Article Category: Research Article
Online Publication Date: 01 Jan 2010

Enriching AIS Courses With SOX Compliance Activities

Page Range: 1 – 24
DOI: 10.3194/1935-8156-5.1.1

A very significant change to the accounting profession occurred in 2002 when the Sarbanes-Oxley Act of 2002 (SOX) was enacted. This legislation had a significant impact on corporations and their audit firms. The objective was to improve corporate governance and the quality of financial reporting in order to improve investor confidence. This paper provides instructors with a background on SOX and suggests readings and activities that reflect the requirements of SOX as it relates to the AIS environment and the analysis of internal controls. These activities can strengthen students' understanding of how corporations respond to the various reporting requirements of this Act.

INTRODUCTION

This paper suggests exercises that demonstrate a student's knowledge about SOX and its requirements as it relates to the AIS environment and analysis of internal control weaknesses. We provide additional questions and activities, including readings in academic and practitioner journals, for use in advanced undergraduate- or graduate-level courses emphasizing AIS or auditing concepts.

A significant change to the accounting profession occurred on July 20, 2002 when President George W. Bush signed into law the Sarbanes-Oxley Act of 2002 (SOX) that applied to publicly held companies and their audit firms. Congress initiated legislation due to the Enron collapse and the misleading reporting of special purpose entities by Enron and Arthur Andersen's role in the debacle. This new law resulted in about 40 requirements for actions under the law for the SEC's implementation. The objective was to improve corporate governance, quality of financial reporting and profitability in order to improve investor confidence. The legislation established a new accounting board, addressed the roles of audit committees and auditors, established criminal penalties and protection for whistleblowers, and added procedures to the financial reporting and auditing process to assess internal controls and improve financial disclosure (US Congress, 2002).

Researchers who investigate differences among generations refer to the students entering college today as the digital natives or “native speakers” of video games and various digital devices. These students have distinctive characteristics and learning styles. According to Microsoft's 2003 study, the millennial learners:

Gravitate toward group activity, identify with their parents' values, and spend more time on homework and housework and less time on television than those a few years older. They're almost completely unaware of a time before the Internet. Their formative years were spent in highly structured environments. They grew up acculturated by terrorism, heroism, patriotism, and globalism. They're confident and self-assured. They believe it's cool to be smart, and they're fascinated by new technologies. They're racially and ethnically diverse; in fact, one in five has at least one immigrant parent (Microsoft, 2003).

These students began their formative learning with educational programs such as Sesame Street or the Magic School Bus and computerized games to learn reading, math, or even history. The video game players learn the games by losing and restarting the process to master the game's objectives.

These students are characteristically “sociable, optimistic, talented, well-educated, collaborative, open-minded, influential, and achievement-oriented. They've always felt sought after, needed, and indispensable. They are arriving in the workplace with higher expectations than any generation before them—and they're so well connected that, if an employer doesn't match those expectations, they can tell thousands of their cohorts with one click of the mouse” (Raines, 2005).

These learners do not want a “one size fits all” environment; they expect learning that is socially constructed and contextual, structured yet self-paced, and they are more outcome-oriented than ever before. Their learning preferences include teamwork, experiential activities, service learning, and community service (Microsoft, 2003; Visions 2020.2). These students' visions for learning environments include digital devices (preferably small and voice-activated), high-speed Internet access, and an intelligent tutor/helper for homework (Visions 2020.2).

Creating assignments that allow students to use technology or search the Internet focuses on students' learning preferences for using experiential activities and technology. This paper provides some suggested Internet readings and activities relating to SOX. As instructors design courses for students to acquire the content, the incorporation of technology will potentially enable the development of life-learning skills (information and media literacy; critical thinking; problem identification, formulation, and solution; creativity and intellectual curiosity; interpersonal and collaborative skills; and social responsibility) (Oblinger, 2005).

The remainder of the paper is organized as follows. First, we provide a section introducing background material on SOX and suggested readings. Following the background material, we provide a section with sample exercises and solutions. The exercises include learning objectives and implementation guidance. The conclusion contains student comments from course evaluations in AIS and auditing courses where we have incorporated various activities. Note that an instructor who has a strong background relating to SOX, or who does not want to incorporate additional readings within the AIS course, may want to skip the “Suggested Background Resources” section and proceed to the second section, “Activities,” which provides specific SOX activities.

SUMMARY OF SOX

Sarbanes-Oxley legislation established new standards for all U.S. public company boards and their management. The legislation also covers public accounting firms but does not apply to privately held companies. The SOX Act contains 11 sections, which cover the following areas:

  • Establishment of Public Company Accounting Oversight Board (PCAOB)

  • Increased auditor independence that prohibits the designing and implementing of services to audit clients; requires audit partner rotation; and restricts employment of corporate officers from audit firms within the previous year

  • Certification by CEO and CFO to quarterly and annual reports (Section 302) that indicates their responsibility for establishing, maintaining, and reporting on the effectiveness of internal controls as well as the accuracy and completeness of financial reports

  • Enhanced financial disclosures (Section 404) that require management and the external auditors to supply an internal control report that assesses the effectiveness of internal control structure and procedures for financial reporting as well as to disclose whether or not they have adopted a code of ethics (Section 406)

  • Disclosure of analysts' conflicts of interest to help restore investor confidence

  • Authorization of SEC to censure or deny individuals the privilege of appearing or practicing before the SEC who have aided and abetted the violation of federal security laws or are deemed unqualified or unethical

  • Authorization of General Accounting Office to study the consolidation of public accounting firms

  • Increased penalties for corporate and criminal fraud as well as legal protection to whistleblowers of fraud

  • Increased white-collar penalties for CEO or CFO fraudulent reporting activity

  • Expectation that CEO signs the tax returns

  • Increased fines and imprisonment for altering, destroying, mutilating, or concealing documents with intent to impair or impede official proceedings (Gelinas and Dull, 2008, p. 221).

