Information Technology Controls and Sarbanes-Oxley ISACA Roundtable Discussion April 15, 2004
What are IT Controls?
- IT processes embedded within the Business Processes (application level controls) – e.g., SAP security restricts access to vendor master file
- Infrastructure/General Computer Controls – e.g., Change Management, UNIX security

How do you determine what is in SOX scope?
Financial Statements
- Balance Sheet
- Income Statement
- Cash Flow Statement
- Footnotes
Develop Materiality/Threshold
Identify Significant Accounts
- Individual
- In Aggregate
Major Classes of Transactions
Processes
Applications (e.g., SAP)
Infrastructure (Database, Network, Operating Systems)
COBIT and COSO Link
Minimum Documentation
Information Security
- Policies, Procedures, Standards
- Risk Assessment
- Authentication Controls
- Authorization Controls (including Administrator/Super User level)
- User Access Administration (Granting, Terminating and Employee Transfers, Contractors)
- Security Logging and Monitoring Controls
- Other Technical Configurations
- Physical Security
Systems Development and Change Management Controls
- Request/Approvals
- Prioritizations
- Development Standards
- SDLC
- Testing, QA, Migration
- Documentation Maintenance
Computer Operations
- Batch Jobs (Abends, Performance/Capacity Monitoring)
- Backups
Relevant application controls (e.g., Access Controls, Edit/Validation Checks, Interfaces, Audit Trails, etc.)