Interesting article on User Developed Applications (UDAs). The same concerns apply to spreadsheets used for internal controls work, especially when they are distributed across departments rather than kept in one place. These applications are typically developed for expense calculation and tracking (e.g., stock compensation expense) as well as for financial analysis. Our approach is that tools of this kind should be access-controlled and stored in documented locations where they can be reviewed and updated in an orderly way. It makes audit-related work much easier in the end!
"Internal Auditors Target Spreadsheets
The practitioners' leading trade group launches a campaign to get better control over spreadsheets and databases created without oversight from IT.
David McCann - CFO.com | US"
The article below was sent to me by a dear friend of mine and fellow SOX enthusiast, Clark Keeler, Director, BPM. I find the article deeply ironic, considering it claims that "American business people of a conservative nature have been dreaming about driving a stake through the heart of the Sarbanes-Oxley act ever since the legislation was passed..." It would seem to me that if a person were truly fiscally conservative, they would consider Sarbanes-Oxley the prudent choice rather than the radical one. Internal controls require a checkpoint in a business procedure at which someone other than the preparer of the documentation verifies the accuracy of what was prepared. This verification prevents anyone from acting alone when making decisions about shareholder assets (physical assets, capital, intangible assets, etc.). I am of the opinion that this double check adds a necessary layer of review, given the potential for fraud, errors, omissions, and the like. Considering all that we at Vibato, LLC have found when testing internal controls, this is no longer just opinion but fact. The article begins:
“Two cheers for Sarbanes-Oxley
The Supreme Court gets it right by tweaking, but not overturning, the controversial legislation
Jun 29th 2010
AMERICAN business people of a conservative nature have been dreaming about driving a stake through the heart of the Sarbanes-Oxley act ever since the legislation was passed, back in 2002, in the wake of the Enron, Tyco, WorldCom and Global Crossing scandals. George Bush rightly described the legislation as “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt”. But to its critics it is far-reaching in the wrong direction. The American Enterprise Institute, a right-wing think-tank, has dismissed Sarbox as a “colossal failure”. Ron Paul, a Texan libertarian, has argued that it puts America at a competitive disadvantage. The Wall Street Journal thunders that it has “imposed hundreds of billions of dollars in costs on business with no noticeable decline in financial scandals”. Newt Gingrich has urged Congress, the body that he once dominated, to repeal the act.”
I read a press release titled "Decision in Free Enterprise Fund v. PCAOB". To read the full press release, click on the link below:
http://pcaobus.org/News/Releases/Pages/06282010_SupremeCourtDecision.aspx
Jake Leon from thecaq.com commented:
"In a letter sent to House and Senate conferees this morning, leaders of the three organizations wrote, “Like you, our organizations recognize the positive impact small businesses have on the economy and job creation. However, we cannot support actions, no matter how well intentioned, that threaten investor confidence and the stability of the U.S. capital markets. For investors’ sake, we urge you to strike from the conference report the Section 404(b) compliance waiver.”"
Background on SAS 70s
A SAS 70, also known as a "Service Auditor's Report", is a report on the controls in place at an outsourced service provider. It is typically prepared by an independent accounting firm. A Type 1 report describes the controls as of a particular date but does not include testing of the effectiveness of the controls, whereas a Type 2 report also includes testing of the operating effectiveness of the controls over a period of time. You ideally want a Type 2 report that covers at least six months of the period your own internal controls testing addresses, and that is reasonably close in timing to your company's year end. I typically consider a Type 1 SAS 70 to be pretty useless, since the controls represented in the document have not been tested by a third party.
When to ask for a SAS 70
A general rule of thumb for requiring a SAS 70 from a vendor: if they are holding something of value in trust for your company, you are entitled to ask them for one. Something of value could be data (a server farm), inventory (a logistics center), cash (a payroll service such as ADP), stock (an equity administration service such as Equity Edge), and so on.
What can I expect to learn from a SAS 70?
A SAS 70 will detail the controls in place at your vendor's company and, in a Type 2 report, whether each one passed or failed testing. It will also detail what controls your vendor expects you to have at your company (often labeled "user control considerations") so that they can live up to their end of the bargain; e.g., if you do not encrypt the data you send to your payroll service provider, they cannot guarantee the safety of that highly confidential information. The information in the SAS 70 will tell you whether you should feel comfortable or nervous about how they are protecting the assets you are trusting them with.
What to do if your Vendor does not offer a SAS 70
There isn't a clear answer for this issue. If a vendor holds a material amount of assets for you and does not offer a SAS 70, you will need to implement more internal controls at your own company to ensure the vendor is not stealing from you, which can equate to a lot of work and money. I personally would not store highly confidential data or a material amount of cash or inventory with a company that was unwilling to provide me with a clean Type 2 SAS 70. There are plenty of vendors who are willing to earn your business by proving they are worth doing business with, and a Type 2 SAS 70 is one way to demonstrate that commitment to your assets' safety.
I received a SAS 70, now what?
Once you receive a SAS 70, you must analyze it to determine whether your vendor was given a clean report (an opinion on operating effectiveness appears only in a Type 2). You must determine what controls your vendor requires of you (see above) and whether you have them. You should also review the controls testing to see what deficiencies, if any, were found. When it comes to external audits and internal controls testing, your auditors will ALWAYS review your SAS 70s, and just signing the top of one is not proof that you have reviewed it. We have a SAS 70 analysis document that we would be happy to give to you; register with us to receive it.
What is a Negative Assurance Memo?
Better question: why does it have such a weird name? A Negative Assurance Memo, or Gap Letter (also called a bridge letter), is a letter from your vendor stating whether any of their internal controls have failed testing in the time between SAS 70s. SAS 70s typically span nine-month periods, so you will need comfort from your vendor that their controls were working for the last three months of YOUR fiscal year (not theirs but yours: you need comfort that their controls were working for all 12 months of your fiscal year). Because SAS 70s typically come out at the same time each year, say March, you will need a letter from your vendor stating either that nothing has changed from January through March or that the sky is falling and you have one more issue to deal with. But at least you'll know!
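As an added example (not from the original post or from Vibato's toolset), here is a small Python helper that computes which part of your fiscal year a vendor's Type 2 report periods leave uncovered, and therefore what span a gap letter has to address. It assumes the situation described above: a fiscal year running April 1 through March 31 and a nine-month report period ending December 31. Those dates are constructed inputs and the function names are my own. It goes beyond the single case in the text by handling several reports, overlapping periods, and periods that straddle the fiscal year boundary.

```python
from datetime import date, timedelta


def uncovered_periods(fiscal_start, fiscal_end, report_periods):
    """Return the inclusive (start, end) date ranges within the fiscal year
    that no report period covers; these are the spans a gap letter must
    address.  report_periods is an iterable of inclusive (start, end) tuples
    that may overlap, be unordered, or extend outside the fiscal year."""
    # Clip every report period to the fiscal year; drop ones that miss it.
    clipped = []
    for start, end in report_periods:
        s, e = max(start, fiscal_start), min(end, fiscal_end)
        if s <= e:
            clipped.append((s, e))
    clipped.sort()

    gaps = []
    cursor = fiscal_start          # first day not yet known to be covered
    for s, e in clipped:
        if s > cursor:             # a hole before this period begins
            gaps.append((cursor, s - timedelta(days=1)))
        if e >= cursor:            # advance past everything this period covers
            cursor = e + timedelta(days=1)
    if cursor <= fiscal_end:       # hole after the last period ends
        gaps.append((cursor, fiscal_end))
    return gaps


def days_uncovered(gaps):
    """Total number of fiscal-year days with no report coverage."""
    return sum((end - start).days + 1 for start, end in gaps)


def gap_letter_needed(fiscal_start, fiscal_end, report_periods):
    """True when at least one day of the fiscal year lacks coverage."""
    return bool(uncovered_periods(fiscal_start, fiscal_end, report_periods))


def example_scenario():
    """Constructed inputs matching the scenario in the text: a fiscal year
    ending March 31 and a nine-month Type 2 period ending December 31."""
    fy_start, fy_end = date(2010, 4, 1), date(2011, 3, 31)
    sas70_periods = [(date(2010, 4, 1), date(2010, 12, 31))]
    return uncovered_periods(fy_start, fy_end, sas70_periods)


if __name__ == "__main__":
    for start, end in example_scenario():
        print(f"gap letter must cover {start} through {end}")
    # prints: gap letter must cover 2011-01-01 through 2011-03-31
```

Run it with your own fiscal year and the period stated on the report's opinion page; whatever it returns is the exact span the vendor's letter must speak to. If it returns an empty list, the report period already covers your whole year and no gap letter is required.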

Small Non-Accelerated Filers Now Have a Cost-Effective Option for Sarbanes-Oxley, Section 404(b) Compliance
SAN FRANCISCO, Calif. - February 17, 2010 - Vibato, the only provider of the fixed-price, best-practice, modular approach to meeting Sarbanes-Oxley (SOX) and SAS-related compliance requirements, today announced the release of SOX BASIC®. This revolutionary approach to SOX compliance delivers a size-specific SOX implementation to smaller reporting companies in just one day and for less than $6,000, a fraction of the cost of competing alternatives and a compelling solution for this under-served segment of the market.
The latest SEC report, "Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements," estimates the average cost of outside vendor assistance for companies with less than $75M market capitalization for their 2008 fiscal year to be approximately $82,000 for initial implementation (table 8, pg. 44). This is the result of the traditional time-and-materials approach to scoping and implementing a SOX engagement, but does not align with the budget and resource constraints faced by many smaller public companies today.
With the rapidly approaching deadline of June 15, 2010 for the auditor attestation of internal controls or SOX Section 404(b), non-accelerated filers need a reasonable solution that fits their budget, level of resource availability and ongoing maintenance requirements.
For the first time, a fully-integrated, best-practice approach to establishing and documenting internal controls for smaller public companies, as well as startups or larger companies with smaller initial requirements, is available in the form of a comprehensive toolset that can be implemented in one day and for a fixed price.
"We were impressed with the rapid implementation, thorough integration and cost-effective approach delivered in the SOX BASIC toolset from Vibato," said Rod Meisel, corporate controller, Cereplast, Inc. "The initial implementation was a very straightforward process. It got us on the right track for our year-end audit and met our budget constraints."
SOX BASIC is built on the same proven, integrated framework originally introduced in SOX Compliance Made Simple® (SCMS), but is designed specifically for companies with fewer than 25 employees, or that need fewer than 20 internal controls to meet their compliance requirements. SOX BASIC includes the features listed below in a unique integration of the industry-proven, best-practice approach offered in the SCMS framework:
- Support - Includes consulting time to perform the implementation and help set up a controls testing plan.
- Risk Assessment - Measures both quantitative and qualitative factors for determining in-scope processes and identifying the high-risk areas of the business.
- Control Matrix - Supports up to 20 predefined best-practice controls available from the 17 process cycles currently offered by Vibato, covering all key areas of the business in addition to the following fully-integrated items:
  - Dashboard to track initial results and ongoing updates
  - Internal controls sub-certification for the 302 Attestation
  - Automatic change control tracking
  - Project plan with milestone deliverables
  - Recommended testing sample sizes based on auditor selection
  - PBC listing and summary
  - Summary of aggregated deficiencies
  - One-click roll-forward functionality that saves relevant historical data and prepares the tool for the next year
- Segregation of Duties Analysis - Analyzes 304 unique segregation conflicts, and identifies the specific resources affected along with suggested remediation strategies.
- Integrated Testing and Documentation - Includes test plans and every policy, checklist, form, and other documents necessary to execute each control as written.
SOX BASIC is also available for licensing by financial services and public accounting and consulting firms looking for a different approach to assisting their existing and potential clients with their compliance objectives.
"We developed SOX BASIC specifically for smaller public companies who have limited resources and internal controls needs," said Teresa Bockwoldt, chief executive officer, Vibato. "Our belief is that having a solid best-practice approach to use as a guide while a company grows will give companies an advantage from the start. SOX BASIC allows a company to start very small and scale as they grow."
We have just posted a significant amount of FAS 123(R) ASC 718 Compensation - Stock Compensation codification cross reference information to our Codification Tools page.
This is for all of those KPMG, PwC, IRS, and Federal Reserve people who look at our Codification cross reference tools every day (including Saturdays... poor things).
I've moved it all to one page so you can search by terms, etc., and I am going to be adding to it shortly. Here is where it is now located:
http://www.vibato.com/resources/codification-tools/
GO CRAZY!
Want to save your accounts payable department time and money? Help them perform their job better and faster by providing them with a signature example sheet. This sheet should list the name, title, signature example, and initials example of each person who is authorized to approve payments for your company. With it, the AP clerk can recognize a valid approval signature without having to ask questions and, better yet, can recognize when an approval signature is not correct and escalate the concern.
We have a signature example template that we would be happy to give to you; register with us to receive it.

Another very good control in the accounts payable process is that employee expense reports should be reviewed and approved by someone other than the owner of the expense report; this goes for company founders and C-level executives as well. This review needs to be formally documented in order to pass Sarbanes-Oxley testing.
A great way to accomplish this is to use a standard employee expense report form. We have an employee expense report template that we would be happy to give to you; register with us to receive it.
