032: Sarbanes Oxley 404 (SOX 404) Update: Including Social Media Requirements - published 12/27/2018

Nuts with Taxes

SOX 404 Update - Agenda

  1. Intro to Sarbanes Oxley Section 404 (SOX 404) 
  2. Internal Control Framework
  3. COSO 17 Principles • SEC Requirements
  4. Assertions Occurrence, Accuracy, Completeness, Cut-off, Classification
  5. Accounting Risk Assessment
  6. Risk Assessment • Scoring Models
  7. SOX Documentation Requirements
  8. Process Flows • Identifying Control Types
  9. Assessing Design Effectiveness
  10. Testing Requirements
  11. Materiality Discussion
  12. Governance of Social Media
  13. Summary & Conclusion

Sarbanes Oxley Act

An extremely comprehensive piece of legislation that contains 11 sections (titles)

  1. Public Company Accounting Oversight Board (PCAOB) (Peek-a-boo)
  2. External auditor Independence
  3. Corporate responsibility
  4. Enhanced financial disclosures
  5. Analyst conflicts of interest
  6. Commission resources and authority
  7. Studies and reports
  8. Corporate and criminal fraud accountability
  9. White collar crime penalty enhancements
  10. Corporate tax returns
  11. Corporate fraud accountability

SOX 404 Internal Controls - Requirements

  • 404     Considered the most costly section of SOX
  • 404(a)  Companies annually test the effectiveness of Internal Controls over Financial Reporting (ICFR) (pronounced "Ick' if er")
  • 404(a)  What companies have to do internally.
  • 404(b)  External auditors annually audit internal controls.
  • 404(b)  Has to do with "accelerated filers".

COSO Principles and Controls Matrix

00:00:00
Speaker
Good afternoon and welcome to today's live webinar entitled Sarbanes-Oxley 404 Update, including social media requirements. At this time, I would like to turn the call over to your host, Mr. Stephen Jordan. Please go ahead, sir. Thank you, Casey. Good afternoon. It's an honor to be with you today. My pleasure to welcome you to our presentation, Sarbanes-Oxley 404 Update, including social media requirements. This is Steve Jordan for Lorman Education. Polling questions will be launched throughout the presentation. Thank you in advance for your prompt response.
00:00:36
Speaker
This document contains accounting advice. Communication of this advice is not intended to create, nor does receipt constitute, a legal relationship. Professional judgment, as always, needs to be applied when determining necessary controls that should be included in your compliance program, including some which may be highlighted as most relevant in this document. Images appearing in this presentation are attributed to public domain collections or their respective owner. If you see an image appearing in this presentation belonging to you and you do not wish for it to appear, please email with a link to said image. It will be promptly removed.

Sarbanes-Oxley Act and Audit Necessities

00:01:16
Speaker
What SOX is aiming to bring to a company, of course, is greater market stability and higher security levels. This is what I'd like to cover today.
00:01:26
Speaker
Audits are necessary because readers of financial statements need to rely on this information to make decisions. For instance, banks extend credit, management assesses risk levels, investors invest in the company, and government levies taxes. Corporate governance has responsibility to investors and participants in the capital markets. So instead of having management deal directly with the users on an individual basis, it's generally accepted as sufficient to have an independent party give an opinion on the financials. Internal auditors are employed by companies to monitor controls and do similar activities as external auditors, but internal audit's mandate is broader. An auditor's job has two parts. First, provide independent verification of third-party data. Second,
00:02:21
Speaker
apply accounting standards, and use judgment to verify records are accurate and valid. The audit role is shifting more from the first part, independent confirmation of third-party data, to the second part, record authentication and validation, and third, distributed ledger technology. Blockchain is a shared digital ledger replicated and synchronized across multiple sites, countries, and institutions. With blockchain, there is no central administrator or centralized data storage. Instead, a peer-to-peer network and algorithmic consensus are required to ensure replication across nodes is supported. All parties must give consensus before a new transaction is added to the network. As blockchain develops, it becomes an audit technique itself, providing the ultimate audit trail.
00:03:17
Speaker
Cryptocurrency exchanges, voter registration, voter count, registry of deeds, medical records, financial institutions, and payment gateways are but a few of the dozens of industries moving to blockchain as a secure way of storing and verifying data. So the purpose of SOX 404 depends on trusting the underlying technology generating the financials, and blockchain improves the validation of the technology used. Blockchain does not eliminate auditing; it simply means a different approach and requires us to reevaluate where the risk lies. Within a properly designed blockchain, there's going to be less risk. Let's get straight into SOX 404 and the components within 404. 404 requires each company to establish and assess effective internal control over financial reporting,
00:04:15
Speaker
ICFR, pronounced "ICAFR", as I will refer to it throughout the presentation. 404 involves evaluation of design and testing of ICFR and is considered the most costly section of SOX. 404 has two sections. 404A

SOX Reporting and Compliance Frameworks

00:04:32
Speaker
is what companies have to do internally: document and test effectiveness of ICFR. 404B has to do with accelerated filers and the external auditor's attestation of ICFR. So question number one, which is the single most costly section of Sarbanes-Oxley? SOX 404 involves the evaluation of design and testing of ICFR and is considered the most costly section. 302 is management's quarterly certification on internal control design and effectiveness. 906 imposes criminal penalties for financial inaccuracies.
00:05:11
Speaker
The business scandals and audit failures with Arthur Andersen and their audits of Enron and MCI WorldCom led to calls for enhanced corporate governance and risk management. As a result, in 2002, Congress enacted SOX, extending the longstanding requirement for public companies to maintain internal control, management to certify, and independent auditors to attest on the effectiveness of those systems. SOX is a comprehensive piece of legislation containing 11 sections. So what are the basic provisions of the SOX Act? Well, CEOs and CFOs must personally certify their company's financials. These officers are subject to criminal penalties for violations. All members of the board's audit committee must be independent. A company cannot make personal loans to its directors or officers. Executive loans are forbidden. If a company has to restate earnings, the CEO and CFO must reimburse the company for any bonus or profits they received from
00:06:08
Speaker
selling company stock within a year of the release of the flawed financials. Each company must disclose if it has an ethics code and, if it does not, why not. It's a felony to interfere with a federal investigation into fraud. Whistleblowing employees are protected. The Public Company Accounting Oversight Board, PCAOB, pronounced "peek-a-boo", has been established to oversee the auditing of public companies. A public accounting auditor must wait one year before going to work for a client as its CFO. Okay, so here's the idea. This is how everyone is related to one another. The SEC sets regulations for public companies as it always has. The PCAOB was formed under SOX to establish auditing and practice standards for registered public accounting firms to follow in an audit.
00:07:05
Speaker
The PCAOB reviews external auditors, not public companies, who are already under the purview of the SEC. Even so, every time the PCAOB publishes a new standard, the SEC publishes similar information for public companies to follow. The PCAOB's version is usually more detailed than the SEC's, and auditing standards are the main PCAOB documents accounting firms follow in the audit of publicly traded companies. In 2018, the PCAOB's SEC-approved budget was $260 million, two-thirds of which is payable related.

Evaluating High-Risk Controls

00:07:41
Speaker
It's the publicly traded companies who fund the PCAOB budget. The PCAOB budget allocation is based on a ratio of each public company's market capitalization over the New York Stock Exchange total market cap. Currently, there are nearly 2,000 public accounting firms registered with the PCAOB, half of whom
00:08:01
Speaker
are based outside the US, and a quarter of whom conduct audits of broker-dealers. Question two, which of the following is the responsibility of the PCAOB? The PCAOB's mission is to oversee audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. This diagram is true for a small or large company. Strong internal control allows for greater reliance by investors on financial reports. At a high level, if I were asked about control objectives, I would always start my answer with the words "to ensure that".
00:08:40
Speaker
Control objectives are there to ensure something good happens or to ensure something bad does not happen. For example, with the sales system, to ensure we only sell to credit-worthy customers; for the purchase system, to ensure goods ordered are actually needed in the business; the payroll, to ensure we only pay our employees for work they actually perform; inventory, to ensure we store inventory in an effective manner to maintain quality; the cash system, to ensure there is minimum risk of cash being fraudulently misappropriated by employees; and non-current assets, to ensure the purchase of any non-current asset is authorized by an appropriate person and there is a business need. Look at the existing controls and ask what key controls are missing. A key control should prevent or detect an error or irregularity. Consider the possibility of a compensating control as another way management could catch an error if
00:09:38
Speaker
there is a control deficiency. Example: you would like to see all sales approved by a credit manager for customers who are over 90 days outstanding. If you are in a manual environment, maybe that's not timely. But if there's a review on a weekly basis that looks at all sales and then matches them to credit approval, there is some control in place. What's the likelihood goods are shipped and management won't be able to recover the goods if a sale is made to a customer who is incapable of paying? Compensating controls aren't perfect in terms of preventing, but they might detect an error. Internal control is a process designed to help achieve objectives, and the controls themselves should be continuous, effected by us, able to provide reasonable assurance, and

Risks in Processes and Material Weakness

00:10:22
Speaker
adapt to different levels of the corporation. Internal control has been out there for a really long time, since the Egyptian days, as a checks-and-balances function. ICFR has the following characteristics: continuous,
00:10:35
Speaker
since it's not just one single event, but built directly into operations and dynamic to accommodate an ever-changing environment. Next, effected by people. In other words, it's not going to happen by itself. It's like the US Forest Service's old campaign slogan, only you can prevent forest fires. If we introduce risk into the process, then we have to implement a control. Next, able to provide reasonable assurance, not absolute; even the best-designed controls are subject to limitations we'll talk about later. Ultimately, adaptable to the entire company, a particular division, business function, or level of the company. Question three, which of the following is the best definition of internal control? The proper definition of internal control is a process effected by a company's structure, work
00:11:27
Speaker
and authority flow, people, and information systems, designed to help the company accomplish specific goals and objectives. Answers B, C, D are SOX requirements: identify key controls, identify material weaknesses, identify significant deficiencies. SOX 404 requires a top-down risk assessment. What management must do, and frankly, this is how we always complete an audit, is management must follow through: identify financial reporting risks and controls; next, identify where locations are at risk; then evaluate evidence related to internal control. Judgment is typically the best guide for selecting the most important controls relative to a particular risk for testing. PCAOB AS5 introduces a three-level framework describing entity-level controls at varying levels of precision: direct, monitoring, indirect. As a practical matter, control precision
00:12:25
Speaker
by type of control, in order of most precise to least, may be interpreted as: first, transaction-specific, i.e., authorization or review, preventive controls related to specific transactions; next, transaction summary, review of reports listing