These aforementioned provisions allow a convenient framework to provide potential background reading and activities related to SOX. The paper will address only those areas that the authors deem most appropriate for AIS courses.

IMPLEMENTATION OF SOX IN AIS COURSES

Why incorporate SOX compliance activities in the AIS course? By attending various accounting conferences, we have found that AIS educators vary greatly in their pedagogical approach to the course, and the best way to teach the course is a matter of much debate. So much depends not only on the experience level of the professor but also on the backgrounds of students and the technology resources available to students on- and off-campus. Customary topics in the AIS course include internal control, documentation methodologies, transaction cycles, security issues, fraud, business processes, and risk assessment. All of these topics specifically address the strategic planning and control of business and related information technology platforms, consistent with AICPA's Core Competencies for entry to the profession.

One point not as heavily debated by interested academics reflects the fact that SOX requirements have greatly impacted AIS course content in the last decade, and AIS instructors seem to consistently emphasize internal control and flowcharting—accountants' tools used for SOX Section 404 reporting requirements. The impact of SOX has changed the regulatory processes for business organizations such as the issuance of audit standards by PCAOB. However, in addition to the standard setting authority over public companies that presently accrues to that organization, the AICPA issued SAS 99 related to fraud with an effective date of December 2002, within months of the effective date of SOX.

Increased knowledge of SOX requirements has permeated the organizational landscape. The literature suggests that nonprofits and governments alike on both domestic and international levels have found that some of the requirements reflect good practices (for example, codes of ethics and whistleblowing policies). The SOX requirement of using an acceptable internal control framework has added increased attention to COSO and COBIT frameworks, among others. Knowledge of appropriate documentation techniques became especially important in the years immediately following SOX, increasing the demand for accountants within CPA firms and public companies, who were struggling to meet the initial deadlines. The concurrent issuance by COSO of the Enterprise Risk Framework (COSO, 2004) and the auditing risk standards by the AICPA supported the need for understanding and managing risk at all levels of the organization.

In education, adaptation to change does not occur overnight. While most AIS texts or some software texts (Yacht et al., 2007) discuss the SOX requirements in some measure and provide some assignments, instructors need more applications relating to AIS so that students possess skills to face the practical realities and expectations of employers upon graduation. Young students do not even know much about the background of the corporate scandals that surfaced at the turn of the century, let alone the regulations that ensued. A big difference exists between a student reading about something in a textbook and that student trying to locate supporting guidance, finding the actual reporting by corporations, or interpreting what the many pages of reporting requirements mean. If instructors cover SOX topics in practical applications within AIS (typically a prerequisite course for Auditing), students are more prepared and more receptive to understanding these related concepts addressed in auditing material.

The next section presents background resources available on the Internet and a brief description of the information. Instructors and students can familiarize themselves with the events leading to the implementation of SOX and the ensuing compliance requirements.

SUGGESTED BACKGROUND RESOURCES

I. Sarbanes-Oxley Act Internet sites

  1. http://www.soxlaw.com/index.htm or http://www.soxlaw.com: This site has brief summaries of the major sections of SOX. A humorous inclusion on this site is the collection of the many misspellings of the Act, found at the humor link in the menu. In addition, the site offers access to “External Resources” from the left-hand side of the page: 1) Sarbanes-Oxley Compliance Toolkit and 2) a link to a relatively active and useful discussion forum.

  2. http://sox-online.com/: This site contains a rich repository of information and links to the Act itself, history and facts leading up to the Act, the COSO and COBIT frameworks, ethics, and security. This site includes a link to a humor section with cartoons and an advice column to “Ms. Sarbox,” complete with an image of a little old woman with an umbrella to wave dangerously as she tries to get her point across. Other easily viewable online favorites in the humor section include a listing of quotes from late night TV about jokes related to this timeframe as well as Slate's Corporate Scandal Trading Cards. Currently, this site's links to some of the special SEC and PCAOB pages do not work, but the site contains sufficient available materials to entice students to explore. Finally, there are links to a number of songs for those instructors inclined to have a short class sing-along! The songs have lyrics that individuals penned (likely out of frustration at the time) and set to well-known melodies, some very amusing.

