sarbox alert

April 2005 Volume 1, Issue 3

Feature ArticlesUsing Risk Frameworks to Manage Sarbanes-Oxley ControlsWhy Use Risk and Control Frameworks?

For public companies, the most immediate reason for using a standardized risk framework is… you have to. In interpreting the Sarbanes-Oxley Act, the SEC has required that managements' evaluations of the effectiveness of the company's corporate internal controls (described in Section 302 of the Act) be based upon an industry-recognized controls framework. Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports explains how the SEC expects CEOs and CFOs to base their opinions. It says:

"We believe that each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances" and then goes on to say "The methods of conducting evaluations of internal control over financial reporting will, and should, vary from company to company. Therefore, the final rules do not specify the method or

(continued next page — see Risk Frameworks)

Managing Fraud as a Type of RiskThe Sarbanes-Oxley Act requires that companies

acknowledge and manage risk. The COSO and COBIT frameworks are useful in that they provide industry standards for classifying areas of interest that need to be safeguarded. They further classify those areas so that leadership and staff can unambiguously identify areas under consideration for the implementation of controls. These frameworks are especially useful in guarding against the types of risk that result from areas "falling through the cracks" and not receiving needed attention. Merely implementing a control framework, however, will not be effective in preventing a special type of risk: fraud.

Fraud is defined in Black’s Law Dictionary as:

An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right. A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. . . A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false

Industry NewsRecord Number of Requests for Extensions

Already this year, 1,769 companies have formally asked the SEC for an extension in filing their annual reports, according to John Heine, an SEC spokesman.

For all of 2004, the number of companies that sought extensions was 2,064. Most of these filings occur before the end of March, the deadline for companies whose fiscal years end Dec. 31.

A number of companies have asked for extensions in order to comply with provisions of the 2002 Sarbanes-Oxley Act that kicked in this year.

- -

Failure Rates are InSo far this year, 7.7 percent of the internal control

assessments filed this proxy season have been given "failing grades" by the companies' external auditor.

These figures come from a study form commissioned Raisch Financial Information Services and Compliance Week.

What companies are failing? The industries with the highest number of "adverse opinions" provided by auditors are computer hardware and software (18.20 percent); metals and mining (17.2 percent), and consumer services (16.7 percent).

What auditor is issuing adverse opinions? According to the study, the Big Four accounting firm that has issued the largest number of

(continued on page 7 — see Industry News

In this issue...Focus: Risk FrameworksArticles Industry News - page 1 Using Risk Frameworks to Manage

Sarbanes-Oxley controls - page 1 Managing Fraud as a Type of Risk -

page 1Sarbox Project Templates - page 11

Reference: The Elements of the COSO Risk Framework

Reference: The Elements of the COBIT Risk Framework

Worksheet: What is the Probability of a problem?

© Copyright 2005 RiskCenter, LLC. Published bi-weekly. Federal copyright law prohibits duplication or reproduction in any form, including electronic, without express permission by the publisher.

S A R B O X A L E R T Volume I, Number 3 page 2

suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated.

(continued page 5 — see Fraud as Risk

Worksheet: What is the Impact of a problem? Template: a Risk Grid Suggested Language: Expressing the same idea

using "IT speak", "Risk speak" and "Auditing speak"

Crossword Puzzle: Risk Frameworks – page 11



Risk Frameworks – continued from previous page

procedures to be performed in an evaluation."

They go on to discuss the COSO framework:

"...we have modified the final requirements to specify that management must base its evaluation of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.

The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors."

Other reasons to use the COSO framework

It's helpful to remember the reasons that we use internal controls. They exist to provide reasonable assurance regarding the achievement of the following three objectives:

Economy and efficiency of operations (this includes achieving performance goals and safeguarding of assets against loss)

Reliable financial and operational data and reports.

Compliance with laws and regulations.

The original COSO framework was designed as a tool for evaluating internal control systems and to provide a common basis for management teams, directors, regulators, and others to better understand and effectively communicate about enterprise risk management. It was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

From the COSO home page: "COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

Single year subscription : $495.Group subscription inquiries: 212.825.1525 or [email protected]: Contact Igor Lamser at 212.825.1525Publisher: Igor LamserEditor-In-Chief: Gwen ThomasEditorial Office: 82 Wall Street, Suite 707, New York, NY 10005phone: 212.825.1525 fax: 212.825.1530 www.riskcenter.com


The National Commission was jointly sponsored by the five major financial professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, the Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange."

The original COSO framework contains five control components needed to help assure sound business objectives. The control components are:

Control Environment.

Risk Assessment.

Control Activities.

Information and Communication.

Monitoring.

