Auditing Internal Controls
In response to the large corporate financial scandals like energy firm Enron Corp, telecommunications giant WorldCom and Tyco International, Sarbanes-Oxley Act (SOX) was introduced, in the USA, in year 2002.
Purpose of the Act was to improve accuracy of financial reporting by establishing formalized system of checks and balances and protect shareholders/ general public from fraudulent practices in the companies.
The SOX is mandatory and applies to all US-based public companies. These companies are required to maintain both good financial practices and data security standards. The Section 404 of the Act mandates rules on “management’s report on internal control over financial reporting”. The section requires all financial reports to include an Internal Control Report. The report provides assurance that the company’s financial data is accurate and adequate controls are in place to safeguard financial data.
To align with the requirements of the SOX, the PCAOB (U.S. Public Company Accounting Oversight Board) provided an updated standard AS 5, in May 2007.The Standard was about “Audit of Internal Controls over Financial Reporting integrated with Audit of Financial Statements”.
The SOX measures seek to govern financial operations and disclosures of the corporate entities. A major part of the SOX regulations is related to the information technology systems. SOX reporting involves IT departments as those departments are responsible for creating corporate records and maintaining archives.
To align with SOX regulations, companies are required to develop and implement comprehensive data security strategy. The strategy should be able to protect financial data prepared, used and stored during normal operations. IT departments must become familiar with the security, access, privilege and log management standards applicable to them.
The security teams use data classification to enforce and monitor corporate policies for data handling. Depending upon sensitivity and applicable regulations data may be encrypted, compressed or saved in a different file format. With the proper policies in place corporations can prevent unauthorized users from viewing regulated data. The security solutions have the ability to safeguard shared data.
Section 302 and 404 of the SOX prevent fraudulent agents (whether internal or external) from tampering with sensitive financial information.
Section 302: Corporate Responsibility for Financial Reports
Section 302 states that the CEO and CFO are directly responsible for documentation, accuracy and submission of all financial reports as well as the internal control structure,
to the SEC (Security Exchange Commission of U.S.A.).
The Commission requires, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934, that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed under either such section of such Act that—
1. the signing officer has reviewed the report;
2. based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
3. based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
4. the signing officers–
a. are responsible for establishing and maintaining internal controls;
b. have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
c. have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
d. have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
5. the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors or persons fulfilling the equivalent function–
a. all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
b. any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
6. the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Section 404: Internal Control Report
The section 404 requires all annual financial reports to include an Internal Control Report. The report states that management is responsible for an adequate internal control structure and includes an assessment by the management of the effectiveness of the control structure. Any shortcomings in these controls must be reported. In addition, registered external auditors must attest to the accuracy of the management assertion that internal accounting controls are in place, operational and effective.
(a) Rule: The rules prescribed by the Commission, require each annual report submitted under section 13(a) or 15(d) of the Securities Exchange Act of 1934, to contain an internal control report, which shall—
i. state responsibility of the management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
ii. contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) Internal Control Evaluation and Reporting: With respect to the internal control assessment required under subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.
An attestation under this subsection shall be made in accordance with the standards for attestation engagements issued or adopted by the Board.
SOX Documentation
While adopting rules to implement Section 404, the SEC expressly declined to prescribe scope of assessment or extent of testing and documentation required by the management. The scope and process of the assessment should be reasonable and assessment including testing should be supported by a reasonable level of evidences. Each company should use informed judgment in documenting and testing its controls to fit its operations, risks and procedures. Management should use their own experience and informed judgment in designing an assessment process that fits needs of that company. Management should not allow the goal and purpose of the internal control over financial reporting provisions which is “production of reliable financial statements”, to be overshadowed by the process.
The key business processes, material transactions and related controls are to be documented. Management should maintain sufficient documentation so that a person with reasonable knowledge can understand the process, how key controls are operating, who is performing controls, time and frequency of operating controls, evidence that the controls were performed and the reports used while applying those controls.
It’s important to establish a change management process which will ensure that the documentation is kept up-to-date as processes and controls change in a business.
The external auditor should agree on the documentation of controls.
SOX Audits
The SOX mandates companies to complete yearly audits and make the results available to stakeholders. Companies hire independent auditors to conduct SOX audit, which must be separate from any other audit, to prevent a conflict of interest.
For audit under section 404, a company must meet the following requirements:
- Management accepts responsibility for effectiveness of the controls
- Controls are suitably designed and implemented to achieve control objective i.e. reliability of financial reporting, using established criteria
- Control objectives and related controls are documented
- Management assesses effectiveness of internal control over financial reporting and reports on design & operating effectiveness of the control.
Auditors compare past financial statements with the current year and may interview personnel to verify if compliance controls are effective. The auditors check with the staff whether their duties match their job descriptions and that they have adequate training to access financial information in a secured manner.
SOX audit process involves the following steps:
1. Define Scope of audit using a Risk Assessment Approach
For performing risk assessment, a top-down approach is recommended. The auditor focuses on entity-level controls and works down to significant accounts, their disclosures and relevant assertions.