Management's Responsibilities and Documentation

00:12:43
Speaker
transactions; then period-end reporting, journal entry review, account reconciliation, detailed account analysis; next, direct monitoring, a thorough review of summarized financial and operational results verifying control procedures were completed; finally, indirect entity-level controls, such as the control environment, that are not linked to specific transactions. Question four, which of the following is not a requirement of 404? Quarterly certification of internal control design is considered part of 302, not 404.
00:13:20
Speaker
Answers A, B, C are requirements of 404: perform a top-down risk assessment, document process design and controls, test the controls. According to Bloomberg, there are about 15,000 public companies in the US. It's reported only half of them are accelerated filers, who have public float, or share value in the hands of public investors, over $75 million. 404B requires a publicly held company's auditor to attest and report on management's assessment of ICFR. Under the JOBS Act of 2012, emerging growth companies under $75 million are exempt from 404B for the first five years. Remember, EGCs still need to document and assess internal control annually under 404A. For accelerated filers or non-EGCs,
00:14:19
Speaker
that is, companies that do file an annual 10-K report, the report must contain an internal control report, i.e., the 404B attestation, from the first complete fiscal year following the IPO. The auditor's focus is ensuring A, correct financial reporting, B, management authorization of transactions, and C, safeguarding of assets. After an auditor scrutinizes ICFR at the entity level, he or she should switch focus to significant accounts, disclosures, and relevant assertions, which include, assertions by management to be discussed, existence and occurrence, completeness, valuation, allocation, rights and obligations, presentation, disclosure. Remember, assertions are

Entity-Level Controls and IT Infrastructure

00:15:06
Speaker
the questions to ask. As such, audit walkthroughs are suggested to be performed by following a particular transaction through the complete process in combination
00:15:18
Speaker
with other methods of scrutiny such as observation and questioning. Risk is assessed by the auditor at two levels. First, the assertion level. This is further subdivided into inherent risk and control failure risk. It's important for the auditor to select controls susceptible to misstatement of a material degree. Audit Analytics does a compilation of all SEC filers. These items are where you want to put your effort. For smaller public companies: external auditor adjustments, training and competency of accounting people, ethics, control design, segregation of duties, revenue recognition, closing the books, journal entry controls, account reconciliations, IT controls, authentication, system changes, spreadsheets, applications. Again, these are the ones you should care about for larger public companies:
00:16:15
Speaker
accounting documentation, external auditor adjustments, training and competency of accounting people, account reconciliation, restatements, non-routine transactions, IT access and security, JE controls, control design, segregation of duties, top management, and tone at the top. Sarbanes-Oxley is aimed primarily at protecting shareholders of corporations and stakeholders of the securities market from negative economic effects when corporate malpractice causes a devaluation or uncertainty in the capital markets. SOX embraces the stakeholder theory and requires corporate governors to take into consideration the interests of external stakeholders other than just shareholders of the corporation, that is, employees as well as third parties affected by corporate governance practice.
00:17:10
Speaker
When most people think of SOX, they think of testing internal control. What they don't realize is SOX has many different provisions. There are four key ones where many companies focus their effort and which have the most consequences. 301, whistleblower hotline. 302, management's quarterly evaluation and disclosure of controls. 404, internal controls. 906, accurate financials. Here on one page is a summary of the four key provisions of SOX. You may review it on your own in detail. Both Section 302 and 906 certifications are required exhibits to SEC reports on Form 10-Q and Form 10-K. SOX is fairly easy to understand. 404 is right there, 167 words. 404 requires the CEO and CFO to sign off and that they're responsible, not the controller, not the accounting manager. The CEO and CFO
00:18:08
Speaker
can't just sign off without documenting and testing controls. There has to be a reason or basis for signing off. So everything's good. We've documented it. We've tested it. That's basically what 404 says. Most companies already have substantial documentation of their internal control, including audit files, formal policy, accounting procedures, and manuals. Virtually all public corporations require formal plans to address SOX regs. Centralizing and automating financial reporting can greatly reduce the resources needed for 404 compliance. While a 404 assessment requires confidence in the IT systems that house, move, and transform data, the COBIT framework, Control Objectives for Information and Related Technology, is utilized by many companies to cross-reference PCAOB, COSO, and SOX in achieving 404 compliance. You'll see how this works shortly.
00:19:06
Speaker
Here we have an example of management's report on internal control that complies with 404 and related SEC rules. Under 404, management must report on the effectiveness with regard to internal control, and management must include in their annual report, A, management is responsible for effective ICFR, B, management's assessment and explicit statement on effectiveness of internal control, and C, the framework used, usually COSO, to evaluate effectiveness of internal control. Question

Risk Evaluation and SEC Guidelines

00:19:39
Speaker
five, under 404, management must report on the effectiveness of the company's internal control. With regard to ICFR, which statement must management include in their annual report?
00:19:55
Speaker
Each answer is a requirement: management is responsible for effective ICFR, management's assessment of the effectiveness of ICFR, and the framework used, usually COSO, to evaluate effectiveness of internal control. Okay, here's the next buzzword, ICFR. ICFR stands for Internal Control over Financial Reporting. Nobody says that, they just say "ICAFR". This implies 404. First of all, the company has to keep detailed records. Okay, fine, everyone does that. Second,
00:20:27
Speaker
transactions have to roll up to financials, which have to comply with GAAP. That's what we would expect. Third, if a transaction has been recorded but has not been authorized by management, that's a problem under 404. And finally, the company has to protect the acquisition and disposition of its assets. Example: someone diverting cash or forgetting to lock up the inventory warehouse; otherwise you've got a control weakness. Even if you do a physical inventory count each month and write off what's missing, there's still a problem because you haven't protected or safeguarded the acquisition or disposition of assets. If you're involved in SOX, these four items are where auditors will ask for more information to make sure the financials are copacetic. Question six, testing should be based on a test plan that incorporates guidance issued by the SEC, the PCAOB, and your external auditor. Which best describes the objective of control testing?
00:21:27
Speaker
Prevent errors from flowing through the accounting system, and detect and correct errors that occur on a timely basis. These are control testing requirements. The PCAOB and external auditors each require testing, but that in and of itself is not an objective of control testing. And control testing does substantiate management's behavior. Here's another term you're going to hear, COSO Cube. Okay, the COSO framework is a pretty standard framework used by companies for internal control. The SEC, Securities and Exchange Commission, requires public companies to comply with COSO. One of the most important parts of 404 is management must choose a control framework by which they are going to do the documentation, design, and testing of ICFR. Typically, the control framework most companies use is COSO. COSO says effective internal control requires each of the five interrelated components working together,
00:22:24
Speaker
and if not, any major deficiency is probably a material weakness. So these five words you have to know on the front of the cube: control environment, risk assessment, control activities, information and communication, monitoring. Operating along three main objectives sitting on the top of the COSO cube, operations, reporting, compliance, and 17 broad principles provide further guidance to support the three main objectives. Applied across the company, starting at the entity level and running all the way down to the process function. Actually, it's easier than you think. Basically, on the first horizontal layer of the cube, we have the control environment. And what this means is, unless you have an honest, ethical company, then nothing else matters. So that's your foundation. It wouldn't matter if you have good procedures in payroll, fixed assets, accounts payable, and you know journal entries are signed off on twice.
00:23:18
Speaker
The control environment is equivalent to an entity-level control, tone at the top, and is the message, tone, attitude, or culture you are sending your employees. However, for a function, we may have something such as all disbursements require two signatures. So that's a control related specifically to the function of cash disbursements. Now we'll cover the side of the cube. COSO says you must do these processes for every unit and location of the company, not just headquarters. As I said, it's a widely established, widely accepted, widely used framework. It's a layered effect. These are the five components of internal control companies are expected to have, with controls addressing each of these components. Question seven. There are three objectives that sit on top of the COSO Cube. Suitable objectives may include all of the following except.
00:24:13
Speaker
By its very nature, risk cannot be reduced to zero. However, an ideal control is a control procedure that reduces to practically zero the risk of an undetected error or irregularity. Answers A, C, D are COSO objectives: reporting, operations, compliance.

