NokiaInternalControlsamptheSarbanesOxleyAct

《NokiaInternalControlsamptheSarbanesOxleyAct》由会员分享，可在线阅读，更多相关《NokiaInternalControlsamptheSarbanesOxleyAct（36页珍藏版）》请在装配图网上搜索。

1、Nokia Internal Controls & the Sarbanes-Oxley ActNokia generic training materialNokia Internal Controls&the Sarbanes-Oxley ActThis training provides an introduction to Nokia Internal Controls and the Sarbanes-Oxley ActWelcome! Nokia Internal ControlsSarbanes-Oxley ActLearning objectivesAfter

2、this module you shouldunderstand what a good internal controls arebe aware that internal controls will be modified due to SOXunderstand how Nokia internal controls will be made transparentunderstand how Nokia will implement internal controls by maintaining commitment to empowermentbe able to identif

3、y internal controls within your own functional and process arearealize that internal controls will continuously be tested internally and audited externallyknow whom to contact to get further BG/HG-specific informationTable of ContentsWhat are internal controls in practice?Your own responsibility 30

4、minAction points & discussionHow Nokia implements internal controls and SOX?An example of internal controls and processes 30 minWhat will change in working practices?30 minWhat are internal controls and the Sarbanes-Oxley Act (SOX) and why are they important?Internal controls are good business p

5、racticesInternal controls consist of measures to provide reasonable assurance of effectiveness and efficiency of operations reliability of external and internal reportingcompliance with applicable laws and regulationsInternal controls ensure completeness, accuracy and timeliness of our processesGood

6、 internal controlsare designed with business benefits in mindfocus on critical processes are precise and define assignment of responsibilitygive instructions on how to deal with unexpected resultsprevent or detect errors or fraudare documented and easy to test and auditInternal controls are listed i

7、n control cataloguesPreventive vs4. detective controls Preventive controlsPreventive controls are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a larger effort in the initial design and implementation stages. How

8、ever, preventive controls tend not to require significant ongoing investments. Preventive controls include:segregation of duties to prevent intentional wrongdoingrestricted system authorization to critical transactionsprocedures to avoid improper transactionsphysical control over equipment and other

9、 assets to prevent improper useDetective controlsDetective controls are designed to detect errors and irregularities that have already occurred and to assure their prompt correction. These controls represent a continuous operating expense and are often costly, but necessary. Detective controls suppl

10、y the means with which to correct data errors, modify controls or recover missing assets. Detective controls include:account reconciliationstaking a physical inventoryauditsReview QuestionIs the dividing of responsibilities for important activities a preventive or detective control?Question:The Sarb

11、anes-Oxley Act was the answer to major corporate and accounting scandalsThe winter of 2001 and spring of 2002 saw major corporate and accounting scandals involving several prominent companies in the Unites Statestimeline2 December 2001 Enron files for bankruptcy, in the US biggest ever corporate fai

12、lure10 January 2002 Arthur Andersen admits its staff shredded thousands of documents concerning the Enron audit15 June 2002 Arthur Andersen is found guilty of obstructing justice by shredding evidence relating to the Enron scandal25 June 2002 WorldCom, announces its intention to restate its financia

13、l statements, reducing previously reported earnings by nearly $4 billion21 July 2002 WorldCom files for bankruptcy protection, the largest such filing in U.S. history8 November 2001 Enron revises its financial statements to reduce earnings by $586 million over the past four yearsJuly 2002 Sarbanes-O

14、xley Act is passedIn July 2002, one of the most influential pieces of US corporate legislation related to corporate governance, financial disclosure, and public accounting was passed by the US Congress by a nearly unanimous vote. One of the most important aspects of the Act is the effect it will hav

15、e on companies internal controls.The Sarbanes-Oxley Act protects investorsSOX has been designed “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”Section 404 - Internal controls for financial reporti

16、ngstates that management must take responsibility for maintaining an effective system of internal controlsCEOs and CFOs are required to certify personally in writing the accuracy and completeness of the financial information and management assessment of internal controlsSection 302 Disclosure contro

