国际信息安全标准系列之SOX 404 Guidance v1 1

SOX 404 Implementation Guidance October 2003STRICTLY FOR INTERNAL CIRCULATION ONLYContentsPage 1Sarbanes-Oxley, 2002, Section 404 (“SOX 404”) 3 1.1Management’s attestation requirement under SOX 404 3 1.2Management’s attestation 3 2Overview of the COSO framework 4 2.1COSO Framework 4 2.2Components of COSO framework 5 3Internal control 6 3.1Who 6 3.2Objective 6 3.3Effective internal controls 6 4IINV’s SOX 404 Framework 7 4.1SOX 404 framework 7 4.2Entity Assessment Questionnaires 7 4.3Controls performed at the Corporate Office 8 4.4Controls not documented or not formalised 8 5Financial Statements and Disclosure Assertion 9 5.1The Six assertions 9 5.2Financial statement caption 10 5.3Assertion Risk 10 5.4Mitigating controls 10 5.5Examples of control techniques 11 6Documentation 12 6.1Routine transactions 12 6.2Non-routine transactions 13 6.3Estimations 13 6.4Informal controls 14 6.5Some sources of Control Documentation 14 7How to address deficiencies 15 8Roles and responsibilities 16 8.1Unit management 16 8.2Unit Internal Assurance 16 8.3External Auditors 16SOX 404 – Implementation GuidanceOctober 20039Corporate Assistance 17 9.1Contacts 17 9.2Further guidance 17Appendices1 2 Management Attestation to be signed by the Unit CEO and CFOSample template for control documentationSOX 404 – Implementation GuidanceOctober 20031 Sarbanes-Oxley, 2002, Section 404 (“SOX 404”)1.1 Management’s attestation requirement under SOX 404The SEC Rules implementing SOX 404 require that each annual report of an SEC registrant should include an internal control report by management which contains the following:State responsibility of management for establishing and maintaining an adequateinternal control structure and procedures for financial reporting.Statement identifying the framework used by management to evaluate the effectivenessof internal controlContain an assessment of the effectiveness of the internal control structure andprocedures for financial reporting.External auditors are required attest management’s assertion on effectiveness ofinternal controls and procedures for financial reporting.1.2 Management’s attestationA sample of the attestation is given in Appendix 1 of this guidance note.SOX 404 – Implementation GuidanceOctober 20032 Overview of the COSO framework2.1 COSO FrameworkA SOX 404 assessment requires a suitable criteria for an effective internal control system.Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an internal control framework in 1992 (“COSO Framework”). IINV has chosen the COSO framework due to the following reasons:In the SEC rule to implement SOX 404, SEC has suggested COSO to be preferredframework;Draft AICPA guidelines for evaluation of internal control for SOX 404 recommends theuse of the COSO framework to provide the attestation.Suitable, recognised control framework developed through due process including publiccomment.The COSO Framework is illustrated below:SOX 404 – Implementation GuidanceOctober 20032.2 Components of COSO framework2.2.1 Control EnvironmentReflects tone set by top managementOverall attitude, awareness and actions of the board, management, owners, and othersconcerning importance of internal control and the emphasis placed on control in thecompany’s policies, procedures, methods, and organizational structure.Foundation for all other components of internal control, providing discipline andstructure.2.2.2 Risk AssessmentEntity’s identification and analysis of relevant risks (both internal and external) to theachievement of its objectives, forming a basis for determining how the risks should bemanaged.Entity-level objectives, including how they are supported by strategic plans and complemented on a process/application level, have been established andcommunicated.Risk assessment process, including estimating the significance of risks, assessing thelikelihood of their occurrence, and determining needed actions, has been established.2.2.3 Control ActivitiesPolicies and procedures ensure that management’s directives are carried out andcontrols called for by policy are being applied.Mitigating and monitoring controls related to specific risks for each financial statementcaption in the balance sheet and income statement.2.2.4 Information and CommunicationInformation and communication systems support identification, capture, and exchangeof information in a form and time frame that enable management and other appropriatepersonnel people to carry out their responsibilities.2.2.5 Monitoring and EvaluationMonitoring is a process that assesses the quality of internal control performance overtime.Periodic evaluations of internal control are made and personnel, in carrying out theirregular duties, obtain evidence as to whether the system of internal control continues to function.SOX 404 – Implementation GuidanceOctober 20033 Internal controlInternal control is a process, effected by an entity’s board of directors, management andother personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:Effectiveness and efficiency of operations Reliability of financial reportingCompliance with applicable laws and regulations3.1 WhoProcess designed by, or under the supervision of, the registrant's principal executive and principal