COSO Framework and Technological Challenges

00:24:33
Speaker
How do you remember this knowledge? Use a mnemonic, C-R-I-M-E. It would be a crime not to have internal control; then map the five letters to each of the components. C, control activities; R, risk assessment; I, information and communication; M, monitoring; E, environment. The intersecting-circle diagram shows the same objectives across the top of the COSO cube in a different format. Sometimes financial reporting does affect operations. Take, for instance, inventory, which falls under financial reporting and operations.
00:25:09
Speaker
In the diagram, inventory would lie in the area at the intersection of the two respective circles, operations (yellow) and reporting (red), and thus within the scope of SOX. Likewise, in operations, engineers working on specs needed for the next widget we're developing lie in the yellow circle, outside the scope of Sarbanes-Oxley. On the other side of the diagram, there are laws that come under reporting in the blue circle, such as the Securities Exchange Act. These laws fall within the scope of SOX since they concern reporting. People on the board are going to want to get a consensus about what we're going to include in scope and what we're not. As presented earlier, COSO divides internal control into five components. Remember, C-R-I-M-E? Figure 9 shows all of these need to be in place and integrated to achieve financial reporting and disclosure objectives.
00:26:07
Speaker
COBIT provides similar detailed guidance for IT. The five components of COSO, beginning with identifying the control environment and culminating in monitoring of internal control, can be visualized as horizontal layers of a three-dimensional cube, with the COBIT objective domains across the top of the cube, from Plan and Organize through Monitor and Evaluate, applying to each component individually and in aggregate. Observe sections 302 and 404 on the side of the COBIT cube. Figure 10 illustrates the IT processes of COBIT and maps their relationship to the appropriate COSO component. It's immediately evident many COBIT IT processes have relationships with more than one COSO component. This is expected given the nature of general IT controls, as they form the basis for relying on application controls. COBIT is a freely available framework which aligns with the spirit
00:27:08
Speaker
of the Sarbanes-Oxley requirement that any framework used be easy to access and generally acceptable. COBIT provides both entity-level and activity-level objectives along with associated controls and is widely used by companies as a supplement to COSO. This diagram depicts the control environment as it relates to financial reporting. As you can see, the control environment serves as an umbrella for the entity's internal control framework. What things do we need to focus on in the control environment? Management's integrity and ethical values, commitment to competence, board of directors and audit committee, management's philosophy and operating style, human resource policies and practices. An example of an entity-level control objective is: employees are aware of the company's code of conduct. How do you guarantee this? Well, by having each employee sign off that they've read the code of conduct.
00:28:05
Speaker
You first need effective controls at the entity level, such as the control environment, code of conduct, management override, and monitoring. Secondly, the same can be said about automated controls. IT controls need to support the COSO framework. There are two categories of IT controls. One, general controls manage the integrity of IT. Two, application controls are around input of data to ensure it is complete and accurate. General controls apply to all aspects of IT functions: admin, separation of duties, system development, physical and logical access, backup and recovery, program change, hardware controls. Before you can rely on application controls, you need to evaluate and ensure the effectiveness of general controls such as password protection, virus scans, web application firewalls. Here's a question.
00:29:01
Speaker
How do you demonstrate your database use conforms with SOX? The main issues to be addressed include: separation of duties, a SOX audit cannot be corrupted by administrators; accountability, each change to financial reporting data has to be logged; detail, the exact database query and associated response have to be logged; baselines, what's normal activity and what stands out as unusual; breadth, you have to capture all activity and be able to identify any attempt to exploit a database vulnerability. Thirdly, controls are established by companies to mitigate risk, and control activities mitigate risk specifically and in turn enable management to make certain assertions about various transactions, cycles, and balances.
00:29:52
Speaker
So let's talk about an example to give you an idea of what internal control looks like and feels like. We're looking at the sales revenue cycle. Within each cycle, we have a process. The revenue cycle is composed of customer order entry, credit approval, shipment of goods or service, invoicing, cash collection, updating accounts receivable, allowance for doubtful accounts. Here we have an illustration of the relationship between general and application controls. The red oval represents general controls, providing assurance all application controls are effective. Effective general controls reduce the types of risk identified in the green boxes outside the general controls, such as system crash or unauthorized processing, master file update, or change to application software. Management should have controls in place for the three aspects of application controls: input, processing, and output of transactions. Example.
00:30:51
Speaker
Controls over the input of purchase orders, because a purchase order creates a contract once you send it to the vendor. To give you another idea, controls over the input of customer orders. A control that says for all customer orders that are input, there has to be an approved customer order and an approved customer number associated with that customer order. The order cannot be processed unless it's matched against an approved customer number. Let's say all sales to customers who have an outstanding balance greater than 90 days have to be held up in a suspense file and cannot be processed. Look to see whether customers with receivables over 90 days old were shipped or not, and if they were, whether there was a proper approval. The overall objective here is to have accountability over related assets. There are extensions of COSO which cover in more detail the IT environment, especially for highly automated companies who may have enterprise-wide systems like
00:31:49
Speaker
SAP or Oracle. COSO does a great job reflecting the importance of technology. And if you think about what's really happening in industry right now, two things have started to increase and continue to escalate: movement to the cloud and movement away from traditional computing. By that, I mean mobility. There are entire workforces moving to bring-your-own-device or tablet for their day-to-day workforce enablement. This creates significant challenges from an internal control perspective, especially with, as I mentioned, BYOD or consumerization of technology. It is very difficult to have a control framework applied to a device you don't physically own as a business. If you let your employees bring their own tablets and cell phones, what if you don't issue company-issued devices and you interact with software not resident within your four walls or within your data centers?
00:32:42
Speaker
Significant concerns, and these two shifts are already happening and they're going to continue to evolve. COSO does a terrific job by pointing you in the right direction and really making sure you're looking at it holistically and taking into account the fact that the reality is your business process and technology, for any company that wants to grow, are now inextricably linked. As I mentioned, the 2013 COSO compendium model has five components formalized now with 17 principles. Underneath the principles, each principle has points of focus to be considered, and then underneath that you'll have your controls. So that's the organization of the components all the way down to the controls. Question eight, which of the following describes the new compendium model within the COSO 2013 framework? The new 2013 COSO framework formalizes fundamental concepts underlying the five components of internal control with 17
00:33:41
Speaker
separate principles, each with points of focus. The COSO integrated framework utilizes the idea of principles which articulate and expand upon the components. COSO components and principles are suitable for all companies. All 17 principles apply to each of the three objectives as well as sub-objectives within a category. These principles have been around and were included in the 1992 framework developed by the Committee of Sponsoring Organizations of the Treadway Commission, a joint initiative to combat corporate fraud. COSO was established in the US in 1985 by five private sector organizations, including the AICPA and the Institute of Internal Auditors, to help companies and auditors conform to the Foreign Corrupt Practices Act of 1977. And really, what happened was in 2013, after a 20-year hiatus,
00:34:37
Speaker
the principles were brought back into the forefront to be revisited. And what the committee felt was that financial reporting alone makes it really far too narrow, and we really should be looking at various other activities on strategy, compliance, and operations. You can see the 17 principles are pervasive in how they map to each of the components. There's an expectation these 17 principles will be adopted by users of the framework. If I take an example of a principle, this is an abbreviated version, but for information and communication, number 13 is uses relevant information. What you'll see in the framework is an expansion of using relevant information the company obtains or generates and uses to support internal control functions. And then underneath that, you'll have your points of focus and then examples and approaches. Question nine, why did COSO choose to update its framework?
00:35:37
Speaker
COSO felt it had been more than 20 years since the original framework was developed, with changes in the global economy and business along with an emphasis on technology.