  3. http://www.pbs.org/: A search at the PBS website on the term “Bigger than Enron” will yield a comprehensive 2002 Frontline program that examined the Enron crisis, corporate watchdogs, and the new reforms. This portal provides links to original source material as well as discussion and analysis within six chapters. For example, the Chapter entitled “Congress and Accounting Wars” contains a link to a 2000 letter signed by Congressman Oxley to SEC Chairman Arthur Levitt about independence concerns and discusses the “war over consulting.” Note the date of the letter in class discussions; independence concerns were a topic of interest for years before the enactment of SOX. The Bigger than Enron page also contains a chapter entitled “Who dropped the ball?” Was it the boards, auditors, investment banks (think Section 705 of the Act), and/or others? Merely scrolling one's mouse over the title chapter explains the theme as a “primer on corporate watchdogs, conflicts of interest and new reforms.”

  4. Appendix A of this paper contains a summary of the main sections of SOX that the instructor could provide to students as a suggested reading.

  5. http://www.grcg.com/grc-blog/: AIS instructors can keep up with proposed reforms through this site launched in 2003 to provide SOX compliance training and certification programs. Instructors who do not want to have to remember to visit the blog may register for the free weekly newsletter from the SOX Institute that assimilates headlines with resources related to SOX and current regulatory requirements such as Dodd-Frank and SEC materials. The newsletter combines media and press related to Governance, Risk and Compliance matters (hence the web site provider's name, GRC Group).

II. Background Materials for Events Occurring in 2002

  1. http://www.econedlink.org: An article in “Fortune” magazine, “Why Companies Fail,” (Charan et al., 2002) inspired a lesson designed for high school students. From the Econedlink (Economics and Personal Finance Resources for K-12) home page, search on the module name “collapse of corporate giants” to find the lesson focusing on the relationship of business ethics to business bankruptcy or near failure. The more useful and appropriate part of this lesson includes the five transparencies and the student handout. (Notice that transparency five, labeled “The 10 Corporate Deadly Sins,” emphasizes the overdose of risk, dysfunctional board, and the corporate culture, which the instructor can easily tie to the COSO elements. The fourth transparency prompts the instructor to ask the question “When does ‘managerial error’ become criminal behavior?” The instructor can relate this to the purpose of internal controls and potential protections from error and fraud.)

III. Background Materials for Section 302 CEO Certification

  1. http://www.pbs.org/: A search at the PBS website on the term “vouching for veracity” links to material and discussions of the then newly signed documents that CEOs and CFOs must certify. The follow-up discussion contains a short transcript, video and audio segments of an August 14, 2002 interview with Linda Griggs, the former chief counsel to the chief accountant of the SEC. One interesting point to spark debate would address whether crooks would mind signing.

IV. Enron Resources

  1. http://www.pbs.org/: A search at the PBS website on the term “Enron: after the Collapse” links to a portal of supporting materials from the online News Hour with Jim Lehrer. Segments available from the menu bar include the following: What is Enron, Timeline, The Rise and Fall, Key Players, and Bankruptcy. The site contains updates pertaining to the outcomes for some of the players. Prior to entering the actual website, instructors will not want to miss the interactive materials from the timeline segment, or the interactive materials linked from the key players segment. In addition to the main highlights, do not overlook the subtle arrow pointing to more stories located right above the Special Features section. This literally opens the door to dozens of news pages telling the story from November 29, 2001 to September 29, 2006.

  2. http://www.trinity.edu/rjensen/FraudEnron.htm: This website, courtesy of Professor Robert Jensen, contains voluminous material with links, history and musings. An interesting Enron quiz is accessible from the second link on the home page.

V. Audit Committee Resources

  1. http://www.aicpa.org: A search of the site for “audit committee resources” will uncover some materials available to AICPA subscribers only. However, there are electronic alerts that link to various briefs. The ones most relevant to AIS from the most recent October 2010 e-alert include XBRL, COSO, and risk management oversight.

VI. Fraud Related Links

  1. http://www.scu.edu/ethics/: If you search the site for “WorldCom,” an online case addresses the facts of the WorldCom accounting fraud. A 2006 update of the company and market events after it declared bankruptcy is included along with the outcome of the key players in the fraud. The links in the bibliography of this case provide access to actual source articles.

  2. http://www.aicpa.org: A search on the site for “Presentation Materials on Fraud for Classroom Use by W. Stephen Albecht” yields seven different sets of presentation materials. Each PowerPoint slideshow focuses on a separate corporate fraud, including Adelphia, Enron, American Tissue, Lucent, WorldCom, Tyco and Waste Management. They illustrate fraud prevention, detection, and investigation/consequences.

  3. http://knowledge.wharton.upenn.edu: Search this site for the case “Paying the Price: Satyam's Auditors Face Plenty of Questions.” This 2009 international fraud case involving Satyam Computer Services published by India Knowledge@Wharton provides links to source materials and several discussion questions.

  4. http://www.trinity.edu/rjensen/fraud.htm: Professor Bob Jensen's site has an overwhelming amount of material, and he adds updates of scandals nearly every quarter.

VII. SOX 404 Resources

  1. http://www.sarbanes-oxley.be/: The home page hosted by Ernst and Young Belgium office contains links to a number of publications to assist financial market participants and increase their understanding of issues related to the Section 404 internal control reports and the implementing regulations of the SEC and the PCAOB.

  2. http://www.journalofaccountancy.com/Issues/2004/Oct/Section404ComplianceInTheAnnualReport.htm: This online article from Journal of Accountancy, “Section 404 Compliance in the Annual Report,” contains examples of Section 404 reporting, including language for management to report identified material weaknesses.

