SOX for Finance Professionals

For

Financial managers and executives who are participating in a SOX compliance project, or who are responsible for the integrity of financial controls for UK companies.

Need

  • Understanding of how and why SOX changes corporate governance for UK companies
  • Awareness of management responsibilities under SOX
  • Operational management support for enhanced controls
  • Increased awareness of the concept of risk management and financial control

Content

INTRODUCTION TO SARBANES-OXLEY

Background to SOX.

  • Introduction to corporate fraud, corruption, negligence.
  • The damage caused and the need for counter measures like SOX.


Overview of the legal provisions of the Sarbanes-Oxley Act. In particular:-

  • 302 - the duty of financial officers
  • 404 - the internal control report and submission
  • 406 - code of ethics
  • 802 - penalties for altering documents
  • 806 - protection for white collar staff who expose fraud
  • 1102 - tampering with a record or impeding a proceeding
  • 201 - prohibited services from auditors
  • 206 - auditor conflict if interest
  • 302 - the duty of financial officers
  • 401 - financial disclosures
  • 402 - conflict of interest
  • 404 - the internal control report and submission
  • 406 - code of ethics
  • 409 - real-time disclosure
  • 802 - penalties for altering documents
  • 806 - protection for white collar staff who expose fraud
  • 90x - penalties
  • 1102 - tampering with a record or impeding a proceeding


The 404 internal control report

  • The finished report
  • The framework for control
    • Internal controls in relation to financial reporting (SEC definition)
    • The COSO framework for internal control (ref PCAOB 2)
    • The Cobit framework for IT control

A structured approach to section 404 internal control compliance (taking account of the PCAOB guidelines on interpretation issued in May 2005) showing how to:-

  • Plan and scope financial systems
  • Conduct a risk assessment - adopting a top-down, risk-based approach to controls over financial reporting
  • Identify significant controls and accounts
  • Undertake a Process Mapping exercise
  • Design and document controls
  • Complete a Controls Matrix
  • Evaluate the design of controls
  • Evaluate operational effectiveness (testing)
  • Identify and remediate control deficiencies
  • Document the process
  • Attestation
  • Build sustainability

The framework for control - COSO

  • Why COSO is the most common framework
    • Introduction to COSO
    • The Control Environment
      • Effectiveness
      • Ethics
      • Testing methodology
      • Remediation strategy
    • Risk Assessment
    • Control Activities
    • Information and Communication
    • Monitoring
  • Reliability of reporting
  • Effectiveness of reporting
  • Compliance with applicable laws and regulations

Roles in SOX 404

  • CEO and CFO
  • SOX project team
  • Business unit teams
  • IT specialists

PCAOB guidelines on interpretation

  • Tone at the top
  • Entity level controls
  • The risk assessment process

Ethics and Governance

  • Ethics policy for CEO and senior finance staff
  • The importance of tone from the top
  • Establishing an open and ethical management culture

SCOPING AND PLANNING

Materiality

  • What defines materiality - numerical value, qualitative influence
  • AICIPAC view - anything likely to be considered important by investors, particularly concerning significant accounts:-
    • Profit
    • Current assets
    • Working capital
  • SEC view - anything that:-
    • Changes a loss into a profit
    • Masks a change in earnings
    • Hides a failure to meet analysts' expectations
    • Affects compliance with loan covenants
    • Increases executive compensation
  • Basis of materiality - the use of a percentage figure as a starting point, and agreement with auditors on benchmarks ("what a reasonable person needs to know")

Identification

  • Business unit
  • Accounts
  • Processes
  • Computer processing environment
  • Service organisations

Controls

  • Process level / Company level
  • Type - preventative, detective, manual, automatic, IT
  • IT Controls

SOX 404 Documentation of Controls

  • Documentation
    • Business overview
    • Process maps
    • Control narratives
    • Controls matrix
    • Policies, procedures, manuals
  • Documentation Guidelines
    • Issuer, owner and hand-offs
    • Storage
    • Version control
    • COSO
    • Standards
  • Control objectives
    • Assertions
    • Risk assessment
    • Review and sign-off
  • Documentation of underlying processes
    • What is a process and a sub-process
    • What should be documented
    • Hand-offs
    • Tools and standards for documenting processes
  • Documenting controls
    • What needs to be documented
    • Method for storing documentation
    • Change control and ownership
  • Assessing design effectiveness
    • Evaluation by risk or aggregation of risks
    • Gathering evidence of testing
    • Demonstrating the link to financial statements

IT Controls for SOX 404

  • Relationship to COSO
  • COSO type 1 - General
  • Data centre, Operating systems, Access security, System development methodology
  • COSO type 2 - Application
  • Balancing controls
    • Pre-defined data lists
    • Data reasonability
    • Authorisation
    • Tolerance levels
  • Cobit
  • Link to financial statements

Outsourced Services

  • SAS 70 for external service providers


TESTING AND EVALUATION OF OPERATING EFFECTIVENESS

Testing and Evaluation of Operating Effectiveness

  • Master list of controls objectives
  • Conduct of testing
  • Documentation of test results
  • Test types
    • Corroborative
    • Observational
    • Documentation
    • Re-performance
  • Analysis of results
    • Classification - Material, Significant, Non-significant, No control
    • Ineffective
      • Document deficiency
      • Identify cause
      • Assess significance - aggregated impact, likelihood of recurrence, magnitude
    • Effective
      • Document test - date, tester, conclusion
  • Control Deficiencies
    • Issue evaluation
    • Compensating controls
    • Deficiency assessment
    • Resolution plan
    • Timing of remediation
  • Remediation plan
    • Strengthen, Replace, Redesign
    • Timing, Objectives, Allocation of responsibility, Deadline, Time and cost, Progress, Management approval, Audit committee approval
  • Attestation based on test results

Outcome

Attendees will:-

  • Possess a clear understanding of the reasons why SOX compliance is a prominent business issue for UK companies.
  • Appreciate its importance and support the work involved in achieving compliance.
  • Be familiar with the duties that SOX places on senior executives and company management.
  • Be able to take their place on a SOX project.
  • Understand and make a positive contribution to the compliance process.
  • Be aware of, and able to capitalise on, the wider business benefits that SOX can bring to business processes.

Format

Training will consist of lectures, discussions, exercises and tests.
Maximum of 8 attendees per course.


Who should attend

Financial executives and managers who are or will be participating in a SOX compliance process for UK companies.

For further information on our courses, call +44 870 7743 055 or email info@quartus-solutions.com