
PROJECT-SOX
Compliance with the Sarbanes-Oxley Act

SOX Team
SEC Requirements - Sections 302 & 404

[Diagram: stakeholders rely on financial reporting; that reliability rests on management's certification of the effectiveness of internal control, made by assessing the controls for fraud and error. The roles under each section are:]

SEC requirement    Responsible party    Role
Section 302        Management           Certification
Section 404        Management           Assessment
Section 404        Auditor              Attestation
Setting the Stage
Relevant Sections

Section 302
  Key requirement: CEO and CFO certification of periodic SEC filings
  Implication: accuracy issues that could result in criminal prosecution of company officers must be identified and removed

Section 404
  Key requirement: CEO and CFO certification of internal controls, with auditor attestation
  Implication: requires ongoing documentation, evaluation and remediation of internal controls over financial reporting

Section 409
  Key requirement: disclosure of financial and operating events on a rapid and current basis
  Implication: monitoring, prevention and real-time disclosure of material changes must be systematic and ongoing

Section 802
  Key requirement: retention and protection of audit documents and related records
  Implication: digital vaulting and ready access to historical records, including correspondence and e-mails, must
SOX 302 and 404 - Overview

Section 302: quarterly management "certification"
  Scope: Disclosure Controls and Procedures (which include Internal Control over Financial Reporting)

Section 404: annual management "assessment", with auditor attestation
  Scope: Internal Control over Financial Reporting
Management Assessment - 404

[Diagram: risk-based top-down approach to the Section 404 management assessment. Entity Level Controls / IT Governance and the Anti-Fraud Program sit at the top; beneath them Disclosure Controls and Internal Control over Financial Reporting, supported by Application Controls and ITGC (IT General Controls). COSO frames the business-side controls and COBIT the IT-side controls.]
Management Certification
• No omission or misrepresentation caused by fraud or error
• Fair presentation of the issuer's financial condition with regard to the following assertions:
  • Completeness
  • Existence / Occurrence
  • Allocation / Valuation
  • Rights & Obligations
  • Presentation & Disclosure
• Statement of responsibility indicating:
  • Adequate design of disclosure controls
  • Adequate design of internal controls
  • Evaluation of the effectiveness of disclosure controls
  • Disclosure of changes to internal controls
SOX 404 Methodology

COSO Considerations:
1. Efficiency / Effectiveness of Operations
2. Reliability of Financial Reporting
3. Compliance with applicable Laws / Regulations

COBIT Considerations:
1. Security
2. Reliability of Data
3. Effectiveness / Efficiency

Business Process Controls Review

Approach: Scope the Project -> Prepare Documentation and Evaluate Controls -> Test and Monitor Controls -> Report

Evaluation Phases:
1. Understand the Definition of Internal Control
   • The definition in the COSO report is the best starting point for the evaluation.
2. Organize a Project Team to Conduct the Evaluation
   • Select an appropriate team and establish ground rules.
3. Understand and Evaluate Internal Control at the Entity Level
   • Begin the evaluation by considering internal control at the entity level.
4. Evaluate Internal Controls at the Process, Transaction, or Application Level
   • This is a comprehensive, time-consuming process of documenting and understanding the flows of transactions and related controls.
   • Includes management testing.
5. Evaluate Overall Effectiveness, Identify Matters for Improvement, and Establish Monitoring Systems
   • The final step is to make an overall assessment based on the evaluation results.
   • Develop a monitoring process.
6. Management's Report on Internal Control

Underlying activities across the phases: organize the process, team and project timing; prepare documentation, conduct detailed testing and correct control deficiencies; auditor's examination of management's assertion.
Key Benefits of Effective Internal Control over Financial Reporting
• Improved effectiveness and efficiency of internal control processes
• Better information for investors
• Enhanced investor confidence
What is the flow?

[Flow diagram, from business transaction to stakeholders: Transaction (Business) -> Completion (Finance) -> Closure of AR, AP, FA -> GL Closure -> Trial Balance -> Adjustments -> Indian GAAP -> US GAAP Adjustments -> Financial Reporting -> Disclosures -> Stakeholders.]
Steps in Top Down Approach
(Deployment of resources is directed at the high-risk areas.)

 Identify, understand and evaluate the design of entity-wide controls
 Identify significant accounts and relevant assertions
 Identify significant processes and major classes of transactions
 Identify points at which errors or fraud could occur
 Identify controls to test that prevent or detect errors or fraud on a timely basis
 Clearly link individual controls with the significant accounts and assertions to which they relate
SOX universe - A bird's eye view

[Diagram: Entity -> Financial Statements -> Significant Locations, Significant Accounts and Management Assertions -> Significant Processes / Sub Processes -> Applications / Transactions -> ITGC. Disclosure and Fraud considerations span the whole SOX universe.]
Key Areas for Auditor's Certification
• Entity Level Controls & Disclosure Controls
• Finance Closure Process
• Accounting Estimates and Judgments
• General Computer Controls
Entity-wide Controls: the most pervasive controls
• Control Environment
• Risk Assessment
• Information & Communication
• Monitoring
• Control Activities
Entity Level Controls Audit Program
• Integrity and ethical values
• Management's commitment to competence
• An effective Board of Directors
• Management's philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Organization around the Human Resource Department
• Entity level objectives
• Process level objectives
• Risk identification and analysis
• Managing change
• Quality of information
• Effectiveness of communication
• Process controls
• Ongoing monitoring activities
• Evaluation of the internal control system
• Reporting deficiencies
Anti-Fraud Control Program
 Evaluation based on Fraud Indicators
 Whistle Blower Policy
 Management Responsibilities
 Audit committee oversight
 Internal/External Audit
 Code of conduct
Disclosure Controls
• Controls which ensure the quality and timeliness of information included in securities filings
• Includes controls over recording, processing and summarization of information disclosed in filings
• Policies to ensure completeness of information are important
Examples of Disclosure Controls
• Policy
• Disclosure Committee
• Review of disclosures by:
  • Senior management
  • Board / Audit Committee
• Communications strategy
• Requirements strategy
• Cascading certification
Tying IT All Together

[Diagram (Source: IT Governance Institute): the Control Environment, set by Executive Management, spans the business processes (Manufacturing, Logistics, Finance, etc.). Application Controls sit within each business process; the processes run on IT Services (OS / Data / Telecom / Continuity / Networks), which are governed by IT General Controls.]
IT Control Components

IT Considerations in the Control Environment:
• Systems planning
• Collaboration
• Governance
• Information sharing
• Enterprise policies
• Operating style
• Code of Conduct
• Fraud prevention

IT General Controls:
• Systems security / access
• Change management
• System development
• Computer operations

Application Controls:
• Authorization
• Configuration / account mapping
• Exception / edit reports
• Interface / conversion
• System access
MANAGEMENT FINAL THOUGHTS

[Summary diagram:]
• Anti-Fraud Assessment
• Control Framework: COSO, COBIT
• Entity Level Controls: Disclosure, ICOFR (Internal Control over Financial Reporting) - FCP, IT
• Process: Financial Statements -> Significant Locations, Significant Accounts, Management Assertions -> Significant Processes / Sub Processes -> Applications / Transactions -> IT General Controls
• For each: What can go wrong? -> Mitigating controls -> Walkthrough -> Testing
• Outcomes: Control Deficiency -> Management Report; Significant Deficiency -> Management Report; Material Weakness -> SEC Report (Form 20-F)
• Audit result: Clear Audit Report or Qualified Audit Report
Thank you
