SOX For Everyone: Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks
Section 101
Establishes the PCAOB (Public Company Accounting Oversight Board)
Non-profit, private-sector corporation that oversees the audits of public companies
PCAOB consists of 5 members appointed by the SEC
Section 201
Establishes new rules on auditor independence and prohibits the external auditor from providing certain non-audit services to its audit clients
Prohibited services include financial information system design and implementation, internal audit outsourcing, and other services
Tax and other non-prohibited services may be
performed by the external auditor if approved in
advance by the audit committee
Sarbanes-Oxley Act
Continued
Section 301
Mandates that all audit committee members be independent
External auditor reports to, is overseen
by, and is compensated by the audit
committee
Sarbanes-Oxley Act
Continued
Section 302
Requires that the CEO and CFO personally certify quarterly and annual financial reports
Knowingly certifying a false report carries criminal fines or imprisonment under SOX (the criminal penalties are in Section 906)
Sarbanes-Oxley Act
Continued
Section 404
Requires management to state its responsibility for establishing and maintaining internal control over financial reporting
Requires management to perform an annual assessment of the effectiveness of those controls (the external auditor attests to this assessment under 404(b))
Sarbanes-Oxley Act
Continued
COSO Framework
The original (1992) COSO depiction is a pyramid of 5 layered and interconnected components that together make up the control system
Control environment: the foundation
Risk assessment, control activities and monitoring are layered on top of the foundation
The 5th component, information and communication, is the channel connecting the other 4 layers
COSO Internal Control Framework
Continued
Risk Assessment
Evaluation of potential risks to the organization's ability to achieve its objectives
3-step process:
Estimate the significance of the risk
Assess its likelihood
Consider how to manage the risk or actions to
take
COSO Internal Control Framework
Continued
Risk Assessment
Risks from external factors include new legislation and technological change
Risks from internal factors include the quality of hiring and training
Specific activity-level risks include risks tied to a particular new product or process
COSO Internal Control Framework
Continued
Control Activities
Policies and procedures
Top-level reviews compare results to budget or
other benchmarks
Direct functional or activity management entails reviewing operational reports or exception reports and taking corrective action
Information processing entails checks on the accuracy, completeness and authorization of transactions, control over the development of new systems and changes to existing ones, and control over access to data, files and programs
COSO Internal Control Framework
Continued
Control Activities
Policies and procedures-continued
Physical controls over assets
Performance indicators entail relating operating data to financial data, and taking analytical, investigative or corrective action when the two disagree
Segregation of duties
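Segregation of duties is the control activity most often tested mechanically in a SOX 404 engagement: pull every user's entitlements from the system and check them against the conflict rules in the control matrix. The script below is an added example, not part of the original slides or of COSO. The role names, the function sets behind each role, the toxic-function pairs and the user assignments are all constructed for illustration; in practice they come from the ERP or identity system and from the organization's own control matrix.

```python
"""
Segregation-of-duties (SoD) conflict check over user entitlements.

Added example, not from the original slides. Roles, toxic pairs and
user assignments below are constructed; a real review pulls roles from
the ERP/IAM system and takes the conflict rules from the control matrix.
"""

# Role -> set of business functions the role can perform (constructed).
ROLE_FUNCTIONS = {
    "ap_clerk":      {"create_vendor", "enter_invoice"},
    "ap_supervisor": {"approve_payment"},
    "treasury":      {"release_payment"},
    "gl_accountant": {"post_journal"},
    "gl_reviewer":   {"approve_journal"},
    "it_admin":      {"change_prod_code", "grant_access"},
    "developer":     {"change_prod_code"},
}

# Pairs of functions one person must not hold together (constructed rules).
# Each pair follows the usual pattern: the first function initiates or
# alters a transaction, the second approves or completes it.
TOXIC_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "approve_payment"),
    ("approve_payment", "release_payment"),
    ("post_journal", "approve_journal"),
    ("change_prod_code", "grant_access"),
]

# Conflicts management has accepted because an independent review covers
# them (constructed). These must be re-evaluated every reporting period.
ACCEPTED_EXCEPTIONS = {
    ("carol", "post_journal", "approve_journal"): "controller reviews all journals monthly",
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of functions across a user's roles; an unknown role is an error,
    not something to silently skip, since it would hide entitlements."""
    funcs = set()
    for role in roles:
        if role not in role_functions:
            raise KeyError(f"unknown role: {role}")
        funcs |= role_functions[role]
    return funcs


def find_conflicts(user_roles, role_functions=ROLE_FUNCTIONS, toxic_pairs=TOXIC_PAIRS):
    """Return {user: [(func_a, func_b), ...]} for every violated toxic pair.

    Conflicts are evaluated at the function level, not the role level, so a
    single over-broad role (it_admin here) is flagged the same way as two
    roles that combine badly.
    """
    conflicts = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        hits = [(a, b) for a, b in toxic_pairs if a in funcs and b in funcs]
        if hits:
            conflicts[user] = hits
    return conflicts


def unmitigated_conflicts(conflicts, accepted=ACCEPTED_EXCEPTIONS):
    """Drop conflicts that carry a documented compensating control."""
    remaining = {}
    for user, hits in conflicts.items():
        open_hits = [(a, b) for a, b in hits if (user, a, b) not in accepted]
        if open_hits:
            remaining[user] = open_hits
    return remaining


# Constructed user -> roles assignments to run the check against.
SAMPLE_USERS = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_clerk", "ap_supervisor"],    # creates vendors and approves payments
    "carol": ["gl_accountant", "gl_reviewer"],  # posts and approves her own journals
    "dave":  ["it_admin"],                      # one role holds both toxic functions
    "erin":  ["developer", "treasury"],         # no rule covers this combination
}

if __name__ == "__main__":
    for user, hits in sorted(unmitigated_conflicts(find_conflicts(SAMPLE_USERS)).items()):
        for a, b in hits:
            print(f"{user}: {a} + {b}")
```

Two points of practice are built in. Conflicts are resolved from effective functions rather than role names, because nested or over-broad roles are where SoD violations usually hide. And accepted conflicts are tracked explicitly with the compensating control that justifies them, so the reviewer sees both the raw violations and the ones still open after mitigation; erin's combination is not flagged at all, which is a reminder that the check is only as complete as the rule set behind it.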
COSO Internal Control Framework
Continued
Control Activities
Integrating risk assessment and control
activities
Appropriate control activities are established to address specific identified risks
Controls that no longer address a real risk add cost without benefit and should be removed
COSO Internal Control Framework
Continued
Control Activities
Controls over information systems
General controls apply across all applications: data center operations, system software, access security and change management (the lock on the computer-center door is the classic example)
Application controls are built into specific programs to check that transactions are complete, accurate and authorized
The organization needs to consider evolving technologies and add or modify controls accordingly
COSO Internal Control Framework
Continued
Monitoring
Historically the role of internal auditors
COSO expands to include ongoing
assessments of and adjustments to internal
control as circumstances warrant
Many routine business functions are
considered monitoring activities, such as
reconciliations
COSO Internal Control Framework
Continued
Monitoring
Separate internal control evaluations (in addition to
ongoing monitoring) need to be performed
periodically
Can be done by management
Identified internal control deficiencies (however they're found) should be reported, investigated, and appropriately acted upon
REVIEW
Which of the following are elements included in
the control environment?
a. Organizational structure, management
philosophy, and planning.
b. Risk assessment, assignment of
responsibility, and human resource practices.
c. Competence of personnel, backup facilities,
laws, and regulations.
d. Integrity and ethical values, assignment of
authority, and human resource policies.
REVIEW
Which of the following fits most directly under
the control activities component of the
COSO Internal Control framework?
a. Company-level controls dealing with tone at
the top.
b. Accounting for shipping documents to
ensure that all sales are recorded.
c. Overall methods for assigning authority and
responsibility.
d. The control environment.
Understanding, Using, and Documenting
COSO Internal Controls
SOX 404 requires that organizations understand, document, test, and evaluate the internal controls of major processes and systems
COSO is the framework the SEC recognizes as suitable for this assessment
Fundamentals of Internal Controls
Definition of a control system
A car is an example: if the accelerator or brakes aren't used properly, the car operates out of control
An organization is similar: all the parts have to operate and be directed properly or the organization is out of control
An internal control system should attain or maintain a desired state
Fundamentals of Internal Controls
Continued