COSO Framework Update and Control Effectiveness

00:35:46
Speaker
COSO felt it was appropriate to update the framework. The new 2013 COSO framework shifts requirements from a specific documented process to identifying gaps where the control process can be improved upon or updated. COSO principles are included in the 1992 framework. And the SEC does require public companies to comply with COSO. According to SOX, it is not mandatory for a company to follow COSO. However, it is the easiest, most effective, and efficient way to comply with the requirements of SOX. COSO components are not meant to operate each in a separate silo, but instead to collaborate across multiple layers. It's expected each of the components has been integrated and is operating together.
00:36:34
Speaker
If they are not present, functioning, and operating together, this would be considered a major deficiency. If you're using the framework for SOX, then it's considered a material weakness if one of the five components, C-R-I-M-E, is not present and functioning. This format lists existing controls down the left-hand column, the y-axis, and COSO control principles across the column headings, the x-axis. Then check off where existing controls address COSO principles within a matrix of cells like this. Control matrix checklist: are existing controls hitting the principles? You need to hit the principles in order to hit the points of focus. In this example, Principle 1 is covered by Control C, Principle 2 is covered by Control A, Principle 3 is covered by Controls A, B, and D, and so on. Question 10.
00:37:30
Speaker
When assessing effectiveness of process design for 404 utilizing COSO, which of the following should be considered? All are necessary to adequately assess effective process design. Effective internal control requires each of the five components. Principles must be present, functioning, and operating together. If a component is not present and functioning or not operating together, a major deficiency would exist. Let's look at this for just a second. As you can see at the very top, we have step one, accounting risk assessment. If you remember, PCAOB AS5 replaced AS2, emphasizing a top-down risk-based approach, TDRA, looking at account transactions having a material impact on financials. TDRA complies with 404. PCAOB AS5, together with SEC guidance, is the gold standard for
00:38:28
Speaker
top-down risk-based assessment control auditing. Identify priority accounts on the balance sheet or income statement to be reviewed and identify significant controls. The mantra for TDRA is what could go wrong in a particular account or process. Identify any significant risk that could happen and map those accounts. Then perform a walkthrough and document the process as required and expected by SOX. Understand the flow of transactions. Next, once you know the risk, you can say, okay, these are the risks. What controls do we have in place to mitigate the risk? That's how AS5 wants controls documented. Companies really need to focus on key controls. Every single control need not be documented, but we want to appreciate key controls to ensure a significant deficiency doesn't happen. Once you have key controls documented,
00:39:24
Speaker
you're able to look at the design of the specific process and you're supposed to ask, okay, is the design adequate to mitigate an issue that may occur? This is the design validation portion. Wow, we have some black holes in our process. Then the intent is to go back and fix those gaps rather than just start into your testing. You fix the gaps, and from there you develop appropriate tests. So that's validating control design. Once you verify the design, you have validated the control. The last segment is reporting. This includes 10-K and 10-Q reporting to the SEC as well as the actions your company uses internally to communicate deficiencies identified. Then explain to management that controls are in place and working appropriately, or that here are some areas where improvement is needed.
00:40:15
Speaker
Give management the overall determination as to where your control design and operations are. These are the primary components of 404, and you can use this slide as a summary and understanding of how the process works itself. Working with the financial business control team, a checklist of in-scope SOX applications and related subsystems should be developed by identifying applications that relevant application controls support, as shown in Figure 4. Typically, applications which support online authorization, complex calculation, or valuation, or are responsible for maintaining the integrity of significant account balances, such as inventory, fixed assets, or loan balances, should be determined in this phase. By having a checklist of in-scope applications as well as the IT processes
00:41:10
Speaker
that manage and drive the application, an IT control team can identify applications and supporting subsystems to be considered, including databases, servers, operating systems, and networks. Everything we've talked about so far is summarized in this pyramid. Management must ensure controls are in place to minimize risk and ensure financial reporting is reliable. COSO helps identify controls to comply with SOX. 99% of US companies have chosen COSO as an internal control standard because it's the only framework in the US. Canada uses CoCo, the Criteria of Control framework, developed by CPA Canada. Europe, the UK, and Wales use the Turnbull report. Turnbull was drawn up in 1999 with the London Stock Exchange for listed companies to inform directors of their obligation under the Combined Code
00:42:05
Speaker
with regard to keeping good internal control in their companies as well as having good audits and checks to ensure quality financial reporting and catch any fraud before it becomes a problem. The U.S. Securities and Exchange Commission has identified COSO, CoCo in Canada, and Turnbull in the U.K. as suitable frameworks for complying with U.S. requirements to report on ICFR as set out in SOX 404. Question 11, which of the following control frameworks is typically utilized by companies when performing their 404 work? COSO is typically utilized by companies when performing their 404 audit work. COBIT sets guidelines and provides SOX 404 guidance for IT. The PCAOB regulates external auditors. 404 attestation
00:42:58
Speaker
is a 100% control-based approach. No comfort from substantive or analytical procedures. You must evaluate and test controls across business and functional areas to ascertain effectiveness. It's broader and deeper. Lack of errors or material adjustments historically in the financials is not de facto evidence unto itself of an appropriate internal control structure. This chart depicts a parent company located in the US with subsidiaries spread around the world. Each location keeps its own general ledger. Each GL contains hundreds of accounts. The column highlighted in turquoise shows the expenditure cycle, including preparation of a requisition, receipt of goods, receipt of the invoice from the vendor, matching the invoice to the receiving report, and payment. Each process is connected to the next in the cycle.
00:43:54
Speaker
Therefore, documentation must be explicit to clearly understand the boundaries of each process. Clear delineation of processes eliminates reviewing elements of one process twice or skipping others entirely. The small green boxes to the right of the processes represent employees carrying out activities within each process. In general, employees tend to think little about the overall process, focusing solely on their piece of the puzzle. Some employees will perform activities creating transactions appearing in the financials. Example, when an employee pays a bill, he or she will debit accounts payable and credit cash. This appears in the financials, as would issuing a purchase order: debit expense, credit accounts payable. Another transaction, such as preparing a purchase requisition, does not. However, even if a process contains no transactions appearing in the financials,
00:44:52
Speaker
the auditor must include the process in scope if the company relies upon controls within it. For instance, if an employee receiving goods relies upon having a valid purchase order, which in turn relies upon a requisition signed by the manager, then the PO process must be included in scope for testing. Transactions later in the cycle rely upon controls on previous transactions and previous processes. To revisit an earlier example, the PO process might contain the risk of someone stealing blank purchase order forms and forging a signature to order goods or services without authorization. Keeping PO forms locked in a cabinet is a control for this risk. This would be a manual control. Similarly, if an employee in receiving could claim an entire shipment was received when in reality only half of it arrived,
00:45:47
Speaker
and there is no control to prevent this from happening, the auditor has found a design deficiency. Perhaps someone in accounts payable can forge an invoice that looks valid and enter it into the AP system. This risk might have an IT control. The company may program the computer to accept only vendor invoices that match valid purchase orders. IT controls are known as automated controls. Controls that combine manual and automated aspects, such as having an employee review reports generated by the IT system, are called hybrid controls. When you're testing, if you have high risk, test more. If you have low risk, you can test less. Or you can rely upon the work of others by having internal audit check it. If you have multiple locations, at a high-risk location gather more evidence; at a low-risk location, the same level of evidence isn't required.
00:46:46
Speaker
Within a location, you may need to look at not only the location as a whole but what kind of operation you have in place. Example, if you're measuring locations by revenue and you have a location in India doing software development, where engineering expense is going to be high but they don't sell anything, so they have virtually no revenue. You need to look at the routine occurring at the subsidiary or remote location, not just total revenue, total assets, or total number of employees, and look beyond. So in India, you may test payroll. Remember, unpaid federal payroll taxes are a red flag. This type of fraud offers doubt as to a company's ability to continue as a going concern. So what's a material weakness?
00:47:41
Speaker
There are hallmarks of a material weakness, and one of them is senior management fraud. If you don't have a good control environment and your CEO is under indictment by a grand jury, you've got a problem. Remember, a significant deficiency is not a material weakness. SDs are not told to the stockholders, just to the board and audit committee. If external auditors find an SD, management can report it to the audit committee, or if not, the external auditors will write an SD letter to the audit committee. If you have a significant deficiency year after year and nothing is done about it, or when you're trying to fix SDs, you have a material weakness. And the reason you do is because it's an indication management doesn't care. So if you have a significant deficiency, make sure you at least show progress. An ineffective audit committee: they never meet. At the meetings, they don't discuss the agenda to be covered. Here's a big one.
00:48:38
Speaker
Restatements due to corrections. So you've gone into the next quarter or the next year and all of a sudden now you figured out you did something wrong and you have to restate it. If an error is big enough to require restatement, we already know it's material, because otherwise you wouldn't be doing a public restatement. In fact, though, you don't have a good control in place. If you had good controls, it wouldn't have happened in the first place. Anytime you see a restatement, a material weakness has got to go with it. Remember what we said about those three intertwining circles, operations, compliance, and reporting? The Securities and Exchange Commission is now saying if you're in a regulatory environment such as banking, healthcare, waste management, or chemical disposal, and you're regulated by the EPA, FDA, or another agency, if your regulatory compliance is nonexistent, that's a material weakness. Of course, give the investor the effect of the impact.
00:49:35
Speaker
Don't just say we had a material weakness; reveal what you're doing about it and why it won't happen again. Concluding on material weakness: identification of fraud, whether or not material, by senior management. It doesn't necessarily have to meet a material dollar threshold, but if it's senior management committing fraud, you have a material weakness. Identification of a material misstatement by an auditor in the current period where indications of a misstatement should have been detected by ICFR. So when the auditors come in and do their substantive testing and find a deviation in a revenue recognition calculation, and that deviation should have been detected by ICFR but it wasn't, you have a material weakness. Identify controls that address material misstatement risk, MMR. For each MMR, management ascertains which control or controls address the risk
00:50:31
Speaker
sufficiently, precisely, or effectively enough to mitigate it. The word mitigate in this context means the control or controls reduce the likelihood of a material error presented by the MMR to a remote probability. This level of assurance is required because a material weakness must be disclosed if it's possible or probable of happening. In a significant account, even though multiple controls may bear on a risk, only in-scope key controls that mitigate it require testing. Question 12, which of the following is a requirement of management in relation to 404? Management must evaluate ICFR under 404. A material weakness is disclosed to shareholders. A significant deficiency is disclosed to the board
00:51:27
Speaker
and audit committee. External auditors are overseen by the PCAOB. Although the external audit engagement partner is required to change every five years, it's not a requirement of management. The PCAOB says, document and identify controls designed to prevent and detect fraud, focusing on fraud controls. So basically, the PCAOB says, if you say you got it, you have to be able to prove it. You need to demonstrate through testing and documentation of processes, initiation, authorization, recording and reporting, that the design of your controls over relevant assertions related to significant accounts and disclosures is solid. The PCAOB considers key controls over period-end closing as a primary area of focus. Controls over safeguarding of inventory and other assets within the company are considered primary to the ongoing objectives of your company.
00:52:24
Speaker
Question 13, what elements are important to document within a process for 404 compliance? Process documentation should include understanding each significant process over each major class of transaction and its significant accounts: initiation, authorizing, recording. Separate applications such as Excel, Word, and Visio can be used to test and document a 404 project; controls can be placed into a database table just once and normalized for authorized use by the audit team. How to document an audit: flow charts, narratives, matrices, GL cross-reference, IT general controls, segregation of duty, test plans, testing schedule and status, deficiency list, process improvement ideas. Using a database to store work documents the audit generates
00:53:19
Speaker
is a convenient method to organize the hundreds of files created during a SOX project. This allows audit team members to quickly locate any files generated through Word, Excel, or Visio. For very large projects, a librarian may be enlisted to manage the files. Before jumping into transaction-level controls, it's a good idea to look at this entity-level control list taken from COSO ICFR Guidance 2013, as it can help the auditor minimize detailed test work at the transaction level. You may substitute entity-level controls, if they are sensitive enough and documented, for some transaction-level controls. The best control to rely on is the one closer to the financial statement, because something could always go wrong secondarily at the journal entry level. The first entity-level control is CEO/CFO review of gross margin
00:54:15
Speaker
and gross margin percent. This can reveal potential problems if the review is sensitive enough to reveal significant deficiencies using a pre-established materiality threshold, for example, variances of five percent for net income, half a percent for revenue, two percent for current assets and equity. The next entity-level control is that the CEO/CFO should be required to formally approve any major commitment of company funds. A merger or acquisition would require board of directors endorsement. Likewise, a $500,000 major purchase requires chief executive consent. An obvious risk would be a member of a major disbursement group who is both requesting and signing off on a given purchase. The CFO should review all judgmental reserve movements each month. The auditor
00:55:05
Speaker
is examining the journal entry process; he or she wants to ensure one employee prepares the entry and a different employee approves and posts it. Monthly closing checklists from each location should be reviewed and signed off by the local controller before submission to the CFO. The review should include prior year versus current year, budget versus actual, and standard checks. If the review is sensitive enough and well-documented, a company can use it as an effective control. Such a review allows the auditor to verify management has approved any differences between budget and actual numbers. The PCAOB requires audit standards number 8 through number 15, underlying the entire audit process. A higher dollar magnitude account should have higher risk assigned to it. Watch the ending balance,