  3. http://www.theiia.org: A search at the IIA home page on “Sarbanes-Oxley Resources” will yield some resources that do not require a member's login, such as the pdf document of 78 pages, entitled: “Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners,” The Institute of Internal Auditors 2nd Edition, January 2008.

VIII. PCAOB AS 5 Resources

  1. http://www.metricstream.com/: You can access the article “Leveraging Auditing Standard No.5 to Streamline SOX Compliance” December 18, 2008 (Goldenberg, 2008) by searching “leveraging auditing standard No. 5.” The site itself contains information that provides a useful reference for instructors and students. The points of this particular article emphasize the excessive cost of initial implementation of SOX and the move from the “overzealous audit requirements” of PCAOB AS 2.

IX. Internal Control Resources

  1. http://kvtests.digicomp.ch/kvtests/quiz/CobIT_Foundation_English/quizmaker.html: This allows users to access an online quiz for COBIT 4.1, which the instructor can use as an in-class review after exposing students to the COBIT model and materials. The timed quiz consists of 40 random questions that will provide students the reason for a wrong answer. The quiz proceeds to the next question if a student chooses the wrong answer without providing that actual answer in that round and records the total number correct.

X. Internal Audit Materials

  1. http://www.theiia.org: Use the search term “GTAG” to access Institute of Internal Auditors technology resources in volumes referred to as GTAG (the Global Technology Audit Guide). Only members of the IIA can access the audit guide itself; however, the summary table of contents easily viewable provides noteworthy information to reinforce the role of understanding and assessing IT controls. In addition, freely accessible Power Point slideshows discussing volumes 1 through 13 are available. AIS instructors will find IT Controls (#1), Outsourcing (#7), Auditing Application Controls (#8), Identity and Access Management (#9) and Fraud (#13) especially relevant to AIS courses.

  2. http://www.theiia.org: Use the search term “GAIT” to access the Institute of Internal Auditors Guide to Assessment of IT Risk (GAIT), a series of guides that describe the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments. While the guides require membership to access, some freely available Q&A resource documents at the site describe the framework in relationship to SOX 404. In addition, instructors can access a document entitled “Dr. GAIT Answers Questions,” which answers over 100 questions about the use of this methodology that meets the requirements of PCAOB AS #5.

XI. Title 9: White-Collar Crime, Penalty Enhancements

  1. http://www.fbi.gov: The FBI site contains an entire section on white-collar crime accessible through the search term “white collar crime.” Students will quickly become absorbed in this site's resources, which include the “Wanted” list of white-collar fugitives. This website also provides cases and resources to major threats and programs. While at the FBI home page, a search using the term “white-collar crime using UCR” will yield an eleven-page document entitled “Measuring White-Collar Crime Using Uniform Crime Reporting (UCR) Data.” This document provides detailed information in the National Incident Based Reporting System (NIBRS) and exemplifies the difference between data and information. Students' interest will likely be sparked by Appendix A (classification of white-collar offenses). Appendix B includes the data elements that reinforce the necessity of good database query skills and how UCR data must approach white-collar crime in terms of type of offense.

  2. http://sleightfraud.blogspot.com/: This well-written blog, “Sleight of Hand,” contains interesting articles, videos, and commentary on matters related to white-collar crime, whistleblowing, ethics and other related matters.

XII. Ethics

  1. http://www.pbs.org: From the home page, use the search term “Barbara Toffler money and ethics” to access 2002 transcripts of a report on ethics in corporate America. Business ethicist Barbara Toffler discusses with Paul Solman “Money as intoxicant” and has MBA students visit prison.

  2. http://www.pbs.org/newshour/bb/business/ethics/: This site contains numerous 2002–2003 articles and links on ethics.

  3. http://www.scu.edu/ethics/: The Santa Clara University Markkula Center for Applied Ethics provides fascinating materials on business and technology ethics. Items of interest include an ethical decision framework and business cases. The section for current ethical issues in technology includes articles, cases, and conference program transcripts and videos, along with an annotated list of technology resources that acts as a portal to dozens of related sites. Materials are available related to ethical dimensions of databases including data mining, privacy and security topics.

ACTIVITIES

This section provides various SOX activities that instructors can adapt in undergraduate or graduate AIS or auditing courses. Two instructors at different campuses have used different combinations of these activities over the past five years. The suggested answers will include observations and comments to assist instructors' use and relate to specific activities arising from the instructors' experiences.

Instructors can easily mix and match the activities throughout the course or assign one large assignment relating to SOX. We have found shorter assignments more manageable to grade than one large assignment. In addition, instructors can use small teams on discussion boards to brainstorm and compile answers to various questions included in the activities to reduce grading. Instructors could also use groups or require the presentation of results by different students or groups.

The various writing assignments provide an indication of students' writing and communication skills. The research relating to writing and one author's experience note that the points assigned can influence the quality of writing. For example, one student indicated that an assignment's points were immaterial to the total points in the course so the student had spent limited time; thus, the write up appeared more of a first draft quality than an example of the student's actual writing skills.

Instructors can choose to assign different activities to different sections of the course or in different semesters. The activities below are somewhat unstructured and the suggested answers will provide some notes to increase the structure, if needed.

