Final+Training+Presentation(SOX)
Training Objectives
- To understand the compliance requirements of the Sarbanes-Oxley (SOX) Act
- To understand the SOX 404 implementation process in Trio-Tech
- To prepare the process owners and their team members to document and assist in testing process-level internal controls
Today's Agenda
Introduction to SOX
Sarbanes-Oxley Act…
- A statutory requirement enacted in 2002
- To help prevent fraudulent and inaccurate reporting
- To provide reasonable assurance to investors about the reliability of financial reporting
- Applies to all public companies in the U.S. and their subsidiaries
- Compliance is with respect to Section 404 of the Act, popularly known as SOX 404
- Section 404 is mainly about Internal Controls Over Financial Reporting (ICFR)
Internal Controls
Internal Controls are policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Internal Controls Over Financial Reporting (1)
ICFR is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with US Generally Accepted Accounting Principles (GAAP).
It includes those policies, procedures and practices that pertain to:
- Recording of transactions
- Maintenance of records
- Safeguarding of assets
Internal Controls Over Financial Reporting (2)
ICFR are controls over:
- Initiating, authorizing, recording, processing and reporting of transactions
- Safeguarding of assets
- Selection and application of accounting policies to conform with GAAP
- Anti-fraud programs and controls
- Controls on which other controls are dependent, e.g. IT General Controls
- Significant non-routine and non-systematic transactions
Requirements of SOX 404
Management must:
- State its responsibility for establishing and maintaining adequate ICFR
- Contain in its report its assessment of the effectiveness of the internal control structure over financial reporting
First compliance date: fiscal year ending 30th June 2008
The auditor must attest to:
- The effectiveness of the Company's internal control system over financial reporting
First compliance date: fiscal year ending 30th June 2009
Scope of SOX 404
SOX 404 relates to Internal Control over Financial Reporting.
Does this mean it includes only Finance processes? The answer is NO.
Reason:
- Operational processes like Billing, Purchasing, Store, Payroll, MIS, etc. form the basis for financial reporting
- Controls in these processes have a direct or indirect impact on financial reporting
- SOX compliance involves 60% contribution from Finance, 20% from Operations and 20% from Logistics
Non Compliance…
Certifying that requirements have not been met, i.e. certifying that ICFR is not adequate or effective, leads to:
- Impact on stock prices
- Loss of investor confidence
- Loss of the Company's reputation
Certifying a report that does not meet requirements makes the CEO and CFO liable for:
- A fine
- Imprisonment
- Both
27/03/2007 TTSH & TTSIP SOX Training
The COSO Internal Control Framework
Why should we learn about COSO?
- SOX requires that management's assessment of the effectiveness of an entity's ICFR be based on a suitable, recognized control framework
- The COSO Internal Control framework is widely accepted and used by US companies to assess ICFR
- Trio-Tech uses COSO as the recognized framework; hence, Management's assessment of internal controls over financial reporting needs to cover the 5 COSO components
What is the COSO Framework?
The COSO framework is an Internal Control framework developed by the 'Committee Of Sponsoring Organizations'.
COSO definition of Internal Control:
A process effected by directors, management and other staff to provide reasonable assurance in achieving the following objectives:
- Operational effectiveness and efficiency
- Financial reporting reliability
- Compliance with laws and regulations
COSO Components
Control Environment
- Foundation for the other control components
- Influences staff behavior and how they carry out their duties
Risk Assessment
- Identification of the risks that threaten the attainment of the objectives
Control Activities
- Policies and procedures implemented by Management to mitigate identified risks
Information & Communication
- Information systems to collect, summarize and report information needed for decision making
- Other channels of communication necessary to accomplish objectives
Monitoring
- Continuous assessment of the design and operating effectiveness of controls
Risks and Controls - Core Concepts
Risk & Control Assessment Approach
- SOX emphasizes a risk-based assessment approach
- SOX restricts its assessment to risks and controls relating to financial reporting
This involves:
- Identification of financial reporting objectives
- Identification of risk, i.e. threats to achieving the objectives
- Control activities to mitigate the identified risks
Financial Reporting Objectives
Prepare reliable external financial statements that are fairly presented in conformity with:
- Generally Accepted Accounting Principles (GAAP)
- Regulatory requirements of the SEC, etc.
