Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS Security, Audit, and Control (Dr. Zhao)

Published byElvin Watkins Modified over 8 years ago

Similar presentations

Presentation on theme: "IS Security, Audit, and Control (Dr. Zhao)"— Presentation transcript:

1 IS Security, Audit, and Control (Dr. Zhao)
Background A number of major corporate and accounting scandals Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom Boardroom failure Conflicts of interests: auditor, financial analysts Internet bubble Purpose: Bring honesty, clarity, and speed to corporate financial reporting Restore investors’ confidence Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

2 Sarbanes-Oxley Act of 2002

3 Contents Brief History Objectives of Sarbanes-Oxley Key Points

4 Brief History Created by US Senator Paul Sarbanes (D-Maryland) and US Congressman Michael Oxley (R-Ohio) Signed into law July 30, 2002 Most dynamic securities legislation since the New Deal

5 Objectives In response to the Arthur Anderson, Enron and WorldCom debacle, the Sarbanes-Oxley Act seeks to: Restore the public confidence in both public accounting and publicly traded securities Assure ethical business practices through heightened levels of executive awareness and accountability

6 TITLE I – PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
Creation of the Public Company Oversight Board (the Board) Created as a non-profit organization, the Board will oversee audits of public companies; it is under the authority of the SEC but above other professional accounting organizations such as the AICPA The Board is comprised of 5 members (appointees), with a maximum of two CPA’s Among its duties are registering existing public accounting firms which prepare audits for publicly traded companies (issuers), reviewing registered public accounting firms (auditing the auditors), establishing and amending rules and standards (in cooperation with other standard setters), and in the event of non-compliance by registered public accounting firms, to try such firms (and/or any related associate(s)) and penalize

7 TITLE II – AUDITOR INDEPENDENCE
Prohibits registered public accounting firms (RPAFs) who audit an issuer from performing specific non-audit services for that issuer, including but not limited to: bookkeeping, financial information systems design, appraisal services, actuarial services, internal audit outsourcing services, management/human resource functions, broker/dealer, legal/expert services outside the scope of the audit In addition to these limitations, audit functions and all other non-audit functions provided to the audit client must be pre-approved by the Board (such as tax services) Audit Partner rotation – Lead partner on 5 years, off 5 years; other partners on 7 years, off 2 RPAFs performing audits to issuers must report to issuer’s audit committees about: (1) critical accounting policies to be used in the audit, (2) any written communication with management, and (3) any deviations from GAAP in financial reporting

8 TITLE II (cont.) A conflict of interest arises and an RPAF may not perform audit services for any issuer employing – in the capacity of CEO, controller, CFO or any other equivalent title – a former audit engagement team member – there is a “cooling-off period” for one year i.e., an employee of an RPAF who works on an audit of an issuer may not turn around and directly go to work for that issuer – they must wait one year Currently under investigation is the possibility of mandatory rotations of audit clients among registered public accounting firms

9 TITLE III – CORPORATE RESPONSIBILITY
Audit Committee (committees est. by the board of a company for the purpose of overseeing financial reporting) Independence Establishes minimum independence standards for audit committees Independence of the audit committee crucial in that it must (1) oversee and compensate RPAF to perform audit, and (2) establish procedures for addressing complaints by the issuer regarding accounting, internal control, etc. (this lays the foundation for anonymous whistleblowing) CEOs and CFOs must certify in any periodic report the truthfulness and accurateness of that report – creates liability Under certain conditions of re-statement of financials due to material non-compliance, CEOs and CFOs will be required to forfeit certain bonuses and profits paid to them as a result of material mis-information

10 TITLE IV – ENHANCED FINANCIAL DISCLOSURES
Issuers must disclose “off-balance sheet transactions” in periodic reports No issuer shall make, extend, modify or renew any personal loan to CEOs, CFOs (limited exceptions include company credit cards) Annual reports will contain internal control reports which state the responsibility of management for establishing such controls and their assessment of the effectiveness of such controls – which must be attested to by the auditor In periodic reports filed, the issuer must disclose its code of ethics for senior financial officers, and if the issuer has not adopted such a policy, must disclose why not Issuer must disclose whether or not its audit committee is comprised of at least one financial expert, and if not, why Member considered financial expert if they have an understanding of GAAP, experience in preparing/auditing financials, experience with internal controls, and an understanding of audit committee functions SEC must review disclosures (in financials) made by any issuer at least once every three years (similar to Board review of registered public accounting firms) Issuers must disclose in real time any additional information concerning material changes in the financial condition or operations of the issuer

