
SOX ACT 2002 Section 404 and ISO/IEC 38500

The Sarbanes-Oxley Act of 2002 (SOX) is a U.S. law. It was passed to improve the quality and transparency of financial reporting, independent audits and accounting services for public companies in the U.S., including non-U.S. companies traded on any U.S. stock exchange. In its early days, SOX was perceived by many as unreasonable, with compliance costs unexpectedly high even for large publicly traded corporations, and an even greater burden for smaller reporting companies. Through the revisions made by the concerned regulatory organizations, in this instance the SEC and the Public Company Accounting Oversight Board (PCAOB), these issues have been continuously addressed, and the law has become more relevant for organizations to comply with (and in other cases adapt) in making financial reporting accurate and in keeping the information technology that supports internal control reliable and secure. Following the 2007 reforms, which refers to the release of the new PCAOB Accounting Standard 5, a 2009 study of SOX Act Section 404 by members of the SEC's Office of Economic Analysis confirmed that compliance costs vary with company size (increasing with size), compliance history (decreasing with increased compliance experience), and compliance regime (lower after the said reforms).

The PCAOB was created along with the enactment of the bill to oversee the auditors of public companies, in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports. The Securities and Exchange Commission (SEC), like its counterparts in other countries, oversees the key participants in the securities world; it also has oversight authority over the PCAOB, including approval of the Board's rules, standards and budget. SOX mandates appropriations for the SEC to improve its resources and oversight.

Section 404 of the bill concerns management assessment of internal controls. It directs the SEC to prescribe rules that state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and that require an assessment, as of the end of the issuer's fiscal year, of the effectiveness of that internal control structure and those procedures for financial reporting.

PCAOB Accounting Standard number 5 (AS5), which supersedes AS2, received many comments, including broad discussion of material weaknesses and deficiencies in internal control over financial reporting (ICFR) and suggestions to align it with the standards used by or available to the SEC. AS5 accordingly establishes requirements and provides direction for an audit of ICFR that is integrated with an audit of the financial statements. ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements, and the auditor's objective is to express an opinion on the effectiveness of the company's ICFR. It is also noted that if one or more material weaknesses or deficiencies exist, internal control cannot be considered effective.

In its proposed rule released in 2002 on the disclosure required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002, the SEC states: "The Sarbanes-Oxley Act does not explicitly state who at the company should determine whether any of the audit committee members is a financial expert. Management is responsible for preparing the financial statements. Therefore, it seems inappropriate for management to assess the qualifications of audit committee members. Similarly, it does not seem appropriate for the members of the audit committee, alone, to assess their own qualifications. We believe that the board of directors in its entirety, as the most broad-based body within the company, is best-equipped to make the decision."

The relevance of the corporate governance of IT, or ISO/IEC 38500, to such a law (and perhaps to similar laws such as J-SOX of Japan, CLERP 9 of Australia and Bill 198 of Ontario, Canada), particularly to the provisions of Section 404, lies in how the board takes on ICT in general to underpin the company's requirements for doing business, including compliance with government regulations and directives. ISO/IEC 38500 is international in its application, and one of its functions is to promote the effective, efficient and acceptable use of IT in all organizations by assuring stakeholders that, if the standard is followed, they can have confidence in the organization's corporate governance of IT, or in its simplest terms, the delivery and use of IT. That includes the security and reliability of information systems and infrastructure. It also informs and guides directors in their organization's use of IT. Directors here means the board of directors, including the owners of the company. In the OECD's principles of corporate governance there are two types of board: the supervisory (or non-management) board and the management board. In some cases the management board is constituted in the person of the chief executive officer. Making either board aware of the standard would give them a better approach to their IT, which is usually facilitated, if not solely directed, by an IT-capable body in the organization. The board, or senior managers in other cases, would also realize that if their IT efforts are not carried out as directed or intended, it would not only implicate them, since they are accountable to stakeholders, but could also negatively affect how their organization as a whole functions and operates its business.

International standards, whether mandatory or advisory, are not meant to replace legislation. However, careful consideration of adopting them can have a significant effect, usually useful and even uplifting in the greater context, on any organization's efforts in a given activity, e.g. any one or a combination of ITIL, an ISMS, environmental management, et al. Legislation has a different purpose: it is not a matter of choice or privilege; covered individuals and entities are all required to comply, on time, or else penalties follow.

The ISO/IEC 38500 standard is also relevant to the PCAOB, particularly to AS5, which notes that the identification of risks and controls within IT is not a separate evaluation. That is why AS5 is an audit of internal control over financial reporting that is integrated with an audit of the financial statements. Since the corporate governance of IT is a high-level, principles-based advisory standard, its aim, as with SOX, is to help the board and senior management understand how IT is carried out and utilized in a wider context rather than in the organization's individual processes. It does not say how to address risk or any other subject except good corporate governance of IT; it does suggest, however, that to benefit from the standard, the organization must adopt and apply the other standards needed to carry out a particular objective, so that its use of IT, underpinning business needs, is effective and satisfactory.

The SEC accordingly endorsed the recommendations of its staff and directed them to focus on the four remaining work areas, one of which was: "Following a principles-based approach to determining when and to what extent the auditor can use the work of others." In response to commenters' suggestions that too many instances of the terms "should" and "must" remained in the proposed AS5, which might drive excessive documentation and possibly unnecessary work, the PCAOB made modifications to make the final standard more principles-based, finding this approach to internal control auditing more convincing than a set of detailed requirements.

Not only do both PCAOB AS5 and ISO/IEC 38500 follow a principles-based approach; AS5 also contains, though it does not mention them by name, the six principles of ISO/IEC 38500. Although not comprehensive, AS5 clearly states the responsibilities of the company's management, board of directors and auditors; strategy, acquisition, performance and conformance form part of the effectiveness of their internal control, including the management of risk and whether or not improvement is needed for financial reporting to be effective and compliant with the provisions of SOX Act Section 404 as enforced by the SEC; and human behaviour is reflected in the standard's requirements for technical training and proficiency (as for the auditor), independence, and the exercise of due professional care and scepticism.
