An Information Technology Perspective of Sarbanes-Oxley David M. Cannon, Ph.D., CPA (Ohio), CCP Assistant Professor Department of Accounting and Taxation.

An Information Technology Perspective of Sarbanes-Oxley
David M. Cannon, Ph.D., CPA (Ohio), CCP
Assistant Professor, Department of Accounting and Taxation, Grand Valley State University
West Michigan Accounting and Auditing Symposium, May 27, 2004

Primary Sarbanes-Oxley Sections Relevant to IT
Section 302
  – CEO and CFO must attest to the accuracy of financial statements (a)(2)
  – CEO and CFO must certify that, to their knowledge, quarterly and annual reports contain no untrue statement of a material fact and do not omit a material fact
  – CEO and CFO must certify that:
    – they are responsible for internal controls (a)(4)(A)
    – the controls are designed such that material information is made known to the CEO and CFO (a)(4)(B)
    – they have evaluated the effectiveness of internal control within 90 days prior to quarterly and annual reports (a)(4)(C)

Primary Sarbanes-Oxley Sections Relevant to IT
Section 404
  – Annual report must contain a report on the effectiveness of internal control
  – External auditor must provide assurance on the internal control report
Section 409
  – Real-time disclosure requirements for “material changes in the financial condition or operations”

Pervasiveness of IT in business processes
– IT is critical to financial business processes in all but the tiniest organizations
– Many significant transactions are entered into and/or processed without human intervention
  – Stock trades
  – Goods orders
  – Payments for goods and services

Pervasiveness of IT in business processes (continued)
– Trend toward integrated, inter-enterprise systems
  – Supply Chain Management (SCM)
  – Electronic Data Interchange (EDI)
  – eXtensible Markup Language (XML)
  – eXtensible Business Reporting Language (XBRL)
  – Enterprise Application Integration (EAI)

Pervasiveness of IT in business processes (continued)
– Real-time, integrated global systems are now common
– Current emphasis is on advance specification of business rules instead of human judgement on individual transactions

Basic Perspective Differences Between IT and Finance
Organizational Perspective
  – IT typically views individual information systems in isolation
  – Finance is concerned with the entire reporting entity
Risk Perspective
  – IT is concerned with information technology operational and systems development risks
  – Finance is concerned with financial risk and reporting risk

Characteristics of Section 302 & 404 Compliant Systems
– Well-defined and documented
– Transparent
– Accurate
– Verifiable
Based on “Sarbanes-Oxley and insurance IT: think you don’t have to worry?”, RebusIS Insurance Solutions White Paper

Well-defined and documented processes
– Documentation of business processes is often
  – Incomplete
  – Inconsistent
  – Obsolete
  – Obscured
  – Just plain wrong
– The internal control documentation situation is worse
– Repeatability is lacking for manual processes

Well-defined and documented processes (continued)
– What about non-routine processes?
– How do we ensure that changes in business processes are documented?
– What about outsourced processes?

Transparency
– Most financial controls are embedded within information systems and require specialized IT knowledge to identify, understand and test
  – Parameter files (software, hardware and network)
  – Program source code
  – Job Control Language (JCL), scripts
  – Scheduling software (e.g. CA-7)
  – Access control software (e.g. RACF)
  – Change control software (e.g. Librarian)

Transparency (continued)
– Many business processes cross organizational boundaries
  – Outsourcing
  – Enterprise Application Integration (EAI)
  – Supply Chain Management (SCM)
  – eXtensible Markup Language (XML)
  – eXtensible Business Reporting Language (XBRL)
– Are the processes used by external entities to implement outsourced business processes known, visible and documented?
– Are the controls over such processes known, visible and documented?

Accuracy
– Do a company’s business processes result in the “right number” being reported? (Reliability)
  – Human error
  – System design deficiencies
  – Program bugs
  – System operational errors

Accuracy (continued)
– Is there repeatability (stability) in the processes? Potential problems:
  – Manual entries
  – Spreadsheets
  – Manual procedures and processes

Verifiability
– Does the information system provide the information required to verify how the reported numbers are produced?
  – Audit trails
  – Change control system(s)
  – Business process and control documentation tracking systems
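The Accuracy and Verifiability slides ask two concrete questions of a financial system: can a reported number be re-derived from the records that produced it, and do manual entries undermine repeatability? The Python below is an added example, not code from the presentation or its author. It keeps a hash-chained audit trail of journal entries (constructed sample data; the account codes, user names, timestamps and amounts are invented), re-derives an account balance from the trail, lists the entries an auditor would trace to support it, flags large manual postings, and shows how an entry edited after the fact is detected.

```python
"""Hash-chained audit trail for journal entries (added example, not from the presentation).

Sample data is constructed; account codes, user names and amounts are invented.
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List

GENESIS_HASH = "0" * 64  # prev_hash recorded on the first entry


@dataclass(frozen=True)
class JournalEntry:
    seq: int            # 1-based position in the trail
    posted_at: str      # ISO-8601 timestamp of the posting
    user: str           # account that posted the entry
    source: str         # "system" (automated posting) or "manual"
    account: str        # general-ledger account code
    amount_cents: int   # integer cents so that sums are exact
    prev_hash: str      # entry_hash of the preceding entry
    entry_hash: str     # SHA-256 over this entry's fields plus prev_hash


def entry_digest(seq: int, posted_at: str, user: str, source: str,
                 account: str, amount_cents: int, prev_hash: str) -> str:
    """Canonical SHA-256 of one entry; changing any field changes the digest."""
    payload = json.dumps([seq, posted_at, user, source, account, amount_cents, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only list of entries, each chained to its predecessor by hash."""

    def __init__(self) -> None:
        self.entries: List[JournalEntry] = []

    def append(self, posted_at: str, user: str, source: str,
               account: str, amount_cents: int) -> JournalEntry:
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        seq = len(self.entries) + 1
        digest = entry_digest(seq, posted_at, user, source, account, amount_cents, prev_hash)
        entry = JournalEntry(seq, posted_at, user, source, account,
                             amount_cents, prev_hash, digest)
        self.entries.append(entry)
        return entry

    def balance(self, account: str) -> int:
        """Re-derive a reported balance from the trail instead of trusting a stored total."""
        return sum(e.amount_cents for e in self.entries if e.account == account)

    def supporting_entries(self, account: str) -> List[int]:
        """Sequence numbers an auditor would trace to support the balance."""
        return [e.seq for e in self.entries if e.account == account]

    def verify_chain(self) -> List[int]:
        """Return seq numbers whose content or linkage no longer matches the chain."""
        broken: List[int] = []
        expected_prev = GENESIS_HASH
        for e in self.entries:
            recomputed = entry_digest(e.seq, e.posted_at, e.user, e.source,
                                      e.account, e.amount_cents, e.prev_hash)
            if e.prev_hash != expected_prev or recomputed != e.entry_hash:
                broken.append(e.seq)
            expected_prev = recomputed  # an altered entry also breaks its successor's link
        return broken

    def manual_exceptions(self, threshold_cents: int) -> List[int]:
        """Manual postings at or above a threshold: the repeatability risk the slide names."""
        return [e.seq for e in self.entries
                if e.source == "manual" and abs(e.amount_cents) >= threshold_cents]


def tamper(trail: AuditTrail, seq: int, new_amount_cents: int) -> None:
    """Simulate an edit made outside append() (for example directly in the database)."""
    trail.entries[seq - 1] = replace(trail.entries[seq - 1], amount_cents=new_amount_cents)


def build_sample_trail() -> AuditTrail:
    """Constructed quarter-end postings; not real data."""
    trail = AuditTrail()
    trail.append("2004-03-31T09:05:00", "ar_batch", "system", "4000-Revenue", 125_000)
    trail.append("2004-03-31T09:06:00", "ar_batch", "system", "4000-Revenue", 87_550)
    trail.append("2004-03-31T17:45:00", "jdoe", "manual", "4000-Revenue", 500_000)
    trail.append("2004-03-31T18:02:00", "jdoe", "manual", "4000-Revenue", -1_200)
    trail.append("2004-03-31T18:10:00", "ar_batch", "system", "1200-AR", 125_000)
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("Revenue balance:", t.balance("4000-Revenue"),
          "from entries", t.supporting_entries("4000-Revenue"))
    print("Chain breaks:", t.verify_chain())
    print("Large manual postings:", t.manual_exceptions(100_000))
    tamper(t, 2, 187_550)
    print("After edit: balance", t.balance("4000-Revenue"), "chain breaks", t.verify_chain())
```

The chain hash is what turns a log into evidence: a balance is verifiable only if the entries behind it can be shown to be the entries that were originally posted. Editing entry 2 in place changes the revenue balance, and verify_chain reports both entry 2 (its stored digest no longer matches its content) and entry 3 (its stored link no longer matches the recomputed digest of entry 2). The manual_exceptions list is the kind of output an exception report would surface for review.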

Section 409 Compliance Issues
– Diversity of operating environments
  – Multiple vendors
  – Multiple platforms
  – Operating systems
  – Programming languages
  – Networks
  – System operating cycles
    – Batch vs. real-time
    – Daily, weekly, monthly cycles
– Ad hoc interfaces between business processes
– Manual procedures

Technologies conducive to Section 409 compliance
– ERP systems
– Real-time systems
– Middleware
– Data warehouses
– Data marts
– Section 409 reporting systems

Information Technology Cultural Issues
– Lack of domain knowledge
– Preference for “elegant” solutions
– Preference for new and emerging technologies
– Focus on individual tasks instead of the big picture
– Sense that organizational rules don’t always apply to IT
– The “others just don’t get it” attitude

The Information Technology Function’s Role
Pre-Sarbanes-Oxley:
– IT is responsible solely for controls over IT operational processes
  – controls over IT operations
  – controls over IT development
  – general controls over IT function processes
– Financial controls are outside the IT domain
  – a view often promoted by finance/accounting
  – to IT, controls are merely application functions

The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
– “no need for IT to have a basic understanding of business processes”
  – “business process is within the functional domain”
  – “tell us what you want and we’ll build it”
  – “system meets specifications” … but not necessarily business requirements

The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
– “no need to understand financial controls”
  – viewed as a functional requirement of the application
  – few IT professionals have formal training in internal control
  – assumes that the choice of technical design and implementation has no effect on controls

The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
– Controls often viewed by IT as separate from the business process rather than integral to it
– IT’s risk perspective limited to
  – IT security risks
  – IT operational risks
– IT TYPICALLY HAS LITTLE OR NO KNOWLEDGE OR CONSIDERATION OF FINANCIAL REPORTING RISK!

What can IT do to comply with Sarbanes-Oxley?
– Understand that the rules have changed
  – Business processes and their controls must be continuously transparent
  – Controls must be viewed as an essential component of systems
  – Complete, correct, and up-to-date documentation is no longer simply a good practice; it is critically necessary
  – IT governance is here and now

What can IT do to comply with Sarbanes-Oxley? (continued)
– Understand that the rules have changed (continued)
  – Financial reporting risk must be considered in all IT decisions
    – Outsourcing and inter-enterprise integration
    – Choice of technology
    – Systems design, implementation and maintenance
    – Vendor selection
  – IT professionals must have a basic understanding of business processes and financial controls

What can IT do to comply with Sarbanes-Oxley? (continued)
– Insist on full representation on and participation in Sarbanes-Oxley compliance projects
– Provide technical expertise to assist in documenting controls
– Assist in the selection and implementation of Sarbanes-Oxley compliance tools
  – Business Process Management (BPM) tools
  – Document management tools
  – Data mining applications
  – Monitoring tools (dashboards, exception reporting systems)

What can IT do to comply with Sarbanes-Oxley? (continued)
– Request the internal audit function to facilitate a control self-assessment
– Adopt a comprehensive IT control framework
  – Control Objectives for Information Technology (COBIT)

The good news for IT...
“There is no discretionary spending where the alternative is a prison sentence.”
From “Sarbanes-Oxley and insurance IT: think you don’t have to worry?”, RebusIS Insurance Solutions White Paper

Questions?