International Information Security Standards Series: SOX 404 Guidance v1 1


SOX 404: Contents of the Sarbanes-Oxley Act and How It Is Implemented

1. Background to the enactment of SOX 404 (the Sarbanes-Oxley Act)

After the financial fraud scandals at Enron, WorldCom and others, people lost confidence in the financial markets and lost trust in companies' accounting records and reporting activities. In response, the U.S. Congress enacted the Public Company Accounting Reform and Investor Protection Act of 2002 in July 2002.

The Act requires listed companies to establish new practices for corporate governance and financial reporting.

The Act was jointly sponsored by Oxley, chairman of the House Financial Services Committee, and Sarbanes, chairman of the Senate Banking Committee, and is therefore also known as the Sarbanes-Oxley Act of 2002 (Sarbanes Oxley (2002) Regulations).

The Sarbanes-Oxley Act is one of the laws with the broadest impact on listed companies.

The Act is intended to protect the shareholders of companies whose stock trades on U.S. securities exchanges and to increase the accountability of those companies' decision-makers.

2. What does SOX 404 specifically require?

Section 404 of the Sarbanes-Oxley Act requires every company listed in the United States to disclose, in its annual report, management's assessment of the effectiveness of the company's internal control over financial reporting for that year.

At the same time, the external auditor must issue an audit opinion on the effectiveness of the listed company's internal control over financial reporting.

The assessment report must include the following:

● Management is responsible for establishing and maintaining adequate internal control over financial reporting for the company.

● Identification of the internal control framework management uses to evaluate, as required, the effectiveness of the company's internal control over financial reporting.

● An assessment of the effectiveness of internal control over financial reporting as of the end of the most recent fiscal year, including a public statement as to whether internal control over financial reporting is effective.

● In the annual audit report, the financial audit report issued by the registered public accounting firm, including an attestation report on management's assessment of the effectiveness of internal control over financial reporting.

● Management's written conclusion on the effectiveness of the company's internal control over financial reporting, which should be included both in its report on internal control over financial reporting and in its representation letter to the auditor. This written conclusion may take various forms, but management must express a direct opinion on the effectiveness of the company's internal control over financial reporting.

● If there are one or more material weaknesses in internal control over financial reporting, management cannot conclude that internal control over financial reporting is effective; moreover, management must disclose all material weaknesses in internal control over financial reporting as of the end of the most recent fiscal year.

How Data Backup Should Meet SOX 404

[...] the requirements of the Sarbanes-Oxley Act. The fear brought on by the Enron affair and the events of 9/11 has not yet faded. Reviewing the enterprise's rules and procedures and working out how to control the risk of IT systems has become the largest part of CIOs' daily work. Below, the author takes data backup as the main example and describes what has to be done to meet SOX 404.

III. Determining the backup objects of information systems

Setting work objectives

The IT department should communicate with the business departments to confirm the backup objects, the maximum tolerable downtime and the maximum tolerable data loss, and formulate the backup strategy on that basis. Critical systems should each have a separately formulated backup strategy, and a backup administrator should be designated for each such system, responsible for implementing the content of the backup strategy and ensuring the security of the backup data; for the remaining systems the IT department is responsible for formulating backup measures and for ensuring the security of the backed-up data. The following should also be determined [...]

[...] the impact on business activities and the estimated urgency of a failure of each system, and set different backup strategies accordingly.

3. The backup strategy must include rules for the storage of backup media.
4. The backup strategy must define the numbering method or naming convention for backups.
5. The backup strategy must specify the method for periodic checking of backup media.
6. The backup strategy should specify how backup logs are produced and retained.
7. The backup strategy should include an off-site backup strategy.

IV. Minimum technical requirements for data security

4. Those who execute backups or restores should report backup failures of the information systems promptly to the relevant technical support team, in accordance with the rules.
5. The relevant technical support team should resolve the backup and restore requests raised by information-system users promptly and effectively, and keep detailed processing records.
6. The unit in charge of information should periodically review and update the information-system backup management rules and the related backup strategies, to ensure that the information-system backup rules are complete and effectively executed.

Latest Analysis of SOX Internal Controls

Internal control measures adopted by General Motors

● The implementation toolkit examines five main cycles:
1. Expenditure cycle: purchasing, receiving, accounts payable, payroll and cash reimbursement;
2. Production cycle: inventory, cost of sales, scrap, tooling, property, plant and machinery and equipment;
3. Revenue cycle: order entry, credit approval, invoicing, sales returns and allowances, other operating revenue, receivables, shipping, customer master maintenance, long-term price reduction agreements and non-cash adjustments;
4. Accounting and reporting cycle: accounting policies, financial statement preparation, general ledger accounting;
5. Accounting information systems.

● Exception reports must be produced for problems and control weaknesses found in the implementation toolkit.
1. Compensating control measures: for problems found in the implementation toolkit that are "not applicable" to the company, compensating control measures must be proposed. Compensating control measures include an analysis of the nature of the problem, the area of responsibility, the responsible person and the target completion date.
2. Corrective actions: for exception problems found in the implementation toolkit, corrective actions must be taken. Every question raised by the implementation toolkit has three possible answers: Yes, Not applicable, No. "Yes" corresponds to the standard process provided by consultants engaged by General Motors; that standard process fully takes into account the internal control weaknesses that may arise in the company's business processing and designs key control points against them. "Not applicable" means that localisation has prevailed over internationalisation; for questions "not applicable" to the company, compensating control measures must be proposed. "No" indicates that the company's business process has an obvious internal control weakness; the company must take corrective action, including an analysis of the nature of the problem, the area of responsibility, the responsible person and the target completion date, and must report progress to headquarters monthly.
4. Determine whether the deficiencies found in the internal control system constitute a significant deficiency or a material weakness, communicate the major findings of internal control system deficiencies with the relevant parties, and assess whether these major findings are consistent with the assessment results.

Internal control self-test: borrowing and expense reimbursement procedures

1. When a handler needs to borrow money because an invoice or receipt cannot be obtained in advance, a borrowing slip should be completed, stating in detail the borrowing date, purpose, amount and borrower; if a cheque is issued, the counterparty's name, bank and account number must also be stated; where the unit or amount cannot be determined, a limit should be noted; any alteration to the amount field renders it invalid;

Impact of Section 404 of the Sarbanes-Oxley Act on Chinese Listed Companies

Introduction

The U.S. Sarbanes-Oxley Act (SOX) is a law passed to restore trust in the financial reporting of public companies.

SOX imposes strict requirements on the financial disclosure and internal controls of U.S. companies, but it has also had a certain impact on Chinese listed companies.

This article discusses the impact of Section 404 of SOX on Chinese listed companies.

Contents and requirements of Section 404 of SOX

Section 404 of SOX concerns internal control: it requires a company's management to assess its internal control over financial reporting and to certify the effectiveness of those internal controls.

The specific requirements include:
1. Company management must conduct a comprehensive assessment of its internal control over financial reporting, including the effectiveness of its design and implementation;
2. The company must provide and publicly disclose the results of its assessment of internal control over financial reporting;
3. The company's annual report must be accompanied by an assessment report on internal control issued by an independent registered public accounting firm.

Impact of Section 404 of SOX on Chinese listed companies

For Chinese listed companies, Section 404 of SOX has had an impact in the following respects:

1. Strengthened internal controls: Chinese listed companies need to strengthen the assessment and implementation of their internal control over financial reporting. This involves the company formulating and executing a series of rules and processes to ensure the reliability and accuracy of financial reports. Internal audit and risk control also need to be strengthened and improved.

2. Increased costs: because Section 404 of SOX sets stricter internal control requirements, Chinese listed companies have to spend more human and financial resources to assess and maintain their internal control systems. This increases the company's operating costs.

3. Greater market trust: Section 404 of SOX sets higher requirements for the transparency of financial reporting, which helps strengthen investors' trust in Chinese listed companies. This can improve the international image of Chinese listed companies and attract more international investment.

The Chinese government's response to Section 404 of SOX

The Chinese government has also recognised the impact of Section 404 of the Sarbanes-Oxley Act on Chinese listed companies and has taken a series of measures in response:

1. Strengthened supervision: the China Securities Regulatory Commission supervises listed companies' internal controls and financial reporting more closely, strengthening day-to-day oversight and inspection of companies to ensure that their financial reports are truthful and reliable.

2. Building systems: the Chinese government actively promotes the establishment of sound internal control systems by listed companies, strengthening internal audit and risk control systems and raising companies' level of financial management.

404 Sarbanes-Oxley Act

Responsibilities of Internal Auditors under Sections 302 and 404 of the U.S. Sarbanes-Oxley Act (excerpt)

Contents
I. Overview
II. Purpose
III. Background
IV. Summary of the phases, work and main responsibilities in 404 compliance work
V. Summary of the roles of the audit committee, management and the external auditor
(1) Audit committee
(2) Management
(3) External auditor
VI. Recommended roles for internal audit
(1) Project oversight
(2) Consulting and project support
(3) Ongoing monitoring and testing
(4) Project audit
VII. Judgement in practice
(1) A source of advice
(2) A capable assistant to management in completing documentation or testing
(3) Acting as project management
(4) Providing internal control training or information
(5) Initiating control self-assessment
(6) Certifying the disclosure procedures
VIII. How to handle impairments to internal audit objectivity

I. Overview

As companies gradually carry out compliance work for the Sarbanes-Oxley Act (hereafter "SOX"), internal audit also encounters a series of questions about its position and work within that compliance effort.

Under the requirements of Section 404, management must establish and improve internal control over financial reporting and evaluate it, while the external auditor must re-evaluate that evaluation.

Section 302 requires management not only to evaluate internal control related to financial reporting every quarter, but also to evaluate disclosure controls and procedures.

Ensuring compliance with Sections 302 and 404 of SOX and its other provisions is a responsibility that company management cannot shirk.

Helping management fulfil those responsibilities is the responsibility of internal audit.

Participating in the company's 404 compliance work is an important part of internal audit's work, but that work must be consistent with internal audit's overall objectives and charter.

Whatever the level and nature of internal audit's involvement in 404 compliance work, it should not compromise internal audit's objectivity or its function of monitoring the company's major risk areas.

Introduction to SOX 404 Implementation

Introduction to the SOX 404 Implementation Method and Process
Project Office, June 2007

Outline
Overview; Company-level testing; IT-level testing; Business-process-level testing

Overview: purpose, value and limitations of 404 testing
Purpose: assess the effectiveness of internal controls related to financial reporting, to satisfy listing regulatory requirements.
Value: safeguard the reasonableness and accuracy of the financial statements; identify the risks related to financial reporting; uncover internal control weaknesses and promote a sound internal control system; establish standardised procedures and methods for internal control assessment.

Scope of internal control addressed by Section 404 of the Sarbanes-Oxley Act
Five components: control environment, risk assessment, control activities, information and communication, monitoring (mapped against organisation and function).
Internal audit attention arising from Section 404, as distinct from internal audit beyond the Section 404 requirements.
Reference: AICPA auditing standard AU 319, definition of internal audit (paragraph 13).

Determining the internal control framework
Combining the COSO framework with the company's actual internal control situation, establish CNOOC's internal control framework.
CNOOC internal control framework, by organisation and function: company-level controls; business process controls; IT management controls.
Before 404: Finance Department rules, Sales Department rules, Human Resources Department rules, budgeting, planning, ...

Implementation method and steps
Determine the internal control framework; select the implementation scope; document and record processes; test control effectiveness; evaluate and remediate deficiencies; prepare the internal control report.

Selecting the implementation scope
Significant business processes are determined by "materiality level": amount (5% of profit) or significant by nature.
The implementation scope and focus areas are confirmed by materiality level. Entities: CNOOC Limited; CNOOC China Limited; CNOOC (Singapore) Limited; CNOOC International Limited. Locations: Zhanjiang, Tianjin, Shanghai, Shenzhen, Indonesia, Canada, Nigeria, Australia, Myanmar, ... Each entity is marked as full testing, partial testing, or outside the 404 scope.
Test coverage: 97% of total assets, 100% of revenue.

IT-level testing
Test areas: company-level IT controls; IT general controls (including development, change, operations and maintenance, access security, spreadsheet calculations); IT application controls. Number of control points: 1142.
Key objects: 2 application systems (ORACLE, MAXIMO), 3 operating systems (Solaris\winNT\win 2000 server), 1 database (ORACLE) and the security management system (NOKIA firewalls, CISCO routers), etc.
Test frequency: (not given)

Business-process-level testing: example
Location: Beijing
Significant process: HQ_C1 Sales and receivables
Sub-process: HQ_C1.1A Customer database and credit management
Owner: 郑保国, General Manager, Sales Department
Sub-process owners: 刘俊侠, Risk Control Manager, Treasury and Financing Department; 黄晓峰, General Manager, Treasury and Financing Department
Process name: HQ_C1 Sales management
Control objective: ensure that the customers sold to are trustworthy and valid.
Risk factor: sales to fictitious customers or to customers with poor credit.
Actual control: HQ_c1.1a.1 The company's "Credit Risk Management Rules" set out rules for customers and their credit management, including procedures for approving new customers, monitoring credit risk and tracking receivables.
Test conclusion: effective.
Joint Risk Committee

OECD 404 Standard

Introduction to the OECD 404 standard

The OECD 404 standard is an important guideline formulated by the Organisation for Economic Co-operation and Development (OECD), intended to ensure that enterprises comply with environmental norms and ethical standards when conducting trade and investment activities. This standard is widely recognised as one of the benchmarks of global corporate social responsibility.

The OECD 404 standard requires enterprises to do their utmost to avoid harmful impacts on the environment in their business activities. It covers many aspects, including environmental impact assessment, resource management, waste disposal, land use and ecosystem protection. Enterprises need to ensure that the actions they take conform to best practice, so as to reduce unavoidable environmental harm and improve environmental performance.

Compliance with the OECD 404 standard brings enterprises multiple benefits.

First, it helps build a good corporate reputation. By complying with environmental norms, an enterprise can present itself as a responsible citizen and an advocate of sustainable development. Such an image can attract customers, investors and partners, bringing business opportunities and competitive advantage.

Second, compliance with the OECD 404 standard helps reduce an enterprise's environmental risk. Environmental problems can not only lead to litigation and fines, but can also have long-term, irreversible effects on an enterprise's operations. By strictly complying with the standard, an enterprise can reduce the occurrence of environmental accidents and violations and lower potential financial and reputational losses.

In addition, compliance with the OECD 404 standard helps advance the achievement of sustainable development goals. The standard encourages enterprises to adopt clean production technologies and renewable energy, reduce greenhouse gas emissions, protect biodiversity and promote the recycling of resources. Through such measures, enterprises can contribute to global environmental protection and work towards sustainable economic development.

In summary, the OECD 404 standard is an important reference framework for enterprises, providing concrete guidance on following environmental ethics and norms in trade and investment activities. Compliance with this standard not only helps build corporate reputation and reduce environmental risk, but can also advance sustainable development goals. Enterprises should therefore take the OECD 404 standard seriously and actively fulfil each of its requirements.

SOX 404: Critical Business System Data Management Rules (Word)

Version page
Title: Information Technology Management Rules
Subject: Critical Business System Data Management Rules
Document No.:
Version notes:

Critical Business System Data Management Rules

Section 1: General provisions

These rules are formulated to standardise data management work and to reduce the risk of data being illegitimately generated, altered, leaked, lost or destroyed.

In these rules, "data" means the various business and financial data held in information systems.

Data management as referred to in these rules covers data modification, import and extraction, the assurance of data authenticity during data processing, and internal and external data transmission.

Section 2: Data retention management

Business data of all kinds related to financial reporting must be retained for 10 years.

Important business data must be kept physically secure: the media on which the data are stored must be kept in a secure place, and unauthorised personnel may not access them.

For the management of data backups, see the "Backup Management Rules".

Section 3: Data import and modification

Data import means the operation by which IT personnel designated by the Information Technology Department, at the request of the data-owning department, import data into the production environment through the back-end database.

For automatic data imports that occur in batch processing, see the relevant content of the "Batch Processing Operation Management and Monitoring Rules".

Data modification means modifications made in the back-end database, by IT personnel designated by the Information Technology Department at the request of the data-owning department, to data in the company's information systems.

Data modification includes both modification of data content and changes to database structure.

The data-owning department submits a "Data Import/Modification/Extraction Request Form" (Attachment 1). The form must describe specifically the reason for and content of the import or modification, and must be approved by the head of the data-owning department.

On receiving the request form, the system administrator (who also holds the database superuser role) should verify its content again with the requesting department; for a data import request, the source of the data to be imported is checked to ensure that it is valid and safe. The administrator then analyses the feasibility and consequences of the import or modification and, if it can proceed, goes on to provide an import/modification plan.

The plan must provide the method for checking accuracy and completeness and the procedure for handling erroneous data entry or modification.

Finally, these results are submitted to the IT systems manager for approval.

The IT systems manager decides whether to accept the data import/modification request on the basis of the system administrator's opinion.

If the request is not accepted, the reasons are given and the requesting department is informed; if it is accepted, it must further be determined, according to the complexity of the import/modification plan, whether testing in a test environment is needed first, to ensure the accuracy of the data import/modification plan.

SOX 404 Compliance Guide (Small Companies) [1]

SECURITIES AND EXCHANGE COMMISSION
17 CFR PARTS 210, 228, 229, 240 and 249
[RELEASE NOS. 33-8760; 34-54942; File No. S7-06-03]
RIN 3235-AJ64
INTERNAL CONTROL OVER FINANCIAL REPORTING IN EXCHANGE ACT PERIODIC REPORTS OF NON-ACCELERATED FILERS AND NEWLY PUBLIC COMPANIES

AGENCY: Securities and Exchange Commission.

ACTION: Final rule; extension of compliance dates; request for comment on Paperwork Reduction Act burden estimates.

SUMMARY: We are extending further for smaller public companies the dates that were published on September 29, 2005, in Release No. 33-8618 [70 FR 56825], for their compliance with the internal control reporting requirements mandated by Section 404 of the Sarbanes-Oxley Act of 2002. Under the extension, a non-accelerated filer is not required to provide management's report on internal control over financial reporting until it files an annual report for its first fiscal year ending on or after December 15, 2007. If we have not issued additional guidance for management on how to complete its assessment of internal control over financial reporting in time to be of sufficient assistance in connection with annual reports filed for fiscal years ending on or after December 15, 2007, we will consider whether we should further postpone this date. A non-accelerated filer is not required to file the auditor's attestation report on internal control over financial reporting until it files an annual report for its first fiscal year ending on or after December 15, 2008. We will consider further postponing this date after we consider the anticipated revisions to Auditing Standard No. 2. Management's report included in a non-accelerated filer's annual report during the filer's first year of compliance with the Section 404(a) requirements will be deemed "furnished" rather than filed. Management's report for foreign private issuers filing on Form 20-F or 40-F that are accelerated filers (but not large accelerated filers) also will be deemed furnished rather than filed for the year that such issuers are only required to provide management's report. Companies that only provide management's report during their first year of compliance in accordance with our rules must state in the annual report that the report does not include the auditor's attestation report and that the company's registered public accounting firm has not attested to management's report on the company's internal control over financial reporting.

We also are adopting amendments that provide for a transition period for a newly public company before it becomes subject to the internal control over financial reporting requirements. Under the new amendments, a company will not become subject to these requirements until it either had been required to file an annual report for the prior fiscal year with the Commission or had filed an annual report with the Commission for the prior fiscal year. A newly public company is required to include a statement in its first annual report that the annual report does not include either management's assessment on the company's internal control over financial reporting or the auditor's attestation report.

DATES: Effective Date: The effective date published on June 18, 2003, in Release No. 33-8238 [68 FR 36636], remains August 14, 2003. The effective date of this document is [insert 60 days after publication in the Federal Register] except Temporary §210.2-02T(c), Temporary §228.308T, Temporary §229.308T, Temporary Item 15T of Form 20-F (§249.220f), Temporary Instruction 3T of General Instruction B(6) of Form 40-F (§249.240f), Temporary Item 4T of Form 10-Q (§249.308a), Temporary Item 3A(T) of Form 10-QSB (§249.308b), Temporary Item 9A(T) of Form 10-K (§249.310), and Temporary Item 8A(T) of Form 10-KSB (§249.310b) are effective from [insert 60 days after publication in the Federal Register] to June 30, 2009. Temporary §210.2-02T(a) remains effective from September 14, 2006 to December 31, 2007.

Compliance Dates: The compliance dates are extended as follows: A company that does not meet the definition of either an "accelerated filer" or a "large accelerated filer," as these terms are defined in Rule 12b-2 under the Securities Exchange Act of 1934, is not required to comply with the requirement to provide management's report on internal control over financial reporting until it files an annual report for its first fiscal year ending on or after December 15, 2007. Non-accelerated filers must begin to comply with the provisions of Exchange Act Rule 13a-15(d) or 15d-15(d), whichever applies, requiring an evaluation of changes to internal control over financial reporting requirements with respect to the company's first periodic report due after the first annual report that must include management's report on internal control over financial reporting. The extended compliance also applies to the amendments of Exchange Act Rule 13a-15(a) or 15d-15(a) relating to the maintenance of internal control over financial reporting. We also are extending the compliance date to permit a non-accelerated filer to omit the portion of the introductory language in paragraph 4 as well as language in paragraph 4(b) of the certification required by Exchange Act Rules 13a-14(a) and 15d-14(a) that refers to the certifying officers' responsibility for designing, establishing and maintaining internal control over financial reporting for the company, until it files an annual report that includes a report by management on the effectiveness of the company's internal control over financial reporting.

A company that does not meet the definition of either an accelerated filer or a large accelerated filer is not required to comply with the requirement to provide the auditor's attestation report on internal control over financial reporting until it files an annual report for its first fiscal year ending on or after December 15, 2008. Furthermore, until this type of company becomes subject to the auditor attestation report requirement, the registered public accounting firm retained by the company need not comply with the obligation in Rule 2-02(f) of Regulation S-X. Rule 2-02(f) requires every registered public accounting firm that issues or prepares an accountant's report that is included in an annual report filed by an Exchange Act reporting company (other than a registered investment company) containing an assessment by management of the effectiveness of the company's internal control over financial reporting to attest to, and report on, such assessment.

Comment Date: Comments regarding the collection of information requirements within the meaning of the Paperwork Reduction Act of 1995 should be received on or before [insert 30 days after the date of publication in the Federal Register].

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments:
• Use the Commission's Internet comment form (/rules/final.shtml);
• Send an e-mail to rule-comments@. Please include File Number S7-06-03 on the subject line; or
• Use the Federal Rulemaking Portal (). Follow the instructions for submitting comments.

Paper Comments:
• Send paper comments in triplicate to Nancy M. Morris, Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-06-03. This file number should be included on the subject line if e-mail is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site (/rules/final.shtml). Comments are also available for public inspection and copying in the Commission's Public Reference Room, 100 F Street, NE, Washington, DC 20549. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

FOR FURTHER INFORMATION CONTACT: Sean Harrison, Steven G. Hearne, or Katherine Hsu, Special Counsels, Office of Rulemaking, Division of Corporation Finance, at (202) 551-3430, U.S. Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-3628.

SUPPLEMENTARY INFORMATION:

We are amending certain internal control over financial reporting requirements in Rules 13a-14,[1] 13a-15,[2] 15d-14,[3] and 15d-15[4] under the Securities Exchange Act of 1934,[5] Item 308 of Regulations S-K[6] and S-B,[7] Item 15 of Form 20-F,[8] General Instruction B(6) of Form 40-F,[9] and Rule 2-02(f)[10] of Regulation S-X.[11] We also are adding the following temporary provisions: Rule 2-02T of Regulation S-X, Item 308T of Regulations S-K and S-B, Item 3A(T) of Form 10-QSB, Item 4T of Form 10-Q, Item 8A(T) of Form 10-KSB, Item 9A(T) of Form 10-K, Item 15T of Form 20-F, and Instruction 3T of General Instruction B(6) of Form 40-F.

I. Background

On June 5, 2003,[12] the Commission adopted several amendments to its rules and forms implementing Section 404 of the Sarbanes-Oxley Act of 2002.[13] Among other things, these amendments require companies, other than registered investment companies, to include in their annual reports filed with us a report of management, and an accompanying auditor's attestation report, on the effectiveness of the company's internal control over financial reporting, and to evaluate, as of the end of each fiscal quarter, or year in the case of a foreign private issuer filing its annual report on Form 20-F or Form 40-F, any change in the company's internal control over financial reporting that occurred during the period that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.

Under the compliance dates that we originally established, companies meeting the definition of an "accelerated filer" in Exchange Act Rule 12b-2[14] would have become subject to the internal control reporting requirements with respect to the first annual report that they filed for a fiscal year ending on or after June 15, 2004. Non-accelerated filers[15] would not have become subject to the requirements until they filed an annual report for a fiscal year ending on or after April 15, 2005. The Commission provided a lengthy compliance period for these requirements in light of the substantial time and resources needed by companies to implement the rules properly.[16] In addition, we believed that a corresponding benefit to investors would result from an extended transition period that allowed companies to implement the new requirements carefully, and noted that an extended period would provide additional time for the Public Company Accounting Oversight Board (the PCAOB) to consider relevant factors in determining and implementing new attestation standards for registered public accounting firms.[17]

In February 2004, we extended the compliance dates for accelerated filers to fiscal years ending on or after November 15, 2004, and for non-accelerated filers and for foreign private issuers to fiscal years ending on or after July 15, 2005.[18] The primary purpose of this extension was to provide additional time for companies' auditors to implement Auditing Standard No. 2, which the PCAOB had issued in final form in June 2004.[19]

In March 2005, we approved a further one-year extension of the compliance dates for non-accelerated filers and for all foreign private issuers filing annual reports on Form 20-F or 40-F in view of the efforts by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") to provide more guidance on how the COSO framework on internal control can be applied to smaller public companies.[20] We also acknowledged the significant efforts being expended by many foreign private issuers to apply the International Financial Reporting Standards.

Most recently, in September 2005, we again extended the compliance dates for the internal control over financial reporting requirements applicable to companies that are non-accelerated filers.[21] Based on the September 2005 extension, domestic and foreign non-accelerated filers were scheduled to comply with the internal control over financial reporting requirements beginning with annual reports filed for their first fiscal year ending on or after July 15, 2007. This extension was based primarily on our desire to have the additional guidance in place that COSO had begun to develop to assist smaller companies in applying the COSO framework. In addition, the extension was consistent with a recommendation made by the SEC Advisory Committee on Smaller Public Companies.

Since we granted that extension last year, a number of events related to internal control over financial reporting assessments have occurred. Most recently, on July 11, 2006, COSO and its Advisory Task Force issued Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting.[22] The guidance is intended to assist the management of smaller companies in understanding and applying the COSO framework. It outlines 20 fundamental principles associated with the five key components of internal control described in the COSO framework, defines each principle, describes a variety of approaches that smaller companies can use to apply the principles to financial reporting, and includes examples of how smaller companies have applied the principles.

In addition, on April 23, 2006, the SEC Advisory Committee on Smaller Public Companies submitted its final report to the Commission.[23] The final report includes recommendations designed to address the potential impact of the internal control reporting requirements on smaller public companies. Specifically, the Advisory Committee recommended that certain smaller public companies be provided exemptive relief from the management report requirement and from external auditor involvement in the Section 404 process under certain conditions unless and until a framework for assessing internal control over financial reporting is developed that recognizes the characteristics and needs of these companies.

In April 2006, the U.S. Government Accountability Office (GAO) issued a report entitled Sarbanes-Oxley Act, Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies.[24] This report recommended that the Commission consider whether the currently available guidance, particularly the guidance on management's assessment, is sufficient or whether additional action is needed to help companies comply with the internal control over financial reporting requirements. The report indicates that management's implementation and assessment efforts were largely driven by Auditing Standard No. 2 because guidance at a similar level of detail was not available for management's implementation and assessment process. Furthermore, the report recommended that the Commission coordinate its efforts with the PCAOB so that the Section 404-related audit standards and guidance are consistent with any additional guidance applicable to management's assessment of internal control over financial reporting.[25]

Finally, on May 10, 2006, the Commission and the PCAOB sponsored a roundtable to elicit feedback from companies, their auditors, board members, investors, and others regarding their experiences during the accelerated filers' second year of compliance with the internal control over financial reporting requirements.[26] Several of the comments provided at, and in connection with, the roundtable suggested that additional management guidance would be useful, particularly for smaller public companies, and also expressed support for revisions to the PCAOB's Auditing Standard No. 2.[27]

II. Extension of Internal Control Reporting Compliance Dates for Non-Accelerated Filers

On May 17, 2006, the Commission and the PCAOB each announced a series of actions that they intended to take to improve the implementation of the Section 404 internal control over financial reporting requirements.[28] These actions included:
• Issuance of a concept release[29] soliciting comment on a variety of issues that might be included in future Commission guidance for management to assist in its performance of a top-down, risk-based assessment of internal control over financial reporting;
• Consideration of additional guidance from COSO;
• Revisions to Auditing Standard No. 2;
• Reinforcement of auditor efficiency through PCAOB inspections and Commission oversight of the PCAOB's audit firm inspection program;
• Development, or facilitation of development, of implementation guidance for auditors of smaller public companies;
• Continuation of PCAOB forums on auditing in the small business environment; and
• Provision of an additional extension of the compliance dates of the internal control reporting requirements for non-accelerated filers.

Consistent with this announcement, on August 9, 2006, we proposed to extend further the date for complying with the internal control over financial reporting requirements for domestic and foreign non-accelerated filers.[30] Approximately 44% of domestic companies filing periodic reports are non-accelerated filers, and an estimated 38% of the foreign private issuers subject to Exchange Act reporting are non-accelerated filers.[31] Prior to today's actions, non-accelerated filers were scheduled to begin complying with the management report requirement in Item 308(a) of Regulations S-K and S-B and the auditor attestation requirement in Item 308(b) of Regulations S-K and S-B for their fiscal years ending on or after July 15, 2007. We proposed to postpone for five months (from fiscal years ending on or after July 15, 2007 to fiscal years ending on or after December 15, 2007) the date by which non-accelerated filers must begin to include management's report. We also proposed to extend the compliance date for a non-accelerated filer regarding the auditor attestation report requirement for 17 months -- until it files an annual report for a fiscal year ending on or after December 15, 2008.[32]

Furthermore, in a separate release also issued on August 9, 2006, we adopted an extension of the date for complying with the auditor attestation requirement for foreign private issuers that meet the Exchange Act definition of an accelerated filer, but not a large accelerated filer, and that file their annual reports on Form 20-F or 40-F, so that such issuers would not be subject to the auditor attestation requirement until a year after they first begin complying with the management report requirement.[33]

We received letters from a total of 36 commenters on the proposed extension of the internal control over financial reporting compliance dates for non-accelerated filers.[34] Thirty-five of these commenters generally supported the proposed extension.[35] Many of these commenters believed that the extension would reduce compliance costs for smaller companies and provide them with additional time to develop best practices for compliance and greater efficiencies in preparing management reports.[36] Some commenters suggested that the Commission extend the compliance date associated with the management report requirement for an even longer period of time than proposed.[37] The commenter that did not express support for the proposed extension opposed, in particular, the 17-month extension of the auditor attestation compliance date.[38]

We are adopting the extension of the compliance dates substantially as proposed. In response to public comment, we are adding a requirement that a non-accelerated filer clearly disclose in management's report that management's assessment of internal control has not been attested to by the auditor, if it is providing only management's report during its first year of compliance with the Section 404 requirements.[39]

Some commenters suggested that the Commission broaden the scope of relief so that the extended compliance dates would still cover companies that currently are non-accelerated filers even if they become accelerated filers or large accelerated filers before December 15, 2008.[40] We are not adopting this relief as proposed. Consistent with the Exchange Act Rule 12b-2 definition of an accelerated filer and of a large accelerated filer, companies should determine their accelerated filing status at the end of the fiscal year in order to determine whether the extension is applicable to them.

Pursuant to the extension, a non-accelerated filer must begin to provide management's report on internal control over financial reporting in an annual report it files for its first fiscal year ending on or after December 15, 2007.[41] Non-accelerated filers must begin to comply with the provisions of Exchange Act Rule 13a-15(d) or 15d-15(d),[42] whichever applies, requiring an evaluation of changes to internal control over financial reporting requirements with respect to the company's first periodic report due after the first annual report that must include management's report on internal control over financial reporting. The extended compliance date also applies to the amendments of Exchange Act Rule 13a-15(a) or 15d-15(a)[43] relating to the maintenance of internal control over financial reporting. Under the extension, a non-accelerated filer must begin to provide the auditor attestation report in the annual report it files for its first fiscal year ending on or after December 15, 2008. We believe that these changes will make the internal control reporting process more efficient and effective, while preserving the intended benefits of the internal control over financial reporting provisions to investors.

Footnotes

[1] 17 CFR 240.13a-14.
[2] 17 CFR 240.13a-15.
[3] 17 CFR 240.15d-14.
[4] 17 CFR 240.15d-15.
[5] 15 U.S.C. 78a et seq.
[6] 17 CFR 229.10 et seq.
[7] 17 CFR 228.10 et seq.
[8] 17 CFR 249.220f.
[9] 17 CFR 249.240f.
[10] 17 CFR 210.2-02(f).
[11] 17 CFR 210.1-01 et seq.
[12] See Release No. 33-8238 (June 5, 2003) [68 FR 36636].
[13] 15 U.S.C. 7262.
[14] 17 CFR 240.12b-2.
[15] Although the term "non-accelerated filer" is not defined in our rules, we use it throughout this release to refer to an Exchange Act reporting company that does not meet the Exchange Act Rule 12b-2 definitions of either an "accelerated filer" or a "large accelerated filer."
[16] See Release No. 33-8238.
[17] Under the Sarbanes-Oxley Act, the PCAOB was granted authority to set auditing and attestation standards for registered public accounting firms.
[18] See Release No. 33-8392 (Feb. 24, 2004) [69 FR 9722].
[19] See Release No. 34-49884 File No. PCAOB 2004-03 (June 17, 2004) [69 FR 35083]. Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Connection with an Audit of Financial Statements, provides the professional standards and related performance guidance for independent auditors to attest to, and report on, management's assessment of the effectiveness of companies' internal control over financial reporting.
[20] Release No. 33-8545 (Mar. 2, 2005) [70 FR 11528].
[21] See Release No. 33-8618 (Sept. 22, 2005) [70 FR 56825].
[22] See SEC Press Release No. 2006-114 (July 11, 2006) at /news/press/2006/2006-114.htm.
[23] See Final Report of the Advisory Committee on Smaller Public Companies to the United States Securities and Exchange Commission (Apr. 23, 2006), available at /info/smallbus/acspc.shtml.
[24] U.S. Govt. Accountability Office, Report to the Committee on Small Business and Entrepreneurship, U.S. Senate: Sarbanes-Oxley Act: Consideration of Key Principles Needed in Addressing Implementation for Smaller Public Companies (April 2006).
[25] See GAO Report at 52-53, 58.
[26] Materials related to the roundtable, including an archived broadcast and a transcript of the roundtable, are available on-line at /spotlight/soxcomp.htm.
[27] See, for example, letters from the Biotech Industry Association, American Electronics Association, Emerson Electric Institute, U.S. Chamber of Commerce and Joseph A. Grundfest. These letters are available in File No. 4-511, at /news/press/4-511.shtml.
[28] See SEC Press Release 2006-75 (May 17, 2006), "SEC Announces Next Steps for Sarbanes-Oxley Implementation" and PCAOB Press Release (May 17, 2006), "Board Announces Four-Point Plan to Improve Implementation of Internal Control Reporting Requirements."
[29] Release No. 34-54122 (July 11, 2006) [71 FR 40866].
[30] Release No. 33-8731 (Aug. 9, 2006) [71 FR 47060].
[31] The percentage of domestic filing companies, excluding Investment Company Act of 1940 filers, that is categorized as non-accelerated filers is based on public float where available (or market capitalization, otherwise) from Datastream as of December 31, 2005. The estimated percentage of foreign private issuers that are non-accelerated filers is based on market capitalization data from Datastream as of December 31, 2005.
[32] We also proposed and are extending the compliance dates for the auditor attestation report requirement appearing in Item 15(c) of Form 20-F and General Instruction B(6) of Form 40-F with respect to foreign private issuers that are non-accelerated filers.
[33] Release No. 33-8730A (Aug. 9, 2006) [71 FR 47056].
[34] The public comments we received are available for inspection in the Commission's Public Reference Room at 100 F Street, NE, Washington DC 20549 in File No. S7-06-03. They are also available on-line at /rules/proposed/s70603.shtml.
[35] See letters from American Bar Association (ABA), American Bankers Association, America's Community Bankers (ACB), American Institute of Certified Public Accountants (AICPA), BDO Seidman, LLP (BDO), Biotechnology Industry Organization and eight other commenters (BIO), Callidus Software Inc. (Callidus), Calix Networks, Inc. (Calix), Core-Mark International, Inc. (Core-Mark), Cravath, Swaine & Moore LLP (Cravath), Davis Polk & Wardwell (Davis Polk), Deloitte Touche LLP (Deloitte), Ernst & Young (E&Y), Financial Executives International (FEI), James Finn (J. Finn), Grant Thornton LLP (Grant Thornton), Graybar Electric (Graybar), Hermes Equity Ownership Services Ltd. (Hermes), Independent Community Bankers of America (ICBA), Idaho Independent Bank (IIB), IncrediMail Ltd., Institute of Public Auditors of Germany (IDW), Key Technology (Key), KPMG LLP (KPMG), LaCrosse Footwear, Inc. (LaCrosse), Congressman Stephen F. Lynch (Congressman Lynch), George Merkl (G. Merkl), MOCON, Inc. (MOCON), National Venture Capital Association (NVCA), PricewaterhouseCoopers LLP (PwC), Priority Fulfillment Services, Inc. (PFS), The Office of Advocacy of the Small Business Administration (SBA), Telecommunications Industry Association (TIA), Village Super Market, Inc. (Village) and Washington Legal Foundation.
[36] See, for example, letters from Core-Mark, FEI, J. Finn, Graybar, and Village.
[37] See, for example, letters from ABA, ACB, Davis Polk, ICBA, and MOCON.
[38] See letter from Council of Institutional Investors (CII). This commenter indicated that it would not oppose one additional modest extension of the compliance date for the internal control over financial reporting requirements for non-accelerated filers.
[39] See paragraph 4 of Item 308T of Regulations S-K and S-B, paragraph 4 of Item 15T of Form 20-F, and Instruction 3T of General Instruction B(6) of Form 40-F.
[40] See letters from Callidus, Core-Mark, IIB, PFS, and Village.
[41] While the definition of an accelerated filer in Exchange Act Rule 12b-2 previously has had applicability only for a foreign private issuer that files its Exchange Act periodic reports on Forms 10-K and 10-Q, the definition by its terms does not exclude foreign private issuers. A foreign private issuer that is a large accelerated filer under the Exchange Act Rule 12b-2 definition, and that files its annual reports on Form 20-F or Form 40-F, must begin to comply with the internal control over financial reporting and related requirements in the annual report for its first fiscal year ending on or after July 15, 2006. A foreign private issuer that is an accelerated filer, but not a large accelerated filer, under the definition in Rule 12b-2 of the Exchange Act, and that files its annual report on Form 20-F or Form 40-F, must begin to comply with the requirement to provide the auditor's attestation report on internal control over financial reporting in the annual report filed for its first fiscal year ending on or after July 15, 2007. A foreign private issuer that is not an accelerated filer under the Exchange Act Rule 12b-2 definition is required, under this extension, to begin to comply with the management report requirement in its annual report for its first fiscal year ending on or after December 15, 2007.
[42] 17 CFR 240.13a-15(d) and 17 CFR 240.15d-15(d).
[43] 17 CFR 240.13a-15(a) and 17 CFR 240.15d-15(a).

The Importance of Mindset Management in Complying with SOX 404

With the promulgation of the US Sarbanes-Oxley Act, every company listed on the US capital markets is required to comply with its provisions, and Section 404 of the Act (SOX 404) is the most difficult to implement.

The resistance companies meet in complying with SOX 404 stems from employees' outdated mindsets and from how they understand their responsibility for internal control.

Managing employees' mindsets helps strengthen the building of internal controls and reduces the cost of complying with SOX 404.

Tags: SOX 404; mindset management; internal control

0 Introduction

Since the Enron and WorldCom scandals broke in the United States in 2001, the US government has raised the building of corporate internal controls to an unprecedented level, and establishing sound internal controls has become a focus of growing public concern.

To restore investors' confidence in the financial markets, the US government passed the Sarbanes-Oxley Act ("Sarbanes-Oxley Act", SOX) on July 25, 2002.

President George W. Bush described the Act as "the most influential legislation for the US capital markets since President Franklin Roosevelt"; among its provisions on internal control, Section 404 has had the most far-reaching effect on the capital markets.

The purpose of the Act is to improve corporate governance by strengthening internal control and, ultimately, to reinforce corporate accountability.

1 Overview of SOX 404 and mindset management

Section 404 of the Sarbanes-Oxley Act (SOX 404) requires listed companies to add to their annual reports an assessment of the effectiveness of their internal control over financial reporting for the year, and requires the external auditor to express an opinion on that assessment.

The section stipulates that the CEO and CFO must sign to confirm the effectiveness of the company's internal controls and bear corresponding civil and criminal liability, and that, in addition to the annual financial report, an internal control report must be submitted to the Securities and Exchange Commission (SEC).

Since the SEC began requiring listed companies to report on the effectiveness of internal control, many companies have started building internal control systems in accordance with SOX 404.

When implementing an internal control system, the greatest resistance that internal audit staff encounter comes not from company management but from the employees of the various departments.

A company is a profit-making organization; its business and management activities are carried out jointly by all employees of the organization, and every decision and operation is closely tied to the company's gains and losses.

How to Comply with Section 404 of the SOX Act

Complying with Section 404 of the SOX Act means starting from internal control and risk management, specifically in the following areas:

1. Establish and improve the internal control system: Section 404 requires companies to establish a sound internal control system to ensure the accuracy and reliability of financial reporting.

Companies should assess their existing internal control system, identify deficiencies and risk points, and take measures to improve it.

2. Improve the risk management mechanism: Section 404 requires companies to establish a sound risk management mechanism covering risk identification, assessment, early warning and response.

Companies should establish a sound risk management system, define the risk management process and responsibilities, identify and respond to risks promptly, and ensure stable operations.

3. Raise the level of governance: Section 404 requires companies to improve governance, build a sound governance structure, and define the duties and authority of each governance body.

Companies should set up sound decision-making mechanisms, standardize governance conduct, strengthen the board of directors and the supervisory board, and raise governance standards.

4. Strengthen internal and external audit: Section 404 requires companies to strengthen internal and external audit to ensure the effectiveness of internal control and the accuracy of financial reports.

Companies should establish a sound internal audit system and strengthen supervision and evaluation of the internal control system.

At the same time, companies should cooperate actively with external auditors to ensure the independence and impartiality of the audit.

5. Improve the quality of information disclosure: Section 404 requires companies to improve the quality of information disclosure, including financial reports and internal control reports.

Companies should establish a sound information disclosure system, standardize the disclosure process, and ensure that disclosures are truthful, accurate, complete and timely.

Complying with Section 404 therefore requires companies to work on several fronts: continuously improving the internal control system and risk management mechanism, raising governance standards, strengthening internal and external audit, and improving the quality of information disclosure.

SOX 404 Implementation: Control Exceptions and the Deficiency Assessment Framework

Significant Deficiency:
An internal control deficiency, or a combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process or report external financial data reliably in accordance with generally accepted accounting principles.
A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting (PCAOB AS5, A11).

Compensating, complementary and redundant controls
Compensating controls: controls that can prevent or detect a misstatement in the annual or interim financial statements whose magnitude is "relatively important" or "important". The level at which they operate and their precision should be determined in relation to the likelihood that a misstatement remains undetected after the control is performed. (Same control precision and effect.)
Complementary controls: controls that work together with other controls to achieve the same control objective. (Different control precision

Design deficiency: a design deficiency exists when a control necessary to meet the control objective is missing, or when an existing control is not properly designed, so that even if the control operates as designed the control objective would not normally be met.
Operating deficiency: an operating deficiency exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Material Weakness:
A deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis (PCAOB AS5, A7). (Note: there is a reasonable possibility of an event when the likelihood of the event is either "reasonably possible" or "probable".)

SOX 404 Implementation: Control Exceptions
3) Deficiency reporting is the bottom-up reporting of internal control deficiencies. It covers: collecting and reporting the internal control deficiencies identified, the appropriateness of the reporting mechanism, and the appropriateness of follow-up assessment.

Foreign Information Security Standards

Hey folks! Today let's chat about foreign information security standards.

You know, information security is like the lock on your front door: if it isn't sturdy, a thief can just walk in! Other countries have whole sets of standards for this.

For example, they are really strict about data protection. It's like guarding a treasure: they tuck the data away carefully so the bad guys get no opening. Think of a chest of gold and jewels: you'd find the safest place to keep it and put several locks on it!

And their network defenses are like city walls. Firewalls of every kind and encryption technology make hackers back off. The walls are built high and thick, so breaking through isn't easy! Think about it: without these standards, wouldn't our information be running naked down the street? How scary is that! Abroad, they don't let that happen.

They also race against the clock to patch system vulnerabilities. Just like firefighters: the moment a spark appears, they rush over and put it out. If you don't fix it quickly, won't the hole keep growing until the whole house burns down?

And they take employee training very seriously too. It isn't just a casual talk; everyone really has to know how to protect information security. It's like being taught to use a fire extinguisher: you have to learn it so you can use it when it counts!

Then look at the big companies: they really spend what it takes on information security. Why? Because they know how much it matters! If information leaks, the loss isn't small; it can cripple a company!

When we use our phones and computers, we should be careful too. Don't download software from dubious sources, just as you wouldn't open the door to a stranger. If you accidentally let a bad actor in, what a mess!

Foreign information security standards really set a good example for us. We should learn from them and protect our own information. Don't wait until something goes wrong to regret it! Anyway, I think information security can be a big deal or a small one, and we need to take it seriously, right? Don't brush it off, or you'll be the one who pays the price!

SOX Section 404: A Practical Guide for Management (Chinese Edition)

Part One: Executive Summary

The most important financial legislation in nearly seventy years: why the Sarbanes-Oxley Act was enacted

The Public Company Accounting Reform and Investor Protection Act of 2002 (the "Sarbanes-Oxley Act" or "the Act") was enacted in July 2002, largely in response to financial scandals at several well-known US companies. The scandals led to a loss of confidence in the financial markets and of trust in corporate accounting records and reporting. The Act is the most far-reaching reform of the US financial markets since the Securities Act of 1933 and the Securities Exchange Act of 1934. Its impact has spread across the entire financial market, and every industry has been and will continue to be affected. Section 404 of the Act, Management Assessment of Internal Controls (Section 404), may be the most difficult part: it requires most registered public companies and their external auditors to report on the effectiveness of the company's internal control over financial reporting. An obvious question is: how will companies implement Section 404? This guide explains the specific content of Section 404, provides practical guidance for its implementation, and illustrates and discusses the problems companies have encountered in implementing the Act. We also offer our views on other important issues.

Part Four: Engaging Service Organizations

Steps for assessing the procedures performed by a service organization:
Whether a service organization is used
Determining whether outsourced activities, processes and functions are significant to the company's internal control over financial reporting
Determining whether a Type II SAS 70 report exists and whether its scope is sufficient
If there is no Type II SAS 70 report, determining alternative procedures

Part Eight: Communication: Significant Findings

International Information Security Standards Series: SOX 404 Guidance v1.1

SOX 404 Implementation Guidance, October 2003
STRICTLY FOR INTERNAL CIRCULATION ONLY

Contents
1 Sarbanes-Oxley, 2002, Section 404 ("SOX 404")
  1.1 Management's attestation requirement under SOX 404
  1.2 Management's attestation
2 Overview of the COSO framework
  2.1 COSO Framework
  2.2 Components of COSO framework
3 Internal control
  3.1 Who
  3.2 Objective
  3.3 Effective internal controls
4 IINV's SOX 404 Framework
  4.1 SOX 404 framework
  4.2 Entity Assessment Questionnaires
  4.3 Controls performed at the Corporate Office
  4.4 Controls not documented or not formalised
5 Financial Statements and Disclosure Assertion
  5.1 The Six assertions
  5.2 Financial statement caption
  5.3 Assertion Risk
  5.4 Mitigating controls
  5.5 Examples of control techniques
6 Documentation
  6.1 Routine transactions
  6.2 Non-routine transactions
  6.3 Estimations
  6.4 Informal controls
  6.5 Some sources of Control Documentation
7 How to address deficiencies
8 Roles and responsibilities
  8.1 Unit management
  8.2 Unit Internal Assurance
  8.3 External Auditors
9 Corporate Assistance
  9.1 Contacts
  9.2 Further guidance
Appendices
  1 Management Attestation to be signed by the Unit CEO and CFO
  2 Sample template for control documentation

1 Sarbanes-Oxley, 2002, Section 404 ("SOX 404")

1.1 Management's attestation requirement under SOX 404
The SEC Rules implementing SOX 404 require that each annual report of an SEC registrant should include an internal control report by management which contains the following:
- a statement of the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
- a statement identifying the framework used by management to evaluate the effectiveness of internal control;
- an assessment of the effectiveness of the internal control structure and procedures for financial reporting.
External auditors are required to attest to management's assertion on the effectiveness of internal controls and procedures for financial reporting.

1.2 Management's attestation
A sample of the attestation is given in Appendix 1 of this guidance note.

2 Overview of the COSO framework

2.1 COSO Framework
A SOX 404 assessment requires suitable criteria for an effective internal control system. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an internal control framework in 1992 (the "COSO Framework"). IINV has chosen the COSO framework for the following reasons:
- In the SEC rule implementing SOX 404, the SEC has suggested COSO as the preferred framework;
- Draft AICPA guidelines for the evaluation of internal control for SOX 404 recommend the use of the COSO framework to provide the attestation;
- It is a suitable, recognised control framework developed through due process, including public comment.
The COSO Framework is illustrated below: [COSO framework diagram not reproduced in this extract]

2.2 Components of COSO framework

2.2.1 Control Environment
- Reflects the tone set by top management.
- The overall attitude, awareness and actions of the board, management, owners, and others concerning the importance of internal control and the emphasis placed on control in the company's policies, procedures, methods, and organizational structure.
- The foundation for all other components of internal control, providing discipline and structure.

2.2.2 Risk Assessment
- The entity's identification and analysis of relevant risks (both internal and external) to the achievement of its objectives, forming a basis for determining how the risks should be managed.
- Entity-level objectives, including how they are supported by strategic plans and complemented on a process/application level, have been established and communicated.
- A risk assessment process, including estimating the significance of risks, assessing the likelihood of their occurrence, and determining needed actions, has been established.

2.2.3 Control Activities
- Policies and procedures ensure that management's directives are carried out and that controls called for by policy are being applied.
- Mitigating and monitoring controls related to specific risks for each financial statement caption in the balance sheet and income statement.

2.2.4 Information and Communication
- Information and communication systems support the identification, capture, and exchange of information in a form and time frame that enable management and other appropriate personnel to carry out their responsibilities.

2.2.5 Monitoring and Evaluation
- Monitoring is a process that assesses the quality of internal control performance over time.
- Periodic evaluations of internal control are made, and personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal control continues to function.

3 Internal control
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

3.1 Who
A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers and effected by the registrant's board of directors, management and other personnel.

3.2 Objective
To provide reasonable assurance regarding the reliability of financial reporting for external purposes in accordance with GAAP.

3.3 Effective internal controls
Effective internal controls include policies and procedures for:
- maintenance of records that in reasonable detail accurately and fairly reflect transactions and dispositions of assets;
- providing reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
- providing reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements.

4 IINV's SOX 404 Framework

4.1 SOX 404 framework
[Framework diagram not reproduced in this extract]

4.2 Entity Assessment Questionnaires
There are five questionnaires covering Control Environment, Risk Assessment, Control Activities, Information & Communications and Monitoring & Evaluation. The entity assessment questionnaires are essential for the overall assessment of the elements of the COSO framework. Management will need to answer all questions and provide:
- explanations for each "Yes" or "No";
- references to relevant processes, documentation and other supporting information;
- a self-assessment of the relevant control;
- an audit trail to demonstrate effectiveness of design and effectiveness of controls.

4.3 Controls performed at the Corporate Office
Cross-refer to the policies and procedures followed by the Corporate Office, for example reporting and control exercised by the Audit Committee.

4.4 Controls not documented or not formalised
In certain cases there may be no formal documentation for certain controls, for example daily or regular routine plant/facility visits, conference calls to corporate for performance updates, etc. In such cases the processes and controls should be made:
- transparent and verifiable in terms of regularity, and observable for the purpose of attestation;
- such that the result of the control activity is observable and available for objective evaluation;
- and management should consider formalising and documenting the controls.
Please refer to section 6, "Documentation", for the minimum requirements.

5 Financial Statements and Disclosure Assertion

5.1 The Six assertions

5.1.1 Completeness
- No unrecorded assets, liabilities, transactions or events, or undisclosed items.
- Controls exist to ensure actual transactions are not omitted from the records.
- All transactions are reflected in the proper accounting period.

5.1.2 Existence
- An asset or a liability exists at a point in time.
- Controls exist to ensure only valid assets and liabilities are recorded and safeguarded, and that periodic accountability is maintained.
- Controls exist to ensure legal title to recorded assets and rights to assets are only assigned with appropriate authorization.
- Only liabilities of the company are recorded.

5.1.3 Accuracy
- Controls exist to ensure that transactions are recorded at correct monetary amounts.

5.1.4 Valuation
- An asset or liability is recorded at an appropriate amount using an appropriate method of valuation in line with US GAAP.
- A transaction or event is recorded at the proper amount, and revenue or expense is allocated to the proper period.

5.1.5 Occurrence
- An assertion that a recorded transaction or event actually took place during the period.
- Controls exist to ensure fictitious or duplicate transactions are not included in the records.

5.1.6 Disclosure
- An item is properly classified, described, and disclosed in the financial statements.

5.2 Financial statement caption
Financial statement line items which are included in Hyperion for financial reporting purposes.

5.3 Assertion Risk
The risk that amounts reflected in the financial statements do not reflect the assertions. See "The Six assertions" (5.1).

5.4 Mitigating controls
- Preventive controls: controls designed to detect a fraud or prevent an error; usually applied at the individual transaction level; manual or IT controls; authorization is one of the main preventive controls.
- Transaction processing controls: controls to ensure the completeness and accuracy of transactions reflected in the financial statements.
- Detection controls: substantiation or evaluation controls designed to monitor an assertion risk, including identification of a fraud or errors; usually applied to groups of transactions.
- Physical safeguard controls: segregation of duties, physical observation and other techniques to limit access to assets, records, forms and processing.

5.5 Examples of control techniques
- Approvals
- Matching and comparisons
- Sequence checking and control logs
- Recalculations
- Control totals
- Validation
- Analytical procedures
- Verification of physical existence
- Verification with third parties
- Reconciliation of control accounts
- Periodic determination of valuation allowances
- Access restrictions

6 Documentation
The following paragraphs outline the minimum documentation required for routine transactions, non-routine transactions and estimations. Units may provide additional documentation for their processes and controls, but the following minimum standards will need to be followed to comply with the requirements of SOX 404. The documentation requirements for each class of transactions are given below.

6.1 Routine transactions

6.1.1 Overview
Routine transactions are frequently recurring financial activities reflected in the books and records in the normal course of business (e.g., sales, purchases, cash receipts, cash disbursements, payroll).
The Units should examine or prepare copies of documentation which provides a basic understanding of the flow of transactions. This documentation should include how transactions are initiated, recorded, processed, and reported. The Unit should also consider other existing documentation (e.g., process models, flowcharts, procedural manuals, job descriptions, documents, forms). The documentation reflects all the relevant processing procedures, whether performed manually or automated. The project team generally obtains copies of, or prepares, certain information technology documentation. Since the primary purpose of this documentation is to help identify where errors or fraud can occur, the Unit should concentrate on documenting:
- A brief description and objective of the control and how it mitigates the assertion risk
- Major input sources
- Whether the control is manual or automated
- Important data files (e.g., customer and price master files), documents, and records
- Significant processing procedures, including on-line entry and updating processes
- Important output files, reports, and records
- Functional segregation of duties, indicating the person primarily responsible for the control
- Physical evidence for the control to the extent possible, or physical observation of the control or of the result of the control activity
- How the control activity is performed and how often it is performed
For a control documentation template see Appendix 2 of this Guidance.

6.1.2 Segregation of duties
A lack of segregation of duties exists if any individual performs incompatible activities or if the access controls of a computer application grant users inappropriate or excessive access to functionality (e.g., if an individual is in a position to both perpetrate and conceal fraud in the normal course of performing his or her duties). Thus, the Unit should consider whether any individuals:
- perform processing procedures that are incompatible with each other,
- perform both processing procedures and related controls, or
- have inappropriate access to the accounting records and related assets.
We recommend that Units develop methods for identifying inadequacies in the segregation of duties for each major class of transactions.

6.2 Non-routine transactions
Non-routine transactions are financial activities that occur only periodically (e.g., taking physical inventory, calculating depreciation, adjusting for foreign currencies). A distinguishing feature of non-routine transactions is that the data involved generally are not part of the routine flow of transactions. The Unit should focus on documenting:
- Procedures or forms the company uses (e.g., the written instructions used in a physical inventory)
- Any computer applications the company uses in the accounting activities (e.g., applications, purchased or internally developed, used to calculate depreciation or to capture the physical inventory counts through barcode scanning)
- Assumptions, if any, employed in the transaction (e.g., the average useful lives employed in calculating depreciation)
- The frequency with which the non-routine transaction occurs
- The company personnel involved in the accounting activities

6.3 Estimations
Estimation transactions are financial activities that involve management judgments or assumptions in formulating an accounting balance in the absence of a precise means of measurement (e.g., determining the allowance for doubtful accounts, establishing warranty reserves, assessing assets for impairment). For this class of transactions, the Unit should focus on documenting the following:
- Data used to make the estimate (e.g., the aged listing of accounts receivable may be used to identify potential bad debts)
- Relevant factors and assumptions that company personnel consider in making the estimate, including the reasons for the particular assumptions
- Techniques (i.e., the models) company personnel use to apply the assumptions to the data, including the procedures to collect, calculate, and aggregate the relevant data
- Frequency with which the estimation transaction occurs
- Degree of subjectivity involved
- Company personnel (or third-party specialists) involved in making the estimate

6.4 Informal controls
It is likely that there will be a number of informal controls over processes and certain transactions. In such cases, Unit Management will have to consider documenting those controls based on the guidelines given above. It should also:
- make such informal controls transparent and verifiable in terms of regularity, and observable for independent attestation;
- ensure the result of the control activity is observable and available for objective evaluation;
- consider formalising and documenting the controls.

6.5 Some sources of Control Documentation
- Systems implementation such as ERP or SAP
- Policy and procedures manual
- ISO certification manuals
- Written procedures (manual and/or IT systems procedures)
- Process flow / control charts
- Strategy documents
- Budget and/or regular performance/variance updates

7 How to address deficiencies
All significant deficiencies and material weaknesses need to be communicated in writing. These items should be set forth by management as part of its assessment report. In addition, the existence of a material weakness in internal control precludes an unqualified opinion that internal control is effective. The broad approach to significant deficiencies is as follows:
- Where there are no formal controls: management should document controls to ensure the results of the control activity are transparent and the process is observable.
- Where there are no controls: management should design and implement controls as a matter of utmost urgency.
- Where controls are not working satisfactorily: management will need to review the design of the control and develop a remedial action plan to ensure controls are operating effectively.
Please inform the Steering Committee and the SOX 404 Project Manager at the earliest opportunity should you come across a significant deficiency or a material weakness.

8 Roles and responsibilities

8.1 Unit management
- Primary responsibility of management to ensure and monitor the existence of effective internal controls.
- Appoint coordinators at each unit for SOX 404 implementation.
- Assess the need for completion of questionnaires by the management of subsidiaries consolidated within each primary reporting unit. This may need to be done in conjunction with IINV management.
- The process must be properly documented to permit attestation, firstly by management and then by internal auditors.
- Complete the Management Self Assessment periodically and for timely review by internal and external auditors.
- Report ALL deficiencies and material weaknesses. Significant deficiencies will be reported to the audit committee and addressed in the auditors' report.
- Develop an action plan to eliminate deficiencies and material weaknesses, with a detailed timetable and responsibilities.
- Management attestation report from all units, signed by the CEO and CFO. Please see Appendix 1 for the Management Certification required under SOX 404.

8.2 Unit Internal Assurance
- Test management self assessments at each unit.
- Provide assurance to unit management, corporate management and the audit committee of IINV.
- NO involvement in developing controls or preparing documentation of internal control; this is essential to maintain the independence of internal auditors.

8.3 External Auditors
- Test the unit's assertions on internal control by reviewing work performed by Internal Assurance.
- Perform additional testing for areas to be determined by them.

9 Corporate Assistance

9.1 Contacts
The Toolset will contain detailed guidance for completing each questionnaire. In order to facilitate this process we have a dedicated project team based in London led by Homiyar Wykes, who will be your first point of contact. He will liaise with the Steering Committee for SOX 404 and respond to your questions and concerns.
Members of the Steering Committee for SOX 404:
- Arvind Chopra, Director - Internal Assurance: +44 (0)20 7543 1158
- T.N. Ramaswamy, Director - Finance: +44 (0)20 7543 1174
- Simon Evans, General Counsel: +44 (0)20 7543 1183

9.2 Further guidance
Additional guidance on implementation will be provided through separate inter-office memoranda.

Appendix 1 Management Attestation to be signed by the Unit CEO and CFO
In addition to the existing management certification under section 302 of the Sarbanes-Oxley Act, the Unit CEO and CFO will be required to attest to the following once SOX 404 has been fully implemented:
"As the certifying officers of Ispat [specify Unit Name], we are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for Ispat [specify unit name] and have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. Based on our continuous review process we can certify that adequate internal controls over financial reporting have been maintained in Ispat [specify unit name] over the period of twelve months ending December 31, 200[X]."

Section 404 of the SOX Act

Section 404: Management Assessment of Internal Controls

(a) Rules required. The SEC shall prescribe rules requiring that each annual report prepared under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 contain an internal control report, which shall:

(1) state the responsibility of company management for establishing and maintaining an adequate and effective internal control system and corresponding control procedures;

(2) contain an assessment, as of the end of the issuer's most recent fiscal year, of the effectiveness of the internal control system and control procedures.

(b) Internal control evaluation and reporting.

With respect to the management assessment of internal control required by subsection (a), the accounting firm that audits the company's annual report shall test and evaluate that assessment and issue an evaluation report.

Such evaluation and report shall be made in accordance with standards issued or adopted by the Board.

Such evaluation shall not be the subject of a separate engagement.

The Impact of SOX 404 Compliance on Chinese Listed Companies and How to Respond

[Abstract] With the rapid development of China's economy, more and more domestic enterprises have reached world-class scale, and their management and overall quality have also advanced considerably.

The need for expansion has driven them to seek overseas financing on the US stock market, but problems have arisen along with it.

The Enron, WorldCom and other financial fraud scandals of 2001 gave birth to the Sarbanes-Oxley Act, whose harshest and most controversial provision is Section 404, aimed at strengthening listed companies' internal control systems and ensuring the reliability of financial reporting.

Under SEC rules, non-US companies listed in the United States must comply with SOX 404 just as domestic companies do. Nearly a hundred companies from mainland China and Hong Kong are now listed and raising capital in the US, and SOX 404 compliance is a challenge they cannot avoid.

Chinese companies have weak internal controls, and their fine-grained management and process management are immature, so they have encountered many problems in practice.

This paper analyzes the opportunities and challenges Chinese companies listed in the US face in complying with SOX 404 and, drawing on other countries' experience in light of China's current situation, proposes countermeasures to help Chinese companies adapt to this change.

Keywords: Sarbanes-Oxley Act, Section 404, internal control, structured approach

Abstract

With the rapid development of the Chinese economy, more and more Chinese corporations have reached world-class scale. Taking into consideration their broadened horizons and better management, Chinese corporations are becoming more competitive. Out of the growing need for expansion, many of them started raising finance by listing on the US stock market. Then came the problems. After the financial frauds at Enron, WorldCom and other companies, the US government enacted the Sarbanes-Oxley Act of 2002. Section 404 of the Act, which strongly emphasizes the effectiveness of internal control in order to guarantee the reliability of financial reporting, is its harshest and most controversial part. According to SEC regulations, all non-US issuers are also required to comply with SOX 404. In this regard, SOX 404 is a great challenge that Chinese corporations listed on the US stock market have to confront. Chinese corporations are still weak in internal control, refined management and business process management. Undoubtedly many of them have problems complying with a regulation as demanding as SOX 404. This dissertation aims to identify the obstacles that most Chinese corporations subject to SOX 404 have to face and tries to offer suggestions based on their current status and overseas experience. The conclusions should help Chinese corporations comply better with SOX 404.

Key words: Sarbanes-Oxley Act, SOX404, internal control, structured approach

Contents
1. Introduction
  (1) Purpose and significance of the research
  (2) Research approach and content
2. Literature review
3. Provisions and social impact of Section 404 of the Sarbanes-Oxley Act
  (1) Provisions of Section 404
  (2) Social impact of Section 404
4. Chinese companies complying with Section 404: opportunities and challenges
  (1) Opportunities
  (2) Challenges
5. How Chinese companies can comply with SOX 404: a structured approach
  (1) Choosing a suitable internal control framework
  (2) Identifying key controls
  (3) Documenting
  (4) Testing and evaluating entity-level controls
  (5) Testing and evaluating process-level controls
6. China Netcom's application of the structured approach
Sources and references

1. Introduction

(1) Purpose and significance of the research

At the end of 2001, the financial fraud at Enron, the largest energy trader in the United States, came to light and the company filed for bankruptcy, shocking the world.

Research on and Lessons from the Assessment of Internal Control Effectiveness under Section 404 of the Sarbanes-Oxley Act (SOX)

Liaoning Economy

[Abstract] The Sarbanes-Oxley Act (SOX) is a rich, comprehensive piece of legislation, and the internal control certification requirement in its Section 404 has received particular attention; in recent years its effect in strengthening internal control and raising the standard of internal management, in the United States and worldwide, has become increasingly evident.

This article focuses on the methods and process of internal control assessment under Section 404 of the Act, as a useful reference for conducting internal control evaluations.

[Keywords] Sarbanes-Oxley Act; internal control; research; reference
Author: Yang Li

The Sarbanes-Oxley Act (SOX) was enacted in 2002; its formal title is the Public Company Accounting Reform and Investor Protection Act (abbreviated SOX). The Act aims to improve the financial reporting audit process and makes mandatory the corporate governance responsibilities of boards of directors, public accountants and other parties.

Initially the Act mainly affected US companies, but its influence now extends worldwide.

As a rich, comprehensive piece of legislation, the internal control certification requirement in its Section 404 has received particular attention, and the now widely used COSO internal control framework became the global standard in the field of internal control under the influence of the Act.

Studying how the Sarbanes-Oxley Act assesses the effectiveness of internal control, reporting on the quality of internal control through such assessments, and giving internal audit a major role are therefore of great reference value for raising an organization's internal control standards.

1. Main Content of the Sarbanes-Oxley Act (SOX) and Section 404

1) Main content of the Sarbanes-Oxley Act (SOX).

The Sarbanes-Oxley Act made many new provisions on corporate internal control, oversight of the accounting profession, and securities market regulation.

The Act has 11 titles: the earlier titles set out the regulation of the accounting profession and its conduct, and the later titles, through Title 11, mainly increase the criminal liability of corporate executives and for white-collar crime.

Specifically, it covers the following seven aspects. First, establishing an independent Public Company Accounting Oversight Board to supervise the accounting firms qualified to audit public companies.

Second, strengthening the independence of certified public accountants.

Third, increasing appropriations to strengthen the regulatory functions of the US Securities and Exchange Commission.

Fourth, requiring the US General Accounting Office to strengthen investigation and research.

Fifth, increasing corporate responsibility for financial reporting, that is, requiring the chief executive officer and chief financial officer to certify that the financial reports submitted to the SEC "fully comply with the Securities Exchange Act and fairly present, in all material respects, the financial condition and results of operations".


SOX 404 Implementation Guidance
October 2003
STRICTLY FOR INTERNAL CIRCULATION ONLY

Contents
1 Sarbanes-Oxley, 2002, Section 404 ("SOX 404")
1.1 Management's attestation requirement under SOX 404
1.2 Management's attestation
2 Overview of the COSO framework
2.1 COSO Framework
2.2 Components of COSO framework
3 Internal control
3.1 Who
3.2 Objective
3.3 Effective internal controls
4 IINV's SOX 404 Framework
4.1 SOX 404 framework
4.2 Entity Assessment Questionnaires
4.3 Controls performed at the Corporate Office
4.4 Controls not documented or not formalised
5 Financial Statements and Disclosure Assertion
5.1 The six assertions
5.2 Financial statement caption
5.3 Assertion risk
5.4 Mitigating controls
5.5 Examples of control techniques
6 Documentation
6.1 Routine transactions
6.2 Non-routine transactions
6.3 Estimations
6.4 Informal controls
6.5 Some sources of control documentation
7 How to address deficiencies
8 Roles and responsibilities
8.1 Unit management
8.2 Unit Internal Assurance
8.3 External Auditors
9 Corporate Assistance
9.1 Contacts
9.2 Further guidance
Appendices
1 Management Attestation to be signed by the Unit CEO and CFO
2 Sample template for control documentation

1 Sarbanes-Oxley, 2002, Section 404 ("SOX 404")

1.1 Management's attestation requirement under SOX 404
The SEC rules implementing SOX 404 require that each annual report of an SEC registrant include an internal control report by management which:
- states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
- identifies the framework used by management to evaluate the effectiveness of internal control;
- contains an assessment of the effectiveness of the internal control structure and procedures for financial reporting.
External auditors are required to attest to management's assertion on the effectiveness of internal controls and procedures for financial reporting.

1.2 Management's attestation
A sample of the attestation is given in Appendix 1 of this guidance note.

2 Overview of the COSO framework

2.1 COSO Framework
A SOX 404 assessment requires suitable criteria for an effective internal control system. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an internal control framework in 1992 (the "COSO Framework"). IINV has chosen the COSO framework for the following reasons:
- in the SEC rule implementing SOX 404, the SEC has suggested COSO as the preferred framework;
- draft AICPA guidelines for the evaluation of internal control for SOX 404 recommend the use of the COSO framework as the basis for the attestation;
- it is a suitable, recognised control framework developed through due process, including public comment.
The COSO Framework is illustrated below:

2.2 Components of COSO framework

2.2.1 Control Environment
- Reflects the tone set by top management.
- The overall attitude, awareness and actions of the board, management, owners and others concerning the importance of internal control, and the emphasis placed on control in the company's policies, procedures, methods and organizational structure.
- The foundation for all other components of internal control, providing discipline and structure.

2.2.2 Risk Assessment
- The entity's identification and analysis of relevant risks (both internal and external) to the achievement of its objectives, forming a basis for determining how the risks should be managed.
- Entity-level objectives, including how they are supported by strategic plans and complemented at the process/application level, have been established and communicated.
- A risk assessment process, including estimating the significance of risks, assessing the likelihood of their occurrence and determining needed actions, has been established.

2.2.3 Control Activities
- Policies and procedures ensure that management's directives are carried out and that controls called for by policy are being applied.
- Mitigating and monitoring controls relate to specific risks for each financial statement caption in the balance sheet and income statement.

2.2.4 Information and Communication
- Information and communication systems support the identification, capture and exchange of information in a form and time frame that enable management and other appropriate personnel to carry out their responsibilities.

2.2.5 Monitoring and Evaluation
- Monitoring is a process that assesses the quality of internal control performance over time.
- Periodic evaluations of internal control are made, and personnel, in carrying out their regular duties, obtain evidence as to whether the system of internal control continues to function.

3 Internal control
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations;
- reliability of financial reporting;
- compliance with applicable laws and regulations.

3.1 Who
A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers and effected by the registrant's board of directors, management and other personnel.

3.2 Objective
To provide reasonable assurance regarding the reliability of financial reporting for external purposes in accordance with GAAP.

3.3 Effective internal controls
Effective internal controls include policies and procedures for:
- maintenance of records that in reasonable detail accurately and fairly reflect transactions and dispositions of assets;
- providing reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
- providing reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements.

4 IINV's SOX 404 Framework

4.1 SOX 404 framework

4.2 Entity Assessment Questionnaires
There are five questionnaires covering Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring & Evaluation. The entity assessment questionnaires are essential for the overall assessment of the elements of the COSO framework. Management will need to answer all questions and provide:
- explanations for each "Yes" or "No";
- references to relevant processes, documentation and other supporting information;
- a self-assessment of the relevant control;
- an audit trail to demonstrate effectiveness of design and operating effectiveness of the controls.

4.3 Controls performed at the Corporate Office
Cross-refer to the policies and procedures followed by the Corporate Office, for example reporting to, and control exercised by, the Audit Committee.

4.4 Controls not documented or not formalised
In certain cases there may be no formal documentation for certain controls, for example daily or regular routine plant/facility visits, conference calls to corporate for performance updates, etc. In such cases the processes and controls should be made:
- transparent and verifiable in terms of regularity, and observable for the purpose of attestation;
- such that the result of the control activity is observable and available for objective evaluation.
Consider formalising and documenting such controls. Please refer to section 6 for the minimum documentation.

5 Financial Statements and Disclosure Assertion

5.1 The six assertions

5.1.1 Completeness
- No unrecorded assets, liabilities, transactions or events, and no undisclosed items.
- Controls exist to ensure actual transactions are not omitted from the records and that all transactions are reflected in the proper accounting period.

5.1.2 Existence
- An asset or a liability exists at a point in time.
- Controls exist to ensure only valid assets and liabilities are recorded and safeguarded, and that periodic accountability is maintained.
- Controls exist to ensure legal title to recorded assets and rights to assets are only assigned with appropriate authorization.
- Only liabilities of the company are recorded.

5.1.3 Accuracy
Controls exist to ensure that transactions are recorded at correct monetary amounts.

5.1.4 Valuation
- An asset or liability is recorded at an appropriate amount using an appropriate method of valuation in line with US GAAP.
- A transaction or event is recorded at the proper amount, and revenue or expense is allocated to the proper period.

5.1.5 Occurrence
- An assertion that a recorded transaction or event actually took place during the period.
- Controls exist to ensure fictitious or duplicate transactions are not included in the records.

5.1.6 Disclosure
An item is properly classified, described and disclosed in the financial statements.

5.2 Financial statement caption
Financial statement line items which are included in Hyperion for financial reporting purposes.

5.3 Assertion risk
The risk that amounts reflected in the financial statements do not reflect the assertions (see 5.1, The six assertions).

5.4 Mitigating controls
Preventive controls: designed to prevent an error, or deter a fraud, before it is recorded; usually applied at the individual transaction level; manual or IT controls; authorization is one of the main preventive controls.
Transaction processing controls: controls to ensure the completeness and accuracy of transactions reflected in the financial statements.
Detection controls: substantiation or evaluation controls designed to monitor an assertion risk, including identification of fraud or errors; usually applied to groups of transactions.
Physical safeguard controls: segregation of duties, physical observation and other techniques to limit access to assets, records, forms and processing.

5.5 Examples of control techniques
- Approvals
- Matching and comparisons
- Sequence checking and control logs
- Recalculations
- Control totals
- Validation
- Analytical procedures
- Verification of physical existence
- Verification with third parties
- Reconciliation of control accounts
- Periodic determination of valuation allowances
- Access restrictions

6 Documentation
The following paragraphs outline the minimum documentation required for routine transactions, non-routine transactions and estimations. Units may provide additional documentation for their processes and controls, but the following minimum standards must be followed to comply with the requirements of SOX 404. Documentation requirements for each class of transactions are given below.

6.1 Routine transactions

6.1.1 Overview
Routine transactions are frequently recurring financial activities reflected in the books and records in the normal course of business (e.g. sales, purchases, cash receipts, cash disbursements, payroll).
The Units should examine or prepare copies of documentation which provides a basic understanding of the flow of transactions. This documentation should include how transactions are initiated, recorded, processed and reported. The Unit should also consider other existing documentation (e.g. process models, flowcharts, procedural manuals, job descriptions, documents, forms).
The documentation reflects all the relevant processing procedures, whether performed manually or automated. The project team generally obtains copies of, or prepares, certain information technology documentation.
Since the primary purpose of this documentation is to help identify where errors or fraud can occur, the Unit should concentrate on documenting:
- a brief description and objective of the control and how it mitigates the assertion risk;
- major input sources;
- whether the control is manual or automated;
- important data files (e.g. customer and price master files), documents and records;
- significant processing procedures, including on-line entry and updating processes;
- important output files, reports and records;
- functional segregation of duties, indicating the person primarily responsible for the control;
- physical evidence for the control to the extent possible, or physical observation of the control or of the result of the control activity;
- how the control activity is performed and how often it is performed.
For a control documentation template see Appendix 2 of this guidance.

6.1.2 Segregation of duties
A lack of segregation of duties exists if any individual performs incompatible activities, or if the access controls of a computer application grant users inappropriate or excessive access to functionality (e.g. if an individual is in a position to both perpetrate and conceal fraud in the normal course of performing his or her duties). Thus, the Unit should consider whether any individuals:
- perform processing procedures that are incompatible with each other;
- perform both processing procedures and the related controls; or
- have inappropriate access to the accounting records and related assets.
We recommend that Units develop methods for identifying inadequacies in the segregation of duties for each major class of transactions.

6.2 Non-routine transactions
Non-routine transactions are financial activities that occur only periodically (e.g. taking physical inventory, calculating depreciation, adjusting for foreign currencies). A distinguishing feature of non-routine transactions is that the data involved generally are not part of the routine flow of transactions.
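The segregation-of-duties check recommended in 6.1.2 above can be mechanised against an application's role model rather than reviewed by eye. The following is an added example, not part of the original guidance note and not IINV's Toolset: it takes a constructed conflict matrix (pairs of application functions that one person must not hold together), constructed role definitions and user-to-role assignments, and reports the users whose combined roles break a rule, roles that break a rule on their own (the "excessive access" case in the text) and role pairs that must never be assigned together. All function, role and user names are hypothetical.

```python
"""Segregation-of-duties (SoD) check over application role assignments.

Added example for section 6.1.2: the rules, roles and users below are
constructed for illustration and are not IINV's Toolset or any real system.
"""
from itertools import combinations

# Constructed SoD rules: pairs of application functions that one person must
# not hold together, because together they let that person both perpetrate
# and conceal an error or fraud.  Values explain the conflict.
SOD_RULES = {
    frozenset({"vendor.create", "payment.approve"}): "create a vendor and approve payments to it",
    frozenset({"invoice.enter", "invoice.approve"}): "enter and approve the same invoice",
    frozenset({"journal.post", "journal.review"}): "post a journal and perform the review control over it",
    frozenset({"payroll.edit", "payroll.release"}): "change payroll master data and release the payroll run",
}

# Constructed application roles: role -> functions the role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"invoice.enter", "vendor.create"},
    "AP_MANAGER": {"invoice.approve", "payment.approve"},
    "GL_ACCOUNTANT": {"journal.post"},
    "GL_REVIEWER": {"journal.review"},
    "HR_ADMIN": {"payroll.edit"},
    "PAYROLL_RUN": {"payroll.release"},
}
# A profile that grants every function: the "excessive access" case.
ROLE_FUNCTIONS["SYS_ADMIN"] = set().union(*ROLE_FUNCTIONS.values())

# Constructed user-to-role assignments, as an access review would export them.
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_MANAGER"],
    "carol": ["AP_CLERK", "AP_MANAGER"],       # incompatible duties via two roles
    "dave": ["GL_ACCOUNTANT", "GL_REVIEWER"],  # performs processing and its control
    "erin": ["HR_ADMIN"],
    "frank": ["SYS_ADMIN"],                    # excessive access
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Map each violating user to a sorted list of (function_a, function_b, why)."""
    report = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        hits = []
        for pair, why in rules.items():
            if pair <= funcs:  # the user holds both sides of the conflicting pair
                first, second = sorted(pair)
                hits.append((first, second, why))
        if hits:
            report[user] = sorted(hits)
    return report


def self_conflicting_roles(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Roles that break a rule on their own; no assignment of them can be clean."""
    return sorted(r for r, funcs in role_functions.items() if any(p <= funcs for p in rules))


def conflicting_role_pairs(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Role pairs that must never be granted to the same person (design-time check)."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_functions), 2):
        combined = role_functions[r1] | role_functions[r2]
        if any(p <= combined for p in rules):
            pairs.add((r1, r2))
    return pairs


if __name__ == "__main__":
    for user, hits in sorted(sod_violations().items()):
        for first, second, why in hits:
            print(f"{user}: {first} + {second} ({why})")
    print("self-conflicting roles:", self_conflicting_roles())
    print("role pairs never to combine:", sorted(conflicting_role_pairs()))
```

Run against a real access export, the role-pair check belongs in the change process for role design and the per-user check in the periodic access review; a hit in either is a candidate significant deficiency under section 7 unless a compensating detection control over the same transactions can be evidenced.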
For non-routine transactions, the Unit should focus on documenting:
- the procedures or forms the company uses (e.g. the written instructions used in a physical inventory);
- any computer applications the company uses in the accounting activities (e.g. applications, purchased or internally developed, used to calculate depreciation or to capture physical inventory counts through barcode scanning);
- the assumptions, if any, employed in the transaction (e.g. the average useful lives employed in calculating depreciation);
- the frequency with which the non-routine transaction occurs;
- the company personnel involved in the accounting activities.

6.3 Estimations
Estimation transactions are financial activities that involve management judgments or assumptions in formulating an accounting balance in the absence of a precise means of measurement (e.g. determining the allowance for doubtful accounts, establishing warranty reserves, assessing assets for impairment). For this class of transactions, the Unit should focus on documenting:
- the data used to make the estimate (e.g. the aged listing of accounts receivable may be used to identify potential bad debts);
- the relevant factors and assumptions that company personnel consider in making the estimate, including the reasons for the particular assumptions;
- the techniques (i.e. the models) company personnel use to apply the assumptions to the data, including the procedures to collect, calculate and aggregate the relevant data;
- the frequency with which the estimation transaction occurs;
- the degree of subjectivity involved;
- the company personnel (or third-party specialists) involved in making the estimate.

6.4 Informal controls
It is likely that there will be a number of informal controls over processes and certain transactions. In such cases Unit Management will have to consider documenting those controls based on the guidelines given above. It should also make such informal controls transparent and verifiable in terms of regularity, and observable for independent attestation; the result of the control activity should be observable and available for objective evaluation. Consider formalising and documenting such controls.

6.5 Some sources of control documentation
- Systems implementation documentation, such as for an ERP or SAP
- Policy and procedures manuals
- ISO certification manuals
- Written procedures: manual and/or IT systems procedures
- Process flow/control charts
- Strategy documents
- Budget and/or regular performance/variance updates

7 How to address deficiencies
All significant deficiencies and material weaknesses need to be communicated in writing. These items should be set forth by management as part of its assessment report. In addition, the existence of a material weakness in internal control precludes an unqualified opinion that internal control is effective. The broad approach to significant deficiencies is as follows:
- Where there are no formal controls: management should document the controls so that the results of the control activity are transparent and the process is observable.
- Where there are no controls: management should design and implement controls as a matter of utmost urgency.
- Where controls are not working satisfactorily: management will need to review the design of the control and develop a remedial action plan to ensure the controls operate effectively.
Please inform the Steering Committee and the SOX 404 Project Manager at the earliest opportunity should you come across a significant deficiency or a material weakness.

8 Roles and responsibilities

8.1 Unit management
- Primary responsibility of management to ensure and monitor the existence of effective internal controls.
- Appoint coordinators at each unit for SOX 404 implementation.
- Assess the need for completion of questionnaires by management of subsidiaries consolidated within each primary reporting unit. This may need to be done in conjunction with IINV management.
- The process must be properly documented to permit attestation, first by management and then by the internal auditors.
- Complete the Management Self Assessment periodically, for timely review by the internal and external auditors.
- Report ALL deficiencies and material weaknesses. Significant deficiencies will be reported to the Audit Committee and addressed in the auditors' report.
- Develop an action plan to eliminate deficiencies and material weaknesses, with a detailed timetable and responsibilities.
- Management attestation report from all units, signed by the CEO and CFO. Please see Appendix 1 for the management certification required under SOX 404.

8.2 Unit Internal Assurance
- Test management self-assessments at each unit.
- Provide assurance to unit and corporate management and to the Audit Committee of IINV.
- No involvement in developing controls or preparing documentation of internal control: this is essential to maintain the independence of the internal auditors.

8.3 External Auditors
- Test the unit's assertions on internal control by reviewing the work performed by Internal Assurance.
- Perform additional testing for areas to be determined by them.

9 Corporate Assistance

9.1 Contacts
The Toolset will contain detailed guidance for completing each questionnaire. To facilitate this process we have a dedicated project team based in London, led by Homiyar Wykes, who will be your first point of contact. He will liaise with the Steering Committee for SOX 404 and respond to your questions and concerns. Members of the Steering Committee for SOX 404:
- Arvind Chopra, Director - Internal Assurance: +44 (0)20 7543 1158
- T.N. Ramaswamy, Director - Finance: +44 (0)20 7543 1174
- Simon Evans, General Counsel: +44 (0)20 7543 1183
- Homiyar Wykes: hwykes@ , +44 20 7543 1136

9.2 Further guidance
Additional guidance on implementation will be provided through separate inter-office memoranda.

Appendix 1 Management Attestation to be signed by the Unit CEO and CFO
In addition to the existing management certification under section 302 of the Sarbanes-Oxley Act, the Unit CEO and CFO will be required to attest to the following once SOX 404 has been fully implemented:
"As the certifying officers of Ispat [specify Unit Name], we are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for Ispat [specify unit name] and have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
Based on our continuous review process we can certify that adequate internal controls over financial reporting have been maintained in Ispat [specify unit name] over the period of twelve months ending December 31, 200[X]."

Appendix 2 Sample template for control documentation
Unit Name:
Financial Statement Caption:
Control Objective:
Description of Control Activity: how is the control activity performed and how often? Manual / Automated / Semi-automated
Control Procedures (please describe briefly each that applies): Authorisation; Completeness; Accuracy; Substantiation; Evaluation; Access to Assets
Risk mitigated by the control:
Primary input sources: should include important data files (e.g. customer and price master files), documents and records
Processing procedures: significant processing procedures, including on-line entry and updating processes
Primary output: key output files, reports and records
Physical evidence: physical evidence for the control to the extent possible, or physical observation of the control or of the result of the control activity
Segregation of duties (Process / Recording / Access): functional segregation of duties indicating the person primarily responsible for the control
Prepared by / updated on: Name, Designation, Date
Responsibility for control activity: Name, Designation, Date
Date of approval and authority: Name, Designation, Date
Last reviewed on: Name, Designation, Date

相关文档
最新文档