1050 N. Lindbergh Blvd. | St. Louis, Missouri 63132 | 314.983.1200
1551 Wall St., Ste. 280 | St. Charles, Missouri 63303 | 636.255.3000
1000 Broadway, Ste. 300 | Highland, IL 62249
888.279.2792 | www.bswllc.com

The Institute of Management Accountants, St. Louis Chapter

SOX LESSONS LEARNED
September 20, 2011

© 2011 Brown Smith Wallace All Rights Reserved

Agenda

SOX Background

Internal Control

2010 Sarbanes-Oxley Compliance Survey

Recent Research

Steps to Achieve SOX Efficiency

Integrating SOX & ERM

SOX Background

Refresher

Sarbanes-Oxley Act of 2002

Enacted January 23, 2002

Passed in response to financial scandals – Enron, WorldCom, etc.

Purpose - protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.

Administered by the Securities and Exchange Commission (SEC), which deals with compliance, rules and requirements.

Created a new agency, the Public Company Accounting Oversight Board (PCAOB), which is in charge of overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.

Refresher

Key Sections of the Act

201 – Prohibited Auditor Activities

302 – CEO/CFO Responsibilities

404 – Assessment of Controls

409 – Real Time Disclosure

802 – Penalties for altering documents

806 – Whistleblower Protection

807 – Penalties - Fraud

Section 404

Required the SEC to develop and publish rules for a management assessment of Internal Controls over Financial Reporting (ICFR).

Completed in June 2003.

Updated in June 2007.

Removed the requirement for the external auditor to assess management’s process for assessing the system of ICFR.

Revised the definitions of significant deficiency and material weakness.

PCAOB followed with AS 2, approved by the SEC in June 2004, and then replaced it with AS 5 in March 2007.

Section 404

SEC Rules and PCAOB standard require that:

Management perform a formal assessment of controls over financial reporting, including tests that confirm the design and operating effectiveness of controls.

Management include in its annual report on Form 10-K an assessment of ICFR.

The external auditors provide two opinions as part of a single integrated audit of the company:

An independent opinion on the effectiveness of the system of ICFR.

The traditional opinion on the financial statements.

Section 404

Management’s assessment:

Management is responsible for the system of internal control.

Not the internal or external auditor

Responsibility of the CEO, CFO and senior executive team.

The assessment must be made using a recognized internal control framework.

Most U.S. companies have used the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.

Some use the Control Objectives for Information and related Technology (COBIT) framework as a supplement to COSO for IT controls.

The assessment is annual and as of year-end.

The external auditor must perform specified work (AS 5) in relation to management’s assessment.

Internal Control

What is an Effective System Per 404?

Scope and quality of management’s identification, assessment, and testing of key controls is sufficient to address all major risks to the integrity of the financial statements.

No material weaknesses are identified.

Who is Responsible?

Sections 302 and 404 make it clear that management – specifically the CEO and CFO – is responsible for the adequacy of internal controls.

Oversight is provided by the Audit Committee.

Leadership is normally provided by the CFO.

Internal Audit provides much of the support.

2010 Sarbanes-Oxley Compliance Survey

2010 SOX Survey

Conducted by Protiviti.

Surveyed 400 executives and professionals.

All industry segments represented.

Major findings:

The cost of SOX compliance is down 50% when compared to year 1 costs.

Most respondents indicated benefits now exceed costs.

Most respondents believe external audit costs would decrease by as much as 30% if SOX was no longer required.

Nearly half perform all of their SOX compliance work in-house.

Outsourcing of SOX is highest during the initial years of compliance and falls steadily as an organization gains experience and confidence in its SOX compliance process.

2010 SOX Survey

Internal audit has the primary responsibility for SOX compliance, followed by executive management and the audit committee. In larger organizations, process owners and a project management organization (PMO) play an important role.

The SOX compliance program has matured across many organizations and has become more sustainable; consequently, reliance by external auditors on SOX work performed internally has increased.

There are opportunities to automate more controls. Nearly 40% of respondents have only automated 20%-50% of their controls.

Most respondents indicated they have minimal plans to automate additional controls.