17、ls & proceduresSection 906 written statement on fairnessSOX and Section 404 in particular underline managements responsibilityAnnual reports must include ;internal control reports,; which shall:state the responsibility of management for establishing and maintaining an adequate internal control s

18、tructureidentify the framework used by management to evaluate the effectiveness of this internal controlcontain an assessment of the effectiveness of the internal control structure and proceduresdisclose any material weakness in such controlAll of these reporting requirements mean that management wi

19、ll become directly responsible for managing the internal controlsSection 404 is not only about accountingSection 404 holds management responsible for the end-to-end business processes that in turn feed into the financial reporting structureCorporations must ensure that the policies and practices ass

20、ociated with their business processes are being followedCorporations now have the burden of proof in the control of day-to-day operations, not only their financial reporting mechanismsAs a foreign publicly-listed company in the US, Nokia is obligated to comply with the Sarbanes-Oxley legislation for

21、 the year 2005.Internal controls are to benefit us and to increase shareholder value due to assurance of ethical operationsImproved business processes transparency will lead to improvementsdefinition of internal controls forces to take a critical look on processes inputs/outputs will become clearer

22、and overlapping can better be avoidedReduced errors and gaps in processes and reported resultsKnowledge sharing, induction, tracking of past issues etc. will become easier thanks to improved process understanding and documentationAssignment of roles and responsibilities will improve as communication

23、 and escalation is encouragedManagement will become more aware, better informed about the actual status of operationsTable of ContentsWhat are internal controls in practice?Your own responsibility30 minAction points & discussionHow Nokia implements internal controls and SOX?An example of interna

24、l controls and processes30 minWhat will change in working practices?30 minWhat are internal Controls and the US Sarbanes-Oxley Act (SOX) and why are they important?Message from CEOWithin Nokia, we have always focused strongly on performance, cultivating at the same time an atmosphere of openness. Th

25、is being important, we must also recognize the importance of accountability and renew our recognition thereof. This message serves as a reminder of this along with clarifying which groups or individuals have the key decision-making mandate and ultimate accountability in given situations. I believe t

26、hat the increased attention to internal controls is beneficial to us. It requires us to review and document our existing practices. It also serves as an essential reminder of the importance of complying with external and internal rules. Nokia Values and Code of Conduct set the standard how everyone

27、of us must act and work complying with all the ethical and legal standards. Sarbanes-Oxley Act and more specifically its internal control provision Section 404 requires now formalization of our good practices. I trust that you all take these requirements seriously and keep in mind that it is everyon

28、es responsibility at Nokia to ensure ethical and diligent conduct as well as good management practice.Message from CFOIn more concrete terms, the Sarbanes-Oxley Act and the related US rules require the CEO and CFO of Nokia to certify personally the accuracy and completeness of the financial informat

29、ion as well as the design and effectiveness of the companys internal controls annually in Nokias Form 20-F report. In addition, the management must issue a separate report on the companys internal controls to be included in each Form 20-F report.In order to fulfil these external requirements, the wh

30、ole Nokia organization must ensure that our control environment works, and as Jorma pointed out, that we all comply with the Nokia Values and the highest standards of ethical conduct, including the principles set out in Nokias Code of Conduct, in all of our activities.The key to SOX 404 compliance i

31、s to ensure that our internal controls are defined, managed and followed at all organizational levels. We need visibility and assurance to prove that.Having said this, I wish to highlight that this project is critically important and everyones full & timely contribution is expected.Nokia Values

32、are still key to our thinkingNokia Values - Customer satisfaction, Respect, Achievement and Renewal - were defined in early 1990s and form a common bond for working together at NokiaThe way we have implemented Nokia Values in our day-to-day work has been instrumental to our business successIn todays

33、 ever-changing business environment, a strong values base is crucial in holding a global company togetherNokia Way and Values are a foundation of our leadership principles; at the same time we strive to develop our fact-based management to master the growing business complexityWe continue to empower