11 TITLE V – ANALYST CONFLICTS OF INTEREST
National Securities Exchanges and registered securities associations must adopt rules designed to address conflicts of interest that can arise when securities analysts recommend securities in research reports To improve objectivity of research and provide investors with useful and reliable information

12 TITLE VI – COMMISSION RESOURCES AND AUTHORITY
Increase 2003 appropriations for the SEC to $780 million, $98 million to be used to hire an additional 200 employees for enhanced oversight of auditors and audit services SEC will establish rules setting minimum standards for profession conduct for attorneys practicing before it SEC to conduct investigations of any security professional who has violated a security law May censure, temporarily bar or deny right to practice

13 TITLE VII – STUDIES AND REPORTS
The Comptroller General of the US shall conduct a study regarding the consolidation of public accounting firms (e.g. Coopers & Lybrand/Price Waterhouse combine to become PriceWaterhouseCoopers; ToucheRoss/DeloitteHaskins merge to become Deloitte & Touche) since 1989, analyze the past, present and future impact of the consolidations, and create solutions to problems discovered caused by such consolidations The Comptroller General and/or SEC will also explore such issues as (1) the role and function of credit rating agencies in the operation of the securities market, (2) the number of securities professionals (public accountants, investment bankers, attorneys) who have been found to have aided and abetted a violation of securities law and who have not been disciplined, (3) all enforcement actions by the SEC regarding re-statements, violations of reporting requirements, etc., for the five year period prior to the date the Act is passed, and (4) whether investment banks and financial advisers assisted public companies in manipulating their earnings (specifically Enron and WorldCom)

14 TITLE VIII – CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
To knowingly destroy, create, manipulate documents and/or impede or obstruct federal investigations is considered felony, and violators will be subject to fines or up to 20 years imprisonment, or both All audit report or related workpapers must be kept by the auditor for at least 5 years Whistleblower protection – employees of either public companies or public accounting firms are protected from employers taking actions against them, and are granted certain fees and awards (such as Attorney fees)

15 TITLE IX – WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
Financial statements filed with the SEC by any public company must be certified by CEOs and CFOs; all financials must fairly present the true condition of the issuer and comply with SEC regulations Violations will result in fines less than or equal to $5 million and /or a maximum of 20 years imprisonment Mail fraud/wire fraud convictions carry 20 year sentences (previously 5 year sentences) Anyone convicted of securities fraud may be banned by SEC from holding officer/director positions in public companies

16 TITLE X – CORPORATE TAX RETURNS
Federal income tax returns must be signed by the CEO of an issuer

17 TITLE XI – CORPORATE FRAUD ACCOUNTABILITY
Destroying or altering a document or record with the intent to impair the object’s integrity for the intended use in a securities violation proceeding, or otherwise obstructing that proceeding, will be subject to a fine and/or up to 20 years imprisonment The SEC has the authority to freeze payments to any individual involved in an investigation of a possible security violation Any retaliatory act against whistleblowers or other informants is subject to fine and/or 10 year imprisonment

18 IS Security, Audit, and Control (Dr. Zhao)
Overview Public company accounting oversight board (PCAOB) Auditor Independence Corporate Responsibility Enhanced Financial Disclosures Analyst Conflicts of Interest Commission Resources and Authority Studies and Reports Corporate and Criminal Fraud Accountability White Collar Crime Penalty Enhancement Corporate Tax Returns Corporate Fraud Accountability Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

19 A Central Oversight Board (Section 101-109)
Establishment of PACOB Oversee the audit of public companies Five members (2 CPA), 5 year terms All public accounting firms must register with PACOB Registration fees Annual accounting support fees Responsibilities: standard-setting, inspections (1 year/3 years), investigation SEC have “oversight and enforcement authority over the PACOB”. Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

20 Public Company Audit Committees (Section 301)
Member: A member of the board of directors of the issuers An independent member Responsibility: Appoint, compensate, and oversee the work of any registered public accounting firm employed by the issuers Confidentially communicate with whistle-blowers. Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