The purpose is to help auditor identify potential risks and sources, their impact on the business and whether internal controls will provide reasonable assurance that a material fraud/error will be prevented or detected.
2. Determine Risks related to Material Accounts & Processes
The auditor will:
- Identify material items in the financial statements.
- Determine locations having material account balances.
- Review financial statements of those locations.
- Verify details of the transactions in material account balances. Check how transactions occurred and how they were recorded. Auditor may also meet with the concerned persons such as process owners, financial controller etc.
- Identify financial reporting risks for material accounts and the possible impact they may have on the account balances.
3. Identify SOX Controls
During materiality analysis auditor should identify & document SOX controls which can detect or prevent transactions from incorrect recording. Those are the key controls. The auditor should differentiate key controls from non-key controls and also identify manual and automated controls.
4. Test Key Controls
Testing key controls validates design and operating effectiveness of the controls in place. Controls testing involve inspection of documentation, evaluation, observation, inquiries with process owners, walkthrough the transaction and re-performance of the process etc.
5. Perform Fraud Risk Assessment
An effective system of internal controls is in place where internal controls reduce the opportunity to commit a fraud and also help with the assessment of possible frauds. Examples of effective internal controls are segregation of duties, reconciliation of bank accounts at regular intervals, investigation of employees’ expenses reimbursements etc.
6. Manage Documentation of Processes and Controls
Key operating processes and controls should be properly documented.
7. Assessing Deficiencies
During testing auditor may come across deficiency or gap in the sample selected. The deficiency/gap should be identified & corrected. The auditor should also review whether the deficiency/gap was due to design failure or operational failure of the control.
8. Deliver Management’s Report on Controls
A large amount of data and information is collected during testing of SOX controls.
The information gathered is useful for the management’s report on internal controls.
Auditing IT Systems
During SOX audit, review of internal controls related to IT assets such as computers, network, hardware and other electronic equipment that the financial data passes through, form a major part of the audit.
While auditing IT systems auditors review following internal controls:
i. Access: Access includes both physical controls such as doors, badges, locks on file cabinets and electronic controls like login policies, least privilege access and permission audits. Least privilege access model is an excellent example of access control which means each user only has the access necessary to do his/her job. The function of the user and not his/her identity, controls assignment of access rights.
Another good control is Permission audit. Permission audits are about review of permissions e.g. who has permissions to what, basis of getting that permission and whether the person is acting in a responsible manner. Auditors examine if current permissions are recorded & any changes to the permissions are verified and recorded.
ii. Security: Security controls ensure that the company has protection against data breaches.
iii. Data Backup: Maintaining off-site backups of all financial records is a SOX compliance requirement.
iv. Change Management: is having defined processes to add and maintain users, install new software and make any changes to database or applications which manage company’s financial information.
SOX compliance checklist
SOX compliance checklist is a tool for evaluation of compliance with SOX, reinforcing information technology & security controls and to uphold legal financial practices. A SOX compliance checklist includes the following steps:
2. To record timelines for key activities company has systems which can apply timestamps to all financial & other related data. The data is encrypted if required and stored at a remote, secure location.
3. Establish verifiable controls to track data access i.e. a system that can receive data messages from virtually unlimited number of sources including files, FTP transfers and databases and tracks who accessed or modified the data.
4. To ensure that safeguards are operational systems are implemented which can issue & distribute daily reports to selected officials in the organization, confirming that the SOX control measures are working properly.
5. Report periodically on effectiveness of safeguards implement system which generates reports periodically, on data, including report of all messages, critical messages, alerts and uses a ticketing system that archives security incidents occurred and how they were addressed.
6. To detect Security Breaches security system is in use which can analyze data in real-time, identify signs of a security breach and generate meaningful alerts, automatically updating incident management system.
7. To disclose security breaches company has a system which is capable of detecting and logging security breaches and allow security staff to record their resolution of each incident.
8. To disclose security safeguards to the auditor systems should be in place which can provide role-based access to the auditor, allowing him/her to view data and reports without making any changes.
9. A system to disclose failure of security controls to the SOX auditor. The system should enable auditor to view reports having details of the security control failure incidents, the incidents resolved successfully and the ones which could not be resolved.
Protecting the whistleblower
SOX encourages disclosure of corporate frauds by protecting employees who report fraud and testify in court against their employers. Companies are not allowed to change the terms and conditions of their employment. They can’t reprimand, fire, or blacklist the employee. Whistleblowers can report any corporate retaliation against them. SOX makes it a crime for a person to knowingly retaliate against a whistleblower for disclosing truthful information to a law enforcement officer. It authorizes the Department of Justice to criminally charge those responsible for the retaliation.
Firms conducting SOX Audits
The SOX also regulates accounting firms which conduct SOX audits. The PCAOB has set standards for the audit reports. It requires all auditors of public companies to register with them. The PCAOB inspects, investigates, and enforces compliance of these firms. It prohibits accounting firms from doing business consulting with the companies they are auditing. They can still act as tax consultants but the lead audit partners must rotate off the account after five years.