financial officers and effected by the registrant's board of directors, management and other personnel3.2 ObjectiveTo provide reasonable assurance regarding reliability of financial reporting for external purposes in accordance with GAAP.3.3 Effective internal controlsEffective internal controls include policies and procedures for:maintenance of records that in reasonable detail accurately and fairly reflecttransactions and dispositions of assets;providing reasonable assurance that transactions are recorded as necessary to permitpreparation of financial statements in accordance with GAAP, and receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; andproviding reasonable assurance regarding prevention or timely detection ofunauthorized acquisition, use or disposition of assets that could have a material effect on financial statements.SOX 404 – Implementation GuidanceOctober 20034 IINV’s SOX 404 Framework4.1SOX 404 framework4.2 Entity Assessment QuestionnairesThere are five questionnaires covering Control Environment, Risk Assessment, Control Activities, Information & Communications and Monitoring & Evaluation. The entity assessment questionnaires are essential for overall assessment of elements of COSO framework. Management will need to answer all questions and provide:explanations for each “Yes” or “No”;Reference to relevant processes, documentation and other supporting information; self-assessment of the relevant control;audit trail to demonstrate effectiveness of design and effectiveness of controlsSOX 404 – Implementation GuidanceOctober 20034.3 Controls performed at the Corporate OfficeCross refer to policy and procedures followed by the Corporate Office, for example reporting and control exercised by the Audit Committee.4.4 Controls not documented or not formalisedIn certain cases, there may not be formal documentation for certain controls. For example, controls such as daily or regular routine plant/facility visits, conference calls to corporate for performance update etc. In such cases, the processes and controls should be made:transparent and verifiable in terms of regularity and observable for the purpose ofattestation.result of the control activity should be observable and be available for objectiveevaluation.consider formalising and documenting controls.Please refer to the section 6 for minimum “Documentation”.SOX 404 – Implementation GuidanceOctober 20035 Financial Statements and Disclosure Assertion5.1 The Six assertions5.1.1 Completenessno unrecorded assets, liabilities, transactions or events, or undisclosed items. controls exist to ensure actual transactions are not omitted from the records, all transactions are reflected in the proper accounting period5.1.2 ExistenceAsset or a liability exists at a point in time.Controls exist to ensure only valid assets and liabilities are recorded, safeguarded andperiodic accountability is maintained.Controls exist to ensure legal title to recorded assets and rights to assets are onlyassigned with appropriate authorization, andOnly liabilities of the company are recorded.5.1.3 AccuracyControls exist to ensure that transactions are recorded at correct monetary amounts.5.1.4 Valuationasset or liability is recorded at an appropriate amount using an appropriate method ofvaluation in line with US GAAPtransaction or event is recorded at the proper amount and revenue or expense isallocated to the proper period.5.1.5 OccurrenceAn assertion that a recorded transaction or event actually took place during the period. Controls exist to ensure fictitious or duplicate transactions are not included in therecords.5.1.6 DisclosureItem is properly classified,described, and disclosed in the financial statements.SOX 404 – Implementation GuidanceOctober 20035.2 Financial statement captionFinancial statement line items which are included in Hyperion for financial reporting purposes.5.3 Assertion RiskRisk that amounts reflected in the financial statements do not reflect the assertions. See The Six Assertions5.4 Mitigating controls Preventive controls designed to detect a fraud or prevent an errorusually applied at individual transaction levelmanual or IT controlsauthorization would be one of the mainpreventative controls.Transaction ProcessingControlsControls to ensure completeness and accuracy of transactions reflected in the financial statements. Detection controlssubstantiation or evaluation controls designed tomonitor an assertion risk, including identification of a fraud or errors.usually applied to groups of transactions. Physical safeguardcontrols segregation of duties,physical observationother techniques to limit access to assets,records, forms and processing5.5 Examples of control techniquesApprovalsMatching and comparisonsSequence checking and control logsRecalculationsControl totalsValidationAnalytical proceduresVerification of physical existenceVerification with third partiesReconciliation of control accountsPeriodic determination of valuation allowancesAccess restrictions6 DocumentationThe following paragraphs outline the minimum documentation required for routine, non-routine and estimations. Units may provide additional documentation for its processes and controls but he following minimum standards will need to be followed to comply