The Original COSO Cube

2004 COSO Document: Enterprise Risk Management (ERM) COSO Framework

The new Enterprise Risk Management (ERM) COSO framework (COSO-ERM) emphasizes the importance of identifying and managing risks across the enterprise. The new COSO framework consists of eight components:

Internal control environment (from original COSO)

Objective setting (new component)

Event identification (new component)

Risk assessment (from original COSO)


http://www.riskcenter.com/


Risk response (new component)

Control activities (from original COSO)

Information and communication (from original COSO)

Monitoring (from original COSO).

The COSO-ERM Cube

Why You Need Both An Accounting Framework And An IT Framework

In most companies of any size, data moves between multiple business groups and IT systems on its way from initial transactions to the reports to which the CEO and CFO must attest.

Attesting to the accuracy of the data requires confidence in accounting procedures and controls. These are addressed within the COSO framework. COSO's primary role is fiduciary.

The SOX 404 attestation also requires confidence in the IT systems that house, move, and transform data. This requires confidence in the processes and controls for those IT systems and databases. Neither the SEC nor the U.S. Public Company Accounting Oversight Board has openly endorsed a specific information technology control framework. However, the COBIT framework was designed to complement COSO by addressing information criteria: quality requirements, fiduciary requirements, and security requirements.

Quality Requirements:

Quality

Cost

Delivery

Fiduciary Requirements (COSO Report):

Effectiveness and Efficiency of operations

Reliability of Information

Compliance with laws & regulations

Security Requirements:

Confidentiality

Integrity

Availability



Because COSO focuses on fiduciary controls and COBIT addresses broader information criteria as they are affected by IT, COSO and COBIT do not seamlessly map to each other. In using them for Sarbanes-Oxley compliance, companies should remember that compliance is their goal – not checking off every item in lists created for other purposes.

The COBIT framework

COBIT (Control Objectives for Information and Related Technologies) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. It's an IT control framework built in part upon the COSO framework. It approaches IT control by looking at information that is needed to support business requirements and the associated IT resources and processes.

COBIT addresses information quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. These categories form the foundation of COBIT's 34 control objectives. These objectives (and corresponding control activities) are organized into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.

COBIT was designed as a framework comprehensive enough to provide a point of reference

for any IT decision, control point, or auditing discussion. As such, it contains many areas that do not apply to Sarbanes-Oxley concerns. In applying COBIT to Sarbox, users and auditors must determine the relevance to Sarbox of a significant IT process or IT-dependent process by assessing its primary contribution to internal controls over financial reporting. Relevant processes should be assigned appropriate controls from COBIT and other IT control models such as the ISO/IEC 17799 Code of Practice for Information Security Management, established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

COBIT documents are free for download from http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/COBIT_Publications/COBIT_Components.htm .

Using COSO and COBIT to Manage Sarbanes-Oxley Controls

Whether you use COSO or COBIT to address a particular area that falls within the Sarbanes-Oxley area of interest, you'll follow the same essential steps: identify a risk and prioritize it, decide upon a risk management strategy, identify controls to implement, provide governance and stewardship to ensure that controls are applied consistently.

- -


http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/COBIT_Publications/COBIT_Components.htm




http://www.itgovernance.org/


Fraud as Risk – continued from page 1



What does this mean? While many types of risk occur because of accidents, errors, or omissions, fraud occurs because someone intentionally did something wrong. Most controls that companies put into place are designed to prevent, detect, or correct accidents, errors, or omissions. It often takes a special approach – and special controls – to prevent or detect fraudulent actions.

Types Of Fraud

According to Big Four Auditing company PriceWaterhouseCoopers, fraud generally falls into one of four categories: (source: Key Elements of Antifraud Programs and Controls)

Fraudulent financial reportingMost fraudulent financial reporting schemes involve earnings management, arising from improper revenue recognition, and overstatement of assets or understatement of liabilities.

Misappropriation of assetsThis category involves external and internal schemes, such as embezzlement, payroll fraud and theft.

Expenditures and liabilities for improper purposesThis category refers to commercial and public bribery, as well as other improper payment schemes.

Fraudulently obtained revenue and assets, and costs and expenses avoidedThis category refers to schemes where an entity commits a fraud against its employees or third parties, or when an entity improperly avoids an expense, such as tax fraud.

Responsibility For Fraud

It is the responsibility of the company Board of Directors to put in place programs to deter and detect fraud. Specifically, the board's Audit Committee has responsibility for:

1. Monitoring the financial reporting process

2. Overseeing the internal control system

3. Overseeing the internal audit and independent public accounting functions, and

4. Reporting findings to the Board of Directors.

Control Environment

Why is a control environment important? It has a pervasive influence on the way business activities are structured, objectives are established, and risks are assessed. It also influences risk assessment, control activities, information and communication systems, and monitoring activities.