Risk Identification & Assessment (1)
Risk to achievement of the financial reporting objectives, that is, the risk that the financial statements are not:
- Reliable
- Fairly stated
(Figure: accounting policies, financial statements, required disclosures)
Risk Identification & Assessment (2)
How can it go wrong?
- Fraud
- Illegal acts
- Oversight
- Error
(Figure: sources are Human, i.e. Management or Employees, or System)
Control Activities (1)
Entity Level Controls
Controls undertaken by Senior Management that:
- Form the foundation of internal controls
- Permeate the entity
- Have a pervasive impact on process level controls
- Can significantly impact the achievement of financial reporting and disclosure objectives
Examples include policies and procedures, top-level reviews, direct activity management, etc.
Control Activities (2)
Process Level Controls
A business process is a structured set of activities designed to transform inputs (materials, knowledge and labor) into outputs valued by customers.
Examples of processes include production, billing, purchasing, accounting, etc.
Process level controls are the controls necessary to mitigate risks identified and assessed for core business processes and resource management processes.
For SOX 404, the focus is on controls to mitigate significant risks relating to financial reporting.
Process level controls relevant to SOX are controls over initiating, authorizing, recording, processing and reporting of a transaction.
SOX 404 Compliance
- Identify processes relevant to material account balances
- Identify the Process Owners for each process
- POs to continuously update documentation and monitor controls
- Perform process level control assessment
- Entrust documentation ownership to Process Owners (POs)
- Process Owners to support Internal and External Audit
An Overview…
Key Processes and Sub-processes
Approach to Document & Test Process Level Internal Controls
Step 1: Document process workflows and internal controls
Step 2: Analyze and summarize key process risks and controls
Step 3: Test control design and operating effectiveness
Step 4: Identify control gaps and remediate if required
Management: prepare report on ICFR
Auditor: attest and report
Continuous improvement
Four Step Approach – An Overview
Step 4: Identify control gaps and remediate if required
Responsibilities – An Overview (1)
(Table: responsibilities by step number for the Process Owner and the Internal Auditor; only the column headers survived extraction)
Preparing Process Flowcharts
Preparing the Process Flowchart
The template has a header with the following details:
- Key Process
- Sub Process
- Process Objectives
- General Ledger Accounts
- Operation Unit
- Process No.
The main body of the Flowchart template has the following sections:
- Activity
- Three sections to show responsibilities across departments and individuals (the sections can be increased or reduced depending on the workflow)
- A last section to show the use of Information Systems in the process
Flowcharting Symbols (1)
Note: A worksheet containing the symbols is available in the Templates Excel file.
- Start of a process
- Multiple documents
- Single document
- Process descriptions and numberings
Flowcharting Symbols (2)
- End of process
- Description of information system used
- Decision point
- Connectors
- Off-page connectors
Flowcharting Guidelines (1)
Keep the flowchart simple.
Process workflows should always flow either from:
- Left to right, or
- Top to bottom
(Figure: examples of correct and incorrect flow direction)
Flowcharting Guidelines (2)
- Use each section of the template for the departments or individuals through which the work or document flows
- Add sections, if required, by reducing the column width of the existing sections
- Reduce sections, if required, by increasing the column width of the existing sections
- In no case should the template width be changed
- Ensure that the flowcharting symbols are centered within the section
- A flowchart should always start with a 'start' symbol and end with an 'end' symbol
- Flows should not be broken on a page without a 'connector' or an 'end' symbol
- Wherever connectors are used, ensure that the flow under the connectors is completed
Flowcharting Guidelines (3)
- Wherever decision points are used, they should branch out into at least two flows
- Ensure that process numberings are continuous and do not repeat
- Do not change the size of an object unless absolutely required; copy and paste from the 'Std Format' sheet. Maintain the font as Arial Narrow '8'
- Ensure that the arrows are straight
- Indicate the exact name of the system in the Information Systems symbol, e.g. GPS – AP Module, etc.
