Sarbanes-Oxley - Internal Controls and Procedures Checklist
Posted Mon, 03/29/2010 - 10:47am by Simon Westbrook ( CFO)
I am working with a Company that really hasn't addressed the issue of formal internal controls, documentation and compliance. Does anyone have a checklist, advice, or a good reference to facilitate the process of organisation?
- Sarbanes-Oxley
Comments
SOX Checklist, or guidance.
Most checklists were based on audit checklists which were based on AS-2 or AS-5 auditing standards. In general they do not work for the company assessment - but run up significant expense. See http://tinyurl.com/ybwp6tp for discussion.
SOX, be careful
Agree with J. Finn's comment.
I have threatened to write a book on how to not implement SOX 404, it can be a huge waste of time and money if not done at the right process level and focused on the right risks.
The key here is to do a risk based approach and to look at financial reporting risk as an operational risk which means assessing PEOPLE, PROCESSES, and SYSTEMS.
Here is a link to a presentation on this, has a hedge fund focus but much applies across industries:
http://www.slideshare.net/sllzurich/112010-ops-risk?from=share_email
Happy to discuss further if you like.
SOX be Careful and SOX checklists
You are taking the right approach. In fact focusing on just about anything other than a naive belief that there are "discrete" controls is appropriate. I have spent over 30 years doing workflows and am convinced "a control" is a continuous process performed by people - not a discrete activity. See http://tinyurl.com/ybwp6tp for discussion.
Jim Finn
SOX Checklist
I would take a look at the COSO publication, Internal Control over Financial Reporting – Guidance for Smaller Public Companies. Also, and it has been a couple of years since I looked, there are several applications with templates for developing internal controls from scratch. Last time I looked they were all offered by the AICPA.
Several years ago when we did our implementation we found it easier to just start from scratch on the documentation and fit best practices to our situation. If there were weaknesses, and there always are when you are working with a small staff, we documented the weakness along with our procedure for mitigating the risk.
SOX Internal Controls and Procedures
Want to comment on and agree with posts by Scott Lane and Randy Rutledge. From my experience, both have hit on the issues.
From 2003 to 2007 I was consulting, largely on SOX404 projects. In the earlier days, it was not unusual to find clients that misgauged requirements resulting in "false starts" or they started late, creating a time crunch emergency.
SOX needs to be a risk based assessment. Companies need to understand this, and evaluate the risks inherent to their business as it relates to their financial reporting. One of the challenges is to appropriately define and segregate what actually are financial reporting risks vs. operational and regulatory risks.
It is an effort to understand the alignment of people - processes - systems. I view this between how companies deal with transactional processing activities and events.
Typically companies capture most activities through daily transactional processing. Month-Quarter-Year End closings result in evaluating the transactions recorded, and adjusting estimates accordingly.
Events occur when significant changes occur. They are typically one-off, non-recurring issues. These could result in needing to change the underlying processes. Events are evaluated for their impact on the Balance Sheet valuation; adjustments likely result, or at least disclosure.
The referenced Small Company Internal Control document is a good listing of risks and areas to focus upon. I've recommended this before in this post.
There is a logical process to complete the SOX 404 setup. Many of my clients thought they knew everything going on in their business, and learned things didn't necessarily happen the way they assumed or intended.
Randy
SOX Checklists (or guidance ???)
While Randel and Randy make some interesting points regarding the COSO framework, it is not intended as guidance for a company's actual SOX compliance. That is why the SEC produced the "interpretative guidance" for companies. The COSO framework makes interesting general reading on the five major components of an internal control environment, but it does not provide specifics on how a company can perform an assessment that will "legally" meet the SEC requirements for companies to comply with SOX assessments (Section 404).
The interpretative guidance is available in the Federal Register at "SECURITIES AND EXCHANGE COMMISSION, 17 CFR Part 241, [Release Nos. 33–8810; 34–55929; FR–77; File No. S7–24–06]" and contains the following declaration on the first page: "SUMMARY: The SEC is publishing this interpretive release to provide guidance for management regarding its evaluation and assessment of internal control over financial reporting. The guidance sets forth an approach by which management can conduct a top-down, risk-based evaluation of internal control over financial reporting. An evaluation that complies with this interpretive guidance is one way to satisfy the evaluation requirements of Rules 13a–15(c) and 15d–15(c) under the Securities Exchange Act of 1934. DATES: Effective Date: June 27, 2007."
COSO is sort of like "Apple Pie", but the SEC document is a "Recipe"
James Finn
SOX; Misunderstood, and no Instruction Manual
After reading the comments and concerns of those interested in this issue, I wish to make a "Summarizing" comment based on my last seven years experience with over a dozen SOX programs at separate companies.
1. Prior to 2007 there was no recognized useful guidance for a company's management to address "SOX Compliance". As a result most companies got overwhelmed with auditing checklists and control minutia by chasing the elusive "assertions" required by AS-2. Many companies have not recovered or cleaned up their excess AS-2 documentation yet. Even today, only individuals who are working these issues on a daily basis are familiar with the value of the interpretative guidance from the SEC or the application of a similar risk based approach focused on viewing financial reporting as a "report production process" that needs management's evaluation for quality control, and an assessment for confirmation of their control effectiveness.
2. COSO is a framework not a specification and it is effective at the highest conceptual level of the control environment. It is an outline that needs to be filled in by the company, but it is not a specification for the SOX section 404 compliance assessment requirement. If your SOX section 404 concepts are "pre 2007" you should reevaluate them in light of the most recent authoritative developments.
3. The first practical steps to create a foundation for section 404 compliance are adequate documentation of the financial reporting process (workflow) procedures, and a risk based analysis and assessment in accordance with the SEC interpretative guidance.
Anything else is of a lesser authoritative level for a company's management, and may be biased by outside financial interests. The SEC is the best authoritative source for management's ICFR assessment as required by SOX section 404.
Jim Finn