ACTIVITY #1: PCAOB

Learning Objectives:

  • Explain material weaknesses in internal control and their indicators

  • Describe how to report material weaknesses

  • Demonstrate processing and application controls that increase internal controls over transaction processing

Assignment:

Access the PCAOB website (http://pcaobus.org). Find the link to Standards; select the auditing standards and find AS #5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. Within the website's search engine, access various sections of the standards or use appropriate search terms and methods to answer the following questions:

  1. Define a deficiency in internal control over financial reporting. In addition, explain when a material deficiency exists.

  2. What are indicators of material weaknesses? Document the section, paragraph used for your answer and/or search terms used, if any.

  3. Describe briefly the paragraphs included in an unqualified (i.e., a clean) audit report expressing an opinion on the internal control over financial reporting. What paragraph of an opinion references the internal control model used to identify the criteria? What internal control model does AS #5 reference? Document the section and paragraph used for your answer and/or search terms used, if any.

  4. Appendix A of AS #5 provides the definition of internal control over financial reporting. The definition indicates that management provides reasonable assurance that the company has recorded transactions as necessary to permit preparation of financial statements as well as has acquired the appropriate authorization. Paragraph 24 of AS #5 addresses entity-level controls such as centralized processing and controls, and Paragraph 26 addresses procedures for the period end reporting process. Provide three examples of processing controls or application controls within an accounting software that provide internal control over the transaction processing. Note to students using software: you may provide screen shots demonstrating the application controls in lieu of narrative description.

ACTIVITY #2: PCAOB IT Activities

Learning Objectives:

  • Describe the internal control review of PCAOB's IT and security

  • Enumerate the results and challenges of the internal control review

  • Describe how these activities relate to topics within your text

Assignment:

Using appropriate search terms, locate PCAOB's 2004 Information report on the Internal Control Review of the PCAOB's Information Technology and Security Function. Answer the following questions:

  1. Who completed the review? What was the focus of the review?

  2. Who is responsible for the IT operations?

  3. What were the results of its review?

  4. What are some of its challenges?

  5. Access the current budget. What is the current budget within the Office of Administration program for IT?

  6. How do these activities and findings relate to the discussion of these topics within your text?

ACTIVITY #3: Section 302 Certification

Learning Objectives:

  • Describe and illustrate Section 302 requirements

  • Examine and discuss the information presented within the 302 certification

  • Describe the penalties for false certifications

Assignment:

Obtain an example of Sarbanes-Oxley Section 302 certification. In order to answer some of the following questions relating to Section 302 reporting requirements or penalties, you will need to access SOX websites to obtain additional information. (Note that the instructor can provide one of the suggested background resources discussed in this paper.)

  1. Describe the requirements of SOX Section 302. How does this certification affect corporate responsibility?

  2. Obtain an example of Section 302 certification by accessing a company's annual report found within the 10-K report at the Securities and Exchange Commission Edgar Database website: http://www.Sec.gov/edgar.shtml.

  3. Repeat this process for a recent quarterly report for the same company. Save the quarterly certification to the same file as the annual, and clearly label both certifications.

  4. Explain how the certification addresses internal controls.

  5. List the officers and the positions of the officers that provided the certifications.

  6. Who would receive the Section 302 report from the certifying officers?

  7. If any fraud existed, what would the officer report relating to the fraud?

  8. What penalties exist for officers who provide false certifications?

ACTIVITY #4: COSO Model

Learning Objectives:

  • Understand how the COSO framework relates to application and general controls

  • Illustrate application and general controls that exist within an accounting software application for a selected business process

  • Describe how application and general controls increase processing integrity of data

Assignment:

To evaluate and monitor the effectiveness of internal controls, organizations and auditing firms must select and implement a suitable internal control framework. Companies and auditing firms most commonly adopt the COSO (Committee of Sponsoring Organizations) Internal Control Framework 1992. PCAOB also recommends the use of this framework in Auditing Standard #5. This framework contains five internal control components: control environment, risk assessment, control activities, information, and monitoring. Appendix B of this paper presents the framework. This model includes control activities for the policies and procedures to process transactions and prepare reports. The use of accounting software provides application controls to enter and process information as well as general controls to restrict access to software and data. These system controls also increase input validity, completeness, and accuracy, as well as update completeness and accuracy. A software user experiences these controls through data entry, automatic entry controls, automatic calculations, or posting controls.

Perform the following activities:

  1. Review an accounting software application such as Peachtree or Microsoft Dynamics GP. For a business process (sales, cash receipts, purchases, cash payments, payroll, human resources, or financial reporting), determine and illustrate with screen shots, if instructed, the required number of applications that exist within a specific business process.

  2. Identify whether the control affects input data and/or master data.

  3. Provide explanations of how the internal control increases the validity, accuracy or completeness of input data or master data.

  4. Describe general controls that exist within the software.

ACTIVITY #5: Code of Ethics and Whistleblowing

Learning Objectives:

  • Illustrate how corporations comply with Section 408 and its requirements to adopt a code of ethics

  • Investigate whether a company discloses its whistleblowing policy and discuss your results

  • Summarize how your findings affect the company's tone at the top

Assignment:

The COSO model presented in Appendix B of this paper refers to the tone of the organization. Code of ethics and whistleblowing policies assist corporations in establishing this tone at the top. Section 406 requires companies to disclose whether they have adopted a code of ethics and the annual report discloses how to obtain access to its code of ethics. Section 806 offers protection to whistleblowers who provide evidence of fraud.

