Certify Reports Are Complete
SOX of 2002 established corporate governance regulation activity and emphasizes the importance of controls and standards for public companies with the SEC, designed to prevent or detect fraud that could lead to material misstatement of the financial statements.

Section 302:
- Requires corporate management, including the CEO, to certify financial and other information contained in the organization's quarterly and annual reports (certify reports are complete).
- Requires them to certify internal controls over financial reporting.
- Certifying officers are required to design internal controls, or cause such internal controls to be designed, and to provide reasonable assurance as to the reliability of the financial reporting process.
- Must disclose any material changes in the company's internal control.

Section 404
- Requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting.
- Management is required to provide an annual report addressing the following:
  Flow of transactions (including IT aspects) - to identify points at which a misstatement could arise
  Assess both design and operating effectiveness of selected internal controls (using a risk-based approach)
  Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud
  Evaluate and conclude on the adequacy of controls over the financial statement reporting process
  Evaluate entity-wide controls that correspond to the SAS 78/COSO framework

Relationship between IT controls and financial reporting
Application controls – ensure the integrity of specific systems
- Are to ensure validity, completeness, and accuracy of financial transactions
- Designed to be application specific
General controls (AKA general computer controls / information technology controls) – controls that pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
General computer controls – are specific activities performed by persons or systems designed to ensure that business objectives are met.
Information technology controls – include controls over IT governance, IT infrastructure, security, and access to operating systems and databases, application acquisition and development, and program changes.

Audit Implications of Sections 302 and 404
Prior to SOX, external auditors were not required to test internal controls.
Auditors are permitted to simultaneously render a qualified opinion on management's assessment of internal controls and an unqualified opinion on the financial statements.
PCAOB Standard No. 5 specifically requires auditors to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported.

Section 404:
Requires management to provide the external auditors with documented evidence of functioning controls related to selected material accounts in its report on control effectiveness.

Section 302:
Auditors have responsibility regarding management's quarterly certifications of internal controls.
Auditors must perform the following procedures quarterly to identify any material modifications in controls over financial reporting:
- Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information.
- Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls.
- Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.

Computer Fraud
Data Collection – the first operational stage in the information system. The control objective is to ensure that event data entering the system are valid, complete, and free from material misstatement.
Fraudulent acts involve:
- Entering falsified data into the system
- Deleting, altering, or creating a transaction
- Disbursing cash in payment of a false account payable
Network systems expose organizations to transaction frauds from remote locations:
- Masquerading - a perpetrator gaining access to the system from a remote site by pretending to be an authorized user
- Piggybacking - a technique in which the perpetrator at a remote site taps into the telecommunications lines and latches on to an authorized user who is logging in to the system
- Hacking - may involve piggybacking or masquerading techniques
Data Processing - Tasks include mathematical algorithms used for production scheduling applications, statistical techniques for sales forecasting, and posting and summarizing procedures used for accounting applications.
Program Fraud includes techniques such as:
- Creating illegal programs that can access data files to alter, delete, or insert values into accounting records;
- Destroying or corrupting a program's logic using a computer virus;
- Altering program logic to cause the application to process data incorrectly.
Operation Fraud – misuse or theft of the firm's computer resources.
Database management - The organization's database is its physical repository for financial and nonfinancial data.
Database management fraud includes altering, corrupting, destroying, or stealing an organization's data.
A common fraud technique is to access the database from a remote site and browse the files for useful information that can be copied and sold to competitors.
Information Generation - is the process of compiling, arranging, formatting, and presenting information to users.
Fraud at this stage: steal, misdirect, or misuse computer output.
Scavenging – involves searching through the trash of the computer center for discarded output.
Eavesdropping – involves listening to output transmissions over telecommunication lines.

IT Governance Controls
IT governance – a broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of IT.
Not all elements of IT governance relate specifically to the control issues that SOX addresses and that are outlined in the COSO framework.
Organizational structure controls
Operational tasks should be separated:
1. Segregate the task of transaction authorization from transaction processing
2. Segregate record keeping from asset custody
3. Divide transaction-processing tasks among individuals so that fraud will require collusion between 2 or more individuals
Segregation of duties within the centralized firm
Access controls – controls that ensure that only authorized personnel have access to the firm's assets.
Separating New Systems Development from Maintenance
Inadequate Documentation:
- Poor quality systems documentation (a chronic IT problem)
Reasons:
- Documenting systems is not as interesting; professionals prefer to move on to an exciting new project.
- Job security: when a system is poorly documented, it is difficult to interpret and debug. Thus the programmer who coded it, and understands it, retains bargaining power.
Program Fraud
- When the original programmer of a system is also assigned maintenance responsibility, the potential for fraud is increased.
- Involves making unauthorized changes to program modules for the purpose of committing an illegal act.
A superior structure for systems development
- The systems development function is separated into two independent groups: new systems development and systems maintenance.
This structure helps resolve the two control problems:
1. Improved documentation standards, because the maintenance group will require adequate documentation to perform their maintenance duties.
2. Denying the original programmer future access to the application code deters program fraud.
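The three segregation rules listed under Organizational structure controls (authorization vs. processing, record keeping vs. asset custody, and splitting processing so that fraud needs collusion) are usually stated as policy; the following is an added example, not code from these notes or from any textbook, of enforcing them at runtime on an accounts-payable workflow. The duty names (authorize, process, record, custody), the role model, the transaction identifiers and the sample actors are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Added example (not from the page): enforce the three segregation-of-duties
# rules as a check on each step of a transaction. Duty names, roles and the
# sample transactions below are hypothetical.

# Pairs of duties that one person must never perform on the same transaction.
CONFLICTS = {
    frozenset({"authorize", "process"}),  # rule 1: authorization vs processing
    frozenset({"record", "custody"}),     # rule 2: record keeping vs asset custody
    frozenset({"process", "custody"}),    # rule 3: processing split (assumed split)
}

# Hypothetical role model: which duties a role may perform at all.
ROLE_DUTIES = {
    "manager": {"authorize"},
    "clerk": {"process", "record"},
    "cashier": {"custody"},
}


class SoDViolation(Exception):
    """Raised when a step would breach the role model or a conflict pair."""


@dataclass
class Transaction:
    tx_id: str
    amount: float
    steps: dict = field(default_factory=dict)  # duty -> user who performed it


def perform(tx: Transaction, user: str, role: str, duty: str) -> None:
    """Record `user` performing `duty` on `tx`, or raise SoDViolation."""
    if duty not in ROLE_DUTIES.get(role, set()):
        raise SoDViolation(f"{user} ({role}) may not {duty} on {tx.tx_id}")
    if duty in tx.steps:
        raise SoDViolation(f"{duty} already done on {tx.tx_id} by {tx.steps[duty]}")
    # The same identity may not hold both halves of a conflicting pair.
    for done_duty, done_user in tx.steps.items():
        if done_user == user and frozenset({done_duty, duty}) in CONFLICTS:
            raise SoDViolation(
                f"{user} already performed {done_duty} on {tx.tx_id}; "
                f"cannot also {duty}")
    tx.steps[duty] = user


def disburse_payable(tx_id: str, amount: float, actors) -> Transaction:
    """Run a payable end to end; `actors` is a list of (user, role, duty)."""
    tx = Transaction(tx_id, amount)
    for user, role, duty in actors:
        perform(tx, user, role, duty)
    return tx


def min_colluders(tx: Transaction) -> int:
    """Distinct people who touched the transaction, i.e. how many must collude."""
    return len(set(tx.steps.values()))


def is_blocked(tx_id: str, amount: float, actors) -> bool:
    """True when the workflow is refused by the segregation check."""
    try:
        disburse_payable(tx_id, amount, actors)
    except SoDViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a properly segregated payable.
    ok = disburse_payable("AP-1001", 5000.0, [
        ("alice", "manager", "authorize"),
        ("bob", "clerk", "process"),
        ("carol", "clerk", "record"),
        ("dave", "cashier", "custody"),
    ])
    print(ok.tx_id, "completed; people required to collude:", min_colluders(ok))
    # Constructed sample: one person authorizes and then processes (rule 1).
    print("AP-1002 blocked:", is_blocked("AP-1002", 5000.0, [
        ("alice", "manager", "authorize"),
        ("alice", "clerk", "process"),
    ]))
```

The check is deliberately per-transaction rather than per-role: a clerk is allowed to both process and record in general, but the conflict table still stops any single identity from holding both authorization and processing, or record keeping and custody, on the same item, which is what makes collusion necessary for a false payable to be paid.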