The use of a risk-based testing approach, establishing process owner accountability and maximizing lessons learned from previous years/peers were employed by a majority of organizations.

2010 SOX Survey

Key inefficiencies that exist in many companies include:

High dependency on spreadsheets for data accumulation to record accounting transactions, prepare manual journal entries or support financial disclosures.

General ledger close-cycle exceeding five days.

A majority of respondents reported that, regardless of market capitalization, public companies should not be exempt from Section 404(a) compliance.

Recent Research

Recent Research

Article in the September 2011 issue of the Journal of Accountancy titled “Highlights of Corporate Governance Research” points related to post-SOX implementation:

Companies with adverse 404 opinions had CFOs with weaker accounting qualifications and were more likely to receive better SOX 404 opinions after hiring new CFOs with more accounting knowledge.

The audit committee is more involved:

Meets with auditors over 6 times per year compared to 2-3 times per year before SOX.

Auditors report more questions and discussions of accounting and auditing issues.

Independence and expertise have increased.

Internal audit now reports more frequently to the Audit Committee.

Management certification has had a positive impact on the integrity of financial statements.

Steps to Achieve SOX Efficiency

Efficiency

1. Operating management must take ownership of their processes and documentation.

2. Operating management must update all processes and control documentation promptly throughout the year as changes occur.

3. A change management process must be in place that includes a timely assessment of process changes for their impact on key controls.

4. Operating management must be committed to assess and remediate all control deficiencies promptly.

Efficiency

5. The fewer the controls to test, the lower the cost. A top-down, risk-based approach should be used to identify key controls.

Management must be confident that identified key controls are truly key.

The design of the related processes should be reviewed to determine if changes can result in fewer and more effective controls.

Rely more on automated controls or on high-level controls (continuous monitoring, detailed reconciliations, etc.).

Efficiency

6. Management of the Section 404 program should be at a high level within the organization to:

Influence operating management relative to completion of their responsibilities.

Communicate effectively with executive management on progress and potential issues.

Negotiate as needed with the external auditor to:

Increase reliance on management testing.

Agree on key controls early.

Address concerns as they arise.

Efficiency

7. Optimize the use of internal resources (internal auditors) to perform testing or to validate testing performed by management.

8. Work to optimize reliance of the external auditor on management testing.

9. Ensure the external auditor is following a top-down, risk-based approach as required by AS 5.

Efficiency

10. Create a detailed project plan that:

Includes a walk-through of all significant processes early in the year.

Ensures all key controls are tested by mid-year, with additional testing to update the results scheduled closer to year-end.

Includes all key activities required to complete the project, such as fraud risk assessment, consideration of IT issues, assessment of SAS 70 (SSAE 16) reports from service providers, etc.

Details all required resources, including specialists, so they can be scheduled early.

Includes regular reporting to senior management that focuses on key metrics and issues.

Efficiency

11. Communicate and coordinate with all service providers to ensure that a SAS 70 (SSAE 16) report will be available at the appropriate time and that early warning is provided of potential issues identified during the SAS 70.

12. Assess the Section 404 program for effectiveness on a continuing basis to ensure it is improved as the organization learns from experience and benefits from changes in regulations and interpretations.

Integrating SOX & ERM

ERM Defined

ERM = Enterprise Risk Management

ERM is a continuous process that identifies, mitigates, and monitors potential events that create uncertainty for an organization’s achievement of its objectives.

The Link Between SOX & ERM

Investments in SOX compliance can be leveraged.

Attention to control issues provides a foundation for enterprise risk efforts.

The SOX focus is on financial reporting risk. ERM goes further to focus on the following objectives:

Strategic – high-level goals supporting the organization’s mission and vision.

Operations – effective and efficient use of resources.

Reporting – reliable reports (not just financial).

Compliance – compliance with laws and regulations.

Q & A

Ron Steinkamp, CPA, CIA, CFE

Principal, Risk Advisory Services

Brown Smith Wallace LLC

314.983.1238 Direct

314.302.1382 Cell

[email protected]

1050 N. Lindbergh Blvd. | St. Louis, MO 63132

www.bswllc.com
