Fixed Asset Manager’s Guide To Sarbanes-Oxley Compliance

Transcription

Fixed Asset Manager’s Guide to Sarbanes-Oxley Compliance
Safeguards and features in FAS fixed asset management solutions
October 2005
www.IMSolutions.net
Toll Free 877.208.1175, Facsimile 727.797.6181
26133 US Highway 19 North, Suite 314
Clearwater, FL 33763-2017

TABLE OF CONTENTS

Executive Summary
Sarbanes-Oxley Act Background
    Who is affected by Sarbanes-Oxley?
    Section 404 and Internal Controls
    Impact of Section 404 on Information Technology
    Sage FAS and Sarbanes-Oxley
Foundation for Internal Control: The Fixed Asset Inventory
    FAS Asset Inventory
Security and Access
    Physical security
    Logical security
Data Integrity and Accuracy
    FAS ensures accurate depreciation calculations.
    Software updates ensure full compliance with changing tax regulations
    Sage FAS audits fixed asset data for potential tax errors
    Sage FAS reduces errors when entering new fixed asset information
    Sage FAS tracks critical history in the fixed asset data, providing audit trails.
    Integration with financial software eliminates duplicate data entry mistakes
Reliable Reporting System
Disaster Recovery
    Best defense against database corruption: The data backup
    Sage FAS Professional Services assist customers with disaster recovery
Development Methodology
    The Sage FAS Development Team
    Security and Source Code Integrity During Development
    Integrity of Depreciation Calculations
    Sage Software: 25 Years and Growing
Conclusion
Additional Resources

This document is not intended to provide legal or financial advice and should not be relied upon for such. You should contact your legal or financial advisors for questions regarding compliance with the Sarbanes-Oxley Act of 2002.

Sarbanes-Oxley Compliance in Fixed Asset Management

Executive Summary

In 2002, Congress passed new regulations designed to improve corporate governance of public corporations and reduce fraudulent corporate financial reporting. The US Public Company Accounting Reform and Investor Protection Act of 2002, commonly referred to as the Sarbanes-Oxley Act, hopes to rebuild investor confidence in public corporations after the wave of high-publicity corporate accounting scandals that began with the Enron crisis.

The Sarbanes-Oxley Act places new burdens on corporations, imposes strict penalties for non-compliance, and holds CEOs and CFOs personally responsible for the accuracy of their financial reporting. Section 404 of this act requires a corporation to report on the effectiveness of their internal controls and requires an external auditor to attest to this statement. Consequently, corporations must now document their internal control structure and evaluate its effectiveness to ensure the accuracy of financial data. Compliance with Sarbanes-Oxley includes paying particular attention to IT systems that can impact financial record-keeping and reporting.

Compiling an accurate financial picture of a company requires accurate fixed asset records as well as compliance with applicable tax laws and regulations for acquiring, depreciating and disposing of assets. This paper details how Sage FAS solutions from Sage Software can help companies achieve tighter control over fixed asset management to ensure the accuracy of their fixed asset data and compliance with the Sarbanes-Oxley Act.

© 2005 Sage Software, Inc. All rights reserved.

Sarbanes-Oxley Act Background

The Sarbanes-Oxley Act of 2002 begins a new era in corporate governance. Strict rules to ensure accurate financial reporting put tremendous pressure on public companies to document all internal procedures for gathering and reporting financial results before the fast-approaching deadlines for compliance. Sarbanes-Oxley seeks to reduce corporate financial fraud and mismanagement while providing reassurance to investors.

Under the new regulations, CEOs and CFOs must personally certify the integrity of financial reports, as well as the procedures and systems used to create them. Public accounting firms must also attest to the validity of the financial reports and assessments. Both executives and their accounting firms can be held criminally liable for accounting inaccuracies, making the stakes higher than ever for everyone involved in financial reporting.

While the Sarbanes-Oxley Act applies only to public companies, it has implications for private companies and nonprofit organizations.

