IT Governance and SARBOX Compliance
Presenter: Lily Shue, Internet Now Technologies Ltd.

Objectives
Overview of:
• What is IT Governance?
• Why IT Governance?
• What are the relationships between IT Governance, SARBOX, COSO and CobiT®?

What is IT Governance?
• Direct IT endeavors
• Ensure the performance of IT addresses:
  • Alignment of IT with the enterprise and realization of the promised benefits
  • Use of IT to enable the enterprise by exploiting opportunities and maximizing benefits
  • Responsible use of IT resources
  • Appropriate management of IT-related risks

What is IT Governance? Focus Areas of IT Governance
• IT Value Delivery
• IT Strategic Alignment
• Stockholder Value Drivers
• Performance Measurement
• IT Resource Management
• Risk Management

What is IT Governance?
IT Governance:
• Is part of a broad framework of Enterprise Governance
• Is the responsibility of executives and board members, including the CIO, CEO and CFO
• Should be addressed like any other strategic agenda item of the board

IT Governance Reporting Structures
[Org chart: Board → Executive → Managers → Team Leaders → Teams]

IT Governance Responsibilities
The Board should:
• Drive enterprise alignment
• Direct management to deliver measurable value
• Manage enterprise risk
• Support learning and growth and manage resources
• Measure performance

IT Governance Responsibilities
Executive management should address the following board expectations:
• Cascade strategy, policies and goals down into the enterprise and align the IT organization with the enterprise goals
• Provide organizational structures to support the implementation of IT strategies and an IT infrastructure to facilitate the creation and sharing of business information
• Measure performance

IT Governance Responsibilities
Executive management should focus on:
• Core competencies that IT must support
• Key IT processes that improve business value
• IT competencies related to planning and overseeing the management of IT assets, risks, projects, customers and vendors
• Optimization of IT costs to obtain the right value from IT resources
• Clear external sourcing strategies

IT Governance Framework
[Cycle diagram: Set Objectives → Provide Direction → IT Activities → Measure Performance → Compare]
Objectives:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
IT activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)
Source: ITGI Board Briefing on IT Governance

Why IT Governance?
• Good governance of IT is critical in supporting and enabling enterprise goals
• Boards expect management to:
  • Deliver IT solutions of the right quality, on time and on budget
  • Harness and exploit IT to return business value
  • Leverage IT to increase efficiency and productivity while managing IT risks
  • Minimize negative impacts

SARBOX Requirements: Who
• SARBOX Section 302: Corporate management, executive and financial officers
• SARBOX Section 404: Corporate management, executive and financial officers

SARBOX Requirements: What
SARBOX Section 302:
1. Evaluate effectiveness of disclosure controls (with focus on changes since the most recent evaluation)
2. Evaluate changes in internal control over financial reporting
3. Disclose all known control deficiencies and weaknesses
4. Disclose acts of fraud
SARBOX Section 404:
1. Evaluate design and operating effectiveness of internal controls over financial reporting
2. Disclose all known controls, significant deficiencies
3. Disclose acts of fraud

SARBOX Requirements: How Often
• SARBOX Section 302: Quarterly assessment by management
• SARBOX Section 404: Annual assessment by management and independent auditors

COSO Components
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

COSO Components: Control Environment
• Creates the foundation for effective internal control
• Establishes the "tone at the top"
• Represents the apex of the corporate governance structure
• Applies throughout an organization
• Is addressed at the company level
• IT frequently has characteristics that may require additional emphasis on business alignment, roles and responsibilities, policies and procedures, and technical competence

COSO Components: Risk Assessment and Control Activities
• Risk Assessment – the identification and analysis by management of relevant risks to achieving predetermined objectives; it forms the basis for determining control activities
  • Occurs at the company level or at the activity level for a specific process or business unit
• Control activities – policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out
  • Two broad groupings of information system control activities: general controls, and application system development and maintenance controls

COSO Components: Information and Communication, Monitoring
• Information and Communication – COSO states that information is needed at all levels of an organization to run the business and achieve the entity's control objectives
• Monitoring – COSO states that monitoring covers the oversight of internal control by management through continuous and point-in-time assessment processes
  • Two types of monitoring: continuous monitoring and separate evaluations
  • IT performance measures to evaluate whether the underlying controls are operating effectively, defect identification and management, and security monitoring

General and Application Controls
Examples of general controls:
• Data center operation controls
• System software controls
• Access security controls
• Application system development and maintenance controls
Examples of application controls:
• Balancing control activities
• Check digits
• Predefined data listings
• Data reasonableness tests
• Logic tests

CobiT Control Objectives
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

CobiT Control Objectives: Plan and Organize
• Define a strategic IT plan
• Define the information architecture
• Determine technological direction
• Define the IT organization and relationships
• Manage the IT investment
• Communicate management aims and direction
• Manage human resources
• Ensure compliance with external requirements
• Assess risks
• Manage projects
• Manage quality

