
IT Control Objectives for SOX

The Role of IT in the design and implementation of Internal Control over Financial Reporting



  1. Sarbanes-Oxley (SOX) compliance: The Role of IT in the design and implementation of Internal Control over Financial Reporting. Mahesh Patwardhan, maheshpatwardhan@rediffmail.com
  2. SOX
     • The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States federal law enacted on July 30, 2002. It is named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.
     • The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
     • These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets. The act was passed to safeguard investors and restore confidence in the securities markets.
     • The gist of the act is that a company's top management has to certify, by way of internal and external audits, that there is sufficient internal control over all systems impacting financial reporting.
  3. Definitions
     • COSO
       • Committee of Sponsoring Organizations of the Treadway Commission
       • Model for evaluating internal controls
       • Generally accepted framework for internal control
       • Definitive standard against which organizations measure the effectiveness of internal controls
     • Internal Control
       • A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
         • Effectiveness and efficiency of operations
         • Reliability of financial reporting
         • Compliance with applicable laws and regulations
     • Five Components of an Internal Control System
       • Control Environment
       • Risk Assessment
       • Control Activities
       • Information and Communication
       • Monitoring
  4. IT Compliance Roadmap (phases)
     • Plan and Scope IT Controls
     • Assess IT Risk
     • Document Controls
     • Evaluate Control Design and Operating Effectiveness
     • Prioritize and Remediate Deficiencies
  5. Internal Control Framework
     • Control Environment
       • Integrity and Ethical Values
       • Commitment to competence
       • Board of Directors and audit committee
       • Management's Philosophy and Operating Style
       • Organizational Structure
       • Assignment of Authority and Responsibility
       • Human Resource Policies and Procedures
     • Risk Assessment
       • Company-wide objectives
       • Process-level objectives
       • Risk Identification and Analysis
       • Managing Change
     • Control Activities
       • Policies and Procedures
       • Security (Applications and Network)
       • Application Change Management
       • Business Continuity / Backups
       • Outsourcing
     • Information and Communication
       • Quality of Information
       • Effectiveness of Communication
     • Monitoring
       • Ongoing Monitoring
       • Separate Evaluations
       • Reporting Deficiencies
  6. Control Activities
     • Security (Applications and Network)
       • IT Security Policy
       • IT Access Control Policy
       • IT Appropriate Usage Policy
       • Email/Internet Policy
       • End-user Computing
     • Application Change Management
       • Application Authorization Matrix
       • End User Computing Traceability Matrix
       • IT Landscape Diagram
     • Policies and Procedures
       • Project Management
       • Job Scheduling
       • ISO
     • Business Continuity
       • IT Infrastructure Management
       • Disaster Recovery
       • Backup and Recovery Procedures
  7. IT Control Objectives for SOX
     • Acquire and Maintain Application Software
     • Acquire and Maintain Technology Infrastructure
     • Enable Operations
     • Install and Accredit Solutions and Changes
     • Manage Changes
     • Define and Manage Service Levels
     • Manage Third Party Services
     • Ensure Systems Security
     • Manage the Configuration
     • Manage Problems and Incidents
     • Manage Data
     • Manage Operations
  8. Types of Controls
     • Entity Level Controls
       • Strategies and Plans
       • Policies and Procedures
       • Risk Assessment Activities
       • Training and Education
       • Quality Assurance
       • Internal Audit
     • Application Controls
       • Completeness
       • Accuracy
       • Existence/Authorization
       • Presentation/Disclosure
     • IT General Controls
       • Program Development
       • Program Changes
       • Access to Programs and Data
       • Computer Operations
  9. Control Documentation
     • Entity Policy Manuals
     • IT Policies and Procedures
     • Narratives
     • Procedural Write-ups
     • Flowcharts
     • Decision Tables
     • Completed Questionnaires
  10. Control Documentation
     • Entity Level
       • Assessment of entity level controls, including evidence to support the responses and opinions of management
     • Activity Level
       • Description of the processes and related sub-processes (may be in narrative form; more effective to illustrate as a flowchart)
       • Description of the risk associated with the process or subprocess, including an analysis of its impact and probability of occurrence
       • Statement of the control objective designed to reduce the risk of the process or subprocess to an acceptable level, and a description of its alignment to the COSO framework
     • Activity Level
       • Description of the control activity(ies) designed and performed to satisfy the control objective related to the process or subprocess. This should include the type of controls (preventive or detective) and the frequency with which they are performed.
       • Description of the approach followed to confirm (test) the existence and operational effectiveness of the control activities
       • Conclusions reached about the effectiveness of controls, as a result of testing