  1. Indicate the name of the company you selected. Access the company's annual report at the Securities and Exchange Commission Edgar Database website: http://www.Sec.gov/edgar.shtml. Find the company's 10-K report (the annual report that publicly traded companies must file with the SEC). The current website has a link to the latest filings, which allows you to enter the company name and form type to access 10-K reports. When you have located your company's report, open the 10-K report. Determine whether the company has a code of ethics and if so, how a stockholder can obtain the code. Include the website where you found your answer.

  2. Go to the company's website and determine whether it refers to a whistleblowing policy for its employees. If so, briefly summarize and describe the policy. Include the website at the end of your explanation.

  3. Access the company's management discussion of its current operations within its annual report. You can use either the 10-K or go to the company's website and view the annual report, if posted. Based on the results of these three activities, how would you describe the company's tone at the top?

ACTIVITY #6: Section 404

Learning Objectives:

  • Describe and illustrate Section 404 requirements

  • Examine and discuss the information presented within the 404 reports by management and the public accounting firm

Assignment:

Section 404 of SOX enhances financial disclosures by requiring an annual internal control report that identifies significant material weaknesses, if any, by both management and auditors of publicly traded companies. The report states management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. During the evaluation process, management will use tools such as flowcharting and internal control matrices to document the business processes, identify key internal controls that address major risks in financial reporting, test these key controls to determine their effectiveness, and present a written assessment of the analysis. Auditors also evaluate and report on management's process for assessing its internal controls for financial reporting in a separate section.

This exercise requires you to obtain both management's and the public accounting firm's evaluations required by Section 404.

Select a company and access a company's annual report at the Securities and Exchange Commission Edgar Database website: http://www.Sec.gov/edgar.shtml. When you have located the company's report, open the 10-K report. Copy and paste both the management's report and the public accounting firm's report to a Word document and label the reports as management's report on internal controls or the public accounting firm's report. Also, copy and paste the URL for the company's 10-K report.

Answer the following questions:

  1. What material deficiencies in their internal controls, if any, did management report? For any existing deficiencies, how will the company address the deficiency?

  2. What material deficiencies in the company's internal controls, if any, did the auditing firm report? What public accounting firm performed the audit of the company's financial statements?

  3. Did the company's management and the auditing firm use the same internal control model to perform the evaluation of internal controls? What model did the company and the auditing firm use?

ACTIVITY #7: Security within Accounting Software Systems

Learning Objectives:

  • Describe the security features within accounting software systems

  • Illustrate how security features strengthen the internal controls

Assignment:

As the accountant inputs data, the software may have various application controls to improve the quality of the data. These controls include data validation checks with master tables, preventive, detective, or corrective controls, automatic controls, or automatic calculations. In addition, the software can restrict user access to modules through the use of passwords or limited access to screens, track changes through logs, use electronic approvals to process data, use date and time stamps, and provide e-mail alerts to prompt users of workflow tasks or available reports.

  1. Explore the Help feature within an accounting software package to ascertain some of its security features.

  2. Explain how various security features within the software strengthen internal control as defined by the COSO framework. (See Appendix B).

ACTIVITY #8: Financial Reporting Internal Controls

Learning Objectives:

  • Describe application and general controls

  • Illustrate the use of application and general controls within the screens or commands of software packages used to generate financial statements

Assignment:

  1. Define application controls.

  2. Define general controls.

  3. If you use accounting software in your course, review the screen or commands used to generate financial statements. Use the software to provide examples of application controls and general controls that strengthen the internal control within financial reporting. Your instructor will provide the number of controls you should identify.

ACTIVITY #9: PCAOB Self-Monitoring Activities Align with COSO Practices

Learning Objectives:

  • Describe PCAOB self-monitoring activities that align with COSO practices

  • Explain how these activities relate to monitoring, the fifth element of the COSO framework (See Appendix B).

Assignment:

Internal controls can benefit all organizations, including oversight organizations. This appears particularly appropriate for organizations funded by and set up to regulate and establish standards. Such adherence represents using similar practices. PCAOB has an internal oversight role in its Office of Internal Oversight (IOPA) similar to that of an Inspector General. This exercise will introduce students to this important means of quality control in the form of a separate monitoring function, the fifth element of the COSO framework. (See Appendix B).

  1. Go to the PCAOB website at http://pcaobus.org, and click on the link at the bottom of the page entitled Internal Oversight. Once there, click on the General Report Summary link. This will lead you to a comprehensive chronological list of the monitoring activities to date. Reviewing this list, select the assignments that you can relate as relevant topics to the AIS course. List these topics with one sentence each that describes why you chose it.

  2. Select the Security Policies and Procedures report to review more thoroughly. The report acknowledges challenges. What challenge do you see that is similar to one of the five COSO elements?

  3. For the Security Policies and Procedures report, identify and detail the general controls that PCAOB had set in place by 2007.

