For most organizations, IT services are now a vital part of the financial reporting process. The applications and services support creation, storage, processing, and reporting of financial transactions. Therefore, Sarbanes-Oxley compliance also must include controls for the use of technology in data handling, processing, and reporting. General computing controls thus are critical to the overall financial reporting process in ensuring data integrity and secure operations. IT departments now must formally address the design, documentation, implementation, testing, monitoring, and maintenance of IT internal controls.
The CEOs and CFOs look to the information services department to ensure that the general and specific internal controls for all applications, data, networking, contracts, licenses, telecommunications, and physical environment are documented and effective. Overall risk and control considerations are assessed at the departmental level of information services and then at the entity level. Entity-level review may vary depending on the following questions: (more…)
Controls surrounding third-party services should ensure that roles and responsibilities of third parties are clearly defined, adhered to, and continue to satisfy requirements. Control measures are aimed at reviewing and monitoring existing contracts and procedures for their effectiveness and compliance with organization policy. The dissolution of a major contract could have significant impact on financial reporting. Thus it would fall within the guidelines for disclosure by the company officers.
During an audit, organizations within a company often will contend that they are not responsible for a given control because either the function is outsourced or the software was purchased from and maintained by a third party. According to legislative guidelines, a company can outsource a service but not the responsibility for control of that service. It is next to impossible for a company to outsource problems and expect the problems to go away.
Documentation of the third-party controls is required for attestation by the independent auditor, so an assessment must determine the effectiveness and completeness of the service organization’s internal controls. If SAS 70 or similar audit opinions do not include controls testing, results of the testing, and the third-party service auditor’s opinion on control effectiveness, the reports are not sufficient for Sarbanes-Oxley compliance. Companies should be sure to note whether the specific environment, platforms, and applications used in fulfillment of the outsourced services are covered by the SAS 70 (or similar audit) reports. (more…)
Everyone talks about Sarbanes-Oxley (SOX), but it’s certainly not the only law shaping governance today. Numerous countries have enacted legislation to improve governance. As with the United States, many of these countries have passed legislation in response to the outcry over corporate scandals. Although they differ by name, the laws passed by various countries have similarities, namely with regard to establishing internal controls and effecting improved financial reporting:
Japan: J-SOX
On June 7, 2006, Japanese legislators passed the Financial Instruments and Exchange Law, part of which includes the so-called J-SOX requirements. The two main components of the J-SOX legislation are the “Evaluation of and Reporting on Internal Control for Financial Reports,” which forces management to assume responsibility for developing and operating internal controls, and the “Audit of Internal Control for Financial Reports,” in which a company’s external auditor, aside from its regular auditing duties, must conduct an audit of management’s evaluation of the effectiveness of internal control for financial reports. The J-SOX requirements took effect starting in April 2008.
Canada: Bill 198
Bill 198, also known as CSOX, became effective on October 1, 2003. Its formal name is “Keeping the Promise for a Strong Economy Act (Budget Measures), 2002.” This bill requires companies to “[create and] maintain a system (more…)
The Sarbanes-Oxley Act has many provisions. Sections 101, 302, 404, 409, and 906 are the key sections with relevance and impact on information services departments.
Section 101
In section 101, the PCAOB is established as the governing agency to create auditing standards and rules for public companies. In addition, the PCAOB is given the authority to regulate the accounting firms that audit public companies. The rules issued by the PCAOB and approved by the SEC are referred to as Auditing Standards.
The primary guidance from the PCAOB in regard to auditing internal controls is provided in Auditing Standard No. 2, effective June 17, 2004, entitled, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” We will explore Auditing Standard No. 2 later in this chapter.
Section 302
Section 302 specifies the legal responsibilities of the company’s CEO and CFO. According to the Sarbanes-Oxley Act, the CEO and CFO are responsible for all internal controls and for reporting quarterly on any significant changes to internal controls that could affect the company’s financial statement. Basically, these two officers must personally certify that they are responsible for and knowledgeable about all financial statements submitted quarterly and annually. They also must certify that they have knowledge of the design and have evaluated the effectiveness of all internal controls and that these controls ensure that complete and accurate information is reported to them. Significant changes to disclosure controls and any deficiencies, weaknesses, or fraudulent acts that may compromise the accuracy of reporting must be disclosed. (more…)
Because of European corporate scandals comparable with those in the United States, the EU Commission is imposing similar requirements for improvement in auditing standards, oversight, and responsibilities by creating directives related to corporate governance, transparency, audit, accounting standards, and information services. A major difference is that the U.S. Sarbanes-Oxley Act carries fines and criminal sanctions, whereas the EU Commission does not recommend that level of enforcement.
Although the Sarbanes-Oxley legislation originated in the United States, there are ramifications for companies headquartered in other countries. Emerging European professional standards such as those established by the International Accounting Standards Board and the Basel II Capital Accord also will affect many multinational companies. (more…)