SOX-404 Help Page

List of Recommended SOX Implementation Books
Competitive Advantage: Linked Management Systems
Sarbanes Oxley Internal Controls: A Complete Guide - 2021 Edition, by The Art of Service - Sarbanes Oxley Internal Controls Publishing | Nov 13, 2020 | Paperback
Sarbanes Oxley Manual: A Handbook for the Act and SEC Rules, by James Hamilton, CCH Incorporated (2008-02-26) | Paperback
Manager's Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud, by Scott Green | Jan 1, 2004 | Hardback
Index
Integrating Sarbanes-Oxley Requirements Into A Quality Management System
The Internal Controls Auditor's Tasks
Information Technology Computer Systems Audit Plan
The "Internal" Internal Controls Audit
The "External" Internal Controls Audit
Internal Controls Audit Report
Corrective and/or Preventive Action
This site is a short how-to on integrating the Sarbanes-Oxley Act Internal Control Audit (a.k.a. SOX-404) into an ISO9001:2008 Quality System, for those needing to meet the requirements of the Sarbanes-Oxley Act without having to go through a public offering to pay for it. This site explains what I did to find out about the requirements, integrate them into the Quality Management System (QMS) and implement the internal controls auditing function. Since this is a recent requirement for public corporations, this may be of interest to those in similar circumstances. It should also be noted that an ISO9001 quality system has a lot of similarities to other standards such as ISO14001 and AS9101, and the integration into those systems should be the same.

Things were going fine. I had just passed my initial ISO9001:2000 audit (now using the ISO9001:2008 amendment) after preparing everything to comply with the standard when I was asked to perform the Sarbanes-Oxley Act Internal Controls audits. Since I had set up an anonymous "whistle blower" form that went to the Board of Directors' Audit Committee, I thought this might be a quick and easy thing. Or would it? While I haven't had to work as an accountant, I have done a number of product costing activities. Besides managing some engineering, information technology and quality departments and a number of engineering programs and projects, I also have a Master of Business Administration, so my boss thought I'd be a good fit. Besides, in a smaller company, no one wants to hire an extra person to work a week or two every quarter. "Why would a CEO ask his Quality Assurance manager to be the person to ensure compliance with the Securities and Exchange Commission's requirements?" The information below, provided by the external accounting auditors to our Controller, explained what needed to be done. The following items are relevant to understanding the current status:
Since the SEC had not approved the audit framework, the companies that provide this type of training didn't know which framework to provide guidance on, much less what to train. Training was something done at a later date, as was our company's Controller's training. Sometimes you just have to figure it out on your own and hope it's close enough. To that end, I found as much relevant information as I could, both from the external auditor and from places on the Internet. The Institute of Internal Auditors has a great deal of information on the topic and is planning training. Training is key to any implementation; however, this is a system, and the big picture is not always readily apparent to those responsible for the implementation.

While asked to help with the implementation, I received no invitations to any meetings with the external auditor, since it was thought that too much time would be taken up asking questions and using some very expensive external auditor's time, not to mention that my time is also considered expensive. Only after the external consultants wanted to know about the IT systems was I involved. This means that questions such as how extensive the training for employees has to be go unanswered. Under the ISO9001 standard, training means everyone. I assumed that under SOA the same applies; however, management at most companies doesn't want to do it unless their external auditor tells them they have to. Again, this is related to cost.

The SOA implementation and auditing are divided into two different skill sets. The first is being able to understand the accounting side of the auditing (a.k.a. the COSO requirements) and the second is the Information Technology (IT) systems side (a.k.a. the COBIT® requirements).
Needing two different skill sets could be a problem for smaller companies, though technically the information is in the COSO and COBIT® frameworks and can be pulled out of them, as well as from other material on auditing, if you have an understanding of standards.
The National Commission on Fraudulent Financial Reporting, also known as the Treadway Commission, was created in 1985 in response to accounting problems. It made a number of recommendations that directly addressed internal controls. A task force under the auspices of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission conducted a review of internal control literature. The results recommended that COSO undertake a project to provide practical, broadly accepted criteria for establishing internal controls and evaluating their effectiveness.
The COSO study concluded that internal controls consist of five interrelated components ("Internal Control - Integrated Framework", Committee of Sponsoring Organizations of the Treadway Commission, September 1992). These components are: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring.
The current COSO draft framework has been available for public review, is downloadable as a PDF file, and explains the above in more detail.
What has to happen next? Since I don't work in the Finance or Accounting departments, I didn't have to write the Accounting Processes and Internal Controls Procedures, though I did do a document review on the initial draft to assist the accounting department. The task of documenting the specific accounting procedures fell on the Controller, as his task was to determine where the risks were based on the size of the accounts, the number of transactions, risk as a percentage of revenue and the value of the assets. It's better to have the people who actually perform the functions create the procedures. The procedures and policies need to be carefully tailored for the company. The use of screen shots within the procedures is now common for most quality system procedures.

One thing the external auditors will do is want to go through the process, though the focus will be primarily on the controls, the transactions and what happens if something goes wrong. In other words, the auditors are looking at the controls within the company and not necessarily at whether the numbers add up correctly, since that aspect is what the regular audit does. It is also recommended to create flowcharts for the processes, identifying on the flowchart the process owners, the documents created and the internal controls for the system. This makes it easier for the internal controls auditor to follow the process and easier for the external auditors to follow. It also possibly saves having the external auditor create a flowchart (which you pay for).

My job was to integrate the COSO framework requirements into the quality system documentation and to audit. Since a number of procedures were common, as were the records being created, there was a good start. Only the accounting and finance procedures needed to be integrated into the Quality Management System, and they were already partially there.
Integrating Sarbanes-Oxley Requirements Into A Quality Management System

In reviewing the COSO requirements I noticed that COSO had a number of similarities to an ISO9001:2000 quality system. The easiest item any Quality Auditor can relate to is probably auditing; however, the financial areas have not had to be integrated into any process approach structure until now, so you will need to highlight the similarities so they will see where the quality system can be used to leverage the Sarbanes-Oxley (SOX) implementation. Using the five key COSO elements (Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring), I modified my quality system procedures so that they could be used for both the quality system and the financial system.
The Internal Controls Auditor's Tasks

To find out the requirements, execute the audit and write the report, I had to do the following:

I reviewed the available data from the external public accountant on the internal controls. In my case, it was Ernst & Young. Materials are typically provided by the external auditor, if asked. There was an Internal Controls Guide for Management's Assessment PDF available from Ernst & Young; however, they have pulled it from their web site. This document was provided to their customers and may still be available to them. The International Finance Corporation (IFC) has a PDF handbook available that is an excellent resource.

One of the first things was to determine the "tone" of the company. Tone refers to the climate for the executives and employees of the company. This can be determined by interviews or by having a survey filled out. There are two prevalent surveys that I ran across: 1.) the El Paso Survey and 2.) the ALLTEL Control and Risk Self-Assessment Process. I chose the ALLTEL Survey because it helped me understand whether the risk assessment by the Controller was accurate as well as helped determine the "tone" of the company. The ALLTEL survey was also shorter than the El Paso Survey and, I thought, more understandable for employees of a small company. I decided to create a form using the ALLTEL Survey and dumped the data to a flat file so I could manipulate it. I then had the employees take the on-line survey on the intranet.
The ALLTEL Survey was used to see if there were any issues related to the "tone" or with the activities being performed within the company relative to controls and risks. I also followed up by trying to determine the frequency of the transactions and whether there were enough high-dollar activities to determine if any were actually material. Besides the "tone" assessment, the Controller typically also creates a risk assessment for the external auditors to review. This should also be reviewed as part of the internal audit to ensure that the areas being audited are material.
Since I was using this audit as a baseline, I chose to audit all aspects of the accounting system rather than just focusing on the high-risk items. This included reviewing the financial statements and going through each process and procedure to find out what could go wrong, whether the responsibilities were identified correctly and whether the duties were adequately segregated (e.g. so the person who validates payment of invoices isn't the same person who writes the check). To ensure that our company was on track, the CEO decided to hire some consultants. One of the first things the consultants said was that the SOA internal controls auditor from the external accounting firm would not be looking at whether the numbers all added up; that is the regular external auditor's job. The Internal Controls Auditor is looking at and testing controls.
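The segregation-of-duties check described above (approve the invoice versus write the check) can be tested two ways: statically, from who is entitled to do what in the accounting system, and dynamically, from who actually did what on each document. The example below is added here to show both checks side by side; it is not code from the page's author or from any accounting package. The incompatible-duty matrix, the user names, the grants and the transaction events are all constructed for illustration.

```python
from collections import defaultdict

# Incompatible duty pairs for an accounts-payable cycle. This matrix is an
# assumption chosen for illustration, not a list taken from the page.
INCOMPATIBLE = {
    frozenset({"approve_invoice", "issue_payment"}),
    frozenset({"create_vendor", "approve_invoice"}),
    frozenset({"create_vendor", "issue_payment"}),
}

# Constructed sample data (not real company data).
# Static picture: which actions each user is entitled to perform.
GRANTS = {
    "alice": {"approve_invoice"},
    "bob": {"issue_payment"},
    "carol": {"approve_invoice", "issue_payment"},
    "dave": {"create_vendor", "issue_payment"},
}

# Dynamic picture: (document id, user, action, amount) as recorded by the system.
EVENTS = [
    ("INV-1001", "alice", "approve_invoice", 4200.00),
    ("INV-1001", "bob", "issue_payment", 4200.00),
    ("INV-1002", "carol", "approve_invoice", 980.00),
    ("INV-1002", "carol", "issue_payment", 980.00),  # same person approved and paid
    ("VEN-0077", "dave", "create_vendor", 0.00),
    ("INV-1003", "dave", "issue_payment", 15000.00),
]


def entitlement_conflicts(grants):
    """Static check: users whose granted actions contain an incompatible pair.

    Returns sorted (user, (action_a, action_b)) tuples so the findings are
    reproducible in the working papers.
    """
    findings = []
    for user, actions in grants.items():
        for pair in INCOMPATIBLE:
            if pair <= actions:
                findings.append((user, tuple(sorted(pair))))
    return sorted(findings)


def transaction_conflicts(events):
    """Dynamic check: one user performed both halves of an incompatible pair
    on the same document, i.e. the control was actually bypassed."""
    actions_by_doc_user = defaultdict(lambda: defaultdict(set))
    for doc, user, action, _amount in events:
        actions_by_doc_user[doc][user].add(action)
    findings = []
    for doc, users in actions_by_doc_user.items():
        for user, actions in users.items():
            for pair in INCOMPATIBLE:
                if pair <= actions:
                    findings.append((doc, user, tuple(sorted(pair))))
    return sorted(findings)


if __name__ == "__main__":
    for user, pair in entitlement_conflicts(GRANTS):
        print(f"entitlement conflict: {user} may {pair[0]} and {pair[1]}")
    for doc, user, pair in transaction_conflicts(EVENTS):
        print(f"transaction conflict: {doc}: {user} did {pair[0]} and {pair[1]}")
```

On the constructed data the two checks disagree in a useful way: carol is flagged by both (she approved and paid INV-1002), while dave shows up only in the entitlement check because his vendor creation and his payment were on different documents. The entitlement check is what tells you the control could be bypassed; the transaction check is what tells you whether it was, and the audit needs both.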
Consultants can be an expense that your company may not want to pick up. If this is the case, hopefully you've made an investment in some good training. Why would your company want to use consultants? At this point, there is still a lot of gray area concerning the SOA implementation, and consultants, while not always the lowest-cost solution, can clear up the fog. After meeting the consultants for our implementation, I've observed the following: Consultants tend to want to start from square one (i.e. want to treat every client as someone who has no knowledge of what the requirements are and want to set everything up as an implementation
At the time of implementation, we had an opinion from the consultants that we had no material findings and that we had done an excellent job in implementing the requirements for the financial and information technology aspects and in preparing for the audit. I believe that integrating the SOX requirements into the Quality System has saved our company money and proved to be the right combination of resources to meet the compliance objective. There may be tangible benefits from going through the process; however, because we have an existing Quality System, it's difficult to identify and quantify what these benefits are. One improvement that could have been made to our implementation is in the collection and organization of the working papers and "evidence" of compliance. The method the consultants used to organize the working papers was very meticulous and made it easier for the external auditor to follow than my original approach.
Testing refers to either running or reviewing transactions to see if they were done correctly. I randomly picked transactions for different days and followed the process through to see if the transactions were done correctly, looked for items that would trigger if something happened and, if there were any, looked for evidence that the procedure was actually being followed when triggering items occurred. Another method is to generate correct and wrong entries using a "sandbox" (a.k.a. a practice database) and print out the forms and reports to verify the transactions and data.
As most Quality Assurance auditors are aware, creating a plan with a schedule is a requirement for any successful audit. My plan was to run the Internal Controls audit concurrently with my quarterly internal ISO9001:2000 audit, since there are a number of areas that have procedures and records that coincide with the COSO framework. I covered the areas of the COSO Framework, audited the overall general accounting practices and the internal controls, and did a detailed process audit on the individual accounting processes and procedures. I included my audit objectives, scope and activities for the audit. I also audited the information technology computer systems as a separate area.
Information Technology Computer Systems Audit Area

Since computer systems are now the essence of most companies' processes, what becomes important is whether the computer system software has been verified and validated prior to implementation. One key item is to ensure that the software is verified for its intended use. Once the verification criteria are determined, the idea is to verify that the software is functioning as stated and that the integrity of the data imported into the system is correct. A key point is to ensure that you have documented that the system is verified and validated. Since management is to control the implementation of financial software and subsequent changes (i.e. show change control), use of a software change control system (or a document change control system) to show that management is controlling the changes adds validity to the system, and is a key item to look for on the internal controls audit. A good source of information on what should be looked at by the internal controls auditor for the information technology aspect can be found on the IT Governance Institute web site at http://itgi.org and its associate, the Information Systems Audit and Control Association's web site at http://www.isaca.org. While the SEC has not stated a specific standard to use, the COBIT® (Control Objectives for Information and related Technology) framework is a good starting point. See the downloads at http://www.isaca.org for a complimentary copy of the COBIT® framework. One of the areas that needed additional effort to comply with the Sarbanes-Oxley and COBIT® framework for my company was the information technology area. The security aspect of the computer systems needed to be documented, training provided and evidence of training retained.
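The change-control point above is the one an IT controls auditor actually tests: every change to the production financial system should trace to a change record that management approved before the change went in, by someone other than the person who made it. The reconciliation below is an added example, not code from the page's author or from any change-management product. The approved-change table, the deployment log and its "key=value" line format are all constructed for illustration.

```python
from datetime import datetime

# Constructed approved change records: ticket -> (approver, approval time).
APPROVED_CHANGES = {
    "CHG-101": ("cfo", "2024-03-01T09:00:00"),
    "CHG-102": ("cfo", "2024-03-12T16:30:00"),
    "CHG-103": ("itmgr", "2024-03-20T10:00:00"),
}

# Constructed production deployment log for a general-ledger system, one
# line per release. The "key=value" format is assumed for this example.
DEPLOY_LOG = """\
2024-03-02T01:10:00 host=gl-prod user=itadmin release=gl-5.4.1 ticket=CHG-101
2024-03-11T23:55:00 host=gl-prod user=itadmin release=gl-5.4.2 ticket=CHG-102
2024-03-15T14:20:00 host=gl-prod user=itadmin release=gl-5.4.3 ticket=
2024-03-21T02:00:00 host=gl-prod user=itmgr release=gl-5.5.0 ticket=CHG-103
2024-03-25T03:00:00 host=gl-prod user=itadmin release=gl-5.5.1 ticket=CHG-999
"""


def parse_deploy_log(text):
    """Parse each log line into a dict with a datetime 'time' plus the key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = {"time": datetime.fromisoformat(stamp)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value  # an empty value (e.g. "ticket=") stays ""
        records.append(rec)
    return records


def change_control_findings(log_text, approved):
    """Reconcile each production deployment against the approved change records.

    Returns sorted (release, issue) pairs; an empty list means every change
    had a prior approval by someone other than the person who deployed it.
    """
    findings = []
    for rec in parse_deploy_log(log_text):
        release, ticket = rec["release"], rec.get("ticket", "")
        if not ticket:
            findings.append((release, "no change ticket"))
            continue
        if ticket not in approved:
            findings.append((release, f"ticket {ticket} not found"))
            continue
        approver, approved_at = approved[ticket]
        if rec["time"] < datetime.fromisoformat(approved_at):
            findings.append((release, "deployed before approval"))
        if approver == rec["user"]:
            findings.append((release, "approver also deployed the change"))
    return sorted(findings)


if __name__ == "__main__":
    for release, issue in change_control_findings(DEPLOY_LOG, APPROVED_CHANGES):
        print(f"{release}: {issue}")
```

Each finding maps to a specific evidence gap the external auditor will ask about: a missing or unknown ticket means no record that management controlled the change, an approval dated after the deployment means the control ran too late to be a control, and an approver who also deployed means the review was not independent. Only gl-5.4.1 passes on the constructed data.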
To perform the audit, I found some general and internal controls checklists at a college web site, modified them, and then created my own detailed checklists pertaining to the procedures. Ultimately, few checklists are going to be able to reflect the complicated decision process that a company must consider, and they are really poor at reflecting what happens a day or so after the list was filled out. Things in common include requirements for document control/documentation of processes, auditing to the "process model" management objectives, shipping and handling of product & finished goods, purchasing procedures, records requirements, monitoring, and human resources requirements for communications, competence (can be Performance Evaluations) and training. I also found an information technology checklist that was from a major IT company. Information technology requirements for the COSO framework are similar to both the document control and infrastructure requirements of the ISO9001:2000 standard. I tailored the IT checklist using the COBIT® framework to fit our much smaller company to audit the computer systems. The general headings and items to be covered applied; however, with an IT staff of one, there are some things that will not apply for your business. To ensure completeness, in my opinion, it is easier to take a more extensive checklist and tailor it to the procedures being audited. Another element in doing this correctly is selecting the appropriate sample sizes (e.g. a daily activity would use a 25-transaction sample, a monthly one would use 10).
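The sample-size rule just given, together with the earlier description of testing (randomly picking transactions for different days and following each through), is the kind of selection an external auditor will want to see reproduced from the working papers. The example below is added to show one way to do that: it is not code from the page's author. The daily (25) and monthly (10) sizes are the page's; the other frequencies in the table, the round-robin spread across days, the recorded seed and the two constructed populations are assumptions made for illustration.

```python
import random
from collections import defaultdict
from datetime import date, timedelta

# Sample size by control frequency. The daily (25) and monthly (10) figures
# are the ones the page gives; the other rows are assumptions for illustration.
SAMPLE_SIZE = {"annual": 1, "quarterly": 2, "monthly": 10, "weekly": 15, "daily": 25}


def select_sample(population, frequency, seed):
    """Pick a reproducible sample of (item id, ISO date) pairs.

    Items are drawn round-robin across distinct dates so the sample covers as
    many different days as its size allows, and the seed is returned with the
    result so the working papers show exactly how the selection was made.
    If the population is smaller than the sample size, the whole population
    is tested and that fact is recorded.
    """
    rng = random.Random(seed)
    k = min(SAMPLE_SIZE[frequency], len(population))
    by_date = defaultdict(list)
    for item in population:
        by_date[item[1]].append(item)
    dates = sorted(by_date)      # sort first so shuffling is seed-determined
    rng.shuffle(dates)
    for d in dates:
        rng.shuffle(by_date[d])
    chosen = []
    while len(chosen) < k:       # terminates because k <= len(population)
        for d in dates:
            if by_date[d] and len(chosen) < k:
                chosen.append(by_date[d].pop())
    chosen.sort(key=lambda item: (item[1], item[0]))
    return {
        "frequency": frequency,
        "seed": seed,
        "population_size": len(population),
        "sample_size": k,
        "whole_population": k == len(population),
        "selected": chosen,
    }


# Constructed populations (not real transactions).
_START = date(2024, 1, 2)
# A daily control: two cash-receipt postings per day for 60 days.
DAILY_POSTINGS = [
    (f"CR-{i:04d}", (_START + timedelta(days=i // 2)).isoformat()) for i in range(120)
]
# A monthly control: one bank reconciliation per month in the quarter.
MONTHLY_RECONS = [
    ("REC-2024-01", "2024-01-31"),
    ("REC-2024-02", "2024-02-29"),
    ("REC-2024-03", "2024-03-31"),
]

if __name__ == "__main__":
    for result in (select_sample(DAILY_POSTINGS, "daily", seed=20240401),
                   select_sample(MONTHLY_RECONS, "monthly", seed=20240401)):
        print(result["frequency"], result["sample_size"], "of", result["population_size"],
              "(entire population)" if result["whole_population"] else "")
        for item_id, d in result["selected"]:
            print("  ", d, item_id)
```

Recording the seed (and the population the sample was drawn from) is what turns "I randomly picked some transactions" into evidence: anyone with the same inputs gets the same 25 items back. For the monthly control the rule asks for 10 but the quarter only has 3 reconciliations, so the result says so rather than silently testing fewer.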
The "Internal" Internal Controls Audit

Perform the audit, checking the following:
The "External" Internal Controls Audit

Our external auditor laid out what would happen during the audit. The approach is similar to an ISO9001:2000 process audit; however, the documents reviewed relate to the internal controls, what can go wrong, how risks are mitigated, what testing was done on the system (including sample sizes and results), and the evidence to show that you are meeting the requirements. The following is a generic outline of the Management Documents:
Internal Controls Audit Report

The final task is to write the audit report. Items I included in the report were outlined as follows:
The report is typically distributed to the President, CFO, Controller and the Board of Directors' Audit Committee.

Corrective and/or Preventive Action

The COSO framework and ISO9001:2008 have a number of aspects in common, including ensuring that human resources are competent, which means even the internal controls auditor needs a job description. Fortunately, my ISO system has them, so it wasn't too hard to write another. Another similarity is the customer satisfaction element, which is looking for some form of corrective action system as well. Since an ISO9001:2008 system already has a corrective and preventive action system, there is no need to reinvent the wheel; just put the non-compliances and preventive actions for the accounting and finance issues in it as well. In the case of the SOA audits, findings are termed significant or material. While having an additional responsibility put upon a quality auditor may not seem to make a lot of sense to the uninitiated, after becoming familiar with the COSO framework it is possible to plan and do the audit. The initial emphasis would be to get the procedures and processes documented. They can be integrated into your existing Quality and Document Control systems without a lot of difficulty if you have a good Quality Management System (QMS) to work with. For those needing help with other areas relating to implementing the Internal Controls Audit function, visit other related web sites by the author as follows: Performance Appraisal Tips Help Page; Total Quality Management (TQM) Tutorial/Help Page; Procedure / Process Writing Tips.
Recommended Reading:
COBIT® is a registered trademark of the Information Systems Audit and Control Association.
If you have questions or comments relating to this information, please email the author.
Copyright © Dexter A. Hansen