with the requirements of SOX 404. Documentation requirements for each class of transactions is given below.6.1 Routine transactions6.1.1 OverviewRoutine transactions are frequently recurring financial activities reflected in the books and records in the normal course of business (e.g., sales, purchases, cash receipts, cash disbursements, payroll).The Units should examine or prepare copies of documentation which provides a basic understanding of the flow of transactions. This documentation should include how transactions are initiated, recorded, processed, and reported. The Unit should also consider other existing documentation (e.g., process models, flowcharts, procedural manuals, job descriptions, documents, forms).The documentation reflects all the relevant processing procedures, whether performed manually or automated. The project team generally obtains copies of or prepares certain information technology documentation. Since the primary purpose of this documentation is to help identify where errors or fraud can occur, the Unit should concentrate on documenting:Brief description and objective of the control and how it mitigates the assertion risk Major input sourcesDescribe whether the control is manual or automatedImportant data files (e.g., customer and price master files), documents, and records Significant processing procedures, including on-line entry and updating processes Important output files, reports, and recordsFunctional segregation of duties indicating the person primarily responsible for thecontrol.Physical evidence for the control to the extent possible or physical observation of thecontrol or result of the control activity.How is the control activity is performed and how often is it performed?For a control documentation template see Appendix 2 of this Guidance.6.1.2 Segregation of dutiesA lack of segregation of duties exists if any individual performs incompatible activities or if access controls of a computer application grant users inappropriate or excessive access to functionality (e.g., if an individual is in a position to both perpetrate and conceal fraud in the normal course of performing his or her duties). Thus, the Unit should consider whether any individuals:perform processing procedures that are incompatible with each other,perform both processing procedures and related controls, orhave inappropriate access to the accounting records and related assets.We recommend that Units develop methods for identifying inadequacies in the segregation of duties for each major class of transactions.6.2 Non-routine transactionsNon-routine transactions are financial activities that occur only periodically (e.g., taking physical inventory, calculating depreciation, adjusting for foreign currencies). A distinguishing feature of non-routine transactions is that data involved generally are not part of the routine flow of transactions. The Unit should focus on documenting:Procedures or forms the company uses (e.g., the written instructions used in a physicalinventory)Any computer applications the company uses in the accounting activities (e.g.,applications, purchased or internally-developed, used to calculate depreciation or to capture the physical inventory counts through barcode scanning)Assumptions, if any, employed in the transaction (e.g., the average useful livesemployed in calculating depreciation)frequency with which the non-routine transactionoccursThe company personnel involved in the accounting activities6.3 EstimationsEstimation transactions are financial activities that involve management judgments or assumptions in formulating an accounting balance in the absence of a precise means of measurement (e.g., determining the allowance for doubtful accounts, establishing warranty reserves, assessing assets for impairment). For this class of transactions, the Unit should focus on documenting the following:Data used to make the estimate (e.g., the aged listing of accounts receivable may beused to identify potential bad debts)Relevant factors and assumptions that company personnel consider in making theestimate, including the reasons for the particular assumptionsTechniques (i.e., the models) company personnel use to apply the assumptions to thedata, including the procedures to collect, calculate, and aggregate the relevant dataFrequency with which the estimation transaction occursDegree of subjectivity involvedCompany personnel (or third party specialists) involved in making the estimatedepreciation)Frequency with which the non-routine transaction occursCompany personnel involved in the accounting activities6.4 Informal controlsIt is likely that there will be a number of informal controls over processes and certain transaction. In such cases, Unit Management will have to consider documenting those controls based on the guidelines given above. It should also make such informal controls transparent and verifiable in terms of regularity and observable for independentattestationresult of the control activity should be observable and be available for objectiveevaluation.consider formalising and documenting controls.6.5 Some sources of Control DocumentationSystems implementation such as ERP or SAPPolicy and procedures manualISO certification manualsWritten procedures – manual and/or IT systems proceduresProcess flow /control chartsStrategy documents Budget and/or regular performance/variance update.7 How to address deficienciesAll significant deficiencies and material weaknesses need to be communicated in writing. These items should be set forth by management as part of its assessment report. In addition, the existence of a material weakness in internal control precludes an unqualified opinion that internal control is effective. The broad approach to significant deficiencies is as follows:Where there are no formal controls – management should document controls to ensureresults of the control activity are transparent and the process is observableWhere there are no controls – management should design and implement controls as amatter of utmost urgencyControls are not working satisfactorily – Management will need to review design of thecontrol and develop a remedial action plan to ensure controls are operating effectively. Please inform the Steering Committee and the SOX 404 Project Manager at the earliestopportunity should you come across a significant deficiency or a material weakness8 Roles and responsibilities8.1 Unit managementPrimary responsibility of management to ensure and monitor the existence of effectiveinternal controls.Appoint coordinators at each unit for SOX 404 implementationAssess need for completion of questionnaires by management of subsidiariesconsolidated within each primary reporting unit. This may need to be done in conjunction with IINV management.Process must be properly documented to permit attestation firstly by management andthen by internal auditors.Complete Management Self Assessment periodically and for timely review by internaland external auditors.Report ALL deficiencies and material weaknesses. Significant deficiencies will bereported to audit committee and addressed in the auditors reportDevelop action plan to eliminate deficiencies and material weaknesses with detailedtime table and responsibilities.Management attestation report from all units, signed by CEO and CFO.Please see Appendix 2 for the Management Certification required under SOX 404.8.2 Unit Internal AssuranceTest management self assessments at each unitProvide assurance to unit, corporate management and audit committee of IINVNO involvement in developing controls or preparing documentation of internal control –Essential to maintain their independence of internal auditors.8.3 External AuditorsTest unit’s assertions on internal control by reviewing work performed by InternalAssurancePerform additional testing for areas to be determined by them.9 Corporate Assistance9.1 ContactsThe Toolset will contain detailed guidance for completing each questionnaire. In order to facilitate this process we have a dedicated project team based in London led by Homiyar Wykes and will be your first point of contact. He will liaise with the Steering Committee for SOX 404 and respond to your questions and concerns. Members of the Steering Committee for SOX 404:Arvind Chopra, Director - Internal Assurance : + 44 (0)20 7543 1158T.N. Ramaswamy, Director - Finance: + 44 (0)20 7543 1174Simon Evans, General Counsel: + 44 (0)20 7543 1183Homiyar Wykes - hwykes@ - +44 20 7543 11369.2 Further guidanceAdditional guidance on implementation will be provided through separate inter office memoranda.Appendix 1 Management Attestation to be signed by the Unit CEO and CFOIn addition to the existing management certification under section 302 or the Sarbanes-Oxley Act, Unit CEO and CFO will be required to attest to the following once SOX 404 has been fully implemented:“As the certifying officers of Ispat [specify Unit Name], we are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-1415(e) and 15d-1415(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for Ispat [specify unit name] and have designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.Based on our continuous review process we can certify, that adequate internal controls over financial reporting has been maintained in Ispat [specify unit name], over the period of twelve months ending December 31, 200[X].”Appendix 2Sample template for control documentationUnit NameFinancial Statement CaptionControl ObjectiveDescription of Control Activity How is the control activity performed and how often ?Manual / Automated / Semi automatedControl Procedures (Please describe briefly each of the applicable)AuthorisationCompletenessAccuracySubstantiationEvaluationAccess to AssetsRisk mitigated by the controlPrimary input sources Should include important data files (e.g., customer and pricemaster files), documents, and recordsProcessing procedures Significant processing procedures, including on-line entry andupdating processesPrimary OutputKey output files, reports, and recordsPhysical evidence for the control to the extent possible or physical observation of the control or result of the control activity.Segregation of duties Functional segregation of duties indicating the personprimarily responsible for the control.Process Recording Access Prepared by / Updated on: Name Designation Date Responsibility for control activity Name Designation DateDate of approval and authority Name Designation DateLast reviewed on: Name Designation Date。