IT Control Objectives for
Sarbanes-Oxley
Managing Risk
“…many of the IT professionals being held
accountable for the quality and integrity of
information generated by their IT systems
are not well versed in the intricacies of
internal control. This is not to suggest that
risk is not being managed by IT, but rather
that it may not be formalized or structured
in a way required by an organization’s
management or its auditors.”
IT Key Areas of Responsibility
• Understanding the organization’s internal control
program and financial reporting process
• Mapping the IT systems that support internal
control and the financial reporting process to the
financial statements
• Identifying risks related to these systems
• Designing and implementing controls to mitigate the
identified risks, and monitoring them for continued
effectiveness
• Documenting and testing IT controls
IT Key Areas of Responsibility
• Ensuring that IT controls are updated and
changed, as necessary, to correspond with
changes in internal control or financial
reporting process
• Monitoring IT controls for effective
operation over time
• Participation by IT in the Sarbanes-Oxley
project management office
ITGI Control Objectives
• IT Control Environment
• Computer Operations
• Access to Programs and Data
• Program Development and Program Change
IT Control Environment
The PCAOB has indicated that an ineffective
control environment should be regarded as
at least a significant deficiency and as a
strong indicator that a material weakness in
internal control over financial reporting
exists.
What is the IT Control Environment?
• IT Governance Process
– IS Strategic Plan
– IT risk management process
– Compliance and regulatory management
– IT policies, procedures and standards
Monitoring and reporting are required to ensure
that IT is aligned with business requirements.
Computer Operations
Computer operations should include controls over:
• Effective acquisition
• Implementation
• Configuration and maintenance
• Ongoing operation: controls here address the day-to-day
delivery of information services, service level management,
management of third-party services, etc.
Access to Programs and Data
The overall goal of access controls is to prevent
“the unauthorized use of, and changes to,
the system, and that the entity protects its data and
program integrity.”
Program Development and
Program Change
• What are the acquisition and
implementation risks of new applications
and/or systems?
• What are the risks of not having a good
change management program?
Multi-location Considerations
• Significant business units
• Potential financial materiality and
significant risk considerations; both the
quantitative and the qualitative aspects
provide focus
What is SOX?
• SOX provides the foundation for new corporate
governance rules, regulations and standards issued by the
Securities and Exchange Commission. It covers a range of
topics from criminal penalties to corporate board
responsibilities. SOX also covers issues such as
independent auditing requirements, corporate governance,
internal control assessment, and enhanced financial
disclosure.
• CEOs and CFOs of publicly traded companies are held
accountable for the quality of the controls established
which enable accurate financial reporting (including IT
processes, systems and roles).
Penalties
• Section 802(a) of SOX (codified at 18 U.S.C. § 1519) states: “Whoever knowingly
alters, destroys, mutilates, conceals, covers up, falsifies, or
makes a false entry in any record, document, or tangible
object with the intent to impede, obstruct, or influence the
investigation or proper administration of any matter within
the jurisdiction of any department or agency of the United
States or any case filed under title 11, or in relation to or
contemplation of any such matter or case, shall be fined
under this title, imprisoned not more than 20 years, or
both.”
What prompted SOX?
• Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals, including Enron and WorldCom.
A hint on policies.
Bear in mind that you will be held to the letter of
all policies your company develops related to
SOX even if they exceed federal requirements.
This is very important to remember when drafting
policies.
Policies should ensure that corporate behavior is
consistent, controlled, and can be proven.
A word on Frameworks
There are many frameworks out there to assist you with SOX compliance. The key is to find a framework that works for your team, commit to it, train on it, and use it to your best possible advantage.
Examples of COBIT Controls
• Network Security – firewalls, secure network configuration including 802.11x
• Virus Protection – antivirus and anti-spyware, updated regularly
• Backups & Restore – regularly tested procedures
• IT Continuity – disaster recovery procedures
• File Access Privilege Controls
• Identity Management – password strength/age and access. Who has access, and is that appropriate now?
• Risk Evaluation Programs – risk assessment and internal auditing
• Employee IT Security Training – training of end users related to utilization of resources
• Management support/buy-in – executive-level oversight of projects related to IT
• IT as part of strategic planning – the business must be supported by technologies
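The question behind the Identity Management control, who has access and whether it is still appropriate, is answered by an access recertification: reconcile the application's account dump against the HR roster, the role model and the password policy. The Python below is an added example, not material from the slides or from any COBIT publication; the roster, the account dump, the role-to-entitlement model, the segregation-of-duties pairs and the thresholds (90-day password age, 60-day dormancy, review date 2024-06-01) are all constructed assumptions.

```python
"""Access recertification for a financial application (added example).

Reconciles an application's account dump against the HR roster and the
password policy to answer: who has access, and is it still appropriate?
All roster data, accounts, roles and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Policy thresholds: assumptions for this example, not taken from the slides.
MAX_PASSWORD_AGE_DAYS = 90
DORMANT_AFTER_DAYS = 60
AS_OF = date(2024, 6, 1)          # review date for the constructed data

# Entitlement pairs no single account may hold at once (assumed SoD rules).
SOD_CONFLICTS = [
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
]
# Entitlements each job role is permitted to hold (assumed role model).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve", "invoice.enter"},
    "controller": {"journal.post", "journal.approve", "report.view"},
    "dba": {"db.admin"},
}

@dataclass
class Employee:
    emp_id: str
    role: str
    active: bool

@dataclass
class Account:
    username: str
    emp_id: Optional[str]         # None for shared/service accounts
    entitlements: Set[str]
    password_changed: date
    last_login: date

# Constructed HR roster and application account dump.
HR: Dict[str, Employee] = {e.emp_id: e for e in [
    Employee("E100", "ap_clerk", True),
    Employee("E101", "ap_manager", True),
    Employee("E102", "controller", True),
    Employee("E103", "dba", False),           # terminated, account never removed
]}
ACCOUNTS: List[Account] = [
    Account("asmith", "E100", {"vendor.create", "invoice.enter"},
            date(2024, 3, 1), date(2024, 5, 28)),
    Account("bjones", "E101", {"payment.approve", "invoice.enter", "vendor.create"},
            date(2024, 5, 1), date(2024, 5, 30)),
    Account("cwu", "E102", {"journal.post", "journal.approve", "report.view"},
            date(2024, 5, 20), date(2024, 2, 1)),
    Account("dlee", "E103", {"db.admin"}, date(2024, 4, 15), date(2024, 5, 29)),
    Account("svc_batch", None, {"journal.post"}, date(2023, 1, 1), date(2024, 5, 31)),
]

def review_access(accounts: List[Account], hr: Dict[str, Employee],
                  as_of: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an empty list means every account passed."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        emp = hr.get(a.emp_id) if a.emp_id else None
        # Ownership: every account must map to a current, named employee.
        if a.emp_id is None:
            findings.append((a.username, "shared/service account has no named owner"))
        elif emp is None:
            findings.append((a.username, f"orphan account: {a.emp_id} not in HR roster"))
        elif not emp.active:
            findings.append((a.username, "terminated employee still has an account"))
        else:
            # Least privilege: entitlements must fit the employee's current role.
            excess = a.entitlements - ROLE_ENTITLEMENTS.get(emp.role, set())
            if excess:
                findings.append((a.username,
                                 f"entitlements beyond role {emp.role}: {sorted(excess)}"))
        # Segregation of duties, checked regardless of ownership.
        for pair in SOD_CONFLICTS:
            if pair <= a.entitlements:
                findings.append((a.username, f"SoD conflict: {sorted(pair)}"))
        # Password age and dormancy against policy.
        if (as_of - a.password_changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.username, "password older than policy maximum"))
        if (as_of - a.last_login).days > DORMANT_AFTER_DAYS:
            findings.append((a.username, "dormant account: no login in review window"))
    return findings

def run_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed data as of AS_OF."""
    return review_access(ACCOUNTS, HR, AS_OF)

if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:10s} {finding}")
```

On the constructed data the review produces eight findings: one stale password, one terminated employee with a live account, one service account with no named owner, two segregation-of-duties conflicts, one set of entitlements outside the job role, and one dormant account. The point of keeping the findings as data rather than printing them is that the list itself is the evidence an auditor asks for, and the same function can be re-run at the next review date.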
Change Management
Standardized change control is a great place to
find fast rewards in pursuit of compliance.
• Change Approval
• Change Categorization
• Change Documentation
• Change Prioritization
• Formal Request for Change Process
• A body of subject matter experts that oversees
change.
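A detective control that makes the formal request-for-change process auditable is reconciling what actually reached production against the change register: every deployment should trace to a ticket that was approved before the deployment, by someone other than the implementer, with emergency changes flagged for retrospective review. The Python below is an added example, not part of the slides; the deployment log format (timestamp, the word deploy, then key=value fields), the ticket fields and every record shown are constructed assumptions.

```python
"""Reconcile production deployments to approved change tickets (added example).

A detective control over the formal request-for-change process: every change
that reached production must trace to a ticket approved before the deployment,
by someone other than the implementer. The log format, ticket fields and
records below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

@dataclass
class RFC:
    ticket: str
    status: str                     # "approved", "pending" or "rejected"
    approved_by: Optional[str]
    approved_at: Optional[datetime]
    category: str                   # "standard", "normal" or "emergency"

def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)

# Constructed change register.
RFCS: Dict[str, RFC] = {r.ticket: r for r in [
    RFC("CHG-1042", "approved", "bjones", _utc(2024, 5, 30, 18, 0), "normal"),
    RFC("CHG-1043", "pending", None, None, "normal"),
    RFC("CHG-1044", "approved", "asmith", _utc(2024, 5, 31, 9, 0), "normal"),
    RFC("CHG-1045", "approved", "cwu", _utc(2024, 5, 31, 23, 30), "emergency"),
]}

# Constructed deployment log: ISO timestamp, "deploy", then key=value fields.
DEPLOY_LOG = """\
2024-05-30T22:14:03Z deploy host=erp-prod-01 app=erp version=4.2.1 rfc=CHG-1042 by=asmith
2024-05-31T01:02:10Z deploy host=erp-prod-01 app=erp version=4.2.2 rfc=CHG-1043 by=asmith
2024-05-31T08:30:00Z deploy host=erp-prod-02 app=gl version=7.0.3 rfc=CHG-1044 by=asmith
2024-05-31T23:45:12Z deploy host=erp-prod-01 app=erp version=4.2.3 rfc=CHG-1045 by=dlee
2024-06-01T03:12:44Z deploy host=erp-prod-02 app=gl version=7.0.4 by=dlee
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+deploy\s+(?P<fields>.+)$")

def parse_deploy_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict of fields, or None if it is not a deploy record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return fields

def reconcile(log_text: str, rfcs: Dict[str, RFC]) -> List[Tuple[str, str]]:
    """Return (deployment, exception) pairs; empty means every change traces to an approval."""
    exceptions: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        d = parse_deploy_line(line)
        if d is None:
            continue
        desc = f"{d['app']}@{d['version']} on {d['host']} by {d['by']}"
        ticket = d.get("rfc")
        if ticket is None:
            exceptions.append((desc, "no change ticket recorded"))
            continue
        rfc = rfcs.get(ticket)
        if rfc is None:
            exceptions.append((desc, f"{ticket} not found in change register"))
            continue
        if rfc.status != "approved":
            exceptions.append((desc, f"{ticket} status is '{rfc.status}', not approved"))
            continue
        # Approval must precede the deployment, not be back-filled after it.
        if rfc.approved_at is None or rfc.approved_at > d["ts"]:
            exceptions.append((desc, f"{ticket} approved after deployment"))
        # Segregation of duties: the implementer may not be the approver.
        if rfc.approved_by == d["by"]:
            exceptions.append((desc, f"{ticket} approved by its own implementer {d['by']}"))
        # Emergency changes bypass normal review and need a retrospective one.
        if rfc.category == "emergency":
            exceptions.append((desc, f"{ticket} is an emergency change; retrospective review required"))
    return exceptions

def run_reconciliation() -> List[Tuple[str, str]]:
    return reconcile(DEPLOY_LOG, RFCS)

if __name__ == "__main__":
    for dep, exc in run_reconciliation():
        print(f"{dep}: {exc}")
```

Of the five constructed deployments only the first is clean; the others surface the classic exceptions an auditor samples for: a change deployed on a ticket still pending, a ticket approved after the fact by the same person who deployed it, an emergency change awaiting retrospective review, and a deployment with no ticket at all. The deployment log has to come from a source the implementers cannot edit (the deployment tooling or the host's own audit trail), otherwise the reconciliation only proves what someone chose to record.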
Consistent Logging
• Change Management
• Configuration Management
• Event Management
• Incident Management
• Knowledge Management
• Problem Management
“Operationalize” information.
Connect the internal changes needed with the
strategic objectives of the company.
Illustrate that real-time information flow enhances
your organization’s ability to make decisions
while making compliance easier.
Point out the significance of new activities that
may seem mundane or inconsequential. This will
help actions taken by staff at every level feel more
relevant and less painful.
Remember W. Edwards Deming?
SOX compliance is not a fix-it-and-forget-it endeavor. As companies and the ecosystems that support them change, new compliance quandaries will come up.
How can SOX help?
Perspectives on operational control, consistency,
and quality take on a whole different meaning
once they have a clear relationship to fiduciary
responsibility.
It is amazing how different the conversation about
project prioritization becomes once executive
management is offered the opportunity to make
the decisions guiding it.