CobiT Control Objectives: Acquire and Implement
• Identify automated solutions
• Acquire and maintain application software
• Acquire and maintain technology infrastructure
• Develop and maintain procedures
• Install and accredit systems
• Manage changes

CobiT Control Objectives: Deliver and Support
• Define and manage service levels
• Manage performance and capacity
• Ensure continuous service
• Ensure system security
• Identify and allocate costs
• Educate and train users
• Assist and advise customers
• Manage the configuration
• Manage problems and incidents
• Manage data
• Manage facilities
• Manage operations

CobiT Control Objectives: Monitor and Evaluate
• Monitor the process
• Assess internal control adequacy
• Obtain independent assurance
• Provide for independent audit

Relationships between SARBOX and IT Governance
SARBOX aims to enhance corporate/IT governance through measures that will strengthen:
• Internal checks and balances
• Corporate accountability
• Establishing and maintaining an adequate internal control structure
• Assessing its effectiveness on an annual basis

Relationships between SARBOX and IT Governance
• Building a strong internal control program within IT can help enhance overall IT governance
• CEOs should provide organizational structures to support the implementation of IT strategy
• CIOs must be business oriented and provide a bridge between IT and the business
• All executives should become involved in IT steering or similar committees

Relationships between SARBOX and COSO
• COSO is the recommended internal control framework to be used for evaluating the effectiveness of the company's internal control over financial reporting
• COSO addresses the topic of IT general controls, but does not dictate requirements for such control objectives and related control activities
• The PCAOB highlights the importance of IT general controls but does not specify which in particular must be included

Relationships between SARBOX and COSO
• General controls – ensure that financial information from a company's application systems can be relied upon
• Application controls – embedded within software programs to prevent or detect unauthorized transactions
• When combined with general controls, application controls ensure the completeness, accuracy, authorization and validity of transaction processing

Relationships between COSO and CobiT®
• Decisions on specific IT control objectives remain the responsibility of an organization's management and independent auditors
• Companies should assess the nature and extent of IT on a case-by-case basis

Relationships between COSO and CobiT®
• IT management requires more examples to:
  • help identify, document and evaluate IT controls
  • provide guidance on specific control objectives for consideration for compliance with COSO and ultimately SARBOX
• A company can use the CobiT® (Control Objectives for Information and Related Technologies) framework, established by the IT Governance Institute (ITGI), to design a system of IT controls to comply with Section 404

Relationships between SARBOX and CobiT®
CobiT:
• Is a comprehensive approach for managing risk and control of IT
• Has been used by IT and control professionals as the initial IT controls baseline to develop a control objective template
• Provides both company and activity objectives along with associated controls
• Is an open framework and an IT governance model

Relationships between COSO and CobiT®
• COSO identifies 5 components of internal control that need to be in place and integrated to achieve financial reporting and disclosure objectives
• CobiT provides 4 categories of control objectives

Relationships between COSO and CobiT®
[Diagram: Section 302 and Section 404 requirements map onto the COSO components, which in turn map onto the CobiT objectives]
CobiT Objectives:
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
COSO Components:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

CobiT Relationship to COSO
COSO components: 1-Control Environment, 2-Risk Assessment, 3-Control Activities, 4-Information and Communication, 5-Monitoring
[Matrix, one slide per CobiT domain: each control objective under Plan and Organize, Acquire and Implement, Deliver and Support (the list above plus "Manage third party services") and Monitor and Evaluate is marked (x) against the COSO components 1–5 it supports; the individual marks did not survive extraction]
Source: ITGI IT Control Objectives for Sarbanes-Oxley Discussion Document

Relationships between COSO and CobiT®: Key Points
• Ensure compliance with external requirements
• Manage change – system logic and business rules from end to end
• Manage data – data lineage from end to end

Frequently Asked Questions by CFOs and CEOs
• How do we assure that business roles and calculations for financial reporting are correct?
• How do we assure that change management relating to financial reporting is appropriately implemented in all applications/systems?
• How do we assure that documentation for compliance with Section 404 is correct?
• How do we assure that the data flow for financial reporting is correct?
• How do we ensure that the environment is adequately controlled going forward?

Summary
• SARBOX provides the impetus to develop an IT financial reporting control framework that links COSO financial reporting objectives to the existing IT management and control framework
• SARBOX provides the foundation for new Corporate/IT Governance
• The SEC final rule made specific reference to the recommendation of COSO
• PCAOB directions are based on COSO
• CobiT provides both company and activity objectives along with associated controls; a company can use the CobiT framework to design a system of IT controls to comply with Section 404

Summary
CIOs must now take on the challenges of:
• Enhancing their knowledge of internal control
• Understanding their company's overall SARBOX compliance plan
• Developing a compliance plan to specifically address IT controls
• Integrating this plan into overall SARBOX compliance
IT professionals, especially those in executive positions, need to be well versed in internal control theory and practice to meet the requirements of the Act.

Questions?