International Information Security Standards Series: SOX 404 Guidance v1.1


SOX 404 Implementation Guidance October 2003

STRICTLY FOR INTERNAL CIRCULATION ONLY

Contents

1 Sarbanes-Oxley, 2002, Section 404 (“SOX 404”)
1.1 Management’s attestation requirement under SOX 404
1.2 Management’s attestation
2 Overview of the COSO framework
2.1 COSO Framework
2.2 Components of COSO framework
3 Internal control
3.1 Who
3.2 Objective
3.3 Effective internal controls
4 IINV’s SOX 404 Framework
4.1 SOX 404 framework
4.2 Entity Assessment Questionnaires
4.3 Controls performed at the Corporate Office
4.4 Controls not documented or not formalised
5 Financial Statements and Disclosure Assertion
5.1 The Six assertions
5.2 Financial statement caption
5.3 Assertion Risk
5.4 Mitigating controls
5.5 Examples of control techniques
6 Documentation
6.1 Routine transactions
6.2 Non-routine transactions
6.3 Estimations
6.4 Informal controls
6.5 Some sources of Control Documentation
7 How to address deficiencies
8 Roles and responsibilities
8.1 Unit management
8.2 Unit Internal Assurance
8.3 External Auditors
9 Corporate Assistance
9.1 Contacts
9.2 Further guidance

Appendices

1 Management Attestation to be signed by the Unit CEO and CFO
2 Sample template for control documentation


1 Sarbanes-Oxley, 2002, Section 404 (“SOX 404”)

1.1 Management’s attestation requirement under SOX 404

The SEC rules implementing SOX 404 require that each annual report of an SEC registrant include an internal control report by management containing the following:

- A statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
- A statement identifying the framework used by management to evaluate the effectiveness of internal control over financial reporting;
- An assessment of the effectiveness of the internal control structure and procedures for financial reporting.

External auditors are required to attest to management’s assertion on the effectiveness of internal controls and procedures for financial reporting.

1.2 Management’s attestation

A sample of the attestation is given in Appendix 1 of this guidance note.


2 Overview of the COSO framework

2.1 COSO Framework

A SOX 404 assessment requires suitable criteria against which to evaluate the effectiveness of the internal control system.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an internal control framework in 1992 (“COSO Framework”). IINV has chosen the COSO Framework for the following reasons:

- In its rule implementing SOX 404, the SEC has indicated COSO as a preferred framework;
- The draft AICPA guidelines for the evaluation of internal control under SOX 404 recommend the use of the COSO Framework as the basis for the attestation;
- It is a suitable, recognised control framework developed through due process, including public comment.

The COSO Framework is illustrated below:
