SOX FOR NPO'S: Focus on Control
Stephen L. Kuptz, CPA

Personal Background and Perspective

Introduction to SOX
The Sarbanes-Oxley Act of 2002, commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms. The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. The effects of SOX have now spilled over to non-profits due to the financial transgressions of entities such as United Way, Red Cross and the Fiesta Bowl.

Introduction to SOX (cont'd)
- The Sarbanes-Oxley Act of 2002 was enacted to restore confidence in U.S. capital markets and public company financial reporting
- SOX section 404 requires public reporting companies to file a report on internal controls with their annual reports
- The report must state the responsibility of management for establishing and maintaining an adequate internal control structure

Results of SOX
Total number of restatements over the last four years has leveled off.

Why SOX for NPO's?
- Highest Level of Stewardship and Accountability (ACSI, WASC, ECFA)
- Increases Stakeholder Confidence
- Mitigates Risk (Particularly COSO Framework)
- Provides reliable information supporting sound decision making

Board of Directors Responsibility
SAS 115 Cited Deficiency: Ineffective oversight of the organization's financial reporting and internal controls by those charged with governance
Auditor Significant Deficiency Comment: During the course of our audit, we determined that internal controls are now properly documented. We did not see any evidence, however, that the board has reviewed management's internal control risk assessment, nor that the board has monitored the design and effectiveness of the internal controls put in place by management in response to its risk assessment.

What Did We Do at SFC?
In 2012:
- Adopted and implemented the requirements of section 404 of the Sarbanes-Oxley Act of 2002
- Based our assessment of the effectiveness of internal control on the criteria established in the December, 2011 draft COSO Internal Control - Integrated Framework

What is COSO Internal Control - Integrated Framework?
COSO Integrated Framework provides the structure and guidance for establishing, testing, monitoring and reporting on a company's system of internal controls

What is Internal Control?
A process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of OBJECTIVES relating to operations, reporting and compliance

Internal Control - Integrated Framework
- First published in 1992
- Gained wide acceptance following financial control failures of early 2000s
- Most widely used Framework in the U.S.
- Also widely used around the world
[Figure: Original COSO Cube. Source: AICPA Learning Center]

COSO Internal Control - Integrated Framework 2013
Consists of three volumes:
- Executive Summary
- Framework and Appendices
- Illustrative Tools for Assessing Effectiveness of a System of Internal Control
Sets out:
- Definition of internal control
- Categories of objectives
- Components and principles of internal control
- Requirements for effectiveness

Update considers changes in business and operating environments
Environment changes have driven Framework updates:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexity in business
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud

COSO Pyramid
- Objectives (3): Operations, Reporting, Compliance
- Components (5): Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring
- Principles and Attributes (17)

What are Objectives?
COSO sets forth three categories of internal control objectives in its May, 2013 Integrated Framework:
- Operations Objectives
- Reporting Objectives
- Compliance Objectives
These objectives allow organizations to focus on differing aspects of internal control. They remain unchanged from the 1992 Framework.

What are Objectives?
- Operations Objectives: Pertain to the effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss
- Reporting Objectives: Pertain to internal and external financial and non-financial reporting
- Compliance Objectives: Pertain to laws and regulations to which the entity is subject

What are Components and Principles?
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Source: AICPA Learning Center

SFC Internal Control Components
- Internal Control and Risk Assessment Report
  - Address each of the 17 COSO Principles
- Internal Control Scoping Memorandum (SOX 404)
  - Risk Identification and Analysis by Account and Disclosure
  - Focus on Medium and High Risk Accounts (Cash, Receivables, Restrictions)

SFC Internal Control Components
- Key Controls Mapping Plan
  - Control Owner
  - Control Frequency (Annual, Semi, Monthly)
  - Control Properties (Preventive, Detective, Manual, Auto, etc.)
  - FS Assertions (Existence/Occurrence, Completeness, etc.)
- Key Controls Summary and Testing Plan
  - 38 Key Controls Tested Quarterly and Report to Board

Results
- 2012: No Audit Adjustments, No Management Letter Comments
- 2013: No Audit Adjustments, No Management Letter Comments
Our Board of Directors, Management and Stakeholders can rely on the financial information we present throughout the fiscal year, enabling us to make sound business decisions on a real-time basis.

QUESTIONS AND COMMENTS