00:56:00
Speaker
because you may have an account that has a low ending balance but has a high volume of transactions going through the account during the month. Think about the number of transactions and the potential for fraud or error. The first factor in identifying inherent process risk is susceptibility to error or fraud. Example, a process involving wire transfers or cash is susceptible to fraud. The second risk factor is complex accounting, GAAP, making it very easy for employees to make mistakes simply due to the complexity of procedures. Many companies have complicated tax issues, including short-term and long-term tax provisions. A third set comes from processes involving estimates, judgments, contingencies, reserves, or intangible assets. A fourth risk factor: even if GAAP is not complex, some processes
00:56:56
Speaker
contain manifold transactions. Example, a company might have several distribution layers in its sales process. A salesperson sells to an agent who then holds inventory and sells to distributors. Revenue recognition rules about who holds title, who paid for the shipment, who bears risk of loss, and who has right of return create a delicate movement. Lack of automation is the fifth risk factor. The more IT controls a company has, the greater the certainty a process will be completed correctly every time it takes place. Another important factor: spreadsheets increase risk. A process change is a point where risk can develop. Contingent liabilities are similar to estimates. Related party transactions increase risk because of the potential for conflict of interest. Example, a company president leasing space or equipment to the company is inherently risky. Shades of Enron.
00:57:54
Speaker
Lastly, environmental factors such as technology or economic development can increase risk. Example, a bank with processes involving interest rate changes or exposure to subprime mortgages has a high risk factor. Question 14, what are the most significant items management should consider when identifying significant accounts and disclosures under 404?
00:58:20
Speaker
Under PCAOB AS5, the auditor is required to ascertain whether an account is significant or not significant, i.e., yes or no, based on a series of risk factors related to the likelihood of financial statement error and the dollar magnitude of the account. Significant accounts and disclosures are in scope for assessment, so management typically includes this information in its documentation and generally performs analysis for review by the auditor. This documentation may be referred to in practice as significant account analysis. Accounts with large balances are generally presumed to be significant, i.e. in scope, and require some form of testing. Under new SEC guidance there is the concept of rating each significant account for misstatement risk, low, medium, or high, based on similar factors used to ascertain significance. The misstatement risk ranking
00:59:17
Speaker
is a key factor used to ascertain the nature, timing, and extent of evidence to be obtained. As risk increases, expected testing evidence accumulated for controls related to significant accounts increases. The assertion defines the risk, risk being the inverse of the assertion. Example, existence/occurrence means quite simply, assets exist. A balance sheet item exists, and an income statement transaction exists. If an employee stole money and recorded it as an expense, or if an employee recorded the transaction too early and the shipment did not come in, or if an incorrect amount was recorded for a transaction, a valid transaction did not occur. This last example might seem like valuation/allocation, but in fact comes down to existence/occurrence because the proper transaction does not exist; only the incorrect transaction has been recorded.
01:00:16
Speaker
If completeness is relevant to a particular process, the risk is the process may be incomplete. Case in point, in accounts payable, a transaction could be missing from the AP ledger. Valuation/allocation only concerns judgments and estimates. Improper calculation on an invoice, resulting in discrepancies between what was billed and what was paid, is a problem with existence/occurrence. Rights and obligations is quite easy: a company owns its assets and owes its liabilities. Presentation/disclosure is related to compliance with GAAP. Presentation/disclosure is a relevant assertion in every process. Anytime a company applies GL account coding or GL distribution, an employee must record the transaction according to GAAP. A missing footnote is a problem under presentation/disclosure. Transaction assertions. Example, accounts payable, cash account processing, and payroll.
01:01:15
Speaker
Inherently, the ability to manipulate these accounts and create ghost vendors or ghost employees can be high. Accounts payable, cash, and payroll have higher susceptibility to fraud than a very stable property, plant, and equipment account. Question 15, which is an important consideration when performing accounting risk assessment? AS5 says your audit approach should be a top-down risk-based approach, TDRA. Ascertain entity-level and transaction-level controls which address risk, then ascertain the nature, timing, and extent of testing of in-scope controls. Determining adequate design of internal control is part of design evaluation, and we do not want to eliminate detailed documentation. Everyone will take a little different approach, so this is just a thought process.
01:02:08
Speaker
You can use it to develop what is most pertinent to your company. Consider the control type, whether it's preventive, detective, manual, or automated. This will play into the assurance you place on the control. A manual control is inherently more risky than an automated control because you've got people doing it over and over again. Whereas an automated control built into the network and software application, such as passwords, data entry validation checks, and batch totals, is more reliable and cost effective than a manual control. The same goes for preventive versus detective controls. We place more assurance on preventive controls, such as manager approval, because they're going to stop the error from happening in the first place. Detective controls on the back end rely on someone to catch it through their monitoring process.
01:03:06
Speaker
Normally, areas with lower risk have more tolerance because the risk of a material deviation is diminished. In areas of high risk, tolerance is going to be smaller because you want to be sure something is caught before it goes wrong. One thing that should come to mind is a strong human resource department. A key element of this top-down approach related to ICFR, human resources, is bringing in the correct people. They make sure the people match the jobs, creating this environment where we have a code of conduct. We are able to have fraud prevention. We're able to have consistent application of standards throughout the whole company. As an auditor, and frankly as management, we ascertain ICFR. As we ascertain ICFR, there's no question one of the first stops is going to be a top-down approach to human resources. Next, controls over management override.
01:04:02
Speaker
This is a critical element related to overall entity-level controls. We may have very strong controls related to transactions and account balances within the general ledger. But the question becomes, what happens to the financial statement after it leaves the general ledger? We've uploaded the data into an Excel file where management is preparing the final adjustments to the financials. Any adjustments made on this top side should actually be reflected in the general ledger journal entries. We want to be sure management is not doing what we call top-side entries, where they make adjustments to the financials that are not recorded in the general ledger in an appropriate journal entry. The issue we want to be aware of is there should be very specific controls over management related to their ability to generate transactions. In a very strong control system, the senior accountant
01:04:57
Speaker
would initiate manual journal entries. These would then be approved by either the controller or the director of finance. While the CFO has the ability to view all data, he or she actually has read-only access to the data. So he or she is not able to make any changes to the financials. It's critical we understand the control structure when looking at manual journal entries and who has access to initiate transactions, who has access to approve journal entries, making sure any manual journal entry is recorded, documented, and signed off on. Mapping simply means identifying accounts affected by each assertion. The auditor does this by listing all of the GL accounts in the first column and all of the assertions in a row across the top of the spreadsheet. Then the auditor can check off the assertions involved in each account.
01:05:54
Speaker
After completing the mapping exercise, the auditor is cognizant of the assertions for each GL account, and scoring, such as low, medium, or high risk based on magnitude of account, potential for fraud, or related party transactions, will help identify accounts where testing is necessary. Then you're going to link each account to a process or cycle; for instance, the cash account is linked to the revenue cycle and the procurement cycle. You may then rank findings into low, medium, or high. This chart maps processes to financial statement groupings. In the first column, you see the process or cycle. The second column lists any subprocess within each process, and the row at the top of the chart lists financial statement accounts, with each cell
01:06:50
Speaker
showing H or M for high or medium risk. To summarize, the first step is to map assertions to GL accounts, trial balance, and footnotes. It's good practice to include footnotes from other data sources such as outstanding stock shares. The auditor can use the COSO ICFR guidance to identify relevant assertions for each general ledger account. Secondly, connect processes to GL accounts. Finally, by turning assertions into objectives and objectives into risks, a negative, the auditor has a systematic means for identifying all the risk he or she must document. Again, risk is simply the inverse of the assertion. So there's your triangle of logic. Swim lanes are rows on the chart and show each position's task for a given process.
01:07:47
Speaker
Swim lane flowcharts work well because they allow the auditor to account for the information and communication aspect of COSO. The vertical arrows show communication passing between two employees. This chart shows key controls in the numbered circles. According to new guidance, the auditor is only required to identify key controls. SOX requires documenting the process and the point in the process where the control occurs. Two more reasons to use swim lane flowcharts are that they allow the auditor to visualize exactly where a control is implemented and whether it occurs in more than one place. Lastly, swim lane flowcharts are an excellent way to show segregation of duty. The auditor can simply look across a row to see if one person is doing the majority of tasks in a process.
01:08:45
Speaker
This type of chart allows the auditor to identify problems such as when one employee does most of the tasks in a process, but very few controls cover the tasks done by that employee. Such a picture would signal an issue with segregation of duty in the given process. You see this building block of IT controls? This wedding cake diagram represents a similar visualization of the COSO cube. The bottom layer of the cake shows entity level controls, tone at the top. This happens to be the top layer of the COSO cube, called control environment. The next layer up the cake is IT infrastructure, which includes network use, data center, servers, operating systems, intrusion detection, and backup. In short, all of the concerns of an IT department. The layer above IT infrastructure is IT applications.
01:09:40
Speaker
These are the software packages the company uses, such as GL, AP, and payroll modules. The reason for the distinction between IT infrastructure and IT applications is business processes, the top layer of the cake, which relies seriously upon IT applications. Example: a company relies upon many different reports; completing an allowance for bad debts requires producing an aging report from the order processing system in the accounts receivable module. Because of the close relationship between business process and IT application, the auditor must consider these two layers in tandem during the documentation phase. This slide comes from the IT Governance Institute. There's something called COBIT, or how to run an IT department.
01:10:34
Speaker
The auditor must choose among different frameworks available for documentation and testing of IT infrastructure. The framework published by ITGI is a subset of COBIT, the IT equivalent of COSO. ITGI developed its control framework through a comparison of COBIT and PCAOB controls. By cross-referencing the two, ITGI produced a subset of COBIT controls. This chart shows the comparison process: ITGI cross-referenced PCAOB IT general controls with COBIT controls as justification for the subset. And this is an example of COBIT's control guidance. This figure here is great. ITGI gives you the control, requests for program system change. They give you the objective. They rationalize it. Here's an example of a control and an example of the tests they want you to do. If you're a public company,
01:11:33
Speaker
You do want IT governance to follow this. COBIT is like COSO in the sense it describes an entire testing structure. A CIO following COBIT will have a strong IT department. ITGI wrote many management practices into COBIT. Although it would be good management practice, the SOX auditor need not follow all of them. The ITGI framework is useful for large and small companies. The four frameworks listed are all important standards for evaluating IT infrastructure. Here again, we see the risk ranking for the revenue cycle is ranked high. What are some of the key inherent risks here? Revenue recognition, authorization, billing accuracy, compliance. Using judgment, risk assessment of in-scope control applications and related subsystems
01:12:30
Speaker
allows companies to prioritize efforts in higher risk areas and reduce efforts in lower risk areas. Remember to clearly document, particularly where any system is excluded from scope; document why it's excluded. Included in the AS5 standard are two types of risk, inherent process risk and control failure risk. This chart shows inherent risk in the light blue box to the right of processes and control failure risk to the right of the controls box. In both cases, materiality is separated from risk. Example: a company installs a new accounts payable module. A new AP system would create inherent risk. Yes, auditors must ascertain the amount of materiality flowing through the process in order to evaluate importance of a particular process in relation to other processes.
01:13:27
Speaker
On the other hand, if the control on this process has failed in the past or if a new employee is responsible for the control, the process itself is not necessarily risky, but control failure risk would be high. High inherent risk combined with high control failure risk compounds any situation in a given process. So how much evidence do you need to establish ICFR is effective? Sufficiency of evidence is based on ICFR risk. SOX guidance includes the concept of a heat map. The heat map audit risk matrix is a tool that represents the relationship between risk and necessary level of testing. The idea is high inherent risk, shown in the chart's red zone as material misstatement risk, MMR, on the y-axis, coupled with higher control failure risk, CFR, on the x-axis,
01:14:27
Speaker
indicates a need for more rigorous testing. In such a case, auditors should gather more evidence and test larger samples. The opposite is true as well. If a process has low inherent risk and a low risk of control failure, shown in the chart's green zone, the auditor can save time and effort by reducing test work. The Securities Exchange Commission lists control characteristics that contribute to control failure, including type of control, manual or automated; complexity of control; management override; judgment required to operate the control; competence of personnel performing or monitoring the control; any change in key personnel performing or monitoring the control; nature and materiality of the misstatement the control is intended to prevent or detect; and degree to which the control relies on effectiveness of other controls. Finally, evidence of operation of the control from prior years.
01:15:26
Speaker
The key SEC principle regarding evidence decisions can be summarized as follows. Quote, align the nature, time, and extent of evaluation procedures on those areas that pose the greatest risk to reliable financial reporting, unquote. The SEC has indicated sufficiency of evidence required to support assessment of a specific MMR should be based on two factors, MMR itself and CFR. These two concepts together, MMR and CFR, equal ICFR risk and should be associated with in-scope controls, as the diagram emphasizes. Now let's look at our risk response. There are four potential ways we can deal with risk identified on the heat map: avoidance, reduction, transferring, acceptance. Avoidance means we divest of the activity giving rise to the

