SOX For Everyone: Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks


SOX for Everyone
Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks
Source: Brink's Modern Internal Auditing, Robert Moeller, Wiley Publishing

Agenda for Today
- What is internal control and why is it important for governmental entities?
- History of internal control leading up to SOX
- COSO framework
- Fundamentals of internal control and control systems
- Wrap up

What is Internal Control?
- General procedures for a well-managed, well-functioning business
- Components include:
  - Accomplishes its mission
  - Produces accurate, reliable data
  - Complies with laws and corporate policies
  - Results in economical/efficient use of resources
  - Provides for safeguarding of assets

Internal Control and Governmental Entities
- How do internal control objectives translate into government objectives?
  - Increase the public's confidence level in government operations.
  - Increase management's accountability for financial reporting and information disclosed to the public.
  - Reveal the critical need for management's well-defined job requirements.
  - Reduce fraud and increase accountability.
Source: http://www.governmentauditors.org/content/view/273/123/

Internal Control Standards: Background Developments
- Earliest definition of internal control: the organization's plan and actions to
  - safeguard its assets,
  - operate efficiently,
  - adhere to policies, and
  - accurately and reliably produce accounting data

Internal Control Standards: Background Developments (continued)
- Foreign Corrupt Practices Act (FCPA)
  - Response to the Watergate scandal
  - Required management to
    - Maintain accurate books and records
    - Implement a system of internal control
  - Also prohibited bribes
    - Excludes grease payments to minor officials
  - Created a flurry of activity to comply; today it is seen primarily as an anticorruption law

Efforts Leading to the Treadway Commission
- Cohen Commission (an AICPA commission)
  - Recommended that management report on internal controls and that auditors opine on the fairness of management's assertion
  - Resulted in criticism from external auditors: lack of consistent definitions regarding internal controls, "adequate," etc.
- FEI endorsed the Cohen recommendation
  - As a result, some CEO management letters discussed internal control; some letters included negative assurance

Efforts Leading to the Treadway Commission (continued)
- SEC 1979 proposal
  - Based on the Cohen Commission and FEI
  - Called for mandatory management reports on internal control
  - Again, controversy and criticism centered on the lack of a clear definition of internal accounting control
  - SEC dropped the proposal, but it established a need for a management report on internal control as part of required SEC filings

Efforts Leading to the Treadway Commission (continued)
- SAS No. 55 (Statement on Auditing Standards)
  - Issued by the AICPA
  - Defined internal control in terms of the
    - Control environment
    - Accounting system
    - Control procedures
  - Management's view of internal control is broader and encompasses the entire control system
  - External auditors focus on internal control related to financial statements

Efforts Leading to the Treadway Commission (continued)
- Treadway Commission (National Commission on Fraudulent Reporting)
  - Late 1970s and early 1980s were a period of high inflation, high interest rates, and many business failures despite the companies having reported adequate earnings
  - Congress proposed but didn't pass bills to correct the business and audit failures
  - Treadway Commission formed to identify fraud factors and propose recommendations

Efforts Leading to the Treadway Commission (continued)
- Treadway Commission, continued
  - Again, a call for management reports on the effectiveness of internal control
  - Most important contribution of Treadway was raising the level of concern and attention directed toward reporting on internal control
- FCPA, Cohen Commission, SEC 1979 Report, SAS No. 55 and Treadway Commission
  - Occurred almost in parallel over a period of 20 and helped redefine internal control

Sarbanes-Oxley Act
- Passed in 2002
- Most significant overhaul of public accounting, corporate governance and financial reporting since the 1930s
- Established regulatory rules for public accounting firms, auditing standards, and corporate governance
- PCAOB established to oversee public accounting firms and to establish auditing standards

Sarbanes-Oxley Act (continued)
- Section 101
  - Establishes the PCAOB
    - Non-profit, private-sector corporation
    - PCAOB consists of 5 members appointed by the SEC
  - AICPA no longer establishes Statements on Auditing Standards or GAAS
  - PCAOB now oversees all audits of SEC-reporting corporations

Sarbanes-Oxley Act (continued)
- Section 201
  - Establishes new rules regarding auditor independence and prohibited practices
  - Limitations include financial information system design and implementation, internal audit outsourcing, and other services
  - Tax and other non-prohibited services may be performed by the external auditor if approved in advance by the audit committee

Sarbanes-Oxley Act (continued)
- Section 301
  - Mandates that all audit committee members be independent
  - External auditor reports to, is overseen by, and is compensated by the audit committee

Sarbanes-Oxley Act (continued)
- Section 302
  - Requires that the CEO and CFO certify quarterly and annual financial reports
  - SOX imposes criminal fines or jail time on violators

Sarbanes-Oxley Act (continued)
- Sections 304 and 305
  - Designed to eliminate or limit seemingly outrageous behavior
    - Earnings restatements may require the CEO and CFO to return bonuses based on bogus numbers
    - Blackout periods related to trading in 401(k) and pension plans apply equally to all employees
  - Revised rules related to attorney reporting of corporate misconduct
    - Controversial due to attorney-client privilege

Sarbanes-Oxley Act (continued)
- Section 404
  - Makes management responsible for acknowledging its responsibility for establishing and maintaining internal control
  - Makes management responsible for an annual assessment of internal controls

Sarbanes-Oxley Act (continued)
- Other sections of Title IV
  - Require the company to adopt a code of ethics for senior officers
  - Require a financial expert on the audit committee
  - Mandate that companies provide information about material financial statement issues to investors as soon as possible

Sarbanes-Oxley Act (continued)
- Other Titles of SOX
  - Mandate workpaper retention policies
  - Provide whistleblower protection
  - Require the CEO and CFO to personally certify that the financial reports are fairly presented
    - Personal penalties for knowingly falsifying (not corporate responsibility)

REVIEW
Under the 2002 Sarbanes-Oxley Act, _____________ must certify the effectiveness of the company's internal controls each year. If they sign off on ineffective controls, they could _______________.
a. CFOs and CEOs; face civil and criminal penalties.
b. CFO; face civil penalties.
c. CEO; get fired.
d. External auditor; face the Audit Committee.

REVIEW
The primary responsibility for overseeing the establishment and administration of internal control rests with
a. The external auditor.
b. The controller.
c. The internal auditor.
d. Senior management.

COSO Internal Control Framework
- Common framework for the definition of internal control and procedures to evaluate controls
- A process effected by the BOD, management and others to provide reasonable assurance regarding achieving effective and efficient operations, reliable financial reporting, and compliance with laws
- Released in 1992 and has become widely accepted

COSO Internal Control Framework (continued)
- COSO Framework
  - Pyramid with 5 layered and interconnected components that comprise the overall control system
    - Control environment: foundation
    - Risk assessment, control activities and monitoring are layered on top of the foundation
    - The 5th element is an interface channel between the other 4 layers: communication and information

COSO Internal Control Framework (continued)
[Figure omitted] Source: COSO's Internal Control - Integrated Framework

COSO Internal Control Framework (continued)
- Internal control environment
  - Has a pervasive influence on the organization
  - Reflects the attitude, awareness and actions of the BOD, management and others regarding the importance of internal control
  - History and culture play important roles
  - Tone at the top

COSO Internal Control Framework (continued)
- Internal control environment
  - Integrity and ethical values
    - Strong code of conduct communicated throughout the organization
  - Commitment to competence
    - Adequate training, supervision, job descriptions
  - BOD and audit committee
    - Independent audit committee

COSO Internal Control Framework (continued)
- Internal control environment
  - Management's philosophy and operating style
    - Risk taker/conservative, seat of the pants/careful planner
  - Organizational structure
    - Centralized/decentralized, reporting relationships

COSO Internal Control Framework (continued)
- Internal control environment
  - Human resources policies and practices
    - Recruitment/hiring, new employee orientation, evaluation/promotion/compensation, disciplinary actions

COSO Internal Control Framework (continued)
- Risk Assessment
  - Evaluation of potential risks to the organization's ability to achieve its objectives
  - 3-step process
    - Estimate the significance of the risk
    - Assess its likelihood
    - Consider how to manage the risk or actions to take

COSO Internal Control Framework (continued)
- Risk Assessment
  - Risks from external factors include legislation, technology
  - Risks from internal factors include quality of hiring/training
  - Specific activity-level risks include risks related to specific new products

COSO Internal Control Framework (continued)
- Control Activities
  - Policies and procedures
    - Top-level reviews compare results to budget or other benchmarks
    - Direct functional or activity management entails reviewing operational reports or exception reports and taking corrective action
    - Information processing: controls over the development of new systems or access to data

COSO Internal Control Framework (continued)
- Control Activities
  - Policies and procedures (continued)
    - Physical controls over assets
    - Performance indicators: relating operating data to financial data, and taking analytical, investigative or corrective action
    - Segregation of duties

COSO Internal Control Framework (continued)
- Control Activities
  - Integrating risk assessment and control activities
    - Appropriate control activities are established to address specific risks
    - May need to prune "dumb" controls

COSO Internal Control Framework (continued)
- Control Activities
  - Controls over information systems
    - General controls that ensure control over all applications (e.g., locks on the door to the computer center)
    - Application controls apply to specific programs
    - The organization needs to consider evolving technologies and new/modified controls

COSO Internal Control Framework (continued)
- Communications and Information
  - Information systems can be formal or informal, internal or external
  - COSO emphasizes that they be
    - Strategic, consistent with the organization's goals (not outdated)
    - Integrated with other operations

COSO Internal Control Framework (continued)
- Communications and Information
  - COSO suggests and SOX requires that information be
    - Timely
    - Accurate
    - Current
    - Accessible
    - Appropriate

COSO Internal Control Framework (continued)
- Communications and Information
  - Internal systems
    - Most important component may be communication from senior management, the tone at the top
    - Each person needs to know how he fits into the organization; otherwise he may think errors don't matter
    - Each person needs to know limits, what is unethical/improper
    - Communication must flow up and down

COSO Internal Control Framework (continued)
- Communications and Information
  - External systems
    - Include a mechanism to capture and act upon complaints, a source of potential control issues
    - Communication must flow in both directions

COSO Internal Control Framework (continued)
- Monitoring
  - Historically the role of internal auditors
  - COSO expands it to include ongoing assessments of and adjustments to internal control as circumstances warrant
  - Many routine business functions are considered monitoring activities, such as reconciliations

COSO Internal Control Framework (continued)
- Monitoring
  - Separate internal control evaluations (in addition to ongoing monitoring) need to be performed periodically
    - Can be done by management
  - Identified internal control deficiencies (no matter how they're identified) should be reported, investigated, and appropriately acted upon

REVIEW
Which of the following are elements included in the control environment?
a. Organizational structure, management philosophy, and planning.
b. Risk assessment, assignment of responsibility, and human resource practices.
c. Competence of personnel, backup facilities, laws, and regulations.
d. Integrity and ethical values, assignment of authority, and human resource policies.

REVIEW
Which of the following fits most directly under the control activities component of the COSO Internal Control framework?
a. Company-level controls dealing with tone at the top.
b. Accounting for shipping documents to ensure that all sales are recorded.
c. Overall methods for assigning authority and responsibility.
d. The control environment.

Understanding, Using, and Documenting COSO Internal Controls
- SOX 404 requires that organizations understand, document, test, and evaluate internal controls of major processes and systems
- COSO is the suggested tool for this process

Fundamentals of Internal Controls
- Definition of a control system
  - The car is an example: if the accelerator or brakes aren't used properly, the car operates out of control
  - An organization is similar: all the parts have to operate/be directed properly or the organization is out of control
  - An internal control system should attain or maintain a desired state

Fundamentals of Internal Controls (continued)
- Elements of a control system
  - Detector/sensor element measures the system being controlled (often the auditor)
  - Selector or standard element is the base used to compare/evaluate what's detected (standards, best practices)
  - Controller element changes the behavior based on the comparison of detector and standard
  - Communications network element transmits messages between the controller element and the thing being controlled

Fundamentals of Internal Controls (continued)
- Types of control techniques; a combination of all 3 assures a process is operating properly
  - Preventive controls
    - Locked doors, passwords
  - Detective controls alert management that a problem has occurred
    - Door alarms, account reconciliations
  - Corrective controls assist in recovery from problems
    - Insurance policy
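As an added illustration (not part of the slides), the four control-system elements from the "Elements of a control system" slide, instantiated as the detective control named above, an account reconciliation, with the monitoring rule that deficiencies are reported and investigated. The transactions, the tolerance and the message format are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    ref: str       # document reference shared by the ledger and the bank feed
    amount: float

# Constructed sample data (not from the slides): general ledger vs. bank statement.
LEDGER = [Txn("INV-1001", 250.00), Txn("INV-1002", 80.00),
          Txn("INV-1003", 1200.00), Txn("INV-1004", 45.50)]
BANK = [Txn("INV-1001", 250.00), Txn("INV-1002", 85.00),
        Txn("INV-1003", 1200.00), Txn("CHK-9999", 600.00)]

def detector(ledger, bank):
    """Detector/sensor element: measure the controlled process by reconciling."""
    led = {t.ref: t.amount for t in ledger}
    bnk = {t.ref: t.amount for t in bank}
    findings = []  # (kind, ref, amount)
    for ref in sorted(led.keys() | bnk.keys()):
        if ref not in bnk:
            findings.append(("missing_from_bank", ref, led[ref]))
        elif ref not in led:
            findings.append(("unrecorded_in_ledger", ref, bnk[ref]))
        elif abs(led[ref] - bnk[ref]) > 0.005:
            findings.append(("amount_mismatch", ref, abs(led[ref] - bnk[ref])))
    return findings

def standard(finding, tolerance=50.0):
    """Selector/standard element: the base the findings are compared against.
    Assumed policy: cash the ledger never recorded is always a deficiency;
    other differences only when they exceed the (assumed) tolerance."""
    kind, _, amount = finding
    return kind == "unrecorded_in_ledger" or amount > tolerance

def controller(findings, tolerance=50.0):
    """Controller element: decide the response. Per the monitoring slides a
    deficiency is reported and investigated; small differences are only logged."""
    return [("investigate" if standard(f, tolerance) else "log", f) for f in findings]

def communications_network(actions):
    """Communications element: carry the decisions back to the process owners."""
    return [f"{act.upper()}: {kind} {ref} ({amt:.2f})"
            for act, (kind, ref, amt) in actions]

def run_reconciliation(ledger=LEDGER, bank=BANK, tolerance=50.0):
    """Run the whole loop once; returns the messages, e.g. for the audit trail."""
    return communications_network(controller(detector(ledger, bank), tolerance))
```

Calling `run_reconciliation()` on the sample data escalates the bank item the ledger never recorded and merely logs the two small differences.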

Fundamentals of Internal Controls (continued)
- Preventive, detective and corrective controls operate on 3 levels
  - Steering: preventive controls designed to attract management attention and prompt action (respond to falling market share)
  - Yes-No: protective controls designed to ensure adherence to a pre-established control (approvals)
  - Post-action: requires management's after-the-fact action; may require correcting detective, preventive or corrective controls (reassign an employee, repair damaged products)

REVIEW
Controls may be classified according to the function they are intended to perform; which of the following is a detective control?
a. Dual signatures on all disbursements over a specific amount.
b. Recording every transaction on the day it occurs.
c. Monthly bank statement reconciliations.
d. Requiring all members of the internal audit staff to be CPAs.

REVIEW
Controls designed to deter undesirable events from occurring are
a. Preventive controls.
b. Directive controls.
c. Detective controls.
d. Output controls.

WRAP UP
Questions?
