The Impact of Sarbanes-Oxley on IT
Presented by
Jerald Savin, FIMC, CMC, CPA, CITP
Cambridge Technology Consulting Group, Inc.
201 Wilshire Blvd., Ste 41, Santa Monica, CA 90401
Tel: (310) 229-8947 - Email: [email protected]
For the July CIO Breakfast
Jerald (Jerry) M. Savin
President/CEO, Cambridge Technology Consulting Group, Inc.
Certified Public Accountant (CPA)
Fellow, Institute of Management Consultants (FIMC)
Certified Management Consultant (CMC)
Certified Information Technology Professional (CITP)
Former Chairman, Institute of Management Consultants USA
Co-author:
Richard Savich, Ph.D., C.P.A.
President, ABKO Consulting (A Business Knowledge Organization)
Director, Professional Development Institute, The Collins School of Hospitality Management, Cal Poly Pomona
Formerly National Director, Management Consulting Training, Coopers & Lybrand and Ernst & Young
Formerly Professor, USC School of Accounting
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
The Sarbanes-Oxley Act
101 Board Membership
103 Board Duties
108 Accounting Standards
201 Prohibited Activities
203 Audit Partner Rotation
301 Audit Committees
302 Corporate Responsibility For Financial Reports
402 Loans to Executives
404 Mgmt Assessment of Internal Controls
407 Disclosure of Audit Committee Financial Expert
806 Whistle Blower Protection
PCAOB (www.pcaobus.org)
PCAOB - Auditing Standards
Amend, modify, repeal and reject standards suggested by designated professional groups of accountants and by standard-setting advisory groups
Report on its standard-setting activities to the SEC annually
Section 404
Internal Control Standard
PCAOB must adopt an audit standard to implement an internal control review
The standard must require the auditor to evaluate whether the internal control structure and procedures
Include records that accurately and fairly reflect the transactions of the issuer
Provide reasonable assurance that the transactions are recorded in a manner that will permit the preparation of financial statements in accordance with GAAP, and
Provide a description of any material weaknesses in the internal controls
Section 404
Management Assessment of Internal Controls
404(a) Management’s responsibility for establishing and maintaining adequate internal control for financial reporting.
404(b) Independent auditor’s responsibility for attesting to and reporting on management’s assessment of internal control.
Section 404(a)
Management’s Responsibilities:
Implement an effective internal control structure and procedures for ICOFR
Evaluate the effectiveness of ICOFR using a suitable internal control framework
Support that evaluation with sufficient evidence
Present a written assessment of the effectiveness at year end
Section 404(b)
Auditor’s Responsibilities:
Evaluate management’s assessment
Obtain an understanding of the company’s ICOFR
Test and evaluate the design and operational effectiveness of ICOFR
Form an opinion regarding the adequacy and effectiveness of ICOFR
Section 302
Corporate Responsibility For Financial Reports (1 of 3)
CEO/CFO certifications
Financial statements and disclosures comply with the requirements of the Exchange Act
Disclosures fairly present, in all material respects, the results of operations and financial condition of the issuer
Section 302
Corporate Responsibility For Financial Reports (2 of 3)
Establish and maintain disclosure controls and procedures that are designed to ensure that material information is made known to the officers
Evaluate the effectiveness of the disclosure controls and procedures in the last 90 days
Present their conclusions about the effectiveness of the disclosure controls and procedures
Section 302
Corporate Responsibility For Financial Reports (3 of 3)
Disclose to the auditors/audit committee any significant deficiencies or material weaknesses in internal controls and any fraud committed by any person with a significant role in internal control
Indicate whether or not there were significant changes in internal controls or other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions for significant deficiencies/material weaknesses
Section 404
Management Assessment of Internal Controls (1 of 2)
Internal Control Report
Effective for fiscal years ending on or after
November 15, 2004 for accelerated filers (Originally 6/15/04)
July 14, 2005 for non-accelerated filers (Originally 4/15/05)
Signed by the CEO and CFO
Must contain statements
Management is responsible for establishing and maintaining adequate internal control over financial reporting
Identify the framework used by management to evaluate the effectiveness of the internal control
Assessment of the effectiveness of the internal controls as of year-end
Auditor has issued an attestation report on management’s assessment
Section 404
