8/14/2019 Sify Sox Familiarization
PROJECT - SOX
Compliance with Sarbanes Oxley Act
Sox Team
SEC Requirements 302 & 404

Stakeholders
The reliability on Financial reporting
Management certification on the Effectiveness of Internal Control by assessing the controls (Fraud and Error
Management Certification - Section 302
Management Assessment - Section 404
Auditor Attestation - Section 404
SEC requirement
Setting the Stage
Relevant Sections

Section 302
Key Requirements: CEO and CFO certification of periodic SEC filings
Implication: Accuracy issues resulting in criminal prosecution of company officers must be identified and removed

Section 404
Key Requirements: CEO and CFO certification of internal controls with auditor attestation
Implication: Requires ongoing documentation, evaluation and remediation of financial internal controls

Section 409
Key Requirements: Rapid and current basis disclosure of financial and operating events
Implication: Monitoring, prevention and real-time disclosures of material changes must be systematic and ongoing

Section 802
Key Requirements: Retention and protection of audit documents and related records
Implication: Digital vaulting and ready access to historical records, including correspondence and e-mails must
SOX 302 and 404 - Overview

Disclosure Controls and Procedures
Internal Controls over Financial Reporting
Section 302: Quarterly Management Certification
Section 404: Annual Management Assessment and Auditor Attestation
Management Assessment - 404

Entity Level Controls / IT Governance
Disclosure Controls
Internal Control over Financial Reporting
Anti Fraud Program
Application Controls
ITGC
Top Down Approach
Risk Based
COSO
COBIT
Management Certification

No omission / misrepresentation caused by frauds or errors
Fair presentation of the issuer's financial condition with regard to the following:
Completeness
Existence/Occurrence
Allocation/Valuation
Rights & Obligations
Presentation & Disclosure
Statement of responsibility indicating:
Adequate design of disclosure controls
Adequate design of internal controls
Evaluation of effectiveness of disclosure controls
Disclosure of changes to internal controls
SOX 404 Methodology

Scope the Project -> Prepare Documentation and Evaluate Controls -> Test and Monitor Controls -> Report

Evaluation Phases and Approach:

1. Understand the Definition of Internal Control
   Approach: The definition in the COSO report is the best starting point for the evaluation.
2. Organize a Project Team to Conduct the Evaluation
   Approach: Select an appropriate team and establish ground rules. Organize process, team, project timing.
3. Evaluate Internal Control at the Entity Level
   Approach: Begin evaluation by considering internal control at the entity level.
4. Understand and Evaluate Internal Controls at the Process, Transaction, or Application Level
   Approach: This is a comprehensive, time-consuming process of documenting and understanding the flows of transactions and related controls. Includes management testing. Prepare documentation, conduct detailed testing and correct control deficiencies.
5. Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring Systems
   Approach: The final step is to make an overall assessment based on evaluation results. Develop a monitoring process.
6. Management's Report on Internal Control
   Approach: Auditor's Examination of Management's Assertion.

Business Process Controls Review

COSO Considerations:
1. Efficiency / Effectiveness of Operations
2. RELIABILITY OF FINANCIAL REPORTING
3. Compliance with applicable Laws / Regulations

COBIT Considerations:
1. Security
2. RELIABILITY OF DATA
3. Effectiveness / Efficiency
Key Benefits of Effective Internal Control over Reporting

Improved effectiveness/efficiency of internal control processes
Better information for investors
Enhanced investor confidence
What is the flow?

Transaction - Business -> Completion - Finance -> Closure of AR, AP, FA -> GL Closure -> Trial Balance -> Indian GAAP Adjustments -> US GAAP Adjustments -> Financial Reporting Disclosures -> Stakeholders
Steps in Top Down Approach

Identify, understand and evaluate the design of entity-wide controls
Identify significant accounts and relevant assertions
Identify significant processes & major classes of Transactions
Identify points at which errors or fraud could occur
Identify controls to test that prevent or detect errors or fraud on a timely basis
Clearly link individual controls with the significant accounts and assertions to which they relate
Deployment of Resources: HIGH RISK AREAS
Sox universe - A bird's eye view

Financial Statements
Significant Accounts
Management Assertions
Significant Processes / Sub Processes
Locations
Applications/Transactions
ITGC
SOX
Entity
Fraud
Disclosure
Key Areas for Auditors Certification

Entity Level Controls & Disclosure Controls
Finance Closure Process
Accounting Estimates and Judgments
General Computer Controls
Entity-wide Controls: A most pervasive

Control Environment
Risk Assessment
Information & Communication
Monitoring
Control Activities
Entity Level Controls Audit Program

Integrity and Ethical Values
Management Commitment to competence
An effective Board of Directors
Management's philosophy and operating style
Organizational structure
Assignment of Authority and responsibility
Organization around the Human resource Department
Entity Level objectives
Process Level objectives
Risk identification and analysis
Managing change
Quality of Information
Effectiveness of communication
Process Controls
Ongoing monitoring activities
Evaluation of internal control system
Reporting Deficiencies
Anti Fraud Control - Program

Evaluation based on Fraud Indicators
Whistle Blower Policy
Management Responsibilities
Audit committee oversight
Internal/External Audit
Code of conduct
Disclosure controls

Controls which ensure the quality and timeliness of information included in securities filings
Includes controls over recording, processing and summarization of information disclosed in filings
Policies to ensure completeness of information are important
Examples of Disclosure Controls

Policy
Disclosure Committee
Review of disclosures by: Senior management
Board / Audit Committee
Communications strategy
Requirements strategy
Cascading certification
Tying IT All Together

[Diagram: layered view of controls]
Executive Management
Control Environment
Application Controls
Business Processes: Finance, Manufacturing, Logistics, Etc.
IT General Controls
IT Services: OS/Data/Telecom/Continuity/Networks
Source: IT Governance Institute
IT Control Components

IT Considerations in Control Environment: Systems planning, Governance, Enterprise policies, Operating style
IT General Controls: Systems Security / Access, Change Management, System Development, Computer Operations
Application Controls: Authorization, Configuration / account mapping, Exception / edit reports, Interface / conversion, System access
Collaboration, Information Sharing, Code of Conduct, Fraud Prevention
MANAGEMENT FINAL THOUGHT

Control Framework:
COSO - Entity Level Controls, Anti Fraud Assessment, Process
COBIT - IT General Controls
Disclosure, IT, ICOFR - FCP

Financial Statements -> Significant Accounts -> Management Assertions -> Significant Processes / Sub Processes -> Locations -> Applications/Transactions -> What Can Go Wrong? -> Mitigating Controls -> Walkthrough Testing

Control Deficiency / Significant Deficiency / Material Weaknesses -> Management Report -> SEC Report 20F
Clear Audit Report / Qualified Audit Report
Thank you