ACTIVITY #10: Audit Trails

Learning Objectives:

  • Illustrate the audit trail report within accounting software

  • Describe and discuss the information provided within the audit trail report

Assignment:

Access accounting software and obtain the audit trail report. Describe the information provided and how SOX compliance topics apply to the potential uses of the audit trail report.

CONCLUDING REMARKS

This paper provides suggested background readings and resources as well as various activities relating to SOX compliance. The readings and resources will potentially benefit instructors as well as students.

These activities use various technologies that appear to appeal to students entering college. We have assigned assorted materials in auditing and AIS courses. Although instructors have not accumulated specific evaluation of these activities, student evaluations include the following remarks:

  • It was interesting learning about SOX compliance.

  • I could have related a lot of information to auditing (a class that I am simultaneously enrolled in).

  • I thought working with GP was a very helpful experience.

  • More exercises like the SOX/COSO would be good.

These limited comments provide some support of the potential value. As instructors assign future activities and administer course evaluations, additional questions could address these assignments to ascertain their benefits.

REFERENCES

APPENDIX A SUGGESTED SOX READING

The following paragraphs describe the various sections of the SOX Act. This provides students with additional background to SOX and its implications on the accounting profession.

Establishment of the Public Company Accounting Oversight Board

Due to the beliefs of legislators that the deep failings in the accounting profession resulted from its ability to regulate itself, SOX appointed a new Public Company Accounting Oversight Board (the Board) to oversee and investigate the audits and auditors of public companies, and sanction both firms and individuals for violations of laws, regulations, and rules. The Board was comprised of five full-time independent members. This non-governmental, nonprofit corporation had five primary duties:

  1. registration of public accounting firms;

  2. establishment, or adoption, by rule, “auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers;”

  3. inspections of accounting firms;

  4. investigations and disciplinary proceedings, and imposition of appropriate sanctions;

  5. enforcement of the compliance with the Act, the rules of the Board, professional standards, and the securities laws relating to the preparation and issuance of audit reports and the obligations and liabilities of accountants with respect thereto.

New Roles for Audit Committees and Auditors

One of the most significant aspects of Sarbanes-Oxley was the expansion of the role and responsibilities of audit committees. Sarbanes-Oxley required the audit committee to be responsible for the outside auditor relationship, including the responsibility for the appointment, compensation, and oversight of a company's outside auditor. In addition, the Act required that members of the audit committee be “independent” from company management.

The Sarbanes-Oxley Act defined new roles for audit committees and auditors. The basic implications included the following:

  • auditors reporting to the audit committee and not management of the company

  • the approval of all audit services by the audit committees

  • auditors reporting critical accounting policies and practices to be used, alternative treatments of financial information within GAAP that have been discussed with management, accounting disagreements between the auditor and management, and other relevant communications between the auditor and management

  • prohibition of specified non-audit services such as bookkeeping, information systems design and implementation, appraisals or valuation services, actuarial services, internal audits, management and human resources services, broker/dealer and investment banking services, and legal or expert services unrelated to audit services

  • the rotation of the lead audit partner and audit review partner every five years on public company engagements

  • the prohibition of the accounting firm to conduct an audit if the accounting firm previously employed one of the company's top officials (CEO, Controller, CFO, Chief Accounting Officer, etc.) during the one-year period following their participation on an external audit.

Increased Criminal Penalties and Protection for Whistleblowers

The Sarbanes-Oxley legislation created tough penalties for those who destroyed records, committed securities fraud and failed to report fraud. Corporations provide whistleblowers protection, and audit committees established procedures for whistleblowing and handling information regarding questionable accounting or auditing matters. Other provisions banned personal loans to executives and prohibited insider trading during blackout periods.

Changes to Management's Responsibilities in Financial Reporting

Although management has the primary responsibility for preparation of financial reports and new reporting requirements, Sarbanes-Oxley emphasized this responsibility. The Sarbanes-Oxley Act required management to assess and make representations about the effectiveness of their internal control structure and procedures in their financial reporting. The legislation also required the companies' boards to issue or adopt standards that required approval of every public company audit report and attestation to the assessment made by management on the company's internal control structures, including a specific notation about any significant defects or material noncompliance found based on such testing.

The act also required chief executive officers and CFOs to certify quarterly and annual financial reports. In addition, the act holds these officers responsible for restatements of results caused by misconduct. Another area covered by the act was rules on how a company should disclose whether it has adopted a code of ethics for senior financial officers, and, if it has not, an explanation why.

Corporate Governance

The objective of the changes to management's reporting responsibility was to improve corporate governance and its quality of financial reporting and profitability. In general, the definition of corporate governance promotes corporate fairness, transparency and accountability. Views ranged from a narrow view that referred to the way in which directors and auditors handled their responsibilities towards shareholders to an expanded view that explained a firm's relationship to society that blurred the distinction between corporate governance and corporate social responsibility.

The KPMG white paper (EIU, 2002) defined corporate governance as the system that directs and controls business corporations.

The corporate governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs. By doing this, it also provides the structure through which the company objectives are set, and the means of attaining those objectives and monitoring performance. (EIU, p.5)

Changes have occurred relating to corporate governance.