Management Assessment of Internal Controls (2 of 2)
ICOFR is not effective if there are one or more material weaknesses in internal control
Management's evaluation should be based on a suitable, recognized internal control framework
Internal Control over Financial Reporting (ICOFR) defined (1 of 2)
ICOFR
Is a process
Designed by the principal executive and financial officers and approved by management and the Board of Directors
To provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP, and includes those policies and procedures that
Internal Control over Financial Reporting (ICOFR) defined (2 of 2)
Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets
Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with GAAP, and that receipts and expenditures are being made only in accordance with authorizations of management and the directors
Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements
The Auditor
Is required to attest to/report on management’s assessment
In accordance with standards issued/adopted by PCAOB
This evaluation is not a separate engagement
“… integrated audit …”
Key Dates
July 30, 2002 - Date of Enactment
April 18, 2003 - Interim Auditing Stds issued
March 9, 2004 - Auditing Std No 2 issued
November 15, 2004 (Originally June 15, 2004) - 404 Internal Control assessments due for Accelerated filers with fiscal years ending on/after this date
July 15, 2005 (Originally April 15, 2005) - 404 Internal Control assessments due for Nonaccelerated filers with fiscal years ending on/after this date
PCAOB Auditing Standards
2004-001 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (03/09/04) (Standard No. 2)
2003-026 – Technical Amendments to Interim Standards Rules (12/18/03)
2003-025 – References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Boards (12/18/03)
2003-009 – Compliance with Auditing and Related Professional Practice Standards (6/30/03)
2003-006 – Establishment of Interim Professional Auditing Standards (4/18/03) (Standard No. 1)
2004-002 – Proposed Auditing Standards Conforming Amendments to PCAOB Interim Standards … (Comment period ended 4/23/04)
PCAOB Standards
An Audit Of Internal Control Over Financial Reporting Performed In Conjunction With An Audit Of Financial Statements, Release 2004-001, March 9, 2004
“… integrated audit of the financial statements and internal control over financial reporting.” “… not a … separate engagement.” (p. 8)
“COSO … provides a suitable framework for purposes of management’s assessment.” (p. 9)
“… an auditor impairs his or her independence if the auditor audits his or her own work, including any work on designing or implementing an audit client’s internal control system.” (p. 10,11)
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
COSO
The Committee of Sponsoring Organizations of the Treadway Commission
AICPA, AAA, FEI, IIA, IMA
Is a voluntary private sector organization
Formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting
Dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
COSO
Definition of Internal Control
Internal control is a process, instituted by an entity’s board of directors and management, that is designed to provide reasonable assurance regarding the achievement of the following categories of objectives:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COSO
Internal Control Framework
“Internal control consists of five interrelated components.”
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
-- Internal Control – Integrated Framework – Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission.
COSO
Internal Control Framework
Three categories of objectives:
Operations
Financial reporting
Compliance
Relates to the entire enterprise:
To all Units
To all Activities
COSO
Internal Control Components
[Figure] -- Internal Control – Integrated Framework – Framework, COSO, p. 13.
COSO
Internal Control Framework
[Figure] -- Internal Control – Integrated Framework – Framework, COSO, p. 15.
COSO
Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components
Control Environment factors
Organization tone
Discipline and structure
Integrity, ethics, competence
Management philosophy and operating style
Assignment of authority & responsibility
Work organization
Personnel development
Attention & direction of Board of Directors
-- Internal Control – Integrated Framework – Framework, COSO, p. 19.
COSO
Internal Control Components
Control Environment factors
Integrity & ethical values
Incentives & temptations
Moral Guidance
Commitment to Competence
Board of Directors & Audit Committee
Management Philosophy & Operating Style
Organizational Structure
Assignment of Authority & Responsibility
Human Resources Policies & Practices
Evaluation (p. 27/28)
-- Internal Control – Integrated Framework – Framework, COSO, p. 19-28.