34、 and trust our peopleIncreasing need for transparency calls for a more systematic approach in documenting policies, practices and responsibilities. We have to be able to show records on how we operate At Nokia, we decide how to review our processes, formalize controls and ensure the adoption of thes

35、e controls; auditors and authorities monitor legal compliance Everybody is responsible for implementing controls in his/her respective process area; the whole organization needs to be involvedNokias approach to implementationInternal controls have always been an integral aspect of Nokias operationsW

36、e will not reinvent internal controls but review and document their current statusThe implementation of SOX 404-compliant internal controls will require that our current controls and the assignment of responsibility are formalized and documented.Given that this project will have such a wide impact o

37、n processes throughout Nokia, efforts will be coordinated through the SOX 404 Project. Internal control project at NokiaThere are currently several projectsaddressing internal controls around Nokia:Business BG/HG (SOX 404)FSP BISOXHROther projects The requirement for the management is to implement t

38、ransparent internal controls Additional requirement for F&8C and Legal is to roll-out management testing of internal controls. Management testing means testing by Nokias own organization, validated by our external auditor PwCThe implementation of internal controls will involve the entire Nokia o

39、rganizationWhat the internal controls project at Nokia means in practice ?Prioritised and approved control catalogues by end of Q1Supported by flowcharts by end of Q1Updated other process descriptions by end of Q2Visible performing of internal controls starting Q2Documentation of performed controls

40、at all levels (Q2 pilot)Internal Control Mgmt solution is required from the beginning of Q2 i.e. April 1, 2005 onwardsBased on interim solution the reporting and follow-up practicesAutomated system probably provided laterManagement assessment of internal controls Internal testing done by next level

41、F&C and Legal on performed controls and documentation Sample sizes are calculated as defined by SOXExternal audit and internal controls report by PwCNokia SOX 404 project timelineSOX 404 project organizationNokia SOX Working GroupWeekly meetingsMP: Sari RouheM: Harri SpolanderES: Harri Spolander

42、CMO: Regina Mustam?kiTP: Kimmo Saarim?kiNokia F&C: Maarit AaltoFSP: Terttu HeikkonenTreasury: Kristian PullolaSRO: Virpi Heikkil?BI: Yrj? BensonNET: Sari TikkaORS: Tom LindgrenCF: Krista KarliHR: Janet WattWorking Group co-ordination: Harri SpolanderTraining planning and implementation co-ordina

43、tion: Kristiina Fromholtz-M?kiSteering Group Monthly meetings with Nokia SOX Working GroupNokia: Maija TorkkoMP: Anja KorhonenM: Riitta-Liisa HiillosES: Tore TeirNET: Helena RoineCMO: Andy FordTP: Timo RajalaFSP: Kaarina MuurinenSRO: Mika Uitto HR: Ari LehtorantaReview QuestionThe use of ”internal c

44、ontrols” is a new management philosophy being implemented at Nokia as a result of the SOX Act?True or False:Table of ContentsWhat are internal controls in practice?Your own responsibility30 minAction points & discussionHow Nokia implements internal controls and SOX?An example of internal control

45、s and processes30 minWhat will change in working practices?30 minWhat are internal Controls and the US Sarbanes-Oxley Act (SOX) and why are they important?Internal controls from various perspectivesAt a theoretical level, internal controls all contain the same basic principlesIn practice, the develo

46、pment, refinement, formalization, and/or documentation of internal controls will mean different things to different operational areasFor instance, there are differences in controls between BGs, HGs, BI and F&CAccess & Authorization,Change Management,IT OperationsBIBusiness processF&CFoll

47、ow, control analyze transactions and reporting BGs/HGsInput transaction data,control master dataBusiness and IT controls in co-operationReportInput 1Input 2Layers of data controlledMaster dataTransactionsReportingReportIllustrativeThere are three types of controls:Manual business process controlsAut