Outsourcing and Risk Management Strategies

01:16:20
Speaker
risk. Example, if we're worried about challenges of production,
01:16:24
Speaker
we could choose to outsource production to someone else and let them assume the risk. Reduction means we take action to reduce risk. This is a common approach for many risks as it's often difficult to avoid risky activity altogether. Transferring or sharing means we offload a portion of risk to someone else, insuring our business with commercial liability, fire, and property insurance. Business interruption insurance provides a company with compensation when an adverse event happens. At times, acceptance is all that can be done, though rarely should it be an acceptable rationalization. The decision to accept risk should be driven by cost-benefit analysis. Those risks in the green zone are candidates for acceptance. Consider the risk of losing a certain staff member for a variety of reasons unrelated to our HR policy,
01:17:23
Speaker
for instance, due to pregnancy, personal circumstance or illness. In such a case, it's not economic to address this sort of risk. The threshold for action is driven by risk appetite and philosophy. One comment though: we implicitly want to avoid risk in the red zone. Finally, risk avoidance is not always possible or desirable. In fact, taking on risk is the very nature of business. As long as you're being compensated for taking on incremental risk, you may very well choose acceptance as a viable strategy for a critical risk. Question 16. Which of the following would be considered a method of risk mitigation as opposed to risk testing? Avoidance means we divest of the activity giving rise to the risk. Answers A, B, and C are types of audit testing: re-performance, inspection, observation.
01:18:24
Speaker
Management must develop sufficient documentation to support assessment of effectiveness of ICFR. This may take many forms: electronic files, policies, job descriptions, flow charts.

Audit Documentation and Control Testing

01:18:35
Speaker
You notice here there is a requirement for this documentation. So within the finance department, there needs to be a sub-department within the finance area and internal audit department where they're responsible for examining and documenting the internal control structure in such a way that when auditors come in, they're actually able to see what this internal control group has been doing in regards to documenting internal control and why we are doing this. We're doing this because this is a requirement. This is something management must sign off on as part of the financial statement. This simply means there need to be adequate records to establish an audit trail that can be followed for each transaction. Some principles for proper design and use of documentation include:
01:19:23
Speaker
Documents should be pre-numbered consecutively or automatically numbered to ensure everything is recorded and nothing is missed. Documents should be prepared at the time the transaction takes place to eliminate mistakes from memory lapse. And documents should be well-designed and easily understood to encourage correct preparation. This chart depicts COSO's Principle 11: select and develop general controls over technology. It reveals steps CPAs can use to understand a company's IT system and controls in order to ascertain effectiveness of IT controls. The flowchart can be applied to any business process, large or small, complex or simple. The first step is to understand the IT domain. Please consider the four green boxes. IT infrastructure and components: servers, networks, internet, Wi-Fi, interface applications. Next,
01:20:20
Speaker
end-user computing devices: laptops, mobile devices and spreadsheets. Then IT cloud applications and offsite service providers. Fourth, how is IT managed across the company? Understanding these four sectors of IT is accomplished using procedures such as inquiry of personnel, analytical procedures, observation of processes, walkthroughs and inspection of documents. Out of these areas of IT testing, you would be tempted to test the three major ones in bold, which are the most important.
01:20:57
Speaker
System access and account maintenance. Don't share user profile identification, administrative or otherwise. If somebody leaves the company, you've got to get them out of the system because those people know how to work the system. You don't want them in your general ledger. There's more chance of an ex-employee hacking your GL or payroll than there is some hacker that wants to get in and make a journal entry. Program change management. If you're changing the way a program works, you need to do user acceptance testing. The user group has to check out the program before it gets put into production. Backup and restore. A company must have secure, properly functioning backup and restoration modules.
01:21:41
Speaker
With reliable backup systems, a company can remedy problems by returning to backup files. If a company has good controls in these three areas, the remaining areas of IT infrastructure should fall into line, and a company runs a lower risk of harmful consequences to financial reporting. If you can always go to a backup, you're good. Make sure program changes do not distort the financials. Make sure people who should not be in the system are not granted access, and people that are terminated are taken out right away. Those are the main things we want to watch for. And how do hackers get in? Typically holes in the Wi-Fi security, which is the low-hanging fruit. We talked about IT benchmarking, where if you have a change in a control, you can still rely upon application controls again and again.
01:22:40
Speaker
Initially, application benchmarking involves documenting and testing the relevant controls embedded within the financial application to support the financial statement to confirm their design and operating effectiveness. Once these controls have been identified and tested, they qualify for benchmarking, which essentially allows for a reduction in frequency of testing as long as certain conditions are met, noted in PCAOB guidance. So when you do IT testing, these are generally the kind of things you look for. Approvals and oversights are self-explanatory. Documents retained, record keeping in place. System controls are built in and functioning. A company must have an employee monitor system alerts and logs. Someone is getting a log of when someone tries to hack the system. Security software will give a printout of the intrusion attempts. Hopefully someone follows up.
01:23:39
Speaker
With respect to segregation of duty, huge internal control. If there's not proper segregation of duty, that's going to be a significant weakness. There are four guidelines for separation of duty to prevent both error and fraud. What you want to see at a minimum are: one, custody of asset from accounting; two, authorization of transactions from custody; three, operational responsibility from record keeping; four, IT duties from user departments. In a word, you have to separate custody from accounting. The overall objective of separation of duties is you want to prevent a person or persons from perpetrating the fraud and then covering it up. Question 17. Which of the following best describes documentation needs for process initiation? Initiation is supported by input documentation. Answers B, C, and D describe authorizing,
01:24:37
Speaker
recording and reporting respectively. We're going to discuss three different techniques you can use for segregation of duty testing. First, think of SOD conflicts when preparing a risk control matrix. Second, prepare a separate SOD matrix by talking to process owners. Third, export system access data and combine with manual activities. For each risk, you have to have at least one control. Sometimes you're able to use the same control to prevent several risks, and that's really where you want to be. That's the holy grail of SOX and risk assessment. Stick with a control that gives you a lot of coverage. Ask yourself, are you relying on the control at the time the transaction takes place? Controls are listed down the left-hand column, y-axis, and risks across the column headings, x-axis.
01:25:34
Speaker
Then mark off where controls address risk within a matrix of cells like this. In this example, risk A is covered by control 3, risk B covered by control 1, risk C covered by controls 1, 2, and 4, and so on. Each risk is typically addressed by several controls, and each control typically contributes to covering several risks. This format supports these many-to-many relations conveniently. Two pieces of data the auditor must include in the risk control matrix are control number and name of the control owner. This helps the auditor build the flowchart. Knowing the name of the control owner tells the auditor in which swim lane to place the control. Assigning a control number avoids the necessity of writing out the control in longhand on the flowchart. Easiest practice
01:26:30
Speaker
is to number the controls in the order they occur within a process. Invariably, a company will make changes, omit some controls, and move others. If changes are made to a control or its location, the auditor should update them in the control matrix and change the flowchart. Because this method relies on the process owner's self-report, a risk control matrix should not be your only evaluation tool to address segregation of duty. This is called a segregation of duty matrix. You can see the employee names across the top row. It charts the relationship between employees and functions within a process. This is preferable to using a risk control matrix alone. The principle here is certain employees authorize transactions, others record transactions or have custody of assets, and still others perform controls.
01:27:30
Speaker
This is the expenditure cycle. A company wants to avoid situations in which someone authorizes and records transactions or any combination of different functions, such as authorizing and custody or recording and custody. Ideally, each employee should only perform functions in one color segment. This is a real simple thing to do. When a given employee's duties fall into two categories or two colors, as in the case of the functions circled on the chart, the auditor should explain whether or not the given situation poses a problem. This is a good method of evaluating segregation of duty, but it still cannot capture all possibilities. Like a risk control matrix, it too relies upon employees' self-reports. You're asking people what they can do, and employees may not remember all of their privileges granted by the IT system.
01:28:28
Speaker
So