- Write a brief description of the activity in the Activity column
Test of a Good Flowchart
- Readily understood by an unfamiliar person
- Helps the reader briefly understand the entire process, key controls and all the important documents involved without going through the narratives
Example: the narrative says 'The Cashier receives the cheques and restrictively endorses them. He enters the received cheque details in the Incoming Cheque Records'.
(Figure: incorrect and correct flowchart renderings of this example)
Preparing Process Narratives
Preparing the Process Narratives (1)
The template has a header with the same details as in the Process Flowchart.
The main body of the Narratives template has the following sections:
- No. – should be consistent with the 'Process No.' in the Process Description symbol in the Process Flowchart
- Supplemental explanation of each activity
- Supporting Document – list the documents involved and provide a sample copy of each document as support
- Risk Control Matrix – link to the key controls identified in the matrix. The number to be indicated in this section is the same as the Process No. This section should be filled in only for those processes which have key controls in them
Preparing the Process Narratives (2)
The purpose of the Narrative is to document the workflow along with the control activities; hence it should be in sufficient detail.
What is sufficient detail?
Each activity of the process should have the following details to be sufficient:
- Who did the activity
- Where the activity was performed, i.e. in which department
- When the activity was performed, i.e. what triggered the activity
- What the activity was
- How it was performed, e.g. manually, using a software, etc.
Basic Elements – Who…
Every activity description should indicate who performed the activity.
Only designations need to be used for this purpose. Individual names SHOULD NOT be used in the Narratives.
Example:
Incorrect: Ai Noi prepares the Monthly payroll summary (OR) Monthly Payroll Summary is prepared
Correct: The HR Executive prepares the Monthly payroll summary
Basic Elements – Where…
The place where the activity was performed and the place where the documents were generated should be indicated, so that the departments / locations through which the workflow passes are understood.
The departments indicated in the narratives should correspond to the flowchart, e.g. an activity said to be performed by the Manufacturing Billing Clerk should be under the Manufacturing section of the flowchart.
Example:
Incorrect: HR Assistant receives the payroll analysis and performs 100% checking
Correct: HR Assistant receives the payroll analysis from the outsourced vendor and performs 100% checking
Basic Elements – When…
The period in which the activity was performed should be indicated, if it is not obvious from the other sections of the narrative.
Example:
Incorrect: Reconciliation from GL to AP Ageing Report is done by the Accounts Assistant
Correct: Reconciliation from GL to AP Ageing Report is done by the Accounts Assistant at month-end
However, if the process is 'Period-end Closing' and the sub-head is 'Monthly Closing', the time of the activity NEED NOT be indicated as month-end for each activity.
Basic Elements – What & How…
These two elements form the crux of the Narratives.
It is not sufficient just to write about the activity; the controls embedded in the activity should be sufficiently explained.
Include all the control activities, however insignificant they may be. They can be used as compensating controls if the key controls are not working during the audit.
Example:
Incorrect: Sales Commission claim form is checked by the Marketing Executive before passing it for Management approval
Correct: The Marketing Executive checks the following with respect to the Sales Commission claim form before passing it for Management approval:
- Physical copies of invoices and monthly sales reports
- Verification from the AR Assistant whether the invoices have been paid by the customers
Control Activities – An Overview
- Control activities include both manual and application controls
- Manual controls are those performed manually, like checking, reviews, physical verifications, use of pre-printed serially numbered stationery for printing invoices, etc.
- Application controls include those performed by the information system in use, e.g. a Purchase Order cannot be generated without the required approvals, the AP system does not allow the same invoice number to be entered again, user rights for specific applications, etc.
- Both application and manual controls have to be included in the documentation
- Any simple routine check-and-balance activity can also be a control activity from the SOX point of view
Control Activities – Examples
- Policies and procedures
- Segregation of duties
- Authorization and approval
- Custodial and security arrangements
- Reviews by supervisors and managers
- Reconciliations
- Physical controls
- Checklists, record books, etc.
- Staff training
Test of a Good Narrative
- Clarity: the person who reads the narrative should understand the workflow and the control activities clearly without any need for significant assumptions
- External and Internal Auditors should be able to easily identify the control activities from the narratives
- Flowcharts and Narratives should be acceptable to the External Auditors, since they will use these to understand the controls for their audit