Sarbanes-Oxley and Internal Control
Independent Verification procedures are independent checks of
→Requires management of public companies to implement an
adequate system of internal controls over their financial reporting
process.
→ Includes controls over transaction processing systems that feed
data to the financial reporting systems.
→ Management's responsibilities for this are codified in
 Sections 302 of SOX requires that corporate management
certify their organization's internal controls on a quarterly and
annual basis.
 404 of SOX requires the management of public companies
to assess the effectiveness of their organization's internal
controls.
SAS 78/COSO INTERNAL CONTROL FRAMEWORK
Five components:
1. Control environment sets the tone for the organization and
influences the control awareness of its management and employees.
The foundation for the other four control components.
Elements:
 The integrity and ethical values of management.
 The structure of the organization.
 The participation of the organization's board of directors and the
audit committee, if one exists.
 Management's philosophy and operating style.
 The procedures for delegating responsibility and authority.
 Management's methods for assessing performance.
 External influences, such as examinations by regulatory agencies.
 The organization's policies and practices for managing its human
resources.
2. Risk Assessment- to identify, analyze, and manage risks relevant
to financial reporting.
3. Information and Communication - The accounting information
system consists of the records and methods used to initiate, identify,
analyze, classify, and record the organization's transactions and to
account for the related assets and liabilities.
4. Monitoring is the process by which the quality of internal control
design and operation can be assessed. This may be accomplished by
separate procedures or by ongoing activities.
5. Control activities are the policies and procedures used to ensure
that appropriate actions are taken to deal with the organization's
identified risks.
Grouped into two distinct categories
a. IT controls relate specifically to the computer environment.
I. General controls pertain to entity-wide concerns such as
controls over the data center, organization databases,
systems development, and program maintenance.
II. Application controls ensure the integrity of specific
systems such as sales order processing, accounts payable,
and payroll applications.
b. Physical controls - this class of controls relates primarily to the
human activities employed in accounting systems. The issues
pertaining to six categories of physical control activities:
i. The purpose of transaction authorization is to
ensure that all material transactions processed by the
information system are valid and in accordance with
management's objectives
c. Segregation of Duties One of the most important control activities
is the segregation of employee duties to minimize incompatible
functions.
d. Supervision - Implementing adequate segregation of duties
requires that a firm employ a sufficiently large number of employees.
Achieving adequate segregation of duties often presents difficulties for
small organizations.
e. Accounting Records. The accounting records of an organization
consist of source documents, journals, and ledgers. These records
capture the economic essence of transactions and provide an audit
trail of economic events.
f. Access Control. The purpose of access controls is to ensure that
only authorized personnel have access to the firm’s assets.
Unauthorized access exposes assets to misappropriation, damage,
and theft. Therefore, access controls play an important role in
safeguarding assets.
g.
the accounting system to identify errors and misrepresentations.
IT APPLICATION CONTROLS
Application controls are associated with specific applications, such as
payroll, purchases, and cash disbursements systems, and fall into
three broad categories: input controls, processing controls, and
output controls.
Input controls
Input controls are programmed procedures, often called edits, which
perform tests on transaction data to ensure that they are free from
errors.
 CHECK DIGIT. Data codes are used extensively in transaction
processing systems for representing such things as customer
accounts, items of inventory, and GL accounts in the chart of
accounts.
 MISSING DATA CHECK. This edit identifies blank or incomplete
input fields that should contain data that are required to process
the transaction.
 NUMERIC-ALPHABETIC CHECK. This edit identifies when data
in a particular field are in the wrong form.
 LIMIT CHECK. Limit checks are used to identify field values that
exceed an authorized limit.
 RANGE CHECK. Many times, data have upper and lower limits to
their acceptable values.
 REASONABLENESS CHECK. The error above may be detected
by a test that determines if a value in one field, which has already
passed a limit check and a range check, is reasonable when
considered along with data in other fields of the record.
 VALIDITY CHECK. A validity check compares actual field values
against known acceptable values.
Processing Controls
Processing controls are programmed procedures to ensure that
an application’s logic is functioning properly.
 Batch controls are used to manage the flow of high volumes of
transactions through batch processing system
 Run-to-run controls use the values in the batch control record to
monitor the batch as it moves from one programmed procedure
(run) to another.
 Hash total is used in the preceding discussion, is the summation
of a nonfinancial field to keep track of the records in a batch.
 Audit Trail Controls in an IT environment ensure that every
transaction can be traced through each stage of processing from
its economic source to its presentation in financial statements.
 TRANSACTION LOGS. Every transaction the system
successfully processes should be recorded on a transaction log,
which serves as a journal.
 GFS BACKUP TECHNIQUE Systems that use sequential master
files (whether tape or disk) employ a backup technique called
grandfather-father-son (GFS), which is an integral part of the
master file update process.
Output controls
Output controls are a combination of programmed routines and
other procedures to ensure that system output is not lost,
misdirected, or corrupted and that privacy is not violated.
 PRINT PROGRAMS. When a printer becomes available, the print
run program produces hard- copy output from the output file. Print
programs are often complex systems that require operator
intervention.
 WASTE. Computer output waste is a potential source of
exposure.
 REPORT DISTRIBUTION. The primary risks associated with the
distribution of sensitive reports include their being lost, stolen, or
misdirected in transit to the user.
 END-USER CONTROLS. Once in the hands of the user, output
reports should be examined for correctness. Errors the user
detects should be reported to the appropriate IT management.
 Controlling Digital Output Digital output can be directed to the
user’s computer screen or printer. The primary output threat is the
interception, disruption, destruction, or corruption of the output
message as it passes across the communications network.