Material Weakness in SOX Audits

01:28:29
Speaker
the auditor must check the IT system as well to catch any access privileges the employee may have omitted. Employees may forget duties that require system access on an infrequent basis. Look inside the IT system and see what screens the GL accountant has access to. The most sophisticated and complete method of documenting and testing segregation of duty involves combining data from the IT system with a list of manual activities for a given cycle. An example of a manual activity is reconciling bank accounts. An IT system cannot identify who completes this task. However, an audit team can create a database to combine IT privileges with manual responsibilities and generate a report identifying a conflict. SOX audits are based on materiality.
01:29:27
Speaker
The auditor examines the amount of materiality flowing through a process, not necessarily the balance in an account. The process and its relationship to a general ledger account is most important here. Think of a process as activities people perform within their job description involving transactions ultimately reported in the company financials. Like water flowing through a pipeline, one can measure the annual volume of transactions involved in a given process. Take payroll. A SOX auditor can easily find a company's annual payroll figure. The auditor then compares annual payroll with the materiality factor at this company. There will be some activities that are not material. For instance, company travel and entertainment expense may not be high enough to be material, and this varies for each company.
01:30:23
Speaker
Although SOX auditors use a standard for materiality in a substantive audit, this is not necessarily the same standard for materiality as in an internal audit. There are three levels of severity when we find something wrong in SOX: deficiency, significant deficiency, material weakness. What is a control weakness? It means either a design issue or an operational issue. A design issue means the control is not properly designed or it's missing. An operational issue means the control is in place, but it's not operating as designed, or the person responsible for it is not authorized or qualified. If a control deficiency becomes a significant deficiency, we have to decide on the likelihood of whether or not it will rise to the level of a material weakness. If it results in a material weakness, it's a reportable item. Question 18. A deficiency or a combination of deficiencies
01:31:22
Speaker
in IC such that there is a reasonable possibility a material misstatement of a company's financial statement will not be prevented or detected and corrected on a timely basis should be reported externally. A material weakness is a deficiency or combination of deficiencies in ICFR such that there is a reasonable possibility, more than remote, that a material misstatement of the company's annual or interim financials will not be prevented or detected on a timely basis. As illustrated in this slide, the auditor must consider two dimensions of a control deficiency. First dimension: likelihood, reasonably possible, x-axis. The Securities Exchange Commission defines probability in terms of FASB 5, accounting for contingencies. Remote: chance of the future event occurring is slight.
01:32:19
Speaker
Reasonably possible: chance of the future event occurring is more than remote but less than likely. Probable: future event is likely to occur. Second dimension: magnitude, insignificant, significant or material, y-axis. What we see here is we have a matrix of magnitude and likelihood. On the x-axis, likelihood, being remote on the left. We're not talking about remote right now. Almost anything is more than remote, all the way to the right where we have possible or probable. Then on the magnitude side, on the y-axis, we're looking at things not material or significant, then not material but significant, finally material. So what we're saying here is if the deficiency is not material or significant, or not material but significant, we are reporting to the audit committee and to management,
01:33:14
Speaker
but we're not reporting externally. It's only when we have a material weakness that it's going to be reported externally as part of our ICFR audit. A material weakness will result in an auditor's adverse opinion or disclaimer opinion and withdrawal. This usually means management has not documented ICFR. Significant deficiency example: inadequate segregation of duty over IT access controls. Next, several instances of transactions that were not properly recorded in the subsidiary ledger, although the transactions were not material either individually or in aggregate. Next, lack of timely reconciliation of an account balance. Based on these facts, auditors should ascertain if the combination of these significant deficiencies taken together represents a material weakness.
01:34:12
Speaker
Inconsequential is a control gap, but there's no material impact on financials. It may just be a minor exception. Material weakness is the thing everybody worries about. Your company needs to have a detailed talk with your audit committee and an understanding of what your external auditors are looking for. Most companies will try to define material weakness at a little bit lower level than that of the external auditors because they want to find it before external auditors do.
01:34:43
Speaker
A material weakness may literally be a control environment issue where people are not qualified to perform their job duties or the audit committee does not properly oversee aspects of internal audit. Management must attest at a point in time, virtually at year end. As long as you remediate deficiencies appropriately during the year and can prove they are working correctly at year end, you may attest at year end. Management must disclose any change in controls that has a material impact on ICFR in quarterly reviews or quarterly filings with the SEC.

Control Testing and Evidence Collection

01:35:20
Speaker
Example: suppose you change financial reporting systems. If you get a better system, the assumption is the quarterly attestation lets people know any change of legal elements during the quarter which impact ICFR from the previous period.
01:35:37
Speaker
Management has significant flexibility regarding nature, timing, and extent of testing in the context of ICFR related to a given control. Sample size should increase proportionally to ICFR risk. Inquiry, observation, inspection, re-performance are the four evidence types, listed in order of sufficiency. Evidence beyond inquiry, typically inspection of documents, is required for testing the control's operating effectiveness. Re-performance would be expected for the highest risk controls, such as the period-end reporting process. For fully automated controls, either a sample size of one or a benchmarking test strategy may be used. If IT general controls related to program change management are effective,
01:36:33
Speaker
and the fully automated control has been tested in the past, annual testing is not required. However, the benchmark must be periodically reestablished. Scope of roll forward testing performed at an interim date prior to year end: as risk increases, roll forward testing is likely to be necessary to extend the effect of interim testing to year end. Lower risk controls would not require roll forward testing. Strong entity level controls, particularly control environment, act as a pervasive counterweight to risk across the spectrum, reducing sufficiency of evidence required in lower risk areas. Cumulative knowledge from prior assessment regarding particular controls that have a history of working effectively requires less external evidence.
01:37:30
Speaker
Here's a matrix again. So just like documentation, testing is not a one-time event. It's an ongoing process. Once your controls are identified, consider whether you need to do inquiry, observation, inspection, walkthrough, or re-performance. For a high-level risk factor, substantiate your test work to ensure requirements are fulfilled and traceability is established regarding what's been done, who's done it, and when it was done. The timing and frequency of testing may depend on the timing of when the transaction occurs. Regular transactions that happen on a monthly, weekly, or daily basis may be tested monthly. Transactions that occur at the end of your close period or at year end dealing with consolidation or disclosure may be tested on a quarterly basis. Speak with your external auditors regarding tolerance level. Inquiry
01:38:30
Speaker
is often used when there's little or no evidence the control was performed. Inquiry about the control in and of itself is not sufficient testing. You have to have some combination with another test, because you could ask Linda, did you reconcile this account? Linda says yes, and then you're taking her word for it. So you have to provide some level of secondary evidence the control was performed. This could be inspection of a sample of transactions to validate the operation, matching or comparing items, or vouching the transaction occurred. Then there's observation, which is used for physical inventory testing to verify existence of the control. Re-performance is used to validate a control. Auditors often retest bank reconciliations or retest a particular physical inventory count. These are aggressive, meaning small sample sizes.
01:39:31
Speaker
Coordinate with external auditors. Your test plan should include the control description, population used for sampling, sample size, procedure to test, conclusion. As mentioned earlier, make sure you understand the difference between a test sample exception versus failure. An exception means a portion of your sample failed. A failure means there were enough exceptions to indicate the control itself isn't working well enough to mitigate the issue. Evaluate operating effectiveness of the control as designed and the person's competence and authority. Example: Linda is the person performing the control and she's at a certain level in the company. But Linda is on sick leave and a temp who doesn't have adequate training or knowledge performs the key control. Could this result in a deficiency?
01:40:27
Speaker
There are four steps to remediate control failure. One, auditor's reason for failing. Is it an isolated incident in Singapore or something else? Two, manager's evaluation. What should be done? Documentation may have to change because a new control changed. Three, process owner's remediation. Meet with IT and get things worked out. Four, evaluation sign-off by the disclosure committee. Because spreadsheet totals can result in entries to the general ledger, good Excel spreadsheet controls are a critical component of strong ICFR.