Who is affected by Sarbanes-Oxley?

Public Companies

Sarbanes-Oxley currently applies to public companies that are registered with the Securities and Exchange Commission. Most of these companies are headquartered in the United States, but a number of foreign companies with significant operations in the US will also be affected. Some aspects of Sarbanes-Oxley are already in full effect. The requirements of Section 404 must be met by large public corporations.

Private Companies

Although private companies are not required to comply with Sarbanes-Oxley, there are excellent reasons for them to consider its implications. Any private company that aspires to go public will become subject to the act upon filing a registration statement with the SEC in anticipation of an IPO. Additionally, any company that might be acquired by public companies or that has significant business partnerships with public corporations will need to assess the impact of Sarbanes-Oxley on future and current business relationships. Many private companies are already implementing “best practice” aspects of Sarbanes-Oxley.

Nonprofit Organizations

Like private businesses, many nonprofit organizations are interested in applying the best practices principles of Sarbanes-Oxley to their financial procedures. Though Sarbanes-Oxley has not yet been applied to nonprofits, failure to provide adequate visibility into the financial management of nonprofits could result in a similar regulatory environment being enacted in the future. Some states are already considering this type of measure for nonprofit organizations.

Section 404 and Internal Controls

Section 404 of the Sarbanes-Oxley Act requires executives of public companies to include an assessment report of the effectiveness of internal controls over financial reporting, including IT controls, when submitting their annual reports to the SEC.

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
    (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
    (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

By establishing and documenting internal controls, companies can attest to the validity and integrity of financial information from the time such information enters the company to the completion of the annual report each year. The SEC also requires that each company’s external auditors independently review management’s assessment of internal controls and document any material weaknesses the audit firm discovers.

Impact of Section 404 on Information Technology

The “assessment of internal controls” report is designed to assure the SEC as well as investors that a company has the necessary procedures and controls in place to adequately ensure the integrity of financial data. When applied to technology, this implies that financial data must be accurately recorded and shared in appropriate ways and that the data must be secured from threats of unauthorized access, inappropriate changes and data corruption.

Additionally, this report places increased impetus on companies to select software providers that can be a partner to them in Sarbanes-Oxley compliance by providing information about software features that provide internal controls over financial data, as well as by ensuring that the development process for creating the software is well controlled and in line with industry best practices.

IT internal controls should ensure that financial data is secured from threats of unauthorized access, inappropriate changes and data corruption.

Section 404 refers to internal controls as defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), although it does not require that a company use the COSO framework in order to create the assessment of internal controls. Some IT organizations are choosing to adopt the Control Objectives for Information and Related Technology (COBIT) framework for guidance about how to approach assessment and testing of IT related internal controls. The Public Company Accounting Oversight Board (PCAOB) (established by the Sarbanes-Oxley Act) released guidelines for auditors that discuss IT internal controls in March 2004.

Whether a company approaches IT internal controls from the COSO or COBIT framework, it will be necessary for organizations to review their financial applications for:

- Data Security and Access Controls
- Integrity and Accuracy of Data
- Reliable Reporting Systems
- Disaster Recovery

In addition, organizations will want to review the development methodologies and change control processes used by their financial software vendors to ensure modifications to the software are made with proper authorization and are appropriately reviewed and tested.

Sage FAS and Sarbanes-Oxley

Sage FAS fixed asset management solutions address each of the key areas of internal control for financial software systems outlined above. This paper is designed to help Sage Software customers in public or private companies and nonprofit organizations understand and document the internal controls over fixed asset management provided within Sage FAS solutions, and to give an overview of the control procedures Sage Software has used and may use in development and testing of the software.

Foundation for Internal Control: The Fixed Asset Inventory

An accurate inventory of fixed assets is the core of solid financial reporting of corporate assets. Without it, all downstream internal controls can do nothing to resolve inaccuracies created when assets which have been lost, stolen or taken out of service continue to be depreciated and reported.

In order to establ
