Adam Bearhalter Kristy Kelly Julie Bland Alex Tiset
Introduction Corporate & Accounting Scandals Public confidence Signed in July 30, 2002 Reach
Titles TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD TITLE II—AUDITOR INDEPENDENCE TITLE III—CORPORATE RESPONSIBILITY TITLE IV—ENHANCED FINANCIAL DISCLOSURES TITLE V—ANALYST CONFLICTS OF INTEREST TITLE VI—COMMISSION RESOURCES AND AUTHORITY TITLE VII—STUDIES AND REPORTS TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS TITLE X—CORPORATE TAX RETURNS TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY
Key Provisions 1. SOX Section 302: Internal control certifications 2. SOX Section 404: Assessment of internal control 3. SOX Section 802 Criminal Penalties for Violation of SOX 4. SOX Section 1107 Criminal Penalties for Retaliation Against Whistleblowers
SOX Section 404 Management must report on the effectiveness of the company's internal controls over financial reporting. A statement of management's responsibility over internal controls Management's assessment of the effectiveness of the company's internal control Identify the framework used to evaluate controls State that their auditor has reported on their internal controls as well
SOX Section 404 In today’s business environment IT systems initiate, process, and report most financial transactions Because they are so involved in the day to day financial transactions, the IT systems become key to financial reporting Making the controls over the IT systems key to financial reporting as well IT Governance Institute, 2006
SOX Section 404 Management is required to implement an internal control framework. COSO is most widely used framework for SOX compliance Pays little attention to IT controls COBIT is one of the better known frameworks that relate to IT controls IT Governance Institute, 2006
Key Controls Controls that are key to ensuring that the values on the balance sheet are accurate and reliable Database triggers entry in general ledger. System to ensure s are sent IT Auditor ensures that they are effective, reliable, and reproducible
General Controls Controls that go across all IT systems and are essential to ensuring the integrity, reliability, and quality of the systems Security Policies Change Management Administration of Duties/Rights
Separation of Duties Individual Permissions Roles Least Privilege Individual only given privileges needed to do their job User Provisioning New users set up with correct privileges Standard profile for each user
What if these 3 principles are not in place? The IT system has failed to meet SOX Compliance The Auditor must: Note the exception Flag it up to Management for remediation
Strategies for Sarbanes-Oxley Compliance Understand SOX requirements Set aside sufficient resources Get everyone involved Create independent audit committee Educate everyone Evaluate auditors Make required changes Prepare for the future Source:
Impact of SOX on IT and Management Risk Assessment Control Environment Control Security Monitoring Information and Communication Source:
Impact of SOX Risk Assessment Areas of Risk Examination of systems Accuracy of Documentation Control Environment Effectiveness of IC’s Tone of Organization Control Environment Factors Source:
Impact on Sox Control Security IT Security Monitoring Processes and Schedules Internal Audits Information and Communication Timely and Accurate Information Communication to Management Source: