財(cái)務(wù)管理咨詢( 108)ppt課件

1、達(dá)盟上海財(cái)務(wù)管理咨詢TMF Services Ltd. SOX Training Agenda1.Overview of Sarbanes-Oxley Act 2.COSO Internal Control Framework3.What Could Go Wrong (Risk) 4.Internal Control 5.Typical mistakes in control identification6.Risk and Control Mapping7.Identification of Key Control8.Control Deficiency9.Walkthrough10.Te

2、st of Control11. Comparison between Walkthrough and Test of Control12.SOX Project Overview13.SOX Documentation and Requirement Overview of Sarbanes Oxley ActGeneral Introduction to the ActWhat were the Causes?Introduction to Various Key SectionsOverview of Sarbanes Oxley ActThe Sarbanes-Oxley Act is

3、 a USlaw enacted by President Bush onJuly 30, 2002 formally known as“The Public Company AccountingReform and Investor ProtectionAct(上市公司會(huì)計(jì)改革與投資者維護(hù)法案).Overview of Sarbanes Oxley ActWhat were the Causes?:1. Why enact Sarbanes-Oxley?EnronWorldComRestore Investor ConfidenceIncreased TransparencyReform A

4、ccounting Industry2. Protecting the interests of:-Shareholders Pension beneficiariesEmployeesOverview of Sarbanes Oxley ActWhat the Act did: Added new financial disclosure requirements Increased CEO/CFO responsibilities and penalties Created a Public Company Accounting Oversight Board (PCAOB), with

5、standard-setting, investigative, and disciplinary authority Strengthened auditor independence rules Added internal control reporting requirementOverview of Sarbanes Oxley ActThe Act contains 11 titles with various sections:Title I: Public Company Accounting Oversight BoardTitle II: Auditor Independe

6、nce Title III: Corporate Responsibility (Section 302)Title IV: Enhanced Financial Disclosures (Section 404)Title V: Analyst Conflicts of InterestTitle VI: Commission Resources and Authority Title VII: Studies and ReportsTitle VIII: Corporate and Criminal Fraud Accountability Title IX: White-collar C

7、rime Penalty Enhancements (Section 906)Title X: Corporate Tax ReturnsTitle XI: Corporate Fraud and Accountability Overview of Sarbanes Oxley ActSection 404 requirement:Requires each annual report to contain an “internal control report,which must include:1. A statement of managements responsibility f

8、or establishing andmaintaining adequate internal controls over financial reporting;2. Managements assessment of the effectiveness of the companysinternal control over financial reporting as of the end of thecompanys most recent fiscal year;3. A statement identifying the framework used by management

9、toevaluate the effectiveness of the internal control over financialreporting; and4. A statement that the external auditor has issued an attestation report on managements assessment.Overview of Sarbanes Oxley ActThe SECs final 404 rules preclude management from concludingthe effectiveness of the inte

10、rnal control over financial reporting if one or more “material weakness is identified.The rules also require management to disclose any“material weaknesses identified in the course of the evaluation.Overview of Sarbanes Oxley ActDeadline for Implementation of SOX 404 Requirement:Company TypeUpdated

11、DeadlineOld DeadlineU.S. Company and accelerated filersForeign private issuers and non-accelerated filersThe Company with aggregate market value of common equity lower than USD$75 millionAnnual report for a fiscal year ending on or after Nov. 15, 2004 (revised in Feb. 2004)Annual report for a fiscal

12、 year ending on or after July 15, 2006 (revised in Mar. 2005)Annual report for a fiscal year ending on or after July 15, 2007 (revised in Sep. 2005)Annual report for a fiscal year ending on or after June 15, 2004Annual report for a fiscal year ending on or after July 15, 2005Annual report for a fisc

13、al year ending on or after July 15, 2005Overview of Sarbanes Oxley ActA company becomes an “accelerated filer (加速呈報(bào)公司) after it first meets ALL 4 of the following requirements as of the end of a fiscal year: The aggregate market value of common equity is USD$75 million or more, measured as of the en

