IT Governance and
SARBOX Compliance
Presenter: Lily Shue
Internet Now Technologies Ltd.
Objectives
Overview of:
• What is IT Governance?
• Why IT Governance?
• What are the relationships between IT Governance, SARBOX, COSO and CobiT®?
What is IT Governance?
• Direct IT endeavors
• Ensure the performance of IT addresses:
  • Alignment of IT with the enterprise and realization of the promised benefits
  • Use of IT to enable the enterprise by exploiting opportunities and maximizing benefits
  • Responsible use of IT resources
  • Appropriate management of IT-related risks
What is IT Governance?
Focus Areas of IT Governance (diagram: the five focus areas arranged around the central driver)
• Stakeholder Value Drivers (centre)
• IT Strategic Alignment
• IT Value Delivery
• Risk Management
• IT Resource Management
• Performance Measurement
What is IT Governance?
IT Governance:
• Is part of a broad framework of Enterprise Governance
• Is the responsibility of executives and board members, including the CIO, CEO and CFO
• Should be addressed like any other strategic agenda item of the board
IT Governance Reporting Structures (organization chart: Board → Executive → Managers → Team Leaders → Teams)
IT Governance Responsibilities
The Board should:
• Drive enterprise alignment
• Direct management to deliver measurable value
• Manage enterprise risk
• Support learning and growth and manage resources
• Measure performance
IT Governance Responsibilities
Executive management should address the following board expectations:
• Cascade strategy, policies and goals down into the enterprise and align the IT organization with the enterprise goals
• Provide organizational structures to support the implementation of IT strategies and an IT infrastructure to facilitate the creation and sharing of business information
• Measure performance
IT Governance Responsibilities
Executive management should focus on:
• Core competencies that IT must support
• Key IT processes that improve business value
• IT competencies related to planning and overseeing the management of IT assets, risks, projects, customers and vendors
• Optimization of IT costs to obtain the right value from IT resources
• Clear external sourcing strategies
IT Governance Framework (diagram; source: ITGI Board Briefing on IT Governance)
Cycle: Set Objectives → Provide Direction → IT Activities → Measure Performance → Compare against objectives
Objectives:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
IT Activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)
Why IT Governance?
• Good governance of IT is critical in supporting and enabling enterprise goals
• Boards expect management to:
  • Deliver IT solutions of the right quality, on time and on budget
  • Harness and exploit IT to return business value
  • Leverage IT to increase efficiency and productivity while managing IT risks
  • Minimize negative impacts
SARBOX Requirements
SARBOX Section 302
• Who: Corporate management, executive and financial officers
• What:
  1. Evaluate the effectiveness of disclosure controls (with focus on changes since the most recent evaluation)
  2. Evaluate changes in internal control over financial reporting
  3. Disclose all known control deficiencies and weaknesses
  4. Disclose acts of fraud
• How often: Quarterly assessment by management
SARBOX Section 404
• Who: Corporate management, executive and financial officers
• What:
  1. Evaluate the design and operating effectiveness of internal controls over financial reporting
  2. Disclose all known control deficiencies and significant deficiencies
  3. Disclose acts of fraud
• How often: Annual assessment by management and independent auditors
COSO Components
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
COSO Components
Control Environment
• Creates the foundation for effective internal control
• Establishes the “tone at the top”
• Represents the apex of the corporate governance structure
• Applies throughout an organization
• Is addressed at the company level
• IT frequently has characteristics that require additional emphasis on business alignment, roles and responsibilities, policies and procedures, and technical competence
COSO Components
Risk Assessment
• The identification and analysis by management of relevant risks to achieving predetermined objectives; forms the basis for determining control activities
• Occurs at the company level or at the activity level for a specific process or business unit
Control Activities
• Policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out
• Two broad groupings of information system control activities:
  • General controls
  • Application system development and maintenance controls
COSO Components
Information and Communication
• COSO states that information is needed at all levels of an organization to run the business and achieve the entity’s control objectives
Monitoring
• COSO states that monitoring covers the oversight of internal control by management through continuous and point-in-time assessment processes
• Two types of monitoring:
  • Continuous monitoring
  • Separate evaluations
• IT examples: performance measures that show an underlying control is operating effectively, defect identification and management, and security monitoring
General and Application Controls
Examples of general controls:
•Data center operation controls
•System software controls
•Access security controls
•Application system development and
maintenance controls
Examples of application controls:
•Balancing control activities
•Check digits
•Predefined data listings
•Data reasonableness tests
•Logic tests
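The application controls listed above (check digits, predefined data listings, reasonableness tests, logic tests and balancing controls) are easiest to understand when applied to a concrete batch of transactions. The following is an added example, not code from the slides or from Internet Now Technologies: it runs each control type over a constructed batch of journal-entry lines. The chart of accounts, the amount limits, the vendor numbers and the sample lines are all made-up assumptions.

```python
# Added example (not from the original slides): the application-control types the
# slide lists (check digits, predefined data listings, data reasonableness tests,
# logic tests and balancing controls) applied to a constructed batch of journal
# entry lines. Account numbers, limits, vendor IDs and records are made up.
from dataclasses import dataclass
from typing import List

# Predefined data listing: the only general-ledger accounts a line may post to (assumed).
VALID_ACCOUNTS = {"1000", "2000", "4000", "5000"}

# Reasonableness band for a single line amount (assumed policy values).
MIN_AMOUNT = 0.01
MAX_AMOUNT = 1_000_000.00


def luhn_check_digit(body: str) -> int:
    """Mod-10 (Luhn) check digit for a string of digits, computed right to left."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # double every second digit, starting at the rightmost
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """Check-digit control: the last digit must equal the Luhn digit of the rest."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == int(number[-1])


@dataclass
class Line:
    vendor_id: str      # vendor number whose last digit is a Luhn check digit
    account: str        # general-ledger account the line posts to
    debit: float
    credit: float


@dataclass
class Finding:
    line_no: int        # 0 means the finding applies to the batch as a whole
    control: str
    detail: str


def validate_line(n: int, line: Line) -> List[Finding]:
    """Apply the line-level application controls to one journal line."""
    findings = []
    if not luhn_valid(line.vendor_id):
        findings.append(Finding(n, "check digit", f"vendor_id {line.vendor_id} fails mod-10 check"))
    if line.account not in VALID_ACCOUNTS:
        findings.append(Finding(n, "predefined data listing", f"account {line.account} not in chart of accounts"))
    for side, amount in (("debit", line.debit), ("credit", line.credit)):
        if amount != 0 and not (MIN_AMOUNT <= amount <= MAX_AMOUNT):
            findings.append(Finding(n, "reasonableness", f"{side} {amount} outside [{MIN_AMOUNT}, {MAX_AMOUNT}]"))
    # Logic test: a line carries exactly one of debit or credit, never both and never neither.
    if (line.debit > 0) == (line.credit > 0):
        findings.append(Finding(n, "logic", "line must carry exactly one of debit or credit"))
    return findings


def validate_batch(lines: List[Line]) -> List[Finding]:
    """Line-level controls first, then the batch balancing control (debits == credits)."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(validate_line(n, line))
    total_debit = round(sum(l.debit for l in lines), 2)
    total_credit = round(sum(l.credit for l in lines), 2)
    if total_debit != total_credit:
        findings.append(Finding(0, "balancing", f"debits {total_debit} != credits {total_credit}"))
    return findings


# Constructed sample batch: vendor 12344 carries a valid check digit, 12345 does not.
SAMPLE_BATCH = [
    Line("12344", "1000", 500.00, 0.00),
    Line("12344", "4000", 0.00, 500.00),
    Line("12345", "9999", 0.00, 0.00),          # bad check digit, unknown account, no amount
    Line("12344", "5000", 2_000_000.00, 0.00),  # amount outside the reasonableness band
]

if __name__ == "__main__":
    for f in validate_batch(SAMPLE_BATCH):
        print(f"line {f.line_no or 'batch'}: {f.control}: {f.detail}")
```

Run as a script it reports five findings: three on the third line (check digit, predefined data listing, logic), one on the fourth (reasonableness), and a batch-level balancing failure because the bad fourth line leaves debits and credits unequal. The first two lines alone pass every control. The point for a SOX reviewer is that each control is a separate, testable rule, so evidence of design and operating effectiveness can be collected per control rather than for the application as a whole.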
CobiT Control Objectives
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
CobiT Control Objectives
Plan and Organize
• Define a strategic IT plan
• Define the information architecture
• Determine technological direction
• Define the IT organization and relationships
• Manage the IT investment
• Communicate management aims and direction
• Manage human resources
• Ensure compliance with external requirements
• Assess risks
• Manage projects
• Manage quality
CobiT Control Objectives
Acquire and Implement
• Identify automated solutions
• Acquire and maintain application software
• Acquire and maintain technology infrastructure
• Develop and maintain procedures
• Install and accredit systems
• Manage changes
CobiT Control Objectives
Deliver and Support
• Define and manage service levels
• Manage third-party services
• Manage performance and capacity
• Ensure continuous service
• Ensure system security
• Identify and allocate costs
• Educate and train users
• Assist and advise customers
• Manage the configuration
• Manage problems and incidents
• Manage data
• Manage facilities
• Manage operations
CobiT Control Objectives
Monitor and Evaluate
• Monitor the process
• Assess internal control adequacy
• Obtain independent assurance
• Provide for independent audit
Relationships between SARBOX and IT Governance
• SARBOX aims to enhance corporate/IT governance through measures that will strengthen:
  • Internal checks and balances
  • Corporate accountability
  • Establishment and maintenance of an adequate internal control structure
  • Assessment of its effectiveness on an annual basis
Relationships between SARBOX and IT Governance
• Building a strong internal control program within IT can help enhance overall IT governance
• CEOs should provide organizational structures to support the implementation of IT strategy
• CIOs must be business oriented and provide a bridge between IT and the business
• All executives should become involved in IT steering or similar committees
Relationships between SARBOX and COSO
• COSO is the recommended internal control framework to be used for evaluating the effectiveness of the company’s internal control over financial reporting
• COSO addresses the topic of IT general controls, but does not dictate requirements for such control objectives and related control activities
• The PCAOB highlights the importance of IT general controls but does not specify which in particular must be included
Relationships between SARBOX and COSO
• General controls ensure that financial information from a company’s application systems can be relied upon
• Application controls are embedded within software programs to prevent or detect unauthorized transactions
• When combined with general controls, application controls ensure the completeness, accuracy, authorization and validity of processing transactions
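Of the general controls the slides list, access security controls are the ones most directly tied to the "authorization" outcome above: an application control cannot guarantee authorization if people who should not have access can still post or alter data. The following is an added example, not code from the slides or from Internet Now Technologies, of one such control: a periodic privileged-access review that reconciles application accounts against the HR roster and an approved-administrator list. The roster, accounts, role names, approved list and 90-day dormancy threshold are constructed assumptions.

```python
# Added example (not from the original slides): a periodic privileged-access review,
# one form of the "access security controls" the slides list among IT general controls.
# Roster, accounts, approved-administrator list, role names and the 90-day dormancy
# threshold are constructed assumptions, not anything from the slides.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Set, Tuple

PRIVILEGED_ROLES = {"GL_ADMIN", "DBA"}   # assumed names of roles that can alter financial data


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                      # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]            # None when HR has no record for this account
    roles: FrozenSet[str]
    last_login: date


def review_access(employees: List[Employee], accounts: List[Account],
                  approved_admins: Set[str], as_of: date,
                  dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (issue, username) pairs for every account that fails the review.

    Checks, in order per account: the account maps to a person on the HR roster,
    that person is still employed, privileged roles are held only by approved
    administrators, and the account has been used within the dormancy window.
    """
    roster = {e.emp_id: e for e in employees}
    issues = []
    for a in accounts:
        owner = roster.get(a.emp_id) if a.emp_id else None
        if owner is None:
            issues.append(("orphan", a.username))
        elif owner.status == "terminated":
            issues.append(("terminated_user", a.username))
        if (a.roles & PRIVILEGED_ROLES) and a.username not in approved_admins:
            issues.append(("unapproved_privilege", a.username))
        if (as_of - a.last_login).days > dormant_days:
            issues.append(("dormant", a.username))
    return issues


# Constructed sample data for a review as of 2024-03-31.
AS_OF = date(2024, 3, 31)
EMPLOYEES = [
    Employee("E1", "active"),
    Employee("E2", "terminated"),
    Employee("E3", "active"),
]
ACCOUNTS = [
    Account("alice", "E1", frozenset({"GL_ADMIN"}), date(2024, 3, 28)),   # approved admin, in use
    Account("bob", "E2", frozenset({"AP_CLERK"}), date(2024, 1, 14)),     # owner has left the company
    Account("svc_batch", None, frozenset({"DBA"}), date(2024, 3, 30)),    # no HR owner, unapproved DBA
    Account("carol", "E3", frozenset({"AP_CLERK"}), date(2023, 11, 1)),   # not used for 151 days
]
APPROVED_ADMINS = {"alice"}

if __name__ == "__main__":
    for issue, user in review_access(EMPLOYEES, ACCOUNTS, APPROVED_ADMINS, AS_OF):
        print(f"{issue}: {user}")
```

The review flags bob (terminated owner), svc_batch twice (no HR owner, and a privileged role not on the approved list) and carol (dormant); alice passes. In practice the employee list comes from HR, the account list from the application or directory, and the approved-administrator list from the change or access-request system, and the output of each run is retained as the evidence an auditor asks for when testing that the control operates every period.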
Relationships between COSO and CobiT®
• Specific IT control objective decisions remain the responsibility of an organization’s management and independent auditors
• Companies should assess the nature and extent of IT on a case-by-case basis
Relationships between COSO and CobiT®
• IT management requires more examples to:
  • Help identify, document and evaluate IT controls
  • Provide guidance on specific control objectives for consideration for compliance with COSO and ultimately SARBOX
• A company can use the CobiT® (Control Objectives for Information and Related Technologies) framework, established by the IT Governance Institute (ITGI), to design a system of IT controls to comply with Section 404
Relationships between SARBOX and CobiT®
CobiT:
• Is a comprehensive approach for managing risk and control of IT
• Has been used by IT and control professionals as the initial IT controls baseline to develop a control objective template
• Provides both company and activity objectives along with associated controls
• Is an open framework and an IT governance model
Relationships between COSO and CobiT®
• COSO identifies 5 components of internal control that need to be in place and integrated to achieve financial reporting and disclosure objectives
• CobiT provides 4 categories of control objectives
Relationships between COSO and CobiT® (diagram)
Section 302 and Section 404 → COSO Components → CobiT Objectives
COSO Components:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
CobiT Objectives:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
Cobit Relationship to COSO
(Mapping matrix; source: ITGI IT Control Objectives for Sarbanes-Oxley Discussion Document. Columns are the COSO components: 1 Control Environment, 2 Risk Assessment, 3 Control Activities, 4 Information and Communication, 5 Monitoring. Rows are the CobiT control objectives listed below; each cell marks whether that objective supports the COSO component. The individual cell marks are not reproduced here.)
CobiT Control Objectives
Plan and Organize
• Define a strategic IT plan
• Define the information architecture
• Determine technological direction
• Define the IT organization and relationships
• Manage the IT investment
• Communicate management aims and direction
• Manage human resources
• Ensure compliance with external requirements
• Assess risks
• Manage projects
• Manage quality
Acquire and Implement
• Identify automated solutions
• Acquire and maintain application software
• Acquire and maintain technology infrastructure
• Develop and maintain procedures
• Install and accredit systems
• Manage changes
Deliver and Support
• Define and manage service levels
• Manage third-party services
• Manage performance and capacity
• Ensure continuous service
• Ensure system security
• Identify and allocate costs
• Educate and train users
• Assist and advise customers
• Manage the configuration
• Manage problems and incidents
• Manage data
• Manage facilities
• Manage operations
Monitor and Evaluate
• Monitor the process
• Assess internal control adequacy
• Obtain independent assurance
• Provide for independent audit
Relationships between COSO and CobiT®
Key Points…
• Ensure compliance with external requirements
• Manage change: system logic and business rules from end to end
• Manage data: data lineage from end to end
Frequently Asked Questions by CFOs and CEOs
• How do we assure that business rules and calculations for financial reporting are correct?
• How do we assure that change management relating to financial reporting is appropriately implemented in all applications/systems?
• How do we assure that documentation for compliance with Section 404 is correct?
• How do we assure that the data flow for financial reporting is correct?
• How do we ensure the environment is adequately controlled going forward?
Summary
• SARBOX provides the impetus to develop an IT financial reporting control framework that links COSO financial reporting objectives to existing IT management and control frameworks
• SARBOX provides the foundation for new corporate/IT governance
• The SEC final rule makes specific reference to the COSO recommendation
• PCAOB directions are based on COSO
• CobiT provides both company and activity objectives along with associated controls; a company can use the CobiT framework to design a system of IT controls to comply with Section 404
Summary
• CIOs must now take on the challenges of:
  • Enhancing their knowledge of internal control
  • Understanding their company’s overall SARBOX compliance plan
  • Developing a compliance plan to specifically address IT controls
  • Integrating this plan into overall SARBOX compliance
• IT professionals, especially those in executive positions, need to be well versed in internal control theory and practice to meet the requirements of the Act
Questions?