IT Control Objectives for Sarbanes-Oxley


1 IT Control Objectives for Sarbanes-Oxley
This presentation focuses on the IT Control Objectives for SOX published by the ITGI.

Background: the document focuses on Section 404 of the SOX Act, which requires management to assess the effectiveness of an organization's internal controls over financial reporting and to report annually on the results of that assessment. The PCAOB suggests that "IT controls have a pervasive effect on the achievement of many control objectives." The PCAOB further provides guidance on the controls that should be considered in the assessment and requires companies to select and implement a suitable control framework. COSO has become the most commonly adopted framework. In general, SEC registrants and others have found that additional detail regarding control considerations was needed beyond what COSO provides.

Insert COBIT.

COBIT in its full perspective provides controls and objectives that address operational and compliance objectives; only those related directly to financial reporting were used to develop this document.

2 Managing Risk
"…many of the IT professionals being held accountable for the quality and integrity of information generated by their IT systems are not well versed in the intricacies of internal control. This is not to suggest that risk is not being managed by IT, but rather that it may not be formalized or structured in a way required by an organization's management or its auditors."

In my experience, this is the most difficult concept to relay to our IT management. While we find that generally IT management does perform their due diligence in this area, most do not fully understand their role in internal control. Have any of you had similar experiences in your organization? Examples: architectural review committees; adding new equipment without full authorization. How about wireless access points?

3 IT Key Areas of Responsibility
- Understanding the organization's internal control program and financial reporting process
- Mapping the IT systems that support internal control and the financial reporting process to the financial statements
- Identifying risks related to these systems
- Designing and implementing controls designed to mitigate the identified risks, and monitoring them for continued effectiveness
- Documenting and testing IT controls

Organizations need representation from the SOX teams to ensure that IT general controls and application controls support the objectives of compliance. According to the COBIT control objectives, the key areas of responsibility include those listed above. Comments: How many of your organizations have someone within the IT department performing these functions? How many of your organizations have IA performing these functions, with the IT folks joining in for the documentation and testing of IT controls?

4 IT Key Areas of Responsibility
- Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or the financial reporting process
- Monitoring IT controls for effective operation over time
- Participation by IT in the Sarbanes-Oxley project management office
- And the list goes on…

If you really take a look at the responsibilities, these are activities that, as auditors, we perform every day. No need to reinvent the wheel. Most companies have IT controls in place, although they may not be formalized. In my personal experience, the greatest challenge is helping IT management recognize the significance of effectively communicating and documenting the control environment and, most importantly, taking ownership of the controls within their responsibilities. E.g., system development projects: IT teams rely on business units to tell them specifically how to code the "soft" controls. Example: the system built with no reporting. It is logging all activity, right? According to COBIT, organizations may be able to tailor existing IT control processes to comply with SOX. According to the ITGI, "Frequently, it is the consistency and quality of control documentation and evidential matter that is lacking, but the general process is often in place, only requiring some modification." We would expect IT enhancements to be in the areas of the IT environment, computer operations, access to programs and data, program development and program changes.

5 ITGI Control Objectives
- IT Control Environment
- Computer Operations
- Access to Programs and Data
- Program Development and Program Change

IT Control Environment: "tone at the top." The ITGI's recent publication now includes a company-level IT management questionnaire to assess management's attitude and actions towards internal controls. Question: How many companies have completed their Entity Level Reviews? Did these reviews include questions/comments/input from the CIO or IT senior management? We'll go over each point in detail; this slide is to introduce the topics.

6 IT Control Environment
The PCAOB has indicated that an ineffective control environment should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists.

That's a pretty strong statement. What are the implications for IT? The next two slides describe the IT control environment.

7 What is the IT Control Environment?
- IT governance process
- IS strategic plan
- IT risk management process
- Compliance and regulatory management
- IT policies, procedures and standards
- Monitoring and reporting are required to ensure that IT is aligned with business requirements.

How many of your IT organizations have these types of plans/processes standardized? Do they use a formalized control framework? If so, which one?

8 Computer Operations
Computer operations should include controls over:
- Effective acquisition
- Implementation
- Configuration and maintenance

Ongoing controls over operation address the day-to-day delivery of information services, service level management, management of third-party services, etc.

Effective acquisition:
- Third-party software: Was there a bid process and formal evaluation? Does the expenditure have to be approved? If so, by whom?
- Hardware: Is there a policy and procedure for the acquisition and installation of new hardware? Is a third party responsible for acquiring and installing the hardware? Example: at CAL, EDS sometimes acquires the hardware and sets up the OS and database; in this instance they would also harden the box. Any other examples?

Implementation: How does your company introduce new software/hardware to the environment? What are the security protocols? What are the testing procedures?

Configuration and maintenance: Extracting data from a legacy system into the new one. New software could require a process change: who reviews, who approves? Are users getting useful reporting from the new system?

Include CAL test procedures for management of third-party services.

9 Access to Programs and Data
The overall goal of access controls is to prevent "the unauthorized use of, and changes to, the system, and the entity protects its data and program integrity." Sounds simple enough…

- How does this change when you add in remote users?
- How does this change when you add in wireless access?
- How does this change when you add in vendors/customers with web access to needed systems or information?
- How about contract or temporary workers?
- How about third-party vendors that require limited access to your systems?

10 Program Development and Program Change
- What are the acquisition and implementation risks of new applications and/or systems?
- What are the risks of not having a good change management program?

With regard to Program Development and Program Change, COBIT focuses on two areas: the acquisition and implementation of new applications, and the maintenance of existing applications.

What are the risks of acquiring/implementing new systems?
- Poor project management
- Unrealistic completion dates/project goals
- Overspent budgets or mismanagement of budgets
- Not all affected departments are included in the discussions/sign-off process
- Affected departmental needs are not met, i.e. reporting requirements

How do we mitigate these risks? What are your strategies for managing these risks?

What are the risks of not having a good change management program?
- Unauthorized changes
- Unmanaged changes
- Changes implemented without proper testing

What constitutes a good change management program?
- Change requests only come from authorized individuals
- Change requests are logged and weighed in priority
- Change requests are properly tested
- Change requests are properly documented, both in the change management tool and in the code
- Change requests receive proper sign-off
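As an added example (not from the slides or the ITGI document), the five criteria in the last list turned into a review a SOX tester could run over exported change tickets. The authorized requester and approver lists, the ticket fields and the sample tickets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data for this example; the authorized lists and the
# ticket fields are assumptions, not something the slides specify.
AUTHORIZED_REQUESTERS = {"alice", "bob"}
AUTHORIZED_APPROVERS = {"carol", "dave"}


@dataclass
class ChangeRecord:
    ticket_id: Optional[str]        # None means the change was never logged
    requester: str
    priority: Optional[str]         # assigned when the request is weighed
    test_evidence: Optional[str]    # e.g. a reference to the test results
    documented_in_tool: bool        # write-up in the change management tool
    documented_in_code: bool        # ticket referenced in the code/commit
    approver: Optional[str]         # who signed off


def review_change(rec: ChangeRecord) -> List[str]:
    """Apply the five slide criteria; return the list of gaps (empty = passes)."""
    gaps: List[str] = []
    if rec.requester not in AUTHORIZED_REQUESTERS:
        gaps.append("requester not authorized")
    if not rec.ticket_id:
        gaps.append("change not logged")
    elif rec.priority is None:          # logged but never weighed in priority
        gaps.append("no priority assigned")
    if not rec.test_evidence:
        gaps.append("no test evidence")
    if not (rec.documented_in_tool and rec.documented_in_code):
        gaps.append("documentation incomplete")
    if rec.approver not in AUTHORIZED_APPROVERS:
        gaps.append("sign-off missing or not from an authorized approver")
    return gaps


def audit(records: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map each change (by ticket, or a placeholder when unlogged) to its gaps."""
    return {rec.ticket_id or f"<unlogged:{rec.requester}>": review_change(rec)
            for rec in records}


# Constructed sample: one compliant change and two with control gaps.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "alice", "high", "test-run-41", True, True, "carol"),
    ChangeRecord("CHG-1002", "bob", None, None, True, False, "bob"),
    ChangeRecord(None, "eve", None, "test-run-42", False, False, None),
]
```

Running `audit(SAMPLE_CHANGES)` yields an empty gap list for CHG-1001 and four gaps each for the other two records, which is the exception list a tester would take back to the change owners.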

11 Multi-location Considerations
- Significant business units
- Potential financial materiality and significant risk considerations: quantitative and qualitative, and both aspects provide focus

Significant business units can include financial business units or IT business units. The assessment of significance can be impacted by the materiality of transactions processed by the business unit, the potential impact on financial reporting if an IT business unit fails, and other potential risk factors. What are some examples of your organization's multi-location considerations?

12 What is SOX?
SOX provides the foundation for new corporate governance rules, regulations and standards issued by the Securities and Exchange Commission. It covers a range of topics from criminal penalties to corporate board responsibilities. SOX also covers issues such as independent auditing requirements, corporate governance, internal control assessment, and enhanced financial disclosure. CEOs of publicly traded companies will be held accountable for the quality of the controls established which enable accurate financial reporting (including IT processes, systems and roles).

13 Penalties
Section 802(a) of SOX states: "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

14 What prompted SOX?
Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals, including Enron and WorldCom.

15 A hint on policies
Bear in mind that you will be held to the letter of all policies your company develops related to SOX, even if they exceed federal requirements. This is very important to remember when drafting policies. Policies should ensure that corporate behavior is consistent, controlled, and can be proven. Remember: 3 parts carrot, 1 part stick.

16 A word on Frameworks
There are many frameworks out there to assist you with SOX compliance. The key is to find a framework that works for your team, commit to it, train on it, and use it to your best possible advantage.

17 Examples of COBIT Controls
Network Security – Firewalls, secure network configuration including x
Virus Protection – Anti-virus and anti-spyware updated regularly

18 Examples of COBIT Controls
Backups & Restore – Regularly tested procedures
IT Continuity – Disaster recovery procedures

19 Examples of COBIT Controls
File Access Privilege Controls
Identity Management – Password strength/age and access. Who has access, and is that appropriate now?

20 Examples of COBIT Controls
Risk Evaluation Programs – Risk assessment and internal auditing.
Employee IT Security Training – Training of end users related to utilization of resources.

21 Examples of COBIT Controls
Management support/buy-in – Executive-level oversight of projects related to IT.
IT as part of strategic planning – The business must be supported by technologies.

22 Change Management
Standardized change control is a great place to find fast rewards in pursuit of compliance.
- Change approval
- Change categorization
- Change documentation
- Change prioritization
- Formal request-for-change process
- A body of subject matter experts that oversees change

23 Consistent Logging
- Change Management
- Configuration Management
- Event Management
- Incident Management
- Knowledge Management
- Problem Management

24 “Operationalize” information.
Connect the internal changes needed with the strategic objectives of the company. Illustrate that real-time information flow enhances your organization’s ability to make decisions while making compliance easier. Point out the significance of new activities that may seem mundane or inconsequential. This will help actions taken by staff at every level feel more relevant and less painful.

25 Remember W. Edward Deming?
SOX compliance is not a fix-it-and-forget-it endeavor. As companies and the ecosystems that support them change, new compliance quandaries will come up.

26 How can SOX help?
Perspectives on operational control, consistency, and quality take on a whole different meaning once they have a clear relationship to fiduciary responsibility. It is amazing how different the conversation about project prioritization becomes once executive management is offered the opportunity to make the decisions guiding it.

