For
IT managers and executives who are participating in a SOX compliance project, or who are responsible for IT controls which impact financial reporting in UK companies.
Need
- Understanding of how and why SOX changes corporate governance for UK companies
- Awareness of management responsibilities under SOX
- Operational management support for enhanced controls
- Increased awareness of the concept of risk management and IT controls over financial reporting.
Content
INTRODUCTION TO SOX
The background to SOX
- Introduction to corporate fraud, corruption, negligence.
- The damage caused and the need for countermeasures such as SOX.
- The background to SOX and its provisions.
- Introduction to the concepts and logic of financial controls and testing for IT professionals
- Introduction to the concepts of risk based controls for IT professionals
- Introduction to corporate governance for IT professionals
- The role of IT in anti-fraud, financial controls, risk management, and governance.
- Coverage of how financial controls can be used to improve information based business processes
Overview of the legal provisions of the Sarbanes-Oxley Act. In particular:-
- 302 - the duty of financial officers
- 404 - the internal control report and submission
- 406 - code of ethics
- 802 - penalties for altering documents
- 806 - protection for white-collar staff who expose fraud
- 1102 - tampering with a record or impeding a proceeding
The 404 internal control report
- The finished report
- The framework for control
- Internal controls in relation to financial reporting (SEC definition)
- The COSO framework for internal control (ref. PCAOB Auditing Standard No. 2)
- The Cobit framework for IT control
A structured approach to section 404 internal control compliance (taking account of the PCAOB guidelines on interpretation issued in May 2005: planning and scoping), showing how to:-
- Plan and scope financial systems
- Conduct a risk assessment - adopting a top-down risk approach to controls
- Identify significant controls and accounts
- Document and design controls
- Evaluate controls
- Complete a Process Mapping
- Complete a Controls Matrix
- Evaluate operational effectiveness (testing)
- Identify and remediate control deficiencies
- Document the compliance process
- Attestation
- Build sustainability
The framework for control - Cobit
- Why Cobit is the most common framework
- Introduction to Cobit
- The Control Environment
- Effectiveness
- Ethics
- Testing methodology
- Remediation strategy
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
- Reliability of reporting
- Effectiveness of reporting
- Compliance with applicable laws and regulations
Roles in SOX 404
- CEO and CFO
- SOX project team
- Business unit teams
- IT specialists
PCAOB guidelines on interpretation
- Tone at the top
- Entity level controls
- The risk assessment process
Ethics and Governance
- Ethics policy for CEO and senior finance staff
- The importance of tone from the top
- Establishing an open and ethical management culture
SCOPING AND PLANNING FOR SOX IT COMPLIANCE
Materiality
- What defines materiality - numerical value, qualitative influence
- AICPA view - anything likely to be considered important by investors, particularly concerning significant accounts:-
  - Profit
  - Current assets
  - Working capital
- SEC view - anything that:-
  - Changes a loss into a profit
  - Masks a change in earnings
  - Hides a failure to meet analysts' expectations
  - Affects compliance with loan covenants
  - Increases executive compensation
- Basis of materiality - the use of a percentage figure as a starting point; agreement with auditors on benchmarks ("what a reasonable person needs to know")
Identification
- Business unit
- Accounts
- Processes
- Application systems
- Computer processing environment
- Service organisations
Controls
- Process level / Company level
- Type - preventative, detective, manual, automatic, IT
- IT Controls
SOX 404 Documentation of Controls
- Documentation
  - Business overview
  - Process flow maps
  - Narrative notes
  - Controls matrix
  - Policies, procedures, process maps, manuals
- Documentation Guidelines
  - Issuer, owner and hand-offs
  - Storage
  - Version control
  - COSO
  - Standards
  - Control objectives
  - Assertions
  - Risk assessment
  - Review and sign-off
- Documentation of underlying processes
  - What is a process and a sub-process
  - What should be documented
  - Hand-offs
  - Tools and standards for documenting processes
  - Documenting controls
  - Method for storing documentation
  - Change control and ownership
- Assessing design effectiveness
  - Evaluation by risk or aggregation of risks
  - Gathering evidence of testing
  - Demonstrating the link to financial statements
IT Controls for SOX 404
- Relationship to COSO
- COSO type 1 - General controls: data centre, operating systems, access security, system development methodology
- COSO type 2 - Application controls
- Balancing controls
- Pre-defined data lists
- Date reasonability
- Authorisation
- Tolerance levels
- Cobit
The COBIT framework
- The 34 high-level control objectives
- The 318 specific control objectives
- COBIT Cube
The alignment of frameworks
- ITIL
- ISO/IEC 17799:2000
- ISO/IEC 15408
Outsourced Services
- SAS 70 for external service providers
  - Type 1 and Type 2 reports
- Risks from outsourced services
- Preparation prior to outsourcing
Significant IT Risks and Issues
- Security
- Spreadsheets
  - Identifying spreadsheets used as applications
  - Development Lifecycle Controls
  - Access Control (Create, Read, Update, Delete)
  - Integrity Controls
  - Change Control
  - Version Control
  - Documentation Controls
  - Continuity Controls
  - Segregation of Duties Controls
  - Spreadsheet errors
  - Spreadsheets and material weaknesses
- Systems Integration
- Business continuity
- Segregation of duties
TESTING IT CONTROLS AND EVALUATION OF OPERATING EFFECTIVENESS
Testing and Evaluation of Operating Effectiveness
- Master list of controls objectives
- Conduct of testing
- Documentation of test results
- Test types
  - Corroborative
  - Observational
  - Documentation
  - Re-performance
- Analysis of results
- Classification - Material, Significant, Non-significant, No control
  - Ineffective
    - Document deficiency
    - Identify cause
    - Assess significance - aggregated impact, likelihood of recurrence, magnitude
  - Effective
    - Document test - date, tester, conclusion
- Control Deficiencies
  - Issue evaluation
  - Compensating controls
  - Deficiency assessment
  - Resolution plan
  - Timing of remediation
- Remediation Plan
  - Strengthen, Replace, Redesign
  - Timing, Objectives, Allocation of responsibility, Deadline, Time and cost, Progress, Management approval, Audit committee approval
- Attestation based on test results
The use of external agencies in IT testing
- SOX rules on delegation of activities but not responsibility
- Agreement on scope and methodology
Common SOX Remediation for IT
- IT systems upgrades
- Application standardisation
- Systems integration
- Spreadsheet elimination
- Document retention and storage
THE ROLE OF IT IN REDUCING THE COST OF SOX COMPLIANCE
IT activities that reduce the cost of SOX compliance
- Replacement of manual processes with automated processes
- Replacement of manual tests and controls with automated processes and controls
- Elimination of spreadsheets
- Provision of dashboards and monitoring tools to operational managers
Outcome
Attendees will:-
- Possess a clear understanding of the reasons why SOX compliance is a prominent business issue for UK companies.
- Appreciate its importance and support the work involved in achieving compliance.
- Be familiar with the duties that SOX places on IT professionals.
- Be able to take their place in a SOX project and understand and make a positive contribution to the compliance process for IT controls.
Format
Training will consist of lectures, discussions, exercises and tests.
Maximum of 8 attendees per course.
For further information on our courses, call +44 870 7743 055 or email info@quartus-solutions.com.