Transcript: IIA Webcast – s302

Are You Ready for IT Control
Identification & Testing?
The Institute of Internal Auditors
February 10, 2004
Moderator:
Xenia Ley Parker, CIA, CISA, CFSA
XLP Associates
1
Agenda
• Introduction & Overview
Xenia Ley Parker, XLP Associates
• General Controls
Edward Hill, Protiviti
• Application Controls
John Gimpert, Deloitte
• Establishing a Framework
Reggie Combs, Lockheed Martin
• Break
• Q&A
2
References
• Public Company Accounting Oversight Board - www.pcaobus.org/
• Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports - www.sec.gov/rules/final/33-8238.htm
• “Internal Control—Integrated Framework”, Committee of Sponsoring Organizations of the Treadway Commission (COSO); Exposure Draft “Enterprise Risk Management Framework” - www.coso.org
• CobiT 3rd Edition, IT Governance Institute - www.isaca.org
• “IT Control Objectives for Sarbanes-Oxley” - www.itgi.org
• The IIA GAIN Flash Survey on use of SOX tools - www.gain2.org/sox4jwsum
• Protiviti “Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions” - www.protiviti.com
• Deloitte “Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002” - www.deloitte.com
• PricewaterhouseCoopers “Understanding the Independent Auditor’s Role in Building Trust”; “The Sarbanes-Oxley Act of 2002, Strategies for Meeting New Internal Control Reporting Challenges” - www.pwc.com
3
PCAOB ED Statements:
Impact on IT Control Guidance
• “determining which controls should be tested… generally, such
controls include… information technology general controls, on
which other controls are dependent” (page 41)
• “The auditor should obtain an understanding of the design of
specific controls by applying procedures that include… tracing
transactions through the information system relevant to
financial reporting” (page 48)
• “Information technology general controls over program
development, program changes, computer operations, and
access to programs and data help ensure that specific controls
over the processing of transactions are operating effectively”
(page 51)
4
PCAOB ED Statements
Impact on IT Control Guidance
• “The risk that the controls might not be operating effectively.
Factors … include the following:
– The degree to which the control relies on the
effectiveness of other controls (for example, the control
environment or information technology general controls)”
(page 74)
• “The audit should trace all types of transactions and events,
both recurring and unusual from origination through the
company’s information systems until they are reflected in the
company’s financial reports…” (page 79)
Source: http://www.pcaobus.org/
5
Introduction of Key Issues
• Define 404 universe, processes,
risks, & controls
• Identify key controls: assertions
related to control considerations
• Impact of IT controls
• Application vs. IT controls
• Establishing a framework
6
PCAOB Release No. 2003-017
issued 7 October 2003
• Because of the frequency with which management of
public companies is expected to use COSO as the
framework for the assessment, the directions in the
proposed standard are based on the COSO framework
• Other suitable frameworks have been published in
other countries and likely will be published in the
future
• Although different frameworks may not contain exactly
the same elements as COSO, they should have
elements that encompass all of COSO's general
themes
7
Tone at the Top
• IT Executives need to be well versed on
internal control theory and practice
• Does the audit committee have the expertise to
understand the relevance and degree of
reliability/importance of IT controls?
• Is the audit committee aware of any significant
activities affecting the IT environment as it
relates to financial reporting?
8
IT Control Objectives for Sarbanes-Oxley:
Common Elements of Organizations
[Diagram: Executive Management sits above the Company/Entity Level Controls, which span the business processes (Logistics, Manufacturing, Finance, etc.); the processes in turn rest on IT Services (OS/Data/Telecom/Continuity/Networks), the General Controls layer.]
Company-level controls
Entity controls set the tone for the organization. Examples include:
• Systems planning
• Operating style
• Enterprise policies
• Governance
• Collaboration
• Information sharing
• Codes of conduct
• Fraud prevention programs
General Controls
Controls embedded in common services form general controls. Examples include:
• Systems maintenance
• Disaster recovery
• Physical and logical security
• Data management
• Incident response
Application Controls
Controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include:
• Authorizations
• Approvals
• Tolerance levels
• Reconciliations
• Input edits
9
Sarbanes Oxley, COSO and COBIT®
IT controls should consider the overall governance framework to support the quality and integrity of information.
[Diagram: the COBIT objectives cycle (Plan and Organize → Acquire and Implement → Deliver and Support → Monitor and Evaluate) shown against the COSO components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring; Section 302 and Section 404 are drawn around the whole.]
Controls in IT are relevant to both the financial reporting and the disclosure requirements of Sarbanes-Oxley. Competency in all five layers of COSO’s framework is necessary to achieve an integrated control program.
10
Sarbanes-Oxley IT
Diagnostic Questions
1. Does the SOX steering committee understand the risks inherent in
IT systems & their impact on compliance with Section 404?
2. Does IT management understand the financial reporting process
and its supporting systems?
3. Does the CIO have an advanced knowledge of the types of IT
controls necessary to support reliable financial processing?
4. Are policies governing security, availability and processing
integrity established, documented & communicated to all
members of the IT organization?
5. Are the IT department’s roles and responsibilities related to
Section 404 documented & understood by all members of the IT
department?
11
Sarbanes-Oxley IT
Diagnostic Questions
6. Do IT employees understand their roles, do they possess the
requisite skills to perform their job responsibilities relating to
internal control, & are they supported with appropriate skill
development?
7. Is the IT department’s risk assessment process integrated with the
company’s overall risk assessment process for financial
reporting?
8. Does IT document, evaluate & remediate IT controls related to
financial reporting on an annual basis?
9. Does IT have a formal process in place to identify & respond to IT
control deficiencies?
10. Is the effectiveness of IT controls monitored & followed up on a
regular basis?
• Source for Slides 8-12: IT Governance Institute, ISACA
12
Are you Ready for IT Control
Identification & Testing?
General Controls
Edward Hill, CPA
Protiviti
13
“Plain English” Approach: IT Risks & Controls for SOX 404
[Diagram: IT Organization & Structure → IT Entity Level Control Evaluations → IT Process Level Control Evaluations, covering General IT Processes, Application & Data Owner Processes and Integrated Application Specific Processes]
• Define universe, processes, risks & controls
• Assertion relationships
• Document key controls & evaluate
• Testing of key controls & what to do
14
Process Level: IT Risks & Controls
[Diagram: IT Organization and Structure → IT Entity Level Control Evaluations → IT Process Level Control Evaluations (General IT Processes, Application and Data Owner Processes, Integrated Application Specific Processes)]
Most important part of this discussion:
These processes and activities are looked at in the context of how the controls relate to the ability of the company to meet the IC objectives over the reliability of financial reporting.
15
General IT Process Risks and Controls - A Typical Universe & Risk Assessment
[Diagram: IT Organization and Structure → IT Entity Level Control Evaluations → IT Process Level Control Evaluations, with General IT Processes highlighted]
General IT Processes
• Security Administration
• Application Maintenance - Change Control
• Ensure Continuity - Data Management & Disaster Recovery
• Manage Technical Infrastructure & Operations - Problem Management
• Asset Management
16
Impact of STRONG Controls at the IT General Controls
[Diagram: IT Organization and Structure → IT Entity Level Control Evaluations → IT Process Level Control Evaluations (General IT Processes; Application & Data Owner Processes; Integrated Application Specific Processes)]
• Applications perform as designed
• Programmed controls function as designed
• Access to transactions and data functions as designed
WHEN SETTING SCOPE:
• Work at application and data owner level can focus on proper design of controls
• General controls provide an indication that such controls operate as intended
17
Security Administration Controls
• How does this relate to the assertions - what can go wrong?
– Security, designed & implemented properly, assures
transactions are executed by only those individuals with
authorization.
– Security, designed appropriately, ensures (physical and
electronic) access to assets is restricted.
• This impact must be understood at each IT component level:
– Application transaction and data level
– Access to the systems and infrastructure such as administrator
and super user:
• Databases
• Platforms (operating systems)
• Networks
18
Security & Segregation of Duties
Potential impact on assertions:
– Transactions are executed only by individuals
authorized by management to do so
– Duties that are incompatible from an internal control
standpoint are segregated in accordance with
management’s criteria
– Updates and changes to applications may impact how
security should be managed and the duties which may
need to be segregated (authorized and segregation
issues)
19
Security Administration
• Risk and controls documented, evaluated for specific process
portions:
– Role set up, maintenance and periodic validation
– User set up, maintenance and deletion
– Data classification and rules allowing access to sensitive data
– Periodic transaction and data access review, validation and followup
• Risks and controls documented, evaluated at the technical level:
– Set up of administrative and other sensitive accounts for all
technology components
• Add, modify and delete procedures
• Audit trail rules and set-up
– Monitoring and review procedures for usage of administrative and
sensitive account
20
Security Administration
Risk and controls documented, evaluated for specific process portions:
– Development and maintenance of security roles restricting access to transactions and data to only individuals with a valid business need to execute transactions and access data
– Development and communication to the IT organization of the roles and transactions that need to be segregated from an internal controls standpoint
– Maintenance and review of application changes to confirm appropriateness of the roles and transactions identified as incompatible from an internal control standpoint
21
Manage Applications-Change Controls
• How does this relate to the assertions- what can go wrong:
– Application change provides assurances that applications function as
intended and integrity of processing can be assured
– Appropriate application changes assure completeness and accuracy of
processing
– Together with security administration, these processes assure that
transactions can only be initiated, modified or deleted by individuals
authorized by management to execute and view transactions
– Access to applications and data through the change process must be
restricted so that inadvertent or deliberate changes to the following do
not occur:
• Production data
• Other related components such as interface routines, background
processing and updates, etc.
22
Application & Data Owner Responsibilities
For Change Controls
• How does this relate to the assertions- what can go
wrong:
– Application changes may not be in accordance with the directives
of the business owners causing them not to function as intended
or without the appropriate controls- impacts
• Completeness and accuracy
• Authorization
• Access to assets
– There may be changes to the security administration of roles and
responsibilities that affect the controls which ensure appropriate
authorization of transactions and access to assets
23
Manage Applications – Change Controls
Risk and controls documented, evaluated for specific process:
• Initiation of change requests
• Testing and approval of changes prior to migration into the
production environment
– Critical calculations and data validation and exception routines
– Interfaces
– Job sequencing and interrelationships
• Application migration procedures
– Integrity of process and access to applications and data by migrators
– Back out and validation of successful migrations
• Emergency change procedures and processes
24
Business Owner Change Control Processes
Risk and controls documented, evaluated for specific process:
• Changes are appropriately initiated and approved by the application and data owners
• All changes are reviewed by the application owners from a controls perspective, with a sign-off that controls have been appropriately considered for any change(s)
• Changes are adequately tested from a controls functionality perspective. This should be performed to ensure critical controls still function (error checking and data validation, integrity of key management reports, interfaces function properly, etc.)
• There should be review (after the fact) of emergency changes such that application owners verify validity of the change and the appropriateness of the change on programmed controls.
25
Format for Documentation and
Control Related Work
• Evaluation of IT-related risks and controls should be
formatted similar to other process and control work
• Process maps
• Process narratives
• Risk and control matrices
• All work should focus on controls that affect the
financial reporting and disclosure risks and controls
• Must address financial reporting assertions
26
Evaluation of IT Controls
• After the documentation is complete, evaluate each risk to
determine whether the controls are designed to effectively
mitigate the risks
• The evaluation should include both manual and systems-based
controls - even in the General Controls processes
• At this point, control gaps if any, should be identified and a
management action plan to deal with the gaps determined, for
both manual and systems-based controls
• For controls evaluated as effective, the next step is to develop a
testing plan so that the operating effectiveness can be
evaluated
27
Approach to IT General Controls Testing
[Process flow: Define Testing Scopes → Build Testing Plan → Execute Testing → Analyze Test Results → Update Testing]
For IT General Controls testing –
• Key controls can and should be tested similar to other processes with pervasive controls:
  • There needs to be a combination of inquiry, inspection, observation and re-performance
  • Process flows and risk and control matrices should be referenced and are a key to selecting the type of test needed
• Timing of this testing - two competing issues:
  • One external firm indicated that pervasive controls such as IT General Controls should be tested near the “as of” date
  • Testing of these needs to be done early in the overall process because the results of these tests directly impact the nature and extent of controls downstream of these.
28
Documenting General Controls Testing
[Process flow: Define Testing Scopes → Build Testing Plan → Execute Testing → Analyze Test Results → Update Testing]
For IT General Controls testing –
• Documentation of testing should be handled similarly to that of other processes with pervasive controls:
  • There need to be documentation standards for inquiry, inspection, observation and re-performance testing - scoping should be based on the overall approach
  • Evidence of tests should be retained for review and approval
29
Are you Ready for IT Control
Identification & Testing?
Application Controls
John Gimpert, CPA
Deloitte
30
Importance of IT in Sarbanes Oxley
• For most organizations, IT controls are pervasive to the financial
reporting process
–Financial applications and automated systems are typically used to
initiate, record, process and report transactions
• Applications and ERP systems are supported by the general
computing environment
–Effectiveness of the application computing controls is dependent
upon the general computing controls
–Limitations of application controls may need to be appropriately
mitigated by general computing controls
• Overall, application and general computing controls support the
integrity and reliability of financial reporting
31
A Roadmap for Compliance
32
Source: IT Governance Institute (ITGI) “IT Control Objectives for Sarbanes Oxley” Discussion Document
Internal Control Reliability Model
Determine the reliability and maturity of IT controls.
Stage 1–Unreliable. Characteristics:
• Controls, policies and procedures are not in place and documented.
• A disclosure creation process does not exist.
• Employees are unaware of their controls responsibility.
• Operating effectiveness of control activities is not evaluated regularly.
• Control deficiencies aren’t identified.
Stage 2–Insufficient. Characteristics:
• Controls and policies and procedures are not fully documented.
• A disclosure creation process is not fully documented.
• Employees may not be aware of their responsibility for control activities.
• Operating effectiveness of control activities is not evaluated regularly and the process isn’t documented.
• Control deficiencies may be identified but not remediated timely.
Stage 3–Reliable. Characteristics:
• Controls and related policies and procedures are in place and adequately documented.
• A disclosure creation process is in place and adequately documented.
• Employees are aware of their responsibility for controls activities.
• Operating effectiveness of control activities is evaluated periodically; the process is documented.
• Control deficiencies are identified and remediated timely.
Stage 4–Optimal. Characteristics:
• Meets characteristics of Stage 3.
• An enterprise-wide control and risk mgt. program exists such that controls are documented and continuously reevaluated to reflect major process or organizational changes.
• A self-assessment process is used to evaluate controls design and effectiveness.
• Technology helps document processes, control objectives and activities, identify gaps, and evaluate control effectiveness.
33
Mapping Accounts to Controls
• Determine and walk through key transactions and accounts
• Identify applications and IT systems related to significant accounts and transactions
• Identify, document and test controls supporting the above
[Diagram, layered top to bottom:]
Significant Accounts/Processes: Balance Sheet, Income Statement, G/L, Inventory, Other
Classes of Transactions / Business Processes: Process A, Process B, Process C
Financial Applications: Application A, Application B, Application C
Application controls (examples): Seg of Duties, Data integrity, Completeness, Timeliness
General Computing Controls: Security, Retention, Operations, Configuration
34
Application Controls: Definition
• Application controls help ensure the completeness,
accuracy, authorization and validity of all transactions
during application processing
• Application controls also support interfaces to other
application systems to help ensure all inputs are
received in a complete and accurate manner and
outputs are correct
• Application controls are typically embedded within
software programs to prevent or detect unauthorized
transactions
35
Linking Business Process to Controls
Control Objectives:
• Accounts Receivable balances and reserves are complete and accurate.
• Sales revenues and cost of goods sold are complete and accurate.
• All purchase orders received are input and processed.
• Invoices are generated using authorized terms and prices.
• Only valid changes are made to customer master files.
[Diagram, layered top to bottom:]
Accounts Receivable – Invoice controls
Order Processing / Sales sub-process – Order & supplier controls; Customer controls
SAP, Oracle, Other Applications – Customer order entry
Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.
Databases and Information
IT Infrastructure: Security, System Software, Networks
General computing controls cover security access, change and configuration mgt, data retention, testing, processing integrity, etc.
36
Assertions
Elements of Transaction | Assertions | Potential Errors
1. Occurrence—Did the transaction occur? | Existence or occurrence | Validity
2. Ownership—Does the transaction give rise to an asset that represents rights of the entity or a liability that represents obligations of the entity? | Rights and obligations | Validity
3. Completeness—Are transactions missing? | Completeness | Completeness
4. Timing—Are transactions recorded in the correct accounting period? Are transactions recorded too early? | Existence or occurrence | Cutoff
   Are transactions recorded too late? | Existence or occurrence | Cutoff
5. Amount—Is the transaction recorded at the correct amount? Amounts not subject to measurement uncertainty (i.e., accuracy) | Existence or occurrence | Recording
   Amounts subject to measurement uncertainty (i.e., valuation) | Valuation or allocation | Valuation
6. Classification—Is the transaction recorded in the correct general ledger account? | Presentation and disclosure | Recording
7. Presentation and disclosure—Is the transaction ultimately presented appropriately in the financial statements and, where relevant, related matters appropriately disclosed? | Presentation and disclosure | Presentation
37
Examples of Control Identification
Objective: All orders received from customers are input and processed
Assertion: Completeness
Automated Application Controls:
• Pending order reports are generated daily for review.
• Incomplete order entries are flagged for completion.

Objective: Orders are processed only within the approved customer credit limits
Assertion: Authorization
Automated Application Controls:
• Orders entered that exceed customer credit limits are pended for review prior to processing.
• Access to change/override customer credit limits requires approval by credit manager.

Objective: Only valid orders are processed
Assertion: Existence or Occurrence
Automated Application Controls:
• Access to enter orders is limited to appropriate personnel.
• A valid customer number is required prior to order entry.

Objective: Orders and cancellations of orders are input accurately
Assertion: Existence or Occurrence
Automated Application Controls:
• Critical data fields (e.g., order number, date, address) are pre-populated prior to order completion.
• Data entered on returns is matched with original sales information.
38
Types of controls
Preventive
Detective
Manual
Information
Technology
39
Preventative controls are designed to avert problems rather than
correct them. Some examples include passwords to application
systems or an approval on all purchase orders over a specified limit.
Detective controls are meant to catch errors after the fact. These may
take the form of reviews, reconciliations, and analyses.
Manual controls are carried out by people, as opposed to automated
controls (i.e., application controls) that take place without direct
human intervention. Many manual controls can now be automated by
application software such as the triggering of exception reports.
IT controls consist of general controls (include controls over data
center operations, system software acquisition and maintenance,
access security, and application system development and
maintenance) and application controls (to ensure completeness,
accuracy, authorization, and validity of data input and transaction
processing).
Control Evaluation and Testing Process
[Flow chart: Controls for those business processes impacting key transactions and accounts → Discovery process for existing controls → Document Control → Evaluation of Control Design (Assess the Design → Document the Assessment; if design is not effective (N): Remediate and return) → Evaluation of Control Effectiveness (Test Control Effectiveness; if not effective (N): Remediate and return; if effective (Y): Document the Test Results) → Prepare for Certification]
40
Sample Result of Evaluation Process
Control Activity: Pending order reports are generated daily for review.
Example Test of Effectiveness: Obtain reports from individual responsible for review.
Control Gaps: None noted.

Control Activity: Incomplete order entries are flagged for completion.
Example Test of Effectiveness: Observe entry of sample incomplete orders.
Control Gaps: Gap noted: Some incomplete orders are processed.

Control Activity: Orders entered that exceed customer credit limits are pended for review prior to processing.
Example Test of Effectiveness: Review application security settings to ensure control is set up properly.
Control Gaps: None noted.

Control Activity: Access to change/override customer credit limits requires approval by credit manager.
Example Test of Effectiveness: Review application security settings to ensure control is set up properly.
Control Gaps: Gap identified: One person can enter orders and increase customer credit limits.

Control Activity: Access to enter orders is limited to appropriate personnel.
Example Test of Effectiveness: Compare who the system allows to enter orders to the list of management-approved personnel.
Control Gaps: Gap identified: Access rights are not updated promptly when personnel change roles.

Control Activity: A valid customer number is required prior to order entry.
Example Test of Effectiveness: Observe entry of sample orders with wrong customer numbers.
Control Gaps: None noted.

Control Activity: Critical data fields (e.g., order number, date, address) are pre-populated prior to order completion.
Example Test of Effectiveness: Query sample of order numbers to ensure uniqueness.
Control Gaps: None noted.

Control Activity: Data entered on returns is matched with original sale information.
Example Test of Effectiveness: Compare sample of sales returns against sales to ensure match.
Control Gaps: Gap identified: Return can be processed without matching an original sale.
41
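The tests of effectiveness on this slide can be scripted against extracts from the order-processing application, so that the same test is re-run each period and the "None noted" or "Gap identified" result is reproducible. The following is an added example, not material from the webcast or any presenter; the data is constructed and the column names are assumptions.

```python
"""Scripted tests of the automated application controls discussed above.
Added example with constructed data; field names are assumptions."""
from collections import Counter

# Constructed extracts standing in for an application security report and
# the order / returns tables an auditor would pull from the system.
USER_ROLES = {            # user -> set of functions the system grants
    "alice": {"enter_order"},
    "bob":   {"enter_order", "change_credit_limit"},   # SoD conflict
    "carol": {"change_credit_limit", "approve_credit"},
    "dave":  {"enter_order"},                           # not on approved list
}
APPROVED_ORDER_ENTRY = {"alice", "bob"}                 # management-approved list
INCOMPATIBLE_PAIRS = [("enter_order", "change_credit_limit")]

CUSTOMERS = {"C100": 5000.0, "C200": 1000.0}            # customer -> credit limit
ORDERS = [  # (order_no, customer, amount, status)
    ("O1", "C100", 1200.0, "processed"),
    ("O2", "C200", 1500.0, "processed"),   # over limit but not pended
    ("O3", "C200",  400.0, "processed"),
    ("O3", "C100",  700.0, "processed"),   # duplicate order number
    ("O4", "C999",  100.0, "processed"),   # unknown customer number
    ("O5", "C100", 9000.0, "pended"),      # over limit, correctly pended
]
RETURNS = [  # (return_no, original_order_no)
    ("R1", "O1"),
    ("R2", "O77"),                          # no matching original sale
]

def sod_conflicts(user_roles, pairs):
    """Users holding both functions of any incompatible pair."""
    return sorted(u for u, fns in user_roles.items()
                  if any(a in fns and b in fns for a, b in pairs))

def unapproved_order_entry(user_roles, approved):
    """Users the system lets enter orders but management has not approved."""
    return sorted(u for u, fns in user_roles.items()
                  if "enter_order" in fns and u not in approved)

def duplicate_order_numbers(orders):
    """Order numbers that appear more than once."""
    counts = Counter(o[0] for o in orders)
    return sorted(n for n, c in counts.items() if c > 1)

def invalid_customer_orders(orders, customers):
    """Orders entered against a customer number not on the master file."""
    return sorted(o[0] for o in orders if o[1] not in customers)

def over_limit_processed(orders, customers):
    """Processed orders whose amount exceeds the customer's credit limit."""
    return sorted(o[0] for o in orders
                  if o[1] in customers and o[2] > customers[o[1]]
                  and o[3] == "processed")

def unmatched_returns(returns, orders):
    """Returns that do not reference an existing original sale."""
    order_nos = {o[0] for o in orders}
    return sorted(r[0] for r in returns if r[1] not in order_nos)

def run_all():
    """Map each control to its exceptions; an empty list means 'None noted'."""
    return {
        "segregation_of_duties": sod_conflicts(USER_ROLES, INCOMPATIBLE_PAIRS),
        "order_entry_access": unapproved_order_entry(USER_ROLES, APPROVED_ORDER_ENTRY),
        "order_number_uniqueness": duplicate_order_numbers(ORDERS),
        "valid_customer_number": invalid_customer_orders(ORDERS, CUSTOMERS),
        "credit_limit_pending": over_limit_processed(ORDERS, CUSTOMERS),
        "returns_matched_to_sales": unmatched_returns(RETURNS, ORDERS),
    }

if __name__ == "__main__":
    for control, exceptions in run_all().items():
        print(f"{control}: {'None noted' if not exceptions else exceptions}")
```

Each non-empty list is a control gap to carry into the remediation column of the evaluation; the retained script and its input extracts serve as the evidence of testing the documentation slides call for.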
Lessons Learned
• Effective IT application controls are critical and serve as a first
line of defense
• Some controls exist at both the general computing and
applications layer - for instance Security Controls
• Applications controls can be modernized, many previously
manual controls can be automated (such as automatic
generation of reports when suspect conditions exist)
• Applications controls can be proactively built into applications
and can help identify risks
• Improved applications controls can result in improved
application effectiveness and help drive higher quality
applications
• A well controlled environment is a first step toward improved IT
Governance
42
Sarbanes Oxley to Increase
Shareholder Value
Risk Management
–Compliance with Sarbanes Oxley has direct impact and IT control
improvements can reduce risk for downstream business initiatives
Operating Margin
–Deep understanding of process and technology linkages can result
in process re-engineering initiatives, improving levels of automation
Asset Efficiency
–Operational improvement regarding IT management processes
–Consolidation of systems to reduce complexity can result in
operational efficiencies
Revenue Growth
–Inventory your critical customer systems and data for future sales
targeting initiatives
43
Are you Ready for IT Control
Identification & Testing?
Establishing A Framework
Reginald B. Combs, CISA
Lockheed Martin Corporation
44
Establishing A Framework
• The COSO/COBIT™ Relationship
• Considerations When Identifying Controls
• Entity, General, or Application Control?
45
Establishing A Framework
The COSO/COBIT™ Relationship
To assess an organization’s internal controls, first identify the assessment criteria:
• COSO report defines internal control consistent with current auditing standards and SAS guidance
• COSO report also identifies five components of effective internal control:
  • Control Environment
  • Risk Assessment
  • Information & Communication
  • Control Activities
  • Monitoring
404: “…establish and maintain an adequate internal control structure…”
46
Establishing A Framework
The COSO/COBIT™ Relationship
To assess an organization’s IT internal controls, first identify the assessment criteria:
• COBIT framework is generally applicable and accepted as a standard for good IT security and control practices
• COBIT “Business/Fiduciary Requirements” derived from COSO categories
• COBIT classifies control objectives into four groups (domains):
  • Plan & Organize
  • Acquire & Implement
  • Deliver & Support
  • Monitor and Evaluate
COSO and COBIT Provide a Complementary Framework for IT Control Identification
47
Mapping The COSO/COBIT™ Relationship
[Matrix: rows are the COBIT domains (Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate); columns are the COSO components (Control Environment, Risk Assessment, Control Activities, Information & Communications, Monitoring); an X marks each COSO component a domain supports. Cell positions are not recoverable from the extracted slide.]
48
Considerations When Identifying Controls
– Focus on “Key” controls:
• How does the application support the key financial processes?
• Is the application processing data or acting as a repository?
• Who relies on the controls?
– Consider the types of errors that can occur at
the application and process level
– Ask “What Can Go Wrong” questions
– When evaluating IT controls and related risks,
consider the relevant financial statement
assertions for significant accounts
49
Entity, General, or Application Control?
– Varying Opinions on which controls fall into
each category
– Establish definitions early and obtain
consensus
– Communicate throughout the organization
50
Example: Lockheed Martin Corporation
51
SOX 404 Documentation Tools
[Pie chart of tools in use, from the IIA GAIN Flash Survey:]
• Risk Control Tracking - Deloitte: 20%
• CAT - KPMG: 11%
• Internal Control Workbench - PwC: 10%
• MS Office Tools + Visio: 7%
• SarBox Portal - Protiviti: 7%
• Risk Navigator - Paisley: 6%
• All Others: 39% (Pentana, JeffersonWells, E&Y's tool, Developed in-house, SOXA Accelerator, Focus - Paisley, Axentis, ERA - Methodware, Lotus Notes, Horizon - JP Morgan, ICT - Grant Thornton, Open-Pages, SOX Express, SPF, Teammate, Dynamic Policy)
52
Source: http://www.gain2.org/sox4jwsum.htm
Concluding Remarks
• Lessons learned
– Understanding the role of IT controls means
understanding IT better
• Updating skill sets to identify/classify controls
– Changing business auditors’ mindset
– What they can do; when IT auditors are needed
• How to relate types of testing
• How to determine the impact of deficiencies
53
Questions & Answers
E-mail your questions by
clicking on the link provided
or directly to
[email protected]
54
Next Webcast
March 9, 2004
“Balancing SOX with Risk Based
Audit Planning”
See you at our next webcast!
55