An Information Technology Perspective of Sarbanes-Oxley
David M. Cannon, Ph.D., CPA (Ohio), CCP
Assistant Professor, Department of Accounting and Taxation, Grand Valley State University
West Michigan Accounting and Auditing Symposium, May 27, 2004
Primary Sarbanes-Oxley Sections Relevant to IT
Section 302
–CEO and CFO must certify that, to their knowledge, quarterly and annual reports contain no untrue statement of a material fact and do not omit a material fact needed to keep the statements from being misleading (a)(2)
–CEO and CFO must certify that:
   they are responsible for establishing and maintaining internal controls (a)(4)(A)
   the controls are designed such that material information is made known to the CEO and CFO (a)(4)(B)
   they have evaluated the effectiveness of internal control within 90 days prior to the quarterly or annual report (a)(4)(C)
Primary Sarbanes-Oxley Sections Relevant to IT
Section 404
–Annual report must contain a report on the effectiveness of internal control
–External auditor must provide assurance on (attest to) the internal control report
Section 409
–Real-time disclosure requirements for “material changes in the financial condition or operations”
Pervasiveness of IT in Business Processes
IT is critical to financial business processes in all but the tiniest organizations
Many significant transactions are entered into and/or processed without human intervention
–Stock trades
–Goods orders
–Payments for goods and services
Pervasiveness of IT in Business Processes (continued)
Trend toward integrated, inter-enterprise systems
–Supply Chain Management (SCM)
–Electronic Data Interchange (EDI)
–eXtensible Markup Language (XML)
–eXtensible Business Reporting Language (XBRL)
–Enterprise Application Integration (EAI)
Pervasiveness of IT in Business Processes (continued)
Real-time, integrated global systems are now common
Current emphasis is on advance specification of business rules instead of human judgments on individual transactions
Basic Perspective Differences Between IT and Finance
Organizational perspective
–IT typically views individual information systems in isolation
–Finance is concerned with the entire reporting entity
Risk perspective
–IT is concerned with information technology operational and systems development risks
–Finance is concerned with financial risk and reporting risk
Characteristics of Section 302 & 404 Compliant Systems
Well-defined and documented
Transparent
Accurate
Verifiable
Based on: Sarbanes-Oxley and insurance IT: think you don’t have to worry? RebusIS Insurance Solutions White Paper
Well-defined and Documented Processes
Documentation of business processes is often
–Incomplete
–Inconsistent
–Obsolete
–Obscured
–Just plain wrong
The internal control documentation situation is worse
Repeatability is lacking for manual processes
Well-defined and Documented Processes (continued)
What about non-routine processes?
How do we ensure that changes in business processes are documented?
What about outsourced processes?
Transparency
Most financial controls are embedded within information systems and require specialized IT knowledge to identify, understand and test
–Parameter files (software, hardware and network)
–Program source code
–Job Control Language (JCL), scripts
–Scheduling software (ex: CA-7)
–Access control software (ex: RACF)
–Change control software (ex: Librarian)
Transparency
Many business processes cross organizational boundaries
–Outsourcing
–Enterprise Application Integration (EAI)
–Supply Chain Management (SCM)
–eXtensible Markup Language (XML)
–eXtensible Business Reporting Language (XBRL)
Are the processes used by external entities to implement outsourced business processes known, visible and documented?
Are the controls over such processes known, visible and documented?
Accuracy
Do a company’s business processes result in the “right number” being reported? (Reliability)
Sources of wrong numbers:
–Human error
–System design deficiencies
–Program bugs
–System operational errors
Accuracy
Is there repeatability (stability) in the processes? Potential problems:
–Manual entries
–Spreadsheets
–Manual procedures and processes
Verifiability
Does the information system provide the information required to verify how the reported numbers are produced?
–Audit trails
–Change control system(s)
–Business process and control documentation tracking systems
Section 409 Compliance Issues
Diversity of operating environments
–Multiple vendors
–Multiple platforms
–Operating systems
–Programming languages
–Networks
System operating cycles
–Batch vs. real-time
–Daily, weekly, monthly cycles
Ad hoc interfaces between business processes
Manual procedures
Technologies Conducive to Section 409 Compliance
ERP systems
Real-time systems
Middleware
Data warehouses
Data marts
Section 409 reporting systems
Information Technology Cultural Issues
Lack of domain knowledge
Preference for “elegant” solutions
Preference for new and emerging technologies
Focus on individual tasks instead of the big picture
Sense that organizational rules don’t always apply to IT
The “others just don’t get it” attitude
The Information Technology Function’s Role
Pre-Sarbanes-Oxley:
IT is responsible solely for controls over IT operational processes
–controls over IT operations
–controls over IT development
–general controls over IT function processes
Financial controls are outside the IT domain
–view often promoted by finance/accounting
–controls are merely application functions to IT
The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
“no need for IT to have a basic understanding of business processes”
–“business process is within the functional domain”
–“tell us what you want and we’ll build it”
–“system meets specifications” … but not necessarily business requirements
The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
“no need to understand financial controls”
–viewed as a functional requirement of the application
–few IT professionals have formal training in internal control
–assumes that the choice of technical design and implementation has no effect on controls
The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
Controls often viewed by IT as separate from the business process rather than integral to the process
IT’s risk perspective limited to
–IT security risks
–IT operational risks
IT TYPICALLY HAS LITTLE OR NO KNOWLEDGE OR CONSIDERATION OF FINANCIAL REPORTING RISK!
What Can IT Do to Comply with Sarbanes-Oxley?
Understand that the rules have changed
–Business processes and their controls must be continuously transparent
–Controls must be viewed as an essential component of systems
–Complete, correct, and up-to-date documentation is no longer simply a good practice; it is critically necessary
–IT governance is here and now
What Can IT Do to Comply with Sarbanes-Oxley?
Understand that the rules have changed (continued)
–Financial reporting risk must be considered in all IT decisions:
   Outsourcing and inter-enterprise integration
   Choice of technology
   Systems design, implementation and maintenance
   Vendor selection
–IT professionals must have a basic understanding of business processes and financial controls
What Can IT Do to Comply with Sarbanes-Oxley?
Insist on full representation on and participation in Sarbanes-Oxley compliance projects
Provide technical expertise to assist in the documenting of controls
Assist in the selection and implementation of Sarbanes-Oxley compliance tools
–Business Process Management (BPM) tools
–Document management tools
–Data mining applications
–Monitoring tools (dashboards, exception reporting systems)
What Can IT Do to Comply with Sarbanes-Oxley? (continued)
Request the internal audit function to facilitate a control self-assessment
Adopt a comprehensive IT control framework
–Control Objectives for Information and related Technology (COBIT)
The Good News for IT...
“There is no discretionary spending where the alternative is a prison sentence.”
From: Sarbanes-Oxley and insurance IT: think you don’t have to worry? RebusIS Insurance Solutions White Paper
Questions?