14、d of the companys second fiscal quarter; The company has been subject to the requirements of the Securities Exchange Act for at least 12 months as of the end of the fiscal year; The company has filed at least one annual report on Form 10-K; and The company is not eligible to use Form 10-KSB and Form

15、 10-QSB for its annual and quarterly reports as of the end of the fiscal year SOX Training Agenda1.Overview of Sarbanes-Oxley Act 2.COSO Internal Control Framework3.What Could Go Wrong (Risk) 4.Internal Control 5. Typical mistakes in control identification6.Risk and Control Mapping7.Identification o

16、f Key Control8.Control Deficiency9.Walkthrough10.Test of Control11. Relationship between Walkthrough and Test of Control12.SOX Project Overview13.SOX Documentation and Requirement COSO Internal Control FrameworkCOSO: The Committee of Sponsoring Organizations of the Treadway Commission (美國(guó)反對(duì)虛偽財(cái)務(wù)報(bào)告委員會(huì)

17、的贊助委員會(huì)/美國(guó)反欺詐性財(cái)務(wù)報(bào)告委員會(huì)管理組織)COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public compani

18、es and their independent auditors, for the SEC and other regulators, and for educational institutions.The National Commission was jointly sponsored by five major professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountant

19、s, Financial Executives International, The Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public acc

20、ounting, investment firms, and the New York Stock Exchange.The Chairman of the National Commission was James C. Treadway, Jr., Executive Vice President and General Counsel, Paine Webber Incorporated and a former Commissioner of the U.S. Securities and Exchange Commission. (Hence, the popular name Tr

21、eadway Commission). Currently, the COSO Chairman is Larry E. Rittenberg.How is COSO related to SOX 404?Guidance from SEC provides that management is required to base its assessment of the companys internal control over financial reporting on a suitable and recognised control framework.COSO Framework

22、 to help client assess the effectiveness of the internal control environment and hence achieve compliance with SOX 404.COSO Internal Control FrameworkCOSO Internal Control FrameworkThe integrated framework defined by COSO:Internal Control-Integrated Framework (issued in 1992)Enterprise Risk Manageme

23、nt-Integrated Framework (issued in Sep. 2004)1. Control environment1. Internal environment2. Objective setting3. Event identification2. Risk assessment4. Risk assessment5. Risk response3. Control activities6. Control activities4. Information and communication7. Information and communication5. Monito

24、ring8. MonitoringCOSO Internal Control FrameworkThe control environment sets the tone of an organization, influencing the control consciousness of its peopleIntegrity & Ethical ValuesCommitment to CompetenceBoard of Directors / Audit CommitteeManagements Philosophy & Operating StyleOrganizational St

25、ructureAssignment of Authority & ResponsibilityHuman Resource Policies & PracticesCOSO Internal Control FrameworkEvery entity faces a variety of risks from external and internal sources that must be assessed.A pre-condition of risk assessment is the establishment of objectives.Risk assessment if the

26、 identification and analysis of relevant risks to achievement of the objectives, thus forming a basis for determining how the risks should be managed.COSO Internal Control FrameworkControl activities are policies and procedures that help ensure management directives are carried outEnsures that actio

27、ns are taken to address the risksThese actions are carried out at all levels of the organisation and include a range of activities such as approvals, authorisations, verifications, reconciliations, segregation of duties etc.COSO Internal Control FrameworkPertinent information must be identified, cap

28、tured and communicated in a form and timeframe that supports all other control components InformationObtaining external & internal informationProviding information to the right people at the right timeDevelopment / revision of information systemsCommunicationExternal & internal communication policy,

29、 e.g. employees roles & responsibilitiesChannels of communication for people to report suspected improprietiesReceptivity of management to employees performance improvement suggestionsOpenness & effectiveness of communication with external partiesExtent to which outside parties have been made aware

