Sarbanes-Oxley Section 404 Compliance: A Guiding Framework using iGrafx® SOX Accelerator
© 2007 Corel Corporation. All Rights Reserved.
Table of Contents
Introduction
Using iGrafx® for SOX Compliance
1. Select Priority Elements
2. Document Processes
3. Source Risks
4. Document Controls
5. Assess Design
6. Validate Operation
7. Report
Summary
Introduction
Under Section 404 of the Sarbanes-Oxley Act (SOX), public enterprises are required to
produce an annual report that affirms the establishment and maintenance of an adequate
internal control structure and procedures for financial reporting. The report must also
contain an assessment of the effectiveness of the internal control structure and financial
reporting procedures.
Complying with this mandate has proven to be more demanding than first anticipated.
Many companies underestimated the scope of this effort, and are being faced with
challenges when documenting, evaluating and testing internal controls, as well as
meeting the human resource needs to achieve compliance. As a result, companies are
adopting frameworks provided by independent consultants and vendors to aid them with
these requirements.
Drawing on our experience as a recognized leader delivering business process improvement
software, and utilizing the COSO framework as a basis, iGrafx has developed the iGrafx®
SOX Accelerator, a pre-built model to help organizations document, manage and audit
financial processes and internal controls.
This document uses seven steps to show what tasks a company needs to perform to achieve
compliance. Specific iGrafx applications are illustrated as we walk the reader through the
following summary diagram from Protiviti® Inc. (www.protiviti.com), a leading international
provider of internal audit and risk consulting services and a highly regarded expert on
Sarbanes-Oxley compliance:
Note: This diagram is reprinted with permission from Protiviti’s publication on Sarbanes-Oxley Section 404 compliance, Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements.
The following pages describe how iGrafx applications can help managers, auditors and
independent advisors identify, document, and assess controls to ensure SOX compliance.
This publication will show how the iGrafx SOX Accelerator can be used for documenting
financial accounts, mitigating risk, aligning strategies, goals and requirements for the
control model, and creating project plans for testing and measuring the effectiveness of
the controls.
A PLAIN ENGLISH SUMMARY (the seven stages of the Protiviti diagram)
Select Priority Elements: select the priority accounts and disclosures; consider significance to financial reporting and risk of misstatement.
Document Processes: document the transaction flows that materially impact the priority financial reporting elements.
Source Risks: use financial reporting assertions to source "what can go wrong" within the processes.
Document Controls: document entity controls ("tone at the top"); document the controls at the source of the risk (preventive) or downstream in the process (detective and corrective).
Assess Design: assess effectiveness of controls design at entity and process levels.
Validate Operation: test effectiveness of controls operation at entity and process levels.
Report: conclude, disclose, report.
The questions the diagram answers along the way: What are the risks? What are the controls? Who owns the controls? How is the controls design rated? How are the controls performing?
Using iGrafx® for SOX Compliance
iGrafx provides the modeling and reporting capabilities necessary to ensure enterprise SOX
compliance. Corel® Corporation, the parent company of iGrafx, for example, uses iGrafx
tools to model and report its financial processes and controls to meet its SOX requirements
as a public organization.
iGrafx models include, but are not limited to, the following aspects of an organization:
• Financial accounts
• Processes and activities that affect the financial accounts
• Risks (things that could go wrong with financial processes)
• High-level strategies, goals, and requirements for the control model
• Controls (how to reduce and mitigate risk)
• Project plans describing control tests and measurements of their
effectiveness
In addition, the iGrafx SOX Accelerator provides a best practice starting point for building
the enterprise model. By leveraging the Accelerator while modeling Corel’s finance
department, a team of two individuals completed the Corel SOX model in two months.
The journey to SOX compliance typically involves consultants and auditors to help define
and configure a company-specific model. Auditors help describe the necessary periodic
reports and how those reports should be formatted. Consultants assist with documenting
and defining the list of risks, necessary controls, and other organizational entities.
As described earlier, Protiviti, Inc. represents the path to SOX compliance with the following
stages:
1. Select Priority Elements
2. Document Processes
3. Source Risks
4. Document Controls
5. Assess Design
6. Validate Operation
7. Report
Next, we illustrate how an enterprise may use iGrafx software to implement the
requirements contained in these stages described by Protiviti.
1. Select Priority Elements
Enterprise modeling for SOX begins by identifying Balance Sheet and Income Statement
financial accounts.
The screenshot below is from iGrafx® Enterprise Central™, the client/server repository that is the
hub of the SOX Accelerator. It shows some typical financial accounts; a few properties of the
"Cash and Cash Equivalents" account are also displayed on the right:
2. Document Processes
After defining the organizational accounts, the SOX team of internal associates and external
consultants work with process owners to document all processes and activities that affect
these accounts.
The iGrafx screenshot below displays a few activities of the "Accounts Receivable" process.
Some properties of the "SKU Set Up" activity are displayed on the right side:
Important associations are defined for each activity described. In the screenshot above, for
example, Joe is shown responsible and Stephen is accountable for the “SKU Set Up”
activity.
Accounts affected by activities are also identified:
iGrafx Enterprise Central displays processes in both tree and diagram views. iGrafx®
FlowCharter™ users draw the diagrams or iGrafx Enterprise Central automatically generates
process maps described by the tree view.
Here is an example of a generated process map of the Sales Transactions activity:
3. Source Risks
After financial processes are documented, the SOX team works with consultants to define
the list of things that could go wrong with these processes and adversely impact the
financial accounts. This list is modeled by the Risk Catalog shown below:
The Risk Catalog contains multiple Risk Templates that describe each risk and how it relates
to high-level financial reporting assertions (goals) and controls (described later). For
example, the Risk Template named “What ensures that cash and cash equivalents are
recorded and complete?” is associated with the Completeness assertion (goal) below:
Within the product user interface, associations are navigated by clicking an object name (e.g.
"Completeness") and then clicking "Jump to…", as shown below:
The “Completeness” goal is one of six Financial Statement assertions:
A set of high-level requirements (control objectives) are linked to specific controls that
mitigate the documented risks:
"Segregation of Duties" is one objective that reduces risk. It is associated with multiple
controls through the "Is Requirement for" property:
4. Document Controls
A SOX model may have hundreds of financial controls. Here are some typical controls:
Using iGrafx, each control is associated with its:
• Responsible party
• Risk(s) mitigated
• Processes and activities under control
• Control objective
• High-level assertion
Each control is also described by a summary and has these custom properties defined:
• Control type
• Frequency
• IT Application (Yes or No)
• Key Control (Yes or No)
• Test Required (Yes or No)
For example, for each control, the “Validation Object” property shows the risks mitigated
and the “Validation Point” property shows the activities under control:
All elements of the organization internal control structure required for SOX compliance are
now modeled. The iGrafx model describes how financial data is stored and modified, where
it’s stored, when it’s stored, who can view it, and who can change it.
5. Assess Design
The design of the control model is assessed by publishing and reporting on the model, so that its
design can be reviewed by key constituents. All iGrafx tools include features for publishing
models to the web and to Microsoft® Office applications.
6. Validate Operation
The SOX Act also includes requirements for testing the effectiveness of key controls. The
iGrafx Enterprise Central Project Plan model describes SOX tests and stores their results.
For example, the “Log bank transfers” project activity describes a bank transfer monitor.
This test plan activity is linked to the model object that describes the bank transfer activity:
The current value of the latest test measurement is shown in the Measurement field of the
“Log bank transfers” object:
The current measurement value (99.98 in the screenshot above) reaches the model in one of two
ways: the iGrafx Enterprise Central Application Programming Interface reads it from an external
application that measures this activity, or it is entered into the model manually. These values
are included in the SOX report.
7. Report
Public firms include an ICR (Internal Control Report) as part of their annual report. Building
this report can be a time-consuming task. Using iGrafx, an ICR is automatically generated in
seconds to save time and reduce errors. A simple iGrafx wizard builds the report:
The Excel report is then reviewed to confirm that the organization is in compliance; generating
the report does not replace that review or the control testing behind it. The wizard follows
the relationships in the model to build an easy-to-read report with the following data:
• The Operating Resource column shows financial accounts
• The Control column gives the name of the control that affects those accounts
• The next two columns show the relationship to the assertions and control objective
• The Risk column shows the risks mitigated by the control
• Each control has a description
• The Validation Point column displays processes and activities where the control is in place
• The Responsible column shows ownership of a control
• Finally, the custom data values for the control are displayed
A portion of the SOX Report:
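To make the joins behind steps 3, 4 and 7 concrete, here is a small added example (written for this page; it is not iGrafx code and uses no iGrafx API). It models accounts, activities, risks and controls as plain Python objects, builds report rows with the column layout listed above, and adds the gap checks an auditor would run before trusting a generated ICR: risks with no mitigating control, activities affecting accounts with no control, controls with no owner, and key controls that require a test but have no measurement. Object names are taken from the page's screenshots ("Cash and Cash Equivalents", "SKU Set Up", "Segregation of Duties", the cash completeness risk, the 99.98 measurement); the remaining names are hypothetical stand-ins and are marked as such in the code.

```python
"""Toy internal-control model and ICR-style report builder (added example, not iGrafx code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    assertion: str        # financial statement assertion, e.g. "Completeness"
    accounts: list        # accounts the risk could misstate


@dataclass
class Control:
    name: str
    description: str
    objective: str        # control objective, e.g. "Segregation of Duties"
    risks: list           # "Validation Object": names of risks mitigated
    validation_points: list  # activities/processes where the control is in place
    responsible: Optional[str]
    control_type: str
    frequency: str
    it_application: bool
    key_control: bool
    test_required: bool
    measurement: Optional[float] = None  # latest test result; None if never tested


@dataclass
class Model:
    accounts: list
    activities: dict      # activity name -> accounts it affects
    risks: dict           # risk name -> Risk
    controls: list


def build_icr_rows(model: Model) -> list:
    """One row per control/risk pair, in the column order the report wizard uses."""
    rows = []
    for c in model.controls:
        for rname in c.risks:
            r = model.risks[rname]
            rows.append({
                "Operating Resource": ", ".join(r.accounts),
                "Control": c.name,
                "Assertion": r.assertion,
                "Control Objective": c.objective,
                "Risk": r.name,
                "Description": c.description,
                "Validation Point": ", ".join(c.validation_points),
                "Responsible": c.responsible or "",
                "Control Type": c.control_type, "Frequency": c.frequency,
                "IT Application": c.it_application, "Key Control": c.key_control,
                "Test Required": c.test_required, "Measurement": c.measurement,
            })
    return rows


def find_gaps(model: Model) -> list:
    """Findings that make an ICR untrustworthy even though it generates cleanly."""
    findings = []
    mitigated = {r for c in model.controls for r in c.risks}
    for rname in model.risks:
        if rname not in mitigated:
            findings.append(f"risk with no control: {rname}")
    covered = {vp for c in model.controls for vp in c.validation_points}
    for act, accts in model.activities.items():
        if accts and act not in covered:
            findings.append(f"activity affecting {accts} has no control: {act}")
    for c in model.controls:
        if c.responsible is None:
            findings.append(f"control without owner: {c.name}")
        if c.key_control and c.test_required and c.measurement is None:
            findings.append(f"key control never tested: {c.name}")
    return findings


def sample_model() -> Model:
    """Constructed sample data; hypothetical names are marked."""
    cash_risk = "What ensures that cash and cash equivalents are recorded and complete?"
    ar_risk = "What ensures that receivables exist?"                 # hypothetical
    cutoff_risk = "What ensures that revenue is recorded in the correct period?"  # hypothetical
    return Model(
        accounts=["Cash and Cash Equivalents", "Accounts Receivable"],
        activities={"Bank transfer": ["Cash and Cash Equivalents"],
                    "SKU Set Up": ["Accounts Receivable"],
                    "Invoice posting": ["Accounts Receivable"]},    # hypothetical
        risks={cash_risk: Risk(cash_risk, "Completeness", ["Cash and Cash Equivalents"]),
               ar_risk: Risk(ar_risk, "Existence", ["Accounts Receivable"]),
               cutoff_risk: Risk(cutoff_risk, "Cutoff", ["Accounts Receivable"])},
        controls=[
            Control("Dual approval of bank transfers",  # hypothetical control name
                    "Second approver releases every outbound transfer", "Segregation of Duties",
                    [cash_risk], ["Bank transfer"], "Joe", "Preventive", "Per transaction",
                    True, True, True, measurement=99.98),
            Control("Customer master data review",      # hypothetical control name
                    "Monthly review of new customer records", "Segregation of Duties",
                    [ar_risk], ["SKU Set Up"], None, "Detective", "Monthly",
                    False, True, True, measurement=None),
        ])


if __name__ == "__main__":
    m = sample_model()
    for row in build_icr_rows(m):
        print(row["Control"], "|", row["Assertion"], "|", row["Responsible"])
    for f in find_gaps(m):
        print("GAP:", f)
```

Run against the sample, the report has two rows, one per control, but the gap check reports four findings: the cutoff risk has no control, "Invoice posting" touches Accounts Receivable with no control over it, the master data review has no owner, and that same key control has never been tested. Those are the questions from the Protiviti summary (who owns the controls, how are they performing) that a report column full of blanks will not answer for you.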
Using iGrafx, organizations benefit from reuse of the model whenever necessary. The
enterprise maintains and updates the model as the organization changes. When it’s time to
create a new ICR, a single command rebuilds it for the auditor.
SOX auditors appreciate this capability because it gives them confidence in the validity and
reliability of the ICR.
Summary
iGrafx significantly reduces the time and expense to maintain SOX compliance. iGrafx
makes it easy to document financial processes, risks and controls while improving
communication, reliability, and compliance report quality. iGrafx models are simple to
maintain and accessible for rapid auditing.
Using iGrafx for SOX Compliance is only one benefit of the iGrafx product line. The iGrafx
suite of business process improvement software allows users to document, analyze, refine
and communicate processes in the pursuit of corporate goals and objectives. Whether
complying with regulations and standards such as Sarbanes-Oxley, Basel II or ISO, aligning
business activities with IT, or implementing Six Sigma or Lean, iGrafx establishes and
manages the process information that will ensure your success. By creating a collaborative
process mapping and analysis environment, iGrafx links initiatives with the implementation
environment for measurable productivity improvements.
For more information, visit the iGrafx web site at www.iGrafx.com.
© 2007 Corel Corporation. All rights reserved. Corel, iGrafx, iGrafx FlowCharter, iGrafx Process, iGrafx Process for Six Sigma, and iGrafx Enterprise Central are trademarks or registered trademarks of Corel Corporation and/or its subsidiaries in Canada, the U.S. and/or other countries. Other products and company names may be trademarks or registered trademarks of their respective companies.
Reproduction or dissemination of this publication in any form without prior written permission is forbidden. Corel disclaims all warranties as to the accuracy, completeness or adequacy of this publication. Corel shall have no liability for errors, omissions or inadequacies in the information contained herein. The opinions expressed herein are subject to change without notice.