48、omated IT-enabled business process controlsIT controlsBusiness processIT processesControls for access and authorizationControls for IT changesControls for IT operationsF&CFSPTPCMOBGsHow to define which controls are material? All controls where a control weakness might have a material impact on f

49、inancials at Nokia level are relevant for SOX 404 scopeMateriality is defined based on the materiality of the process itself not based on individual control points As we can easily identify quite many possible controls in processes in scope we need to prioritise them The prioritization should be don

50、e by identifying risks in the process that could potentially create a control weakness Typically having a couple of effective control points relevant to financial reporting we have a good control coverageAll prioritised controls should be performed at all levelsThere can be more detailed controls fo

51、r operational or quality purposes but they are not critical SOX 404 controlsHow do I write a control description?WHY is the control performed (for prevention or detection)WHO performs the control (person or system)WHO is responsible for the controlHOW is the control performed (inputs/ process/ outpu

52、ts)HOW are exceptions resolvedWHAT evidence or documentation exists to show that the control has been performedWHO monitors the execution of the controlWHO reports on the execution of the controlWHO takes action if a control failsOTHER RELEVANT INFORMATION, IF APPROPRIATE:Is the control automated, s

53、emi-automated, or manualHow often the control is performed (daily, weekly, monthly, yearly)What is the name of the IT system in questionReview QuestionWhat are some of the internal controls used in your position?What are some of the internal controls used in your Group?Consider:Table of ContentsWhat

54、 are internal controls in practice?Your own responsibility30 minAction points & discussionHow Nokia implements internal controls and SOX?An example of internal controls and processes30 minWhat will change in working practices?30 minWhat are internal Controls and the US Sarbanes-Oxley Act (SOX) a

55、nd why are they important?Transparency to business processes through improved documentation and reporting“As a manager You control business activities not documentation”Performing and managing internal controlsEmployees and managers will perform, document, verify and report controls as part of their

56、 daily work.Each team and manager will ensure that controls are performed appropriately and issues are escalated. Management testing Managers and business controllers will test internal controls on a regular basis.Management testing process will be created as a part of internal controls (SOX) projec

57、t spring 2005.AuditingExternal auditors will test our internal controls. This is an integrated part of the annual audit but not limited to year-end activity.ManagementsperiodicalcommentsSOX reportAudit reportMirrorcertificateNew practicesExisting practicesMirror certificateWe have already mirror cer

58、tifications for financial information correctness. Now Nokia has burden of proof also that our internal control exists, it is followed and its effectiveness is tested.Table of ContentsWhat are internal controls in practice?Your own responsibility30 minAction points & discussionHow Nokia implemen

59、ts internal controls and SOX?An example of internal controls and processes 30 minWhat will change in working practices?30 minWhat are internal Controls and the US Sarbanes-Oxley Act (SOX) and why are they important?Examples of internal controlsBIIT access rights and authorizations User account added

60、, modified, and deleted in a timely mannerAppropriateness of access rights periodically reviewedIT operationsSystem and application appropriate authorization and schedulingIdentification and resolving of processed deviations/ problemsChange ManagementProgram/ Project related changesApplication maint

61、enance type of changesBGs and HGsDeals only with approved counterpartiesCustomer order- checked to be valid and according to the contractGoods received into inventory - the delivery documents checked against physical goodsSourcing and purchasing approval limits Legal and customs compliance - consult

62、ed before approvalFSPIncoming payments are posted daily against customer invoices and reconciled against cash and bank movementsAny unallocated incoming payment is cleared manuallyReceivable balances are reconciled regularlyHRPayroll calculation checklistExample of internal controls: Case Revenue Re

63、cognition Process in device businessesControl activities and internal controls related to business Payment Customer InvoiceDelivery of GoodsSales OrderContract CreationCustomer Credit ControlTimeliness of Customer invoicingFollow up of Customer receivablesPricingCompleteness, accuracy and timeliness of customer invoicing and related bookkeeping tr