30、of the entitys ethical standardsTimely and appropriate follow-up by management on complaintsCOSO Internal Control FrameworkInternal control systems need to be monitored a process that assesses the quality of the systems performance over timeOngoing monitoringSeparate EvaluationsReporting deficiencie

31、sCOSO Internal Control Framework SOX Training Agenda1.Overview of Sarbanes-Oxley Act 2.COSO Internal Control Framework3.What Could Go Wrong (Risk) 4.Internal Control 5.Typical mistakes in control identification6.Risk and Control Mapping7.Identification of Key Control8.Control Deficiency9.Walkthrough

32、10.Test of Control11. Relationship between Walkthrough and Test of Control12.SOX Project Overview13.SOX Documentation and Requirement What Could Go Wrong?What Could Go WrongFor each significant account assertion ask where in the processing of tractions can be error that wouldbe material?What Could G

33、o Wrong?Definition of AssertionsAssertions are representations by management that are embodied in financial statement components. The only difference between an assertion and a potential error is how each is stated. An assertion is a positive statement (e.g., all transactions are recorded) whereas a

34、 potential error is the inverse, or a negative statement (e.g., all transactions are not recorded). Management uses assertions (or potential errors) to identify “what can go wrongs to determine whether management has placed into operation control activities sufficient to meet the risks to financial

35、reporting. What Could Go Wrong?1. Existence or Occurrence - Assets, liabilities and ownership interests exist at a specific date; recorded transactions represent events that actually occurred during the period.2. Completeness - All transactions & other events & circumstances that occurred during a s

36、pecific period & should have been recognized in the period have, in fact, been recorded.3. Valuation or Measurement - Assets, liabilities, revenue & expense components are recorded at appropriate amounts in conformity with company policy and applicable statutory financial accounting and reporting ru

37、les & regulations. Transactions are mathematically correct and appropriately summarized and recorded in the entitys books and records.4. Rights and Obligations - Assets are the rights, and liabilities are the obligations of the entity at a given date.5. Presentation and Disclosure - Items in the fin

38、ancial statements (ABACUS financial reporting package) are properly described, sorted and classified.6. Safeguarding - Assets are adequately safeguarded from misappropriation or use.7. Segregation of Duties - Authorization, custody, recording, and controlling are adequately segregated.SOX Project Ov

39、erview Assertion Potential Error Existence or occurrence Not business reality Completeness Incomplete Not timely Valuation or allocation InaccurateNot objective Inconsistent with selected principlesNot consistent from period to period Rights and obligations Not authorized Presentation and disclosure

40、 MisleadingSafeguarding Inadequately safeguarded Segregation of duties Inadequately segregated What Could Go Wrong?Example:Lets discuss “What Could Go Wrong? to the following sub-process:Fixed Assets acquisition;Fixed Assets disposal;Fixed Assets safeguarding;Segregation of duty. SOX Training Agenda

41、1.Overview of Sarbanes-Oxley Act 2.COSO Internal Control Framework3.What Could Go Wrong (Risk) 4.Internal Control 5.Typical mistakes in control identification6.Risk and Control Mapping7.Identification of Key Control8.Control Deficiency9.Walkthrough10.Test of Control11. Relationship between Walkthrou

42、gh and Test of Control12.SOX Project Overview13.SOX Documentation and Requirement Internal ControlInternal control is broadly defined by COSO as:A process, effected by an entitys board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of

43、 objectives in the following three categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulationsInternal ControlInternal control over financial reporting is a process designed by management to provide reasonable assurance re

44、garding the reliability of financial reporting and the preparation of financial statements in accordance with generally accepted accounting principles (US GAAP / the A&RG) and includes those policies and procedures that:(1) Pertain to the maintenance of records that accurately and fairly reflect our