What's in a control environment?

Intangible aspects

integrity, ethical values

competence of management and staff

management’s philosophy and operating style

Tangible Aspects

how management assigns authority and responsibility

how people are organized

development opportunities and training for management and staff

definition of the role of the audit committee and board of directors.

If fraud occurs – or if a company gets into other types of trouble – auditors are going to look at the company's control environment as they assess whether the problem under consideration was an isolated instance or the result of a an inadequate control environment. Consequences to the company will generally be much greater if the control environment is deemed poorly designed or implemented. And so, it is critical that great attention be given to the control environment. From the Board of Directors down to every staff member involved in Sarbanes-Oxley implementation, there should be a mechanism for reporting any real or perceived inadequacy. (This is an example of the old maxim that perceptions may be reality.)

To advertise inSARBOX ALERT,

or for group subscriptions,

contact Igor Lamser

at 212.825.1525

[email protected].

If your company gets into trouble, the U.S. Sentencing Guidelines Manual may be brought into play. Chapter 8 states that an “effective program to prevent and detect violations of law” means a program that has been reasonably designed, implemented and enforced so that it generally will be effective in preventing and detecting criminal conduct.

This means that it is not enough to design an anti-fraud program. It must be implemented and enforced. Start with your Code of Conduct/Ethics. Consider having representative staff review it and discuss it so you can develop a strong confidence level that your employees will understand what it says and interpret it the way your legal and compliance groups intended, and that you have a clear path for implementing it and enforcing your code.

PriceWaterHouseCoopers recommends the following additional steps that should be implemented


mailto:[email protected]


regarding the Code of Conduct (source: Key Elements of Antifraud Programs and Controls).

The code of conduct also must be communicated effectively (through the employee handbook, policy manual, intranet, etc.) on a periodic basis to all covered persons. Ineffective communication prevents even a comprehensive code of conduct from being effective and contributing to an appropriate “tone at the top.”

Employees should evidence their receipt and reading of the code. This is generally accomplished through a confirmation process. Annual confirmations from the covered persons regarding their compliance (or lack thereof) with the code of conduct, including appropriate follow-up regarding lack of response and any exceptions noted, provide adequate evidence.

Requiring attendance at training at the time of hiring and periodically thereafter evidences the entity’s commitment to ensuring that the employees understand the code. Training should address the “tone at the top,” code of conduct, and the individual’s duty to communicate or report actual or suspected fraud or misconduct. Interactive training may provide evidence that a code has been communicated, and that employees have received, read and understood the code.

Both management and the audit committee are required to monitor the code of conduct. Meeting minutes should evidence their ongoing or periodic monitoring.

Identifying Risk

In defining a system of controls and in assessing their effectiveness, special attention should be given to controls against fraud. Because much fraud occurs at

senior levels of the organization, it makes sense for the Board of Directors to be involved in assessing controls aimed at fraud. They should give attention to:

The process for identifying and documenting fraud risk

The types of fraud considered by management (fraudulent financial reporting, misappropriation of assets, unauthorized or improper receipts and expenditures, and fraud by senior management)

The level at which risk is considered (company-wide, business unit and significant account)

The level of likelihood of fraud (probable, reasonably possible and remote)

The level of significance of fraud (inconsequential, more than inconsequential or material)

Another area of special attention is the requirement for a confidential employee hotline as part of a Sarbanes-Oxley Whistleblower Program. SarboxAlert has devoted an entire issue to this: see Volume 1 Number 2, published March, 2005.

Other Considerations

It is important that the audit committee has taken steps to ensure that the organization has implemented what will be interpreted as an effective ethics and compliance program that is properly and periodically tested.

Fraud often happens when a member of management or staff is able to override internal controls, so all Sarbanes-Oxley staff – from implementation teams to the audit committee – should work to ensure that internal controls address the appropriate risk areas and are functioning as designed.

- -

\\



Industry News – Continued from Page 1

adverse opinions is PricewaterhouseCoopers, which failed 9.3 percent of its 398 internal control audits. KPMG appears to be the easiest "grader," failing only 5.5 percent of its 348 SOX 404 audits.

- -

March Internal Control Disclosures 116 companies have disclosed material

weaknesses in their internal controls during the month of March. That's up from 23 in February 2005. Most interpretation say that increase is largely due to the high volume of companies filing their annual reports in March. In March 2004, only 28 companies made similar disclosures.

What are the issues?

Financial systems and procedures. Problems with financial systems and procedures accounted for 70 percent of all weakness disclosures. Those problems typically involved the financial close process, account reconciliation, or inventory processes. 2004 disclosures showed only about half of the disclosures were related to financial systems and procedures.

