
SOX for Everyone

Brief History of Internal Control, SOX, and Fundamentals of Control Frameworks

Source: Brink's Modern Internal Auditing, Robert Moeller, Wiley Publishing

Agenda for Today

- What is internal control and why is it important for governmental entities?
- History of internal control leading up to SOX
- COSO framework
- Fundamentals of internal control and control systems
- Wrap up

What is Internal Control?

- General procedures for a well-managed, well-functioning business
- Components include:
  - Accomplishes its mission
  - Produces accurate, reliable data
  - Complies with laws and corporate policies
  - Results in economical/efficient use of resources
  - Provides for safeguarding of assets

Internal Control and Governmental Entities

- How do internal control objectives translate into government objectives?
  - Increase the public's confidence level in government operations.
  - Increase management's accountability for financial reporting and information disclosed to the public.
  - Reveal the critical need for management's well-defined job requirements.
  - Reduce fraud and increase accountability.

Source: http://www.governmentauditors.org/content/view/273/123/

Internal Control Standards: Background Developments

- Earliest definition of internal control: the organization's plan and actions to
  - safeguard its assets,
  - operate efficiently,
  - adhere to policies, and
  - accurately and reliably produce accounting data

Internal Control Standards: Background Developments (continued)

- Foreign Corrupt Practices Act (FCPA)
  - Response to the Watergate scandal
  - Required management to
    - Maintain accurate books and records,
    - Implement a system of internal control
  - Also prohibited bribes
    - Excludes "grease" payments to minor officials
  - Created a flurry of activity to comply; today it is seen primarily as anticorruption legislation

Efforts Leading to the Treadway Commission

- Cohen Commission (an AICPA commission)
  - Recommended that management report on internal controls and that auditors opine on the fairness of management's assertion
  - Resulted in criticism from external auditors: lack of consistent definitions regarding "internal controls," "adequate," etc.
  - FEI endorsed the Cohen recommendation
    - As a result, some CEO management letters discussed internal control; some letters included negative assurance

Efforts Leading to the Treadway Commission (continued)

- SEC 1979 proposal
  - Based on the Cohen Commission and FEI
  - Called for mandatory management reports on internal control
  - Again, controversy and criticism centered on the lack of a clear definition of internal accounting control
  - SEC dropped the proposal, but it established a need for a management report on internal control as part of required SEC filings

Efforts Leading to the Treadway Commission (continued)

- SAS No. 55 (Statement on Auditing Standards), issued by the AICPA
  - Defined internal control in terms of the
    - Control environment
    - Accounting system
    - Control procedures
  - Management's view of internal control is broader and encompasses the entire control system
  - External auditors focus on internal control related to financial statements

Efforts Leading to the Treadway Commission (continued)

- Treadway Committee (National Commission on Fraudulent Reporting)
  - Late 1970s and early 1980s were a period of high inflation, high interest rates, and many business failures despite the companies having reported adequate earnings
  - Congress proposed but didn't pass bills to correct the business and audit failures
  - Treadway Commission formed to identify fraud factors and propose recommendations

Efforts Leading to the Treadway Commission (continued)

- Treadway Committee, continued
  - Again, a call for management reports on the effectiveness of internal control
  - Most important contribution of Treadway was raising the level of concern and attention directed toward reporting on internal control
- FCPA, Cohen Commission, SEC 1979 Report, SAS No. 55 and Treadway Commission
  - Occurred almost in parallel over a period of 20 years and helped redefine internal control

Sarbanes-Oxley Act

- Passed in 2002
- Most significant overhaul of public accounting, corporate governance and financial reporting since the 1930s
- Established regulatory rules for public accounting firms, auditing standards, and corporate governance
- PCAOB established to oversee public accounting firms and to establish auditing standards

Sarbanes-Oxley Act (continued)

- Section 101
  - Establishes the PCAOB
    - Non-profit, private-sector corporation
    - PCAOB consists of 5 members appointed by the SEC
  - AICPA no longer establishes Statements on Auditing Standards or GAAS
  - PCAOB now oversees all audits of SEC-reporting corporations

Sarbanes-Oxley Act (continued)

- Section 201
  - Establishes new rules regarding auditor independence and prohibited practices
  - Limitations include financial information system design and implementation, internal audit outsourcing, and other services
  - Tax and other non-prohibited services may be performed by the external auditor if approved in advance by the audit committee

Sarbanes-Oxley Act (continued)

- Section 301
  - Mandates that all audit committee members be independent
  - External auditor reports to, is overseen by, and is compensated by the audit committee

Sarbanes-Oxley Act (continued)

- Section 302
  - Requires that the CEO and CFO certify quarterly and annual financial reports
  - SOX imposes criminal fines or jail time on violators

Sarbanes-Oxley Act (continued)

- Sections 304 and 305
  - Designed to eliminate or limit seemingly outrageous behavior
  - Earnings restatements may require the CEO and CFO to return bonuses based on bogus numbers
  - Blackout periods related to trading in 401K and pension plans apply equally to all employees
- Revised rules related to attorney reporting of corporate misconduct
  - Controversial due to attorney-client privilege

Sarbanes-Oxley Act (continued)

- Section 404
  - Makes management responsible for acknowledging its responsibility for establishing and maintaining internal control
  - Makes management responsible for an annual assessment of internal controls

Sarbanes-Oxley Act (continued)

- Other sections of Title IV
  - Require the company to adopt a code of ethics for senior officers
  - Require a financial expert on the audit committee
  - Mandate companies to provide information about material financial statement issues to investors ASAP

Sarbanes-Oxley Act (continued)

- Other Titles of SOX
  - Mandate workpaper retention policies
  - Provide whistleblower protection
  - Require the CEO and CFO to personally certify that the financial reports are fairly presented
  - Personal penalties for knowingly falsifying (not corporate responsibility)

REVIEW

Under the 2002 Sarbanes-Oxley Act, _____________ must certify the effectiveness of the company's internal controls each year. If they sign off on ineffective controls, they could _______________.

a. CFOs and CEOs; face civil and criminal penalties.
b. CFO; face civil penalties.
c. CEO; get fired.
d. External auditor; face the Audit Committee.

REVIEW

The primary responsibility for overseeing the establishment and administration of internal control rests with

a. The external auditor.
b. The controller.
c. The internal auditor.
d. Senior management.

COSO Internal Control Framework

- Common framework for the definition of internal control and procedures to evaluate controls
  - Process affected by the BOD, management and others to provide reasonable assurance regarding achieving effective and efficient operations, reliable financial reporting, and compliance with laws
- Released in 1992 and has become widely accepted

COSO Internal Control Framework (continued)

- COSO Framework
  - A pyramid of 5 layered, interconnected components comprises the overall control system
  - Control environment: the foundation
  - Risk assessment, control activities and monitoring are layered on top of the foundation
  - The 5th element is an interface channel between the other 4 layers: communication and information

COSO Internal Control Framework (continued)

[Figure: COSO internal control pyramid]
Source: COSO's Internal Control-Integrated Framework

COSO Internal Control Framework (continued)

- Internal control environment
  - Has a pervasive influence on the organization
  - Reflects the attitude, awareness and actions of the BOD, management and others regarding the importance of internal control
  - History and culture play important roles
  - "Tone at the top"

COSO Internal Control Framework (continued)

- Internal control environment
  - Integrity and ethical values
    - Strong code of conduct communicated throughout the organization
  - Commitment to competence
    - Adequate training, supervision, job descriptions
  - BOD and audit committee
    - Independent audit committee

COSO Internal Control Framework (continued)

- Internal control environment
  - Management's philosophy and operating style
    - Risk taker/conservative, seat of the pants/careful planner
  - Organizational structure
    - Centralized/decentralized, reporting relationships

COSO Internal Control Framework (continued)

- Internal control environment
  - Human resources policies and practices
    - Recruitment/hiring, new employee orientation, evaluation/promotion/compensation, disciplinary actions

COSO Internal Control Framework (continued)

- Risk Assessment
  - Evaluation of potential risks to the organization's ability to achieve its objectives
  - 3-step process:
    - Estimate the significance of the risk
    - Assess its likelihood
    - Consider how to manage the risk or what actions to take

COSO Internal Control Framework (continued)

- Risk Assessment
  - Risks from external factors include legislation, technology
  - Risks from internal factors include quality of hiring/training
  - Specific activity-level risks include risks related to specific new products

COSO Internal Control Framework (continued)

- Control Activities
  - Policies and procedures
    - Top-level reviews compare results to budget or other benchmarks
    - Direct functional or activity management entails reviewing operational reports or exception reports and taking corrective action
    - Information processing entails development of new systems or access to data

COSO Internal Control Framework (continued)

- Control Activities
  - Policies and procedures (continued)
    - Physical controls over assets
    - Performance indicators entail relating operating data to financial data, and taking analytical, investigative or corrective action
    - Segregation of duties

COSO Internal Control Framework (continued)

- Control Activities
  - Integrating risk assessment and control activities
    - Appropriate control activities are established to address specific risks
    - May need to prune "dumb" controls

COSO Internal Control Framework (continued)

- Control Activities
  - Controls over information systems
    - General controls that ensure control over all applications (locks on the door to the computer center)
    - Application controls apply to specific programs
  - Organization needs to consider evolving technologies and new/modified controls

COSO Internal Control Framework (continued)

- Communications and Information
  - Information systems can be formal or informal, internal or external
  - COSO emphasized that they be
    - Strategic, consistent with the organization's goals (not outdated)
    - Integrated with other operations

COSO Internal Control Framework (continued)

- Communications and Information
  - COSO suggests and SOX requires that information be
    - Timely
    - Accurate
    - Current
    - Accessible
    - Appropriate

COSO Internal Control Framework (continued)

- Communications and Information
  - Internal systems
    - Most important component may be communication from senior management, "tone at the top"
    - Each person needs to know how he or she fits into the organization; otherwise they may think errors don't matter
    - Each person needs to know the limits, what is unethical/improper
    - Communication must flow up and down

COSO Internal Control Framework (continued)

- Communications and Information
  - External systems
    - Include a mechanism to capture and act upon complaints, a source of potential control issues
    - Communication must flow in both directions

COSO Internal Control Framework (continued)

- Monitoring
  - Historically the role of internal auditors
  - COSO expands it to include ongoing assessments of and adjustments to internal control as circumstances warrant
  - Many routine business functions are considered monitoring activities, such as reconciliations

COSO Internal Control Framework (continued)

- Monitoring
  - Separate internal control evaluations (in addition to ongoing monitoring) need to be performed periodically
    - Can be done by management
  - Identified internal control deficiencies (no matter how they're identified) should be reported, investigated, and appropriately acted upon

REVIEW
Which of the following are elements included in
the control environment?
a. Organizational structure, management
philosophy, and planning.
b. Risk assessment, assignment of
responsibility, and human resource practices.
c. Competence of personnel, backup facilities,
laws, and regulations.
d. Integrity and ethical values, assignment of
authority, and human resource policies.

REVIEW
Which of the following fits most directly under
the control activities component of the
COSO Internal Control framework?
a. Company-level controls dealing with tone at
the top.
b. Accounting for shipping documents to
ensure that all sales are recorded.
c. Overall methods for assigning authority and
responsibility.
d. The control environment.

Understanding, Using, and Documenting COSO Internal Controls

- SOX 404 requires that organizations understand, document, test, and evaluate internal controls of major processes and systems
- COSO is the suggested tool for this process

Fundamentals of Internal Controls

- Definition of a control system
  - The car is an example: if the accelerator or brakes aren't used properly, the car operates out of control
  - An organization is similar: all the parts have to operate/be directed properly or the organization is out of control
- An internal control system should attain or maintain a desired state

Fundamentals of Internal Controls (continued)

- Elements of a control system
  - Detector/sensor element measures the system being controlled (often the auditor)
  - Selector or standard element is the base used to compare/evaluate what's detected (standards, best practices)
  - Controller element changes the behavior based on the comparison of detector and standard
  - Communications network element transmits messages between the controller element and the thing being controlled

Fundamentals of Internal Controls (continued)

- Types of control techniques; a combination of all 3 assures a process is operating properly
  - Preventive controls
    - Locked doors, passwords
  - Detective controls alert management that a problem has occurred
    - Door alarms, account reconciliations
  - Corrective controls assist in recovery from problems
    - Insurance policy
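To make the four control-system elements and the three control types concrete, here is an added example (not from the slides or from Moeller's book) that models a small disbursement process: a preventive control (dual approval at or above a constructed threshold), a detective control (reconciliation of an internal ledger against a bank statement, with the detector and standard roles labelled) and a corrective control (the controller moves unmatched entries to suspense), with a report object playing the communications-network role. The threshold, account references, approver names and transactions are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed threshold (assumption): disbursements at or above this need two approvers.
DUAL_SIGNATURE_THRESHOLD = 10_000


@dataclass
class Disbursement:
    ref: str
    amount: int        # whole currency units (constructed sample values)
    approvers: tuple   # who signed off


@dataclass
class ControlReport:
    """Communications-network element: carries messages from the controls to management."""
    messages: list = field(default_factory=list)

    def notify(self, level, text):
        self.messages.append((level, text))


def preventive_control(d: Disbursement, report: ControlReport) -> bool:
    """Preventive (yes-no) control: refuse to post a disbursement that lacks the
    required approvals. Returns True if the disbursement may proceed."""
    needed = 2 if d.amount >= DUAL_SIGNATURE_THRESHOLD else 1
    distinct = len(set(d.approvers))          # the same person signing twice is not dual approval
    if distinct < needed:
        report.notify("blocked", f"{d.ref}: needs {needed} approver(s), has {distinct}")
        return False
    return True


def post_ledger(disbursements, report):
    """Post only disbursements that pass the preventive control; return the ledger."""
    return {d.ref: d.amount for d in disbursements if preventive_control(d, report)}


def detective_control(ledger: dict, bank_statement: dict, tolerance: int, report: ControlReport):
    """Detective control: account reconciliation.
    Detector - measures the two records (ledger vs. bank statement).
    Standard - the expectation that every entry matches its counterpart within tolerance.
    Returns the exceptions as (ref, ledger_amount, bank_amount) tuples."""
    exceptions = []
    for ref in sorted(set(ledger) | set(bank_statement)):
        l, b = ledger.get(ref), bank_statement.get(ref)
        if l is None or b is None or abs(l - b) > tolerance:
            exceptions.append((ref, l, b))
            report.notify("exception", f"{ref}: ledger={l} bank={b}")
    return exceptions


def corrective_control(ledger: dict, exceptions, report: ControlReport):
    """Controller element: changes behaviour based on the detector-vs-standard comparison.
    Here unmatched ledger entries are moved to a suspense list for investigation
    instead of being silently carried forward."""
    reconciled = dict(ledger)
    suspense = {}
    for ref, l, _b in exceptions:
        if l is not None:
            suspense[ref] = reconciled.pop(ref)
            report.notify("corrective", f"{ref}: moved {l} to suspense pending investigation")
    return reconciled, suspense


def run_control_cycle(disbursements, bank_statement, tolerance=0):
    """One pass of preventive -> detective -> corrective controls over a batch."""
    report = ControlReport()
    ledger = post_ledger(disbursements, report)
    exceptions = detective_control(ledger, bank_statement, tolerance, report)
    reconciled, suspense = corrective_control(ledger, exceptions, report)
    return {"ledger": ledger, "exceptions": exceptions, "reconciled": reconciled,
            "suspense": suspense, "report": report.messages}


# Constructed sample data
SAMPLE_DISBURSEMENTS = [
    Disbursement("D-001", 2_500, ("alice",)),            # passes: one approver suffices
    Disbursement("D-002", 15_000, ("alice", "bob")),     # passes: dual signature present
    Disbursement("D-003", 12_000, ("alice", "alice")),   # blocked: same person twice
    Disbursement("D-004", 800, ("carol",)),              # passes, but absent from the bank statement
]
SAMPLE_BANK_STATEMENT = {"D-001": 2_500, "D-002": 15_000, "D-009": 400}  # D-009 unknown to the ledger

if __name__ == "__main__":
    result = run_control_cycle(SAMPLE_DISBURSEMENTS, SAMPLE_BANK_STATEMENT)
    for level, text in result["report"]:
        print(f"[{level}] {text}")
```

Running the cycle on the sample data blocks D-003 before it reaches the ledger, reports D-004 (in the ledger, not at the bank) and D-009 (at the bank, not in the ledger) as reconciliation exceptions, and parks D-004 in suspense; the `tolerance` parameter shows where the standard element sets how much deviation is acceptable before a difference counts as an exception.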

Fundamentals of Internal Controls (continued)

- Preventive, detective and corrective controls operate on 3 levels
  - Steering: preventive controls designed to attract management attention and prompt action (respond to falling market share)
  - Yes-No: protective controls designed to ensure adherence to a pre-established control (approvals)
  - Post-action: requires management's after-the-fact action; may require correcting detective, preventive or corrective controls (reassign an employee, repair damaged products)

REVIEW
Controls may be classified according to the
function they are intended to perform; which
of the following is a detective control?
a. Dual signatures on all disbursements over a
specific amount.
b. Recording every transaction on the day it
occurs.
c. Monthly bank statement reconciliations.
d. Requiring all members of the internal audit
staff to be CPAs.

REVIEW

Controls designed to deter undesirable events from occurring are

a. Preventive controls.
b. Directive controls.
c. Detective controls.
d. Output controls.

WRAP UP
Questions?
