 2002 was named after U.S. Senator Paul Sarbanes and U.S.
Representative Michael Oxley. The act was passed on July 30, 2002 by President George W.
Bush.
► SOX was introduced and enforced for public companies beginning in 2004 to accomplish the
following objectives:
► Increase the accountability of management of public companies
► Improve corporate governance
► Increase the oversight of public accounting firms
► Restore investor confidence in the capital markets
Page 32
History of COSO and SOX
Timeline (from the slide graphic):
► Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed to address fraudulent financial reporting
► COSO released Internal Control – Integrated Framework
► Sarbanes-Oxley Act signed
► Established Public Company Accounting Oversight Board (PCAOB)
► Section 302 – Executive Management certification of financial information accuracy
► Section 404 – generated the need to assess internal controls over financial reporting
► Section 906 – penalties for fraudulent reporting
► PCAOB releases Auditing Standard No. 2 – focused on ICFR coverage of financial statements
► PCAOB releases Auditing Standard No. 5 – top-down, risk-based approach
► COSO updates Internal Control – Integrated Framework
► Requires focus beyond just financial reporting to include non-financial reporting
► Updated for impact of technology
► Codified 17 principles of internal control
► PCAOB released Staff Audit Practice Alert No. 11 – Considerations for audits of internal controls over financial reporting
COSO sponsoring organizations:
► American Institute of Certified Public Accountants (AICPA)
► American Accounting Association (AAA)
► Financial Executives International (FEI)
► Institute of Internal Auditors (IIA)
► Institute of Management Accountants (IMA)
Page 33
What is Sarbanes-Oxley (SOX)?
► Purpose of SOX:
► In response to a series of corporate fraud cases in the late 1990s and early 2000s, which resulted
in great loss of stakeholder wealth and destroyed the public’s trust in corporate America,
Sarbanes-Oxley (SOX) was enacted by Congress in the U.S.
► SOX was put in place to help boost investor confidence and restore public trust in corporate
America.
Page 34
Key sections of Sarbanes-Oxley
Page 35
Section 302
Page 36
Section 404
► The CEO and CFO are required to report annually on the state of internal controls,
including:
► The framework used to evaluate the effectiveness of ICFR
► Management’s assessment of the effectiveness of internal controls
► Any significant control deficiencies or material weaknesses
► Additionally, the Company’s external auditor must attest to the effectiveness of the
company’s internal controls over financial reporting.
Page 37
Key Control Considerations Under SOX: IPE
► When IPE is used in the performance of controls, the external auditor evaluates whether
the information is sufficiently reliable, including obtaining audit evidence about the
completeness and accuracy of the information
► Under SOX, Management must perform procedures to gain comfort over the completeness
and accuracy of IPE used in the execution of their controls. Steps may include:
► Obtaining and reviewing the query or parameters used to generate a report
► Ticking and tying report totals or row counts back to source data within the system
► Retaining evidence to show that data output from an IT application to the end user computing
(EUC) tool has not been modified or lost in the transfer
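The three IPE steps above (re-performing the query with the stated parameters, ticking and tying row counts and totals to source, and retaining evidence that the extract was not altered in transfer to the EUC tool) can be evidenced in a repeatable script. The following is an added example, not material from the deck or from any audit firm's tooling; the ledger rows, report parameters and the journal-entry identifiers are constructed for illustration, and the hash-at-export step is an assumed practice the page does not prescribe.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample data: rows of a hypothetical journal-entry ledger
# (the "source system"). All identifiers and amounts are invented.
SOURCE_ROWS = [
    {"je_id": "JE-1001", "period": "2023-Q4", "amount": "1250.00"},
    {"je_id": "JE-1002", "period": "2023-Q4", "amount": "-300.50"},
    {"je_id": "JE-1003", "period": "2023-Q3", "amount": "9999.99"},  # outside the period
    {"je_id": "JE-1004", "period": "2023-Q4", "amount": "75.25"},
]

# Parameters the control owner states were used to generate the report.
REPORT_PARAMS = {"period": "2023-Q4"}


def run_source_query(rows, params):
    """Re-perform the report query against source data with the stated parameters."""
    return [r for r in rows if r["period"] == params["period"]]


def report_to_csv(rows):
    """Render rows the way the application would export them to the EUC tool."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["je_id", "period", "amount"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def sha256_hex(text):
    """Digest recorded at export time and recomputed when the file is used in the control."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def summarise(rows):
    """Row count and control total used for the tick-and-tie."""
    return len(rows), sum(Decimal(r["amount"]) for r in rows)


def check_ipe(extract_csv, recorded_hash, source_rows, params):
    """Completeness-and-accuracy checks for a report used as IPE.

    Returns a dict of booleans the control performer can retain as evidence.
    """
    extract_rows = list(csv.DictReader(io.StringIO(extract_csv)))
    expected_rows = run_source_query(source_rows, params)

    ext_count, ext_total = summarise(extract_rows)
    src_count, src_total = summarise(expected_rows)

    return {
        # transfer integrity: the file in the EUC tool is byte-identical to the export
        "hash_matches": sha256_hex(extract_csv) == recorded_hash,
        # completeness: same number of rows as the re-performed source query
        "row_count_ties": ext_count == src_count,
        # accuracy: control total agrees with source
        "total_ties": ext_total == src_total,
        # parameters honoured: every row sits inside the stated period
        "parameters_honoured": all(r["period"] == params["period"] for r in extract_rows),
    }


def demo():
    """Export the report, record its hash, then check an intact and an altered copy."""
    extract = report_to_csv(run_source_query(SOURCE_ROWS, REPORT_PARAMS))
    recorded = sha256_hex(extract)
    intact = check_ipe(extract, recorded, SOURCE_ROWS, REPORT_PARAMS)
    # Simulate a row lost while the file was handled in the EUC tool.
    damaged = extract.replace("JE-1004,2023-Q4,75.25\n", "")
    altered = check_ipe(damaged, recorded, SOURCE_ROWS, REPORT_PARAMS)
    return intact, altered


if __name__ == "__main__":
    intact, altered = demo()
    print("intact extract:", intact)
    print("altered extract:", altered)
```

The four booleans map one-to-one onto the evidence an auditor asks for: the recomputed hash covers the transfer step, the row count and control total cover completeness and accuracy against source, and the period check shows the stated parameters were actually applied. A reviewer retains the recorded hash and these results with the control evidence rather than the spreadsheet alone.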
Page 38
Key Control Considerations Under SOX: Review Controls
► The external auditor will assess Management’s process and evidence of review:
► How precise and sensitive is the review process (i.e. what level of error would the review detect)?
► Is the review performed at the detail level, e.g. does the reviewer validate user access roles, or just
whether a user is an employee?
► What evidence of review is provided (e.g. email, Excel spreadsheet, annotations on PDFs and Excel,
sign-offs)?
► Is there a second level review?
► Are there conflicting roles for reviewer? If so, what is the mitigation or second level review?
► Is evidence of completeness and accuracy provided to the reviewer?
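The precision questions above (role-level versus employee-only review, conflicting roles, reviewer independence) are easiest to see by running both kinds of review over the same access population. The following is an added example, not from the deck or from any product; the HR roster, access extract, role model and segregation-of-duties conflict pair are all constructed, and the user and role names are hypothetical.

```python
from itertools import combinations

# Constructed HR roster: who is a current employee and what job they hold.
HR_ROSTER = {
    "alice": {"status": "active", "job": "AP clerk"},
    "bob":   {"status": "active", "job": "AP supervisor"},
    "carol": {"status": "terminated", "job": "AP clerk"},
    "dave":  {"status": "active", "job": "IT admin"},
}

# Constructed access extract from the application: user -> roles held.
ACCESS_EXTRACT = {
    "alice": {"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"},   # holds a conflicting pair
    "bob":   {"AP_APPROVE_PAYMENT"},
    "carol": {"AP_ENTER_INVOICE"},                        # terminated, still provisioned
    "dave":  {"SYS_ADMIN", "AP_APPROVE_PAYMENT"},         # finance role outside the IT job
    "eve":   {"AP_ENTER_INVOICE"},                        # no HR record at all
}

# Constructed role model: the roles each job is expected to hold.
EXPECTED_ROLES = {
    "AP clerk": {"AP_ENTER_INVOICE"},
    "AP supervisor": {"AP_APPROVE_PAYMENT"},
    "IT admin": {"SYS_ADMIN"},
}

# Role pairs one person should not hold together (segregation of duties).
CONFLICTS = {frozenset({"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"})}


def _is_active(user, roster):
    rec = roster.get(user)
    return rec is not None and rec["status"] == "active"


def employee_only_review(access, roster):
    """Coarse review: asks only 'is this user a current employee?'."""
    return [{"user": u, "issue": "not an active employee"}
            for u in access if not _is_active(u, roster)]


def role_level_review(access, roster, expected, conflicts):
    """Detail-level review: each role is validated against the job and against SoD conflicts."""
    findings = employee_only_review(access, roster)
    for user, roles in access.items():
        if not _is_active(user, roster):
            continue  # already reported; removal is the remediation regardless of roles
        job = roster[user]["job"]
        for role in sorted(roles - expected.get(job, set())):
            findings.append({"user": user, "issue": f"role {role} not expected for {job}"})
        for pair in combinations(sorted(roles), 2):
            if frozenset(pair) in conflicts:
                findings.append({"user": user, "issue": f"conflicting roles {pair[0]} + {pair[1]}"})
    return findings


def reviewer_is_independent(reviewer, access):
    """A reviewer who holds access in the population under review needs a second-level review."""
    return reviewer not in access


if __name__ == "__main__":
    for f in employee_only_review(ACCESS_EXTRACT, HR_ROSTER):
        print("employee-only:", f)
    for f in role_level_review(ACCESS_EXTRACT, HR_ROSTER, EXPECTED_ROLES, CONFLICTS):
        print("role-level:   ", f)
    print("bob independent as reviewer?", reviewer_is_independent("bob", ACCESS_EXTRACT))
```

On the constructed data the employee-only review flags two users (the terminated clerk and the user with no HR record) and misses the conflicting pair and the out-of-job role entirely; the role-level review reports all five issues. That difference is what the "how precise and sensitive is the review" question is getting at, and the independence check is the mechanical form of the "conflicting roles for reviewer" question.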
Page 39
IT General Control Areas
Page 40
IT General Controls
IT General Control (ITGC) procedures are performed to determine whether management has controls in place that can
be relied on to test application and IT-dependent manual controls.
Manage Change
Manage Access
Manage IT Operations
Page 41
Manage Change Controls
► Change monitoring
Page 42
Manage Access Controls
Page 43
Manage IT Operations Controls
Page 44
Impact of IT process conclusions on the financial audit
[Figure: the two audit approaches, Substantive approach versus Rely on controls.]
Page 45
Impact of IT process conclusions on the financial audit
[Figure: scoping funnel repeated. Financial statement significant accounts → significant processes → risks (what can go wrong?) → controls: IT general controls; applications (► Automated, ► IT-dependent manual, ► Manual); substantive procedures; audit effort.]