21 Individual Accountability
CEO/CEO need to certify the accuracy and completeness of the financial statement (Section 302) Penalties CEO/CFO knowingly submits a wrong certification $1 million and up to 10 years in jail If the wrong certification is submitted “willfully” Up to $5 million and 20 years in jail Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

22 Reporting and Disclosure
Enhanced reporting requirement for financial transactions (Section 401) Off balance transactions, pro-forma figures, security transactions of corporate officers Timely Disclosure (Section 409) “Issuers must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.” Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

23 What Information Is “Material”
Information is material if there is “a substantial likelihood that a reasonable investor would consider it important in making an investment decision” or if it would be “viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

24 Section 404: Management Assessment of Internal Controls
Requires each annual report of an issuer to contain an ‘internal control report’, which shall: State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. Contain an assessment, as of the end of the issuer’s fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for firnanical reporting. Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

25 IS Security, Audit, and Control (Dr. Zhao)
Auditor Independence Restricts auditing companies from providing non-audit services such as: Services related to the accounting records or financial statement Financial information systems design and implementation Appraisal or valuation Actuarial services Internal audit outsourcing Management functions or human resources Broker or dealer, investment adviser Legal services and expert services unrelated to the audit Audit partner rotation Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

26 IS Security, Audit, and Control (Dr. Zhao)
Costs and Criticism Costs Significant In 2007, the average compliance costs were $1.7 million for firms with average revenues of $4.7 billion Decreases over time Different impacts Centralized vs. decentralized firms Small vs. large firms Criticism Does the compliance benefit exceed the cost? Does SOX deter small firms and foreign firms to register on American stock exchanges? Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

27 IS Security, Audit, and Control (Dr. Zhao)
Implications for IT “The nature and characteristics of a company’s use of IT in its information systems affect the company’s internal control over financial reporting.” (PACOB Auditing Standard No.2) Whether finance understands technology issues involved in SOX compliance? Whether IT understands the business issues? Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

28 IS Security, Audit, and Control (Dr. Zhao)
Implications for IT Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

29 Provisions Applied to IT
302 – Corporate responsibility for financial reporting Is our financial data accurate? Do we have transaction level detail if required? Do we understand all the processes involved? 404 – Annual mgmt assessment of internal controls How does our control structure operate? Who is accountable? Is it monitored? Is it documented? 409 – Real-time disclosure of material changes 802 – Retention of relevant records for audits/reviews Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

30 IS Security, Audit, and Control (Dr. Zhao)
Controls Over IT IT control environment Computer operations Access to program and data Program development and program changes Keep in mind: Not “one size fits all” No need to reinvent the wheel Different controls methods Preventive vs. detective Manual vs. automatic Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

31 IT Control Environment
“The auditor’s preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary.” (PCAOB) IT control environment IT governance: IS strategic plan, risk management, compliance and regulatory management, IT policies, procedures and standards Monitoring Reporting Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

32 IS Security, Audit, and Control (Dr. Zhao)
Computer Operations Control over IT infrastructure Acquisition, installation, configuration, integration, and maintenance Control over daily operations Service level management Third-party management System availability Problem and incident management Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

33 Access to Programs and Data
Methods Secure passwords Internet firewalls Data encryption Cryptographic keys Regular review of user profiles Remove unauthorized users, such as terminated employees, immediately Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

34 Program Development and Program Changes
New applications System development methodology Quality assurance methodology Existing applications Change management Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

35 IS Security, Audit, and Control (Dr. Zhao)
Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

36 IS Security, Audit, and Control (Dr. Zhao)
Compliance Road Map 1. Plan and Scope Not all IT processes are relevant Define key systems 2. Risk Assessment Impact and probability 3. Identify significant accounts Accounts that have a significant impact on financial reporting and disclosure Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

37 IS Security, Audit, and Control (Dr. Zhao)
Compliance Map 4. Document Control Design The design of control Transaction flows Fraud prevention and detection Management testing and evaluation 5. Evaluate Control Design Maturity stage: Nonexistent, initial, repeatable, defined, managed and measurable, optimized Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

38 IS Security, Audit, and Control (Dr. Zhao)
Compliance Map 6. Evaluate Operational Effectiveness How IT affects the financial reporting process Control external service organizations for outsourced services 7. Identify and Remediate Deficiencies 8. Document Process and Results 9. Build Sustainability A continuous process Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

39 IS Security, Audit, and Control (Dr. Zhao)
Discussion What’s happening now? Bear Sterns, Lehman Brothers, Merry Lynch Freddie Mac, Fannie Mae AIG, Washington Mutual… Any system wide risks? Thoughts on regulatory controls? Fall, 2008 IS Security, Audit, and Control (Dr. Zhao)

Download ppt "IS Security, Audit, and Control (Dr. Zhao)"

Similar presentations

Building on Our Core Values Building on Our Core Values © 2003 by the AICPA The Sarbanes-Oxley Act.

