Core Points of the Sarbanes-Oxley Act

The Sarbanes-Oxley Act has many provisions. Sections 101, 302, 404, 409, and 906 are the key sections with relevance and impact on information services departments.

Section 101

In section 101, the PCAOB is established as the governing agency to create auditing standards and rules for public companies. In addition, the PCAOB is given the authority to regulate the accounting firms that audit public companies. The rules issued by the PCAOB and approved by the SEC are referred to as Auditing Standards.

The primary guidance from the PCAOB in regard to auditing internal controls is provided in Auditing Standard No. 2, effective June 17, 2004, entitled, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” We will explore Auditing Standard No. 2 later in this chapter.

Section 302

Section 302 specifies the legal responsibilities of the company’s CEO and CFO. According to the Sarbanes-Oxley Act, the CEO and CFO are responsible for all internal controls and for reporting quarterly on any significant changes to internal controls that could affect the company’s financial statement. Basically, these two officers must personally certify that they are responsible for and knowledgeable about all financial statements submitted quarterly and annually. They also must certify that they have knowledge of the design and have evaluated the effectiveness of all internal controls and that these controls ensure that complete and accurate information is reported to them. Significant changes to disclosure controls and any deficiencies, weaknesses, or fraudulent acts that may compromise the accuracy of reporting must be disclosed.

Section 302 also defines the external auditor’s role over financial reporting. The external auditor evaluates internal controls to determine if modifications need to be made for accuracy and compliance. The external auditor must attest that he or she has reviewed management’s assessment of internal controls and has approved the process and evaluation of that assessment.

This section also requires that management specifically address any changes to internal controls over financial reporting that have occurred during the last quarter.

Section 404

Under Section 404, the CEO and CFO attest that internal controls are in place, documented, and effective. Management assessment contains four parts. The first three parts cover the following:

Responsibility of management for the existence and rigidity of internal controls

Evaluation of the effectiveness of internal controls

Statement of the framework used to evaluate the effectiveness of controls

Management is prohibited from stating that internal controls are effective if there are one or more material weaknesses in the controls.

The fourth part concerns the external auditor. The company’s external auditor must separately attest that management’s statement concerning the effectiveness of internal controls is accurate.

Note: The greatest difficulty most organizations have is furnishing the formal documentation of internal controls and the evidence of the effectiveness of internal controls.

PCAOB Auditing Standard No. 2

On 9 March 2004, the PCAOB approved Auditing Standard No. 2, entitled, “An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” This audit standard establishes the requirements for performing an audit of internal control over financial reporting and provides some important directions on the scope and approach required of corporation management and external auditors. It also provides guidance on the controls that should be considered, including program development, program changes, computer operations, and access to programs and data. PCAOB Auditing Standard No. 2 specifically addresses the financial reporting controls that should be in place for a period before the attestation date and the controls that may operate after the attestation date.

Section 409

Section 409 states that the CEO and CFO will ensure “rapid and current public disclosure” of any material event that could affect the company’s financial or operational performance. Material events could include any type of company restructuring, changes in key personnel or their duties, budget overruns on IT projects, and stock sales by corporate officers. It may even be necessary to disclose a major new financial or operational application that is determined to “not work.” “Rapid and current disclosure” essentially requires near-real-time reporting. This can be a huge nightmare for companies that depend on batch-oriented processing methods, which tend to take longer to complete.

Section 906

Section 906 consists of three parts. First, every periodic report with financial information must be accompanied by a written statement by the CEO and CFO. The second part specifies that the content of this report must fairly represent the financial condition of the company. The last part lays out the fines and imprisonment penalties for either knowingly or unknowingly submitting a false statement. It also sets criminal penalties for failure of corporate officers to certify the financial reports in a timely manner: 60 days after end of year in 2004, 45 days after end of year in 2005, and 30 days after end of year in 2006.

Source: IT Auditing: Using Controls to Protect Information Assets by Chris Davis 2007
