SOX - the Early Years

Elegantsolutions.ca



SOX (Sarbanes-Oxley) – THE EARLY YEARS

What You Didn’t Know You Don’t Know About Compliance
And What it Means to You as a Project Manager

From a Presentation I made on March 29, 2007 at ProjectWorld in Toronto
Boyd Carter, PMP
elegantsolutions.ca
I have been asked from time to time to send colleagues a copy of this presentation.

While the links have been updated, please note that the content of this document is dated
as at March 29, 2007. The concept is still valid, but the regulations may have been
amended since then.

The content is best viewed in Slide Show format; the notes are useful.

Agenda
 What you know you don’t know about compliance
 What you didn’t know you don’t know about
  compliance
 What it means to you as a project manager
 Resources for the Project Manager
         Description of “must have” resource documents
         Links to the best online resources




Copyright © 2006-2010 elegantsolutions.ca   www.elegantsolutions.ca
(Permission is granted to use unchanged. elegantsolutions.ca)

What You Know You Don’t Know About Compliance

Most people know they don’t know:

     Details of the legislation

     About Assessments and Attestations

     What CEO/CFO Certification means





What You Know You Don’t Know About Compliance (Cont.)

Details of the US Legislation
 Sarbanes-Oxley Act of 2002 (Public Law 107-204---July 30, 2002, 107th
   Congress of the United States of America)
         Title I – Public Company Accounting Oversight Board (PCAOB)
                  Section 102 – Registration with the Board (to prepare and/or issue Audit Reports)
                  AS2 (Auditing Standard No. 2)
         Title II – Auditor Independence
         Title III – Corporate Responsibility
                  Section 302 – Corporate Responsibility for Financial Reports
         Title IV – Enhanced Financial Disclosures
                  Section 404 – Management’s assertion of Internal Control over Financial
                   Reporting (ICFR)
         Titles V – XI
                    V – Analysts Conflicts of Interest
                    VI – Commission Resources and Authority
                    VIII – Corporate and Criminal Fraud Accountability
                    IX – White-collar Crime Penalty Enhancements
                    X – Corporate Tax Returns
                    XI – Corporate Fraud and Accountability



What You Know You Don’t Know About Compliance (Cont.)

Details of the Canadian Legislation
 Bill 198 – An Act to implement budget measures and other initiatives of the
   Government, 3rd Session, 37th Legislature, Ontario, 2002 (and subsequent
   amendments)
             Part XXVII – Amends the Ontario Securities Act
     Ontario Securities Commission – A Self-funded Crown Corporation and the
      Regulator of Ontario’s Capital Markets: Charter of Corporate Governance (The
      OSC administers the Securities Act Ontario and Commodity Futures Act, and is
      empowered to make legally binding rules.)
     CSA – Canadian Securities Administrators is the council of Canada’s thirteen provincial
      and territorial securities regulatory authorities (SRAs).
        NI 52-108 – Auditor Oversight
        MI 52-109 – Certification of Disclosure…
        MI 52-110 – Audit Committees
        MI 52-111 – Reporting on Internal Control… (not implemented)
        CSA Notice 52-313 – Status of MI 52-111 (Decision to not implement) and proposed to
           amend and restate MI 52-109
        CSA Notice 52-317 – Amended the planned effective date of (now) NI 52-109 to be
           financial years ending on or after June 30, 2008



What You Know You Don’t Know About Compliance (Cont.)

What’s the Difference between (SOX) Sections 302 and 404

     SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.
             (a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic
              reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that
              the principal executive officer or officers and the principal financial officer or officers, or persons
              performing similar functions, certify in each annual or quarterly report filed or submitted under either such
              section of such Act…
     SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
        (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual
          report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C.
          78m or 78o(d)) to contain an internal control report, which shall—
                    (1) state* the responsibility of management for establishing and maintaining an adequate internal
                     control structure and procedures for financial reporting; and
                    (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the
                     effectiveness of the internal control structure and procedures of the issuer for financial reporting.
             (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal
              control assessment required by subsection (a), each registered public accounting firm that
              prepares or issues the audit report for the issuer shall attest to, and report on, the
              assessment made by the management of the issuer. An attestation made under this
              subsection shall be made in accordance with standards for attestation engagements issued
              or adopted by the Board. Any such attestation shall not be the subject of a separate
              engagement.

What You Know You Don’t Know About Compliance (Cont.)