Building on Our Core Values Building on Our Core Values © 2003 by the AICPA The Sarbanes-Oxley Act.
Sarbanes-Oxley Act of 2002 UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.

Sarbanes-Oxley Act of 2002 UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.
1 4 th session: Corporate Governance – Sarbanes Oxley Performance Evaluation IMSc in Business Administration October-November 2009.

1 4 th session: Corporate Governance – Sarbanes Oxley Performance Evaluation IMSc in Business Administration October-November 2009.
Accountants Legal and Ethical Responsibilities. Legal Federal Securities Law Federal Securities Law Contract Contract Negligence Negligence Racketeering.

Accountants Legal and Ethical Responsibilities. Legal Federal Securities Law Federal Securities Law Contract Contract Negligence Negligence Racketeering.
Forces of Change Don H. Hansen Health Care Services Partner 425.303.3013.

Forces of Change Don H. Hansen Health Care Services Partner
Professional Ethics Chapter 4.

Professional Ethics Chapter 4.
Sarbanes-Oxley Act of 2002.

Sarbanes-Oxley Act of 2002.
Case 6.1 Enron Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill.

Case 6.1 Enron Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill.
Corporate Governance: The New Age The Expanded Role of Outside Counsel and Standards of Professional Conduct for Attorneys March 10, 2003 Turnaround Management.

Corporate Governance: The New Age The Expanded Role of Outside Counsel and Standards of Professional Conduct for Attorneys March 10, 2003 Turnaround Management.
Sarbanes-Oxley Act of 2002. 2 Benefits of Act Three quarters of the financial executives in the Oversight Systems survey said that their company had realized.

Sarbanes-Oxley Act of Benefits of Act Three quarters of the financial executives in the Oversight Systems survey said that their company had realized.
Sarbanes-Oxley Act. 2 What Is It? Act passed by Congress in response to the recent and continuing corporate scandals. Signed into law July 30, 2002. Established.

Sarbanes-Oxley Act. 2 What Is It? Act passed by Congress in response to the recent and continuing corporate scandals. Signed into law July 30, Established.
Copyright © 2010 South-Western/Cengage Learning

Copyright © 2010 South-Western/Cengage Learning
1 Sarbanes-Oxley Section 404 June 29, 2005. 2  SOX 404 Background 3  SOX 404 Goals 4  SOX 404 Requirements 5  SOX 404 Assertions 6  SOX 404 Compliance.

1 Sarbanes-Oxley Section 404 June 29,  SOX 404 Background 3  SOX 404 Goals 4  SOX 404 Requirements 5  SOX 404 Assertions 6  SOX 404 Compliance.
15-1. 15-2 15 Fraud and SOX Compliance McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Fraud and SOX Compliance McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Sarbanes Oxley Act. WHY? Public Company Accounting Reform and Investor Protection Act of 2002 Response to a number of major corporate and accounting scandals.

Sarbanes Oxley Act. WHY? Public Company Accounting Reform and Investor Protection Act of 2002 Response to a number of major corporate and accounting scandals.
Chapter 1 Accounting: The Key to Success. What’s so important about Accounting? Accounting is at the heart of every business It is the means through which.

Chapter 1 Accounting: The Key to Success. What’s so important about Accounting? Accounting is at the heart of every business It is the means through which.
The Current Status of Corporate Governance in the USA An overview of the cause and effect of recent legislation.

The Current Status of Corporate Governance in the USA An overview of the cause and effect of recent legislation.
Sarbanes-Oxley: where Information-Technology, Finance and Ethics Meet

Sarbanes-Oxley: where Information-Technology, Finance and Ethics Meet
COMPLIANCE & SOX.

COMPLIANCE & SOX.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Similar presentations

Ads by Google