The document outlines the Sarbanes-Oxley Act's requirements for public companies to implement internal controls over financial reporting, emphasizing management's responsibilities under Sections 302 and 404. It details the COSO internal control framework, which includes components such as control environment, risk assessment, and monitoring, along with various types of application controls like input, processing, and output controls. Additionally, it highlights the importance of segregation of duties, supervision, and access control in maintaining effective internal controls.
Ais Handouts
Sarbanes-Oxley and Internal Control

→ Requires management of public companies to implement an adequate system of internal controls over their financial reporting process.
→ Includes controls over transaction processing systems that feed data to the financial reporting systems.
→ Management's responsibilities for this are codified in Sections 302 and 404:
   - Section 302 of SOX requires that corporate management certify their organization's internal controls on a quarterly and annual basis.
   - Section 404 of SOX requires the management of public companies to assess the effectiveness of their organization's internal controls.

SAS 78/COSO INTERNAL CONTROL FRAMEWORK

Five components:

1. Control environment sets the tone for the organization and influences the control awareness of its management and employees. It is the foundation for the other four control components.
   Elements:
   - The integrity and ethical values of management.
   - The structure of the organization.
   - The participation of the organization's board of directors and the audit committee, if one exists.
   - Management's philosophy and operating style.
   - The procedures for delegating responsibility and authority.
   - Management's methods for assessing performance.
   - External influences, such as examinations by regulatory agencies.
   - The organization's policies and practices for managing its human resources.
2. Risk assessment - to identify, analyze, and manage risks relevant to financial reporting.
3. Information and communication - The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization's transactions and to account for the related assets and liabilities.
4. Monitoring is the process by which the quality of internal control design and operation can be assessed. This may be accomplished by separate procedures or by ongoing activities.
5. Control activities are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks.

Control activities are grouped into two distinct categories:

a. IT controls relate specifically to the computer environment.
   I. General controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.
   II. Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.
b. Physical controls - this class of controls relates primarily to the human activities employed in accounting systems. The issues pertain to six categories of physical control activities:
   i. Transaction authorization. The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management's objectives.
c. Segregation of Duties. One of the most important control activities is the segregation of employee duties to minimize incompatible functions.
d. Supervision - Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations.
e. Accounting Records. The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.
f. Access Control. The purpose of access controls is to ensure that only authorized personnel have access to the firm's assets. Unauthorized access exposes assets to misappropriation, damage, and theft. Therefore, access controls play an important role in safeguarding assets.
g. Independent Verification. Verification procedures are independent checks of the accounting system to identify errors and misrepresentations.

IT APPLICATION CONTROLS

Application controls are associated with specific applications, such as payroll, purchases, and cash disbursements systems, and fall into three broad categories: input controls, processing controls, and output controls.

Input controls

Input controls are programmed procedures, often called edits, which perform tests on transaction data to ensure that they are free from errors.

CHECK DIGIT. Data codes are used extensively in transaction processing systems for representing such things as customer accounts, items of inventory, and GL accounts in the chart of accounts.
MISSING DATA CHECK. This edit identifies blank or incomplete input fields that should contain data that are required to process the transaction.
NUMERIC-ALPHABETIC CHECK. This edit identifies when data in a particular field are in the wrong form.
LIMIT CHECK. Limit checks are used to identify field values that exceed an authorized limit.
RANGE CHECK. Many times, data have upper and lower limits to their acceptable values.
REASONABLENESS CHECK. The error above may be detected by a test that determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record.
VALIDITY CHECK. A validity check compares actual field values against known acceptable values.

Processing controls

Processing controls are programmed procedures to ensure that an application's logic is functioning properly.

Batch controls are used to manage the flow of high volumes of transactions through a batch processing system.
Run-to-run controls use the values in the batch control record to monitor the batch as it moves from one programmed procedure (run) to another.
Hash total, the term used in the preceding discussion, is the summation of a nonfinancial field to keep track of the records in a batch.
Audit trail controls in an IT environment ensure that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements.
TRANSACTION LOGS. Every transaction the system successfully processes should be recorded on a transaction log, which serves as a journal.
GFS BACKUP TECHNIQUE. Systems that use sequential master files (whether tape or disk) employ a backup technique called grandfather-father-son (GFS), which is an integral part of the master file update process.

Output controls

Output controls are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.

PRINT PROGRAMS. When a printer becomes available, the print run program produces hard-copy output from the output file. Print programs are often complex systems that require operator intervention.
WASTE. Computer output waste is a potential source of exposure.
REPORT DISTRIBUTION. The primary risks associated with the distribution of sensitive reports include their being lost, stolen, or misdirected in transit to the user.
END-USER CONTROLS. Once in the hands of the user, output reports should be examined for correctness. Errors the user detects should be reported to the appropriate IT management.
CONTROLLING DIGITAL OUTPUT. Digital output can be directed to the user's computer screen or printer. The primary output threat is the interception, disruption, destruction, or corruption of the output message as it passes across the communications network.
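
The input edits described above, applied to a single payroll record. This is an added example, not part of the handout; the field names, the limits and the job-class table are constructed for illustration.

```python
import re

# Constructed limits and lookup table (assumptions, not from the handout).
JOB_CLASS_MAX_RATE = {"A": 40.00, "B": 25.00, "C": 15.00}  # valid class -> rate ceiling
HOURS_LIMIT = 60.0           # authorized weekly maximum
RATE_RANGE = (8.00, 40.00)   # lower and upper bounds for any pay rate
REQUIRED = ("employee_id", "job_class", "hours", "rate")
DIGITS = re.compile(r"[0-9]+")
DECIMAL = re.compile(r"[0-9]+(\.[0-9]+)?")  # rejects signs, exponents, nan, inf

def edit_record(raw):
    """Run the input edits on one payroll record; return the failures found."""
    rec = {f: "" if raw.get(f) is None else str(raw[f]).strip() for f in REQUIRED}
    # Missing data check: every required field must be present and non-blank.
    missing = [f for f in REQUIRED if not rec[f]]
    if missing:
        return ["MISSING_DATA:" + ",".join(missing)]
    errors = []
    # Numeric-alphabetic check: each field must be in the right form.
    if not DIGITS.fullmatch(rec["employee_id"]):
        errors.append("NUMERIC_ALPHABETIC:employee_id")
    for field in ("hours", "rate"):
        if not DECIMAL.fullmatch(rec[field]):
            errors.append("NUMERIC_ALPHABETIC:" + field)
    # Validity check: job class must be one of the known acceptable values.
    if rec["job_class"] not in JOB_CLASS_MAX_RATE:
        errors.append("VALIDITY:job_class")
    if errors:
        return errors  # the remaining edits need well-formed, valid fields
    hours, rate = float(rec["hours"]), float(rec["rate"])
    # Limit check: hours may not exceed the authorized limit.
    if hours > HOURS_LIMIT:
        errors.append("LIMIT:hours")
    # Range check: the rate must fall between the lower and upper bounds.
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        errors.append("RANGE:rate")
    # Reasonableness check: a rate that passed the range check must still
    # make sense alongside another field of the record (the job class).
    elif rate > JOB_CLASS_MAX_RATE[rec["job_class"]]:
        errors.append("REASONABLENESS:rate_vs_job_class")
    return errors
```

A rate of 38.00 passes the range check for every record, yet the reasonableness check rejects it for job class C, which is the case the handout's reasonableness entry describes.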
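
The run-to-run control and hash total described under processing controls, as an added example that is not part of the handout. The batch contents, the run names and the two faulty runs are constructed; a run is modelled as a function that takes the batch and returns it.

```python
from decimal import Decimal

# Constructed batch of cash disbursement records: (account_no, amount).
BATCH = [
    (40977, Decimal("1200.50")),
    (40112, Decimal("250.00")),
    (41503, Decimal("75.25")),
]

def control_record(records):
    """Build the batch control record from the records as first received."""
    return {
        "record_count": len(records),
        "control_total": sum((amt for _, amt in records), Decimal("0")),
        "hash_total": sum(acct for acct, _ in records),  # nonfinancial field
    }

def run_to_run_check(control, records):
    """Recompute the totals after a run; return the ones that disagree."""
    actual = control_record(records)
    return [name for name in control if control[name] != actual[name]]

def process_through_runs(records, runs):
    """Pass the batch through each run; stop at the first run whose output
    no longer matches the batch control record."""
    control = control_record(records)
    for run_name, run in runs:
        records = run(records)
        mismatches = run_to_run_check(control, records)
        if mismatches:
            return run_name, mismatches
    return None, []

def drop_last(records):
    """Faulty run (constructed): loses the final record of the batch."""
    return records[:-1]

def redirect_account(records):
    """Faulty run (constructed): same amounts, one account number altered."""
    return [(40979 if acct == 40977 else acct, amt) for acct, amt in records]
```

The altered account number leaves the record count and the financial control total unchanged, so only the hash total exposes it.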