What’s the Difference between Assessments, Assertions and
  Attestations
     SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
         (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each
          annual report required by section 13(a) or 15(d) of the Securities Exchange Act
          of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which
          shall—
                  (1) state* the responsibility of management for establishing and maintaining an
                   adequate internal control structure and procedures for financial reporting; and
                  (2) contain an assessment, as of the end of the most recent fiscal year of the issuer,
                   of the effectiveness of the internal control structure and procedures of the issuer for
                   financial reporting.
         (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to
           the internal control assessment required by subsection (a), each registered
           public accounting firm that prepares or issues the audit report for the issuer shall
           attest to, and report on, the assessment made by the management of the issuer.
           An attestation made under this subsection shall be made in accordance with
           standards for attestation engagements issued or adopted by the Board. Any such
           attestation shall not be the subject of a separate engagement.
        *This statement regarding assessment is often referred to as an Assertion


What You Know You Don’t Know About Compliance
What CEO/CFO Certification means
This is what CEO/CFO Certification means to one corporation

[Diagram: Control Design; Control Effectiveness]

Key Requirements for a Compliance Framework (SOX 404 or NI 52-109)




What You Didn’t Know You Don’t Know About Compliance

Most people didn’t know they really don’t know what is required in order
to assert “Internal Control Over Financial Reporting” (ICFR or ICOFR):

     Frameworks
     How to develop a Control Design
     How to evaluate Control Effectiveness
     How to provide evidence to support Assertions and Attestations




   What You Didn’t Know You Don’t Know About Compliance
   - Frameworks




[Diagram: Sarbanes-Oxley Act of 2002 and Bill 198; Auditing Standard 2 (AS2);
 COSO Internal Controls – Integrated Framework (Not ERM); COBIT Control Objectives;
 ISO 17799 Security; ITIL Activities]

Version 2.0 benefits from lessons learned during the first two years.
   What You Didn’t Know You Don’t Know About Compliance
   - Frameworks



THE CORE FRAMEWORK
   Conceptual Level: COSO / COBIT
   Framework Level: COSO Component / COBIT Domain
   COSO (Sub-Components) Points of Focus / COBIT High-Level Control Objectives Level
   COSO Bullets under Points of Focus / COBIT Detailed Control Objectives Level
Pre-populated, fully annotated COSO and COBIT Control Objectives in increasing levels of detail.

THE EXTENDED FRAMEWORK
   > The company’s detailed processes for achieving the Control Objectives
     > Risk of Non-compliance (N-C)
       > Company Controls
         > Tests and subsequent Remediation / Remediation Action Plans, if required
The Compliance Teams may populate the Processes, Risks, Controls and Tests at their
preferred levels of granularity. Activity-level guidance is provided with exemplar sets of
controls and tests.


   What You Didn’t Know You Don’t Know About Compliance
   - How to Develop a Control Design and Evaluate Control Effectiveness
   > The company’s detailed processes for achieving the Control Objectives
     Documented at this level are the processes of the company.
     > Risk of Non-compliance (N-C)
       Documented at this level are specific risks associated with the process.
       > Company Controls
         Documented at this level are specific controls associated with the mitigation of risk.
         > Tests
           Documented at this level are specific tests associated with the control.
           > Remediation
             > Remediation Action Plans (Achieving Operational Effectiveness)
               If remediation is required, action plans are executed and the control re-tested.
               The current state of remediation (and future activity, if required) is
               documented at the time of certification.

          Certifications typically take place after remediation is completed, but remediation could
          be cut off at a point in time and status certified at that point in time. (“Certification” is
          certification of status at a point in time, not certification of compliance.)


What You Didn’t Know You Don’t Know About Compliance
- How to provide evidence to support Certifications and Attestations
“THE” Best Practices Frameworks
     COSO – The Committee of Sponsoring Organizations of the Treadway Committee
     COBIT – Control Objectives for Information and Related Technology, Version 4

“THE” Best Practices Guidance
     IT Control Objectives for Sarbanes-Oxley, Second Edition

“THE” Best Practices Project Plan
     The Compliance Road Map from IT Control Objectives for Sarbanes-Oxley, Second Edition


What it Means to You as a Project Manager

- How to provide evidence to support
  Certifications and Attestations

Road Map Items 1 & 2




What it Means to You as a Project Manager

- How to provide evidence to support
  Certifications and Attestations

Road Map Items 3 & 4




What it Means to You as a Project Manager

- How to provide evidence to support
  Certifications and Attestations

Road Map Items 5 & 6




Resources for the Project Manager

     Description and links to “must have” resource documents
     (Remember, links are active only when the presentation is in “slide show mode”)
             AICPA (for COSO) http://www.aicpa.org/
             ISACA (for COBIT) http://www.isaca.org/
             ITIL (IT Infrastructure Library) http://www.itil-officialsite.com/home/home.asp
             ISO (International Organization for Standardization) http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
             SEC on SOX http://www.sec.gov/spotlight/sarbanes-oxley.htm
             PCAOB Latest News http://www.pcaob.org/
             OSC List of Regulations http://www.osc.gov.on.ca/en/SecuritiesLaw_legislation_index.htm
             The Canadian Securities Administrators http://www.csa-acvm.ca/home.html




Resources for the Project Manager
Final thoughts – buy these products for educational and project management purposes


     COSO Small Public Companies Download
     COSO Internal Controls – Integrated Framework download
     COBIT4 Download and subscribe to COBIT Online
     IT Control Objectives for Sarbanes-Oxley, Version 2
     Mapping Documents from ISACA – some require registering and/or membership
      (Example – COBIT4 to PMBOK)