Cybersecurity and Fraud Prevention

01:41:09
Speaker
This table lists 12 controls that mitigate risk of material misstatement in the financials due to spreadsheet error. Implementing strong spreadsheet controls begins with a checklist of critical spreadsheets to include
01:41:24
Speaker
ensuring there's a formal process for testing and approving changes prior to reuse of the spreadsheet. Just as there would be a formal process for changes made to the company ERP system, managing spreadsheets in the same manner will mitigate spreadsheet control risk. Many individuals may have access to a shared network drive at the company. To maintain control over data, the company should implement version control and access control. Version controls ensure the current version is used, which is important when a spreadsheet is revised or updated periodically. Establishing access control for authorized use only is imperative. Implement restricted access through network workstations or use passwords to protect individual workbooks and spreadsheets. Lock
01:42:21
Speaker
or protect sensitive cells used in formulas or master data. Have an independent user verify and document spreadsheet logic. In meeting compliance regulations, you want to ensure you have an email system that is secure and whose storage can survive disk failure, power outage, or a corrupted operating system. Email servers should have functional, comprehensive archiving and indexing of all the emails and attachments, fast and easy search and retrieval capability, policy management through user-defined rules and legal holds. You need an audit trail and a user-friendly web-based interface with full reporting and statistics capability. The worst thing to do is nothing. It's imperative you start now. In October 2018, the Securities Exchange Commission issued a report titled Cyber-related Frauds
01:43:19
Speaker
perpetrated against public companies and related internal accounting control requirements. The victims were one of two variants of schemes involving spoofed or compromised emails from persons purporting to be company executives or vendors. The first type of email compromise was emails from fake executives, specifically persons not affiliated with the company purporting to be company executives. The perpetrators of this scheme emailed the victim's finance department using spoofed email domains and addresses of an executive, typically the CEO, appearing as if the email were legit. In all of the frauds, the spoofed email directed the company's finance department to work with a purported outside attorney
01:44:15
Speaker
identified in the email, who then directed the company's finance personnel to initiate, quote, time sensitive, unquote, large wire transfers to foreign bank accounts controlled by the perpetrators. The second type of cyber-related fraud involved emails from fake vendors impersonating the company's vendor. This scam was far more sophisticated than the spoofed executive emails because the schemes involved intrusions into the email accounts of the company's foreign vendors. After hacking the existing vendor's email account, the perpetrators inserted illegitimate requests for payment and payment processing details into emails that were otherwise for legitimate transaction purposes. The perpetrators of this scam corresponded with the unwitting company's purchasing department
01:45:12
Speaker
so the scammers could gain access to information about actual purchase orders and invoices. The perpetrators then requested purchasing personnel to initiate changes to the vendor's banking information and attached falsified invoices reflecting new fraudulent account information. Purchasing then relayed this information to accounting, responsible for maintaining vendor data. As a result, the company made payments on outstanding invoices to foreign accounts controlled by the impersonator rather than the account of the real vendor. Victims only learned of the scam months later when the real vendor raised concerns about nonpayment on outstanding invoices.

Social Media and SEC Regulations

01:46:03
Speaker
SEC compliance and disclosure interpretations, CDIs, now permit use of social media: Twitter, LinkedIn, and Facebook. CDIs permit use of an active hyperlink to satisfy the cautionary legend requirement. Messages retransmitted by unrelated third parties are not attributable to the issuer. Therefore, the issuer is not required to ensure third parties' retransmission complies with guidance. Requirements regarding cautionary legends by these CDIs
01:46:39
Speaker
apply to both issuers and soliciting parties in proxy fights or tender offers, and allow communication with shareholders and potential investors via social media. Companies should remain mindful of Regulation FD, full disclosure, in their use of social media. Companies should consider whether (A) their website is a recognized channel of distribution, (B) posting of information on the website disseminates information in a manner making it available to the securities marketplace, and (C) there has been a reasonable waiting period for investors and the market to react to the posting of information. Companies need to demonstrate they are exercising due diligence, promoting ethical conduct, and preventing criminal conduct in social media.
01:47:35
Speaker
One major provision of SOX is that publicly traded companies must make timely disclosure of material information about their business. Social media, in particular Twitter, is the most rapid means by which a company can publicize its material changes. SOX 409 specifically addresses social media: rapid disclosure to the public of any major change in financial conditions. SEC rules include fair disclosure, so you need to consult a securities and social media attorney who will recommend what to include in your policy depending on the nature of your business. Your corporate compliance and ethics program should include a social media component. Please refer to Intel Corporation's excellent social media guidelines. The link is cited in the references. Don't try to prohibit
01:48:30
Speaker
lawful protected activities such as complaining about work conditions, compensation, benefits, or whistleblowing. Employees should be advised of the importance of communicating any possible wrongdoing at the company through established internal channels so an appropriate investigation can be conducted. Social media can expose companies to numerous business risks. Most of this risk results from a combination of organizational weakness or vulnerability exposed through data misuse or data sharing, accidental or malicious. Here's a perfect example. Elon Musk is being sued by the SEC for securities fraud. The SEC alleges Mr. Musk made false and misleading statements, without shareholder vote and for which he had no basis, about Tesla going private,
01:49:27
Speaker
causing market confusion and disruption. NASDAQ did not receive advance notification as required before the infamous tweet. On August 7, 2018, Elon Musk wrote, "Am considering taking Tesla private at 420. Funding secured." It came as shares were already surging on news that Saudi Arabia's sovereign wealth fund had made a 2 billion stake in Tesla over the past few months. After the tweet, Tesla's stock price soared. The problem lies in whether some investors learn material information from Tesla sooner than others, allowing them to make money by buying or selling the stock before investors who were "out of the loop" can react. In the case of Mr. Musk's private tweet,
01:50:19
Speaker
Tesla stock instantly shot up as much as 7% before trading was temporarily halted by NASDAQ. That hurt short sellers who make money by borrowing stock, selling it, then buying it back at a cheaper price. The rapid surge in Tesla's stock price forced short sellers to buy shares at elevated levels, putting those who heard the news later in an even worse position.
01:50:49
Speaker
The Securities and Exchange Commission looks at social media announcements through the lens of fair disclosure requirements, as defined in a rule known as Regulation FD, which says a company's communication methods must be reasonably designed to provide broad, non-exclusionary distribution of information to the public. Elon Musk routinely blocks people from following him on Twitter. Mr. Musk blocks anyone who says anything negative about Tesla. If you say, "I don't like your cars," you're blocked. And Mr. Musk really has a pattern of blocking a lot of people, which raises particular questions about whether Mr. Musk has turned an open channel back into a selective channel. The point is to make sure everyone knows, but when you start blocking, that changes the equation because it becomes a selective disclosure
01:51:44
Speaker
if you're not letting anyone who wants to follow you follow you, and that creates problems. What is the Reed Hastings rule? The SEC first ruled on use of social media for disclosing material information after Netflix Inc. CEO Reed Hastings wrote in a July 2012 Facebook post that viewing on his company's video streaming service had exceeded 1 billion hours for the first time. The Securities and Exchange Commission determined Mr. Hastings would not face enforcement action and declared most social media perfectly suitable for communicating company information as long as investors are alerted and access is not restricted. Going back to Mr. Musk, a similar controversy played out on the national stage as to whether it is illegal
01:52:43
Speaker
for President Trump to block people on Twitter. A federal judge ruled in May 2018 that Mr. Trump's actions violated the First Amendment, although DOJ is appealing the decision. As in the Trump ruling, Mr. Musk should be forced to mute and not block. In this figure, we show a governance organizational chart, which provides an idea of lines of reporting and the roles each function can play in identifying, assessing, and managing a particular risk. From the bottom up, the marketing department may be focused on brand reputation risk, while legal and audit are accountable for privacy and fraud, respectively. Strategy manages intellectual property disclosure, while HR manages conduct. The social media manager reports risk, trains personnel, and audits processes. Risk management
01:53:40
Speaker
integrates social media into enterprise risk management, while corporate communications sets policy and identifies social platforms and channels. IT implements and secures data technology. The executive defines social media's role in the company and sets risk tolerance levels.

SOX 404 Compliance and Conclusion

01:54:03
Speaker
We've reached the end of this session on 404. Thank you for your attention. We've covered SOX 404, including social media considerations. Companies will continue to adjust to meet regulations, and COSO will continue to provide a framework while the PCAOB's ongoing inspections will assist in guidance. Compliance with SOX mitigates severe consequences for any business, from high risk of financial misstatement, operational or financial sanction or penalty,
01:54:35
Speaker
to a major negative capital market reaction. To review, here are a few of the key points we covered. Most important is the implementation of a top-down, risk-based "what could go wrong" approach. Following this concept, the audit team should evaluate each company location, parent and subsidiaries, based upon its level of risk. Next, identify processes within each location that trigger financial transactions in the trial balance, then identify risk in each process. Next, identify controls that prevent the risk from happening. Finally, test and remediate to make sure controls are in working order. Plan to work with external auditors so they can rely upon the quality of evidence produced internally. Use entity controls where they are strong enough to allow for time and money savings on the project.
01:55:32
Speaker
Concentrate on eliminating any step that does not influence financial reporting. Swim lane flow charts offer many benefits over creating a narrative to document a given business cycle. Under AS5, you can omit non-key controls from the project. Lastly, when testing IT infrastructure, emphasize system access, program change control, backup systems, and benchmarking. These key areas can abrogate testing other parts of IT infrastructure. Next, segregate approval of transactions from custody of assets from record keeping of assets. For example, a credit manager responsible for approving credit should not be approving the write-off of uncollectible accounts. The following conditions are necessary for a company to be auditable
01:56:31
Speaker
under 404. Management accepts responsibility for effectiveness of ICFR. Controls are suitably designed and implemented to achieve control objectives, i.e., reliable financial reporting. Management assesses effectiveness of ICFR and reports thereon on both design and effectiveness of controls. Finally, as we've seen, establishment and evaluation of ICFR should accompany process documentation efforts. Documentation of controls is an outgrowth of documentation of the underlying process. Review your current controls against the related points of focus to ensure you've not missed anything. Lorman, thanks for having me back. It's always a lot of fun. Thank you for your attention. Much success to you. Enjoy the rest of your day.