Effective August 29, 2002, the SEC requires CEOs and CFOs of public companies to certify the following:

  1. accuracy and completeness of the quarterly and annual reports their companies filed with the Commission

  2. their responsibility for establishing and maintaining “disclosure controls and procedures” (a newly-defined term reflecting the concept of controls and procedures related to disclosure)

  3. the evaluation and effectiveness of the issuer's disclosure controls and procedures

  4. the disclosure to the auditors and the audit committee

    1. all significant deficiencies in the design or operation of internal controls which could adversely affect the company's ability to record, process, summarize and report financial data

    2. any identified material weaknesses in internal controls

    3. any fraud that involves management or other employees who have a significant role in the internal controls

    4. any significant changes in internal controls or in other factors that could affect the internal controls subsequent to the date of their evaluation

Since the SEC had no jurisdiction over corporate governance, and stock exchanges provided listing requirements that pertain to corporate governance, NASD, NYSE, and American Stock Exchange (AMEX) made changes. Each stock exchange addressed the audit committee members' requirements of independence, the number of committee members, and their financial literacy (PricewaterhouseCoopers LLP 2000, 5).

The company's audit committee was required to define and maintain director independence and appropriate membership qualifications as mandated by the various stock exchanges. NYSE listing requirements also mandated an internal audit function for all listed companies.

On January 15, 2003, the SEC issued rules that increased public disclosure. The SEC voted to adopt rules that required public companies to disclose information about corporate codes of ethics and audit committee financial experts. The company was required to disclose whether at least one audit committee financial expert exists on its audit committee and whether the expert is independent of management. The company also was required to disclose annually whether the company had adopted a code of ethics for the company's chief financial officers, and if it had not, the company was required to explain why (US Congress, 2002).

In addition, the SEC released rules concerning the release of pro forma financial information by a public company. The rules required companies to present pro forma financial information in a manner that

  • did not contain an untrue statement of a material fact or omit a necessary material fact whose omission would make the pro forma financial information presented misleading

  • reconciled the pro forma financial information presented with the financial condition and results of operations of the company under GAAP (US Congress, 2002).

On January 22, 2003, the SEC adopted rules that required management to disclose all material off-balance sheet transactions, arrangements, obligations… and other relationships of the issuer with unconsolidated entities or other persons, that may have a material current or future effect on financial condition, changes in financial condition, results of operations, liquidity, capital expenditures, capital resources, or significant component of revenues or expenses (SEC, 2003).

Changes in Auditing Profession

On January 22, 2003, the Securities and Exchange Commission approved new rules on auditor independence and audit work paper retention that implemented provisions of the Sarbanes-Oxley Act of 2002. Audits were required to have a second partner review. The new independence rules required certain disclosures and reports by auditors and set conditions for auditor independence for performing audits of public company financial statements. The new rules addressed the following issues:

  1. Prohibitions on the delivery of non-audit services to an audit client

  2. Requirements regarding rotation of “audit team partners”

  3. Audit committee pre-approval of audit and non-audit services

  4. New “buckets” for disclosure of fees paid to the auditor

  5. Prohibitions on compensation of audit team partners based on non-audit services

  6. Disclosure of critical accounting policies

  7. Prohibitions on employment in certain management positions of an audit client of audit engagement team members (US Congress, 2002).

Changes occurred during a period of uncertainty in leadership.

Harvey Pitt was appointed the SEC chairman. He announced plans to resign in November 2002 amidst the controversy of his handling the Public Company Accounting Oversight Board and his appointment of William Webster, former head of the FBI, to chair the Board. On February 13, 2003, the nomination of William Donaldson as the next chairman of the SEC was approved.

Reactions to New Regulations

A white paper from the Economist Intelligence Unit sponsored by KPMG International (EIU 2002) revealed concern among executives that hasty regulation and overly strict internal procedures may impair their ability to run the organization effectively. Four main conclusions emerged from the white paper:

  1. Improved corporate governance arises not only from regulations but also from how corporate officers direct and control the companies. Prime responsibility for good corporate governance must lie within the company.

  2. Senior managers need to instill the right culture and need to ensure that board members feel free to engage in open and meaningful debate. The board's primary task is to understand and approve the risk of the company at any particular stage of its evolution and the processes to monitor risk.

  3. Impediments to growth exist due to inherent tension between innovation and conservatism, governance and growth. Executives feel merger and acquisition deals would negatively affect results because of longer due-diligence procedures, which compromise swift and effective decisions.

  4. Transparency about a company's governance policies is critical so that the market can focus on “assigning an appropriate risk premium to companies that have too few independent directors or an overly aggressive compensation policy, or cutting the costs of capital for companies that adhere to conservative accounting policies” (EIU 2002).

APPENDIX B

COSO FRAMEWORK (1992)

The key areas addressed in each of these components:

COSO ERM FRAMEWORK (2004)

The three new components of the COSO framework are Objective Setting, Event Identification and Risk Response (http://www.sox-online.com/coso_2004_coso_framework.html)

Copyright: © 2010 AIS Educator Association

Contributor Notes

A teaching note and electronic files are available for use with this case. If you are a member of the AIS Educator Association, please go to http://www.aiseducators.com and follow the links for the supplemental material. If you are not a member of the Association, contact the author directly at the address provided above to obtain these materials. Please provide a means for verifying your credentials as a faculty member so that we may protect the integrity of the solutions materials.