45、 daily financial transactions (including dispositions of assets),(2) Provide reasonable assurance that transactions are recorded as necessary and that receipts and expenditures are made only in accordance with authorizations of management and directors; and(3)Provide reasonable assurance regarding p

46、revention or timely detection of unauthorized acquisition, use or disposition of assets.Internal ControlAn activity that mitigates business risk.Examples include:Authorization controlsSystem configuration and account mapping controlsException/edit reportsKey performance indicatorsManagement reviewRe

47、conciliationSegregation of dutiesSystem access controlsPhysical assets safeguardTrainingInternal ControlDocumentation of Actual internal Control: Who performs the controls (competence/experience of the individuals), including whether appropriate segregation of duties is achieved and, if not, how the

48、 associated risks are mitigated?How the actual controls effectively meet the related control objective(s)?How often the controls are performed?How detected exceptions are followed up?Internal ControlInternal control Type:1. Manual2. Automated3. IT-dependentWe can also classify Internal control as:A.

49、 Prevent controlB. Detect controlInternal ControlManual Prevent ControlsManual Prevent controls are controls thatAre not performed by the computerAre not reliant on computer generated information Prevent errors from occurring during transaction processingExamples include:Approving a manual purchase

50、order (e.g., physical signature on a manual purchase order) Contracts are kept in a locked cabinet by a specified staff.Internal ControlManual Detect ControlsManual Detect Controls are controls that:Are not performed by the computerAre not reliant on computer generated information Detect and correct

51、 errors that may have occurred in processed transactions on a timely basisExamples include:Prepare the bank reconciliation manually and investigate the significant reconciling items.Re-performance of a calculation.Internal ControlComparison of Manual Prevent v Detect controlsPreventDetectTakes place

52、 before an error occursNormally applies to a single transactionTakes place after an error occursNormally applies to a population of transactionsInternal ControlIT-Dependent controlsIT-Dependent controls are controls that use computer-produced information. They are therefore a hybrid control with bot

53、h a computer and human element. The computer-produced information is often referred to as electronic evidence. Examples include:Manual balancing/review of computer-produced information such as a bank reconciliation that uses computer-generated cash receipts and cash disbursements detailManual review

54、 and follow up of items on an exception or variance report such as management review of monthly variance report and follow-up on significant variances.Internal ControlIT-Dependent controls (continued)Because the IT-dependent control relies on computer-produced information or reports, it is important

55、 that appropriate controls are in place to ensure that the computer-produced information is complete and accurate. SOX Training Agenda1.Overview of Sarbanes-Oxley Act 2.COSO Internal Control Framework3.What Could Go Wrong (Risk) 4.Internal Control 5.Typical mistakes in control identification6.Risk a

56、nd Control Mapping7.Identification of Key Control8.Control Deficiency9.Walkthrough10.Test of Control11. Relationship between Walkthrough and Test of Control12.SOX Project Overview13.SOX Documentation and Requirement Typical mistakes in control identificationWho perform the control segregation of dut

57、y2.Control vs Activity3.Control vs PolicyControl vs Activity vs Policy1. Who perform the control?Risk:All changes to the master vendor file are not captured, input, recorded, and processed into the information system.Only independent check / review is considered to be “controlControl 1: VMM can only

58、 create / change the master vendor file based on approved forms and then the VMM double check the creation / change. Control 2: VMM runs SAP run vendor master change log and new vendor creation change log weekly, then deputy of VMM check the change log against the approved application form. PControl

59、 vs Activity vs Policy2. Control vs ActivityRisk: Changes to customer data file did not actually take place.Not all activities are “controlControl 1: Sales staff updates SAP based on the approved SAP Customer creation / change form with information of customers name, address, telephone no, fax no.,

60、proposed payment terms and order amount when opening a new customer account.Control 2: Sales staff runs SAP run customer master change log and new customer creation change log weekly, then deputy of sales staff checks the change log against the approved Customer creation / change form.PControl vs Ac