CRI SOX Methodology

Sarbanes Oxley Compliance

The US Securities and Exchange Commission (“SEC”) requires applicable Financial Institutions to demonstrate compliance with Section 404 of the Sarbanes-Oxley Act (“SOX”), which includes:

  • Management performs a formal assessment of its internal controls over financial reporting (“ICFR”), including tests that confirm the design and operating effectiveness of the controls
  • Management includes in its annual report on Form 10-K an assessment of ICFR
  • External Auditor provides two opinions as part of a single integrated audit of the Company:
    • An independent opinion on the effectiveness of the system of ICFR
    • The traditional opinion on the financial statements

Internal Controls Framework

Financial Institutions typically assess their system of ICFR using the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) framework, which the SEC recognizes as an appropriate framework. The COSO Framework identifies three categories of objectives, which allow organizations to focus on different aspects of internal control. COSO’s internal control framework also describes internal controls as consisting of five integrated components. The controls within each component must be included in this assessment, as depicted in the cube.

Scoping Assessment

In defining the detailed scope for the SOX assessment, a risk-based and top-down approach is taken, as strongly recommended by SEC guidance. The evaluation begins with the identification and assessment of the risks to materially accurate financial reporting, including changes in those risks year over year. It is then determined whether the Institution has controls in operation that are designed to adequately address those risks. The Institution’s entity-level controls are considered both in the assessment of risks and in identifying which controls adequately address the risks.

Key Controls Identification

A key control is a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. Key controls provide reasonable assurance that material errors will be prevented or timely detected. Controls may either prevent errors or detect their occurrence. The identification of key controls considers the risk of fraud, including override of management controls. Controls may be fully manual, fully automated, or IT-dependent. IT-dependent controls have an automated and a manual aspect to the control.

  • Entity Level Controls

    A top-down approach is taken in identifying key controls, which is a sequential thought process in identifying risks and the controls to test. This starts with Entity Level Controls (“ELCs”). The SEC guidance describes ELCs as aspects of internal control that have a pervasive effect on the system of ICFR.

  • Information Technology General Controls

    When there is reliance on key automated or IT-dependent controls where failures in the automated part of a control might not be detected by a manual control, an assessment is made to determine risks within the Information Technology General Control (“ITGC”) processes and to identify key ITGCs.

  • Spreadsheets and End User Computing

    Because spreadsheet errors can result in material errors in financial statements, this risk is acknowledged and addressed.

  • Controls Performed by Third-Party Organizations

    Financial institutions outsource various operational services, and these outsourced operations are considered when developing the scope of the SOX assessment. Annually, outsourced service providers engage a third-party auditor to perform an independent attest engagement that adheres to the Statement on Standards for Attestation Engagements (SSAE) 18. Reports from audits performed by independent audit firms in accordance with the provisions of SSAE 18 can be relied upon by management, under certain conditions, as assurance that the providers’ controls are adequate.

Fraud Risk Assessment

Key controls that would either prevent or timely detect fraudulent activity are identified, the adequacy of their design is confirmed, and the key controls are tested. One area of focus relates to restricted access and Segregation of Duties (“SOD”).

Process and Control Documentation

Significant business processes are documented in narrative form that:

  • Enables a reasonably knowledgeable individual to understand the process.
  • Provides context for the key controls.
  • Details the operation of key controls.
  • Enables a reasonable person to have a basis upon which to assess the design of the controls.

Testing Methodology

Control testing is performed to evaluate design and operating effectiveness, including:

  • Performance of walkthroughs, which confirm the adequacy of documentation as well as the design of the controls to meet the control objectives
  • Inquiry, examination, and inspection of related documents to confirm that the control appears to be performed consistently as documented
  • Reperformance of a sample of transactions to confirm the control is being performed effectively

Sample Sizes

The sample sizes used for the process-level control testing align with the expectations of external stakeholders and are based on the frequency of the control activity.

Evaluation of Deficiencies

As a result of testing, key controls could be deemed to be missing, deficient in design, or not operating effectively. These deficiencies are evaluated to determine if they indicate the system of internal control does not provide a reasonable level of assurance that there will not be material errors in future financial statements.

FDICIA Implementation

  • Outline requirements of Part 363 of the FDIC’s laws and regulations
  • Evaluate a bank’s projected asset growth and anticipated implementation date of FDICIA
  • Discuss Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013) including the five integrated components of the control environment, risk assessment, control activities, information and communication, and monitoring activities
  • Train and develop audit committee, board of directors, senior management, and functional business owners that are responsible for significant controls so all stakeholders understand requirements and overall approach
  • Emphasize FDICIA planning considerations at the $500 million and $1 billion total asset thresholds
  • Conduct FDICIA readiness assessment of the bank’s internal control over financial reporting (ICFR)
  • Formulate detailed FDICIA action plan by implementation phase and target dates for stakeholders with communication methods
  • Develop risk assessment process to determine significant accounts at the financial statement level and related processes as well as material reporting units
  • Evaluate entity level controls and information technology general controls (ITGCs) design and documentation
  • Assess activity level controls and related documentation
  • Assist with the documentation and design of ICFR in conjunction with COSO Internal Control – Integrated Framework (2013)
  • Determine and document significant controls within each significant area within the institution
  • Meet regularly with stakeholders and control owners to keep parties updated
  • Outline ICFR testing approach including sample sizes, methodology, technology tools/resources, and documentation
  • Test entity-level controls, activity level controls, and ITGCs based on testing approach
  • Communicate results to stakeholders and control owners
  • Report ineffective controls to senior management and audit committee
  • Develop ICFR monitoring schedule and discuss with business owners monitoring process
  • Establish plan for remedial testing
  • Ensure that control owners understand the underlying cause of the ineffective control
  • Retest ineffective controls and report results
  • Consider the need to develop mitigating or compensating controls for certain problematic controls
  • Report results to senior management and audit committee
  • Enhance control monitoring process
  • Solicit feedback from stakeholders and control owners
  • Determine strategy for annual testing and development of annual testing plan and approach