Tax issues. In March 2005, more than 22 percent of the disclosures mentioned problems with tax accounting. (That’s up from just 3 percent in 2004.) Some instances related to personnel (e.g., understaffed accounting departments, or employees that lacked appropriate expertise), but most of the tax problems were tied to financial systems and procedures (e.g., lack of appropriate controls related to income tax accounting).

Accounting for leases and loans. Approximately 14 percent of the problems with financial systems and procedures in March dealt with accounting for leases and loans. Generally these were related to lease accounting practices or errors, loan loss allowances, or depreciation assumptions. ------

From the Wires: IGate Gets Delisting Notice From Nasdaq

04.11.2005, 05:10 PM (Associated Press) - Technology company IGate Corp. said Monday said it received a delisting notice from the Nasdaq because it has yet to complete an accounting review as part of compliance efforts under the Sarbanes-Oxley Act.

The company said the delisting notice gives it until April 14 to either complete a review of its internal accounting controls or request a hearing on the matter. IGate said it has already made an appeal, and requested a hearing to stay the delisting action."

"The company is working diligently to complete its management report on internal control over financial reporting and expects to file its report and the related attestation report of the independent registered public accounting firm in an amendment to the Form 10-K prior to May 2, 2005," IGate said in a statement. "There

can be however no assurances that Nasdaq will grant the company's request for continued listing."

Shares of IGate fell 25 cents, or 6.5 percent, to close at $3.60 on the Nasdaq.

- - Sarbox Project Templates

Sarbox Project Templates to complement the topics covered in this issue's features are available as stand-alone Microsoft Word documents. Download the following Sarbox Project Templates – as well as others – from the SARBOX ALERT download section at www.riskcenter.com:

Reference: The Elements of the COSO Risk Framework

Reference: The Elements of the COBIT Risk Framework

Worksheet: What is the Probability of a problem?

Worksheet: What is the Impact of a problem?

Template: a Risk Grid

Suggested Language: Expressing the same idea using "IT speak", "Risk speak" and "Auditing speak"

Crossword Puzzle: Risk Frameworks

- -

Next Issue:Sarbox, SAS 70s, and Outsourcers

Articles: A SAS 70 Primer Using Your Sarbox and Governance

Programs to Maintain Control Over Outsourcers

Sarbox Project Templates: Reference: Comparison of SAS 70

Types 1 and 2 Audits Checklist: SAS 70 Control Points Roles and Responsibilities Chart:

Maintaining Control Over Outsourcers

Visual Aid: A Governance and Stewardship Framework for Matrixed Organizations

Visual Aid: Placing Governance and Stewardship Control Points Into Your Outsourcers' Organization




Sarbox Project Template

Crossword Puzzle: Control Frameworks

1 2

3

4 5

6

7

8

Created with EclipseCrossword — www.eclipsecrossword.com

Across

1. A reason to use COSO: Economy and ____ of operations

3. COSO component that deals with tone from the top: • Control

5. Control Objectives for Information and Related Technologies

6. They believe "each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances"

7. What COSO says you do to manage risk: Control ____8. A component shared by COSO and COBIT

Down

2. COBIT security requirements: ___, Integrity, Availability

4. Publisher of COBIT


Key to Last Issue's Puzzle: Whistleblowing

1 2

3 4

5 6

7

8

9

10

Created with EclipseCrossword — www.eclipsecrossword.com

R

S

E

N

T

E

N

C

I

N

G

T

C

A

A

N

O

T

L

E

F

N

T

I

E

O

F

F

E

A

D

R

R

I

S

T

E

A

U

D

I

T

I

T

N

U

E

A

N

O

N

Y

M

O

U

S

D

N

T

N

I

T

I

K

C

I

O

P

L

A

N

A

N

O

L

W


Yes! Please send me one year of SARBOX ALERT at the SPECIAL RATE of $495.

Name Title Organization

Address City State Zip Code

Phone Fax E-mail (required)

Payment enclosed Charge my:

Mastercard Visa American Express Discover

Account Number Expiration Date Signature

Make all checks payable to RiskCenter, LLCClient agrees to pay any and all applicable sales tax.

Suggestions for additional coverage are always welcome. In fact, we encourage it! This is one of the reasons RiskCenter stays on top of market trends.

If you have an idea or two on new issues, trends, interview subjects - anything really - in this new market,feel free to jot down your thoughts in the space below.

We will likely take your suggestions to heart. Use the space below or send us an email [email protected]. Thank you in advance for your comments. - The Editor

SARBOX ALERT – published by RiskCenter, LLC82 Wall Street, Suite 707, New York, NY 10005

phone: 212.825.1525 fax: 212.825.1530www.riskcenter.com


Comments:


sarbox alert

Documents