COSO
Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components
Risk Assessment
Identify relevant risks to achieve objectives
Analyze these risks
Determine how to manage them
Begins with the Objectives:
Operations Objectives
Financial Reporting Objectives
Achieving the entity’s mission
Producing reliable financial statements
Compliance Objectives
Complying with applicable laws and regulations
-- Internal Control – Integrated Framework – Framework, COSO, p. 29-44.
Risk Assessment
Types of Risk
Control Risk
That error will not be prevented, detected or corrected on a timely basis
Detection Risk
Fail to detect material errors
COSO
Risk Management
Managing Change
Identify & react to routine events
Identify & react to dramatic events
New or redesigned information systems
Rapid growth
New technology
New lines, products, activities, acquisitions
Corporate restructuring
Foreign operations
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 24-27.
COSO
Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring, with IS Controls added]
COSO
Internal Control Components
Control Activities
Policies and Procedures, which include
Approvals
Authorizations
Verifications
Validations
Reconciliations
Valuations
Classification controls
Completeness controls
Timeliness
Posting and Summarization Controls
Operating performance reviews
Information Processing Controls
Asset security
Segregation of duties
-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.
COSO
Information Systems Controls
General Controls
Data Center Operations
System Software
Access Security
Application Development & Maintenance
Application Controls
COBIT provides details
-- Internal Control – Integrated Framework – Framework, COSO, p. 45-53.
General Controls for Information Systems
Data Center Operations
Backup and recovery procedures
Contingency and disaster recovery planning
Job set up and scheduling procedures
Operational controls
General Controls for Information Systems
System Software Controls
Acquisition, implementation & maintenance of
Operating system software
Database management software
Telecommunications
Security
Utility
General Controls for Information Systems
Access Security
Access controls
Firewalls, Intrusion Detection and Prevention Systems (IDS/IPS)
Password policies
General Controls for Information Systems
Application development (SDLC)
Project authorization
Approval of development & maintenance
Application system development controls
Application system maintenance controls
Testing
Application Controls
for Information Systems
Application level risks
Application availability
Security
Integrity
Maintainability
Application Controls
for Information Systems
Application level risks
Data risks
Completeness
Integrity
Confidentiality
Privacy
Accuracy
Application Controls
for Information Systems
Application interface integrity:
All inputs are received
Inputs are valid
Outputs are correct
Outputs are properly distributed
Application Controls
for Information Systems
Transaction processing integrity:
Complete
Accurate
Authorized
Valid
COSO
Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components
Information and Communication
“Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.”
To the right people in sufficient detail on time
-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.
COSO
Information and Communication
Pertinent Financial & Non-financial
Information
Information Quality
Appropriate
Timely
Current
Accurate
Accessible
-- Internal Control – Integrated Framework – Framework, COSO, p. 55-63.
COSO
Information & Communication
Including
Effective communication of duties
and control responsibilities
Communication of improprieties
Management’s receptivity to employee
suggestions
Timely appropriate mgmt follow-up
Internal and External communications
Customer/supplier communications
Outside awareness of ethical standards
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 33-35.
COSO
Internal Control Framework
[Diagram of the five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring]
COSO
Internal Control Components
Monitoring
Ongoing assessment of the system’s
performance over time
Accomplished through
Ongoing monitoring
Separate evaluations
Internal and external audits
Combination
-- Internal Control – Integrated Framework – Framework, COSO, p. 65-74.
Internal Controls
Traditional Generic List of Controls
Preventive
Detective
Corrective
Manual
Computer
Managerial supervision
Internal Control Examples
Direct management of the business
Performance reviews
Executive
Functional
Activity
Use of performance measures,
indicators, benchmarks
Independent performance checks
Management of human capital
Internal Controls Examples
Proper procedures for authorizing
transactions
Proper execution of transactions &
events
Accurate & timely recording of
transactions & events
Segregation of duties
Authorization
Record keeping
Custody
Internal Controls Examples
Physical controls over vulnerable assets and records
Access restrictions to and accountability for resources & records
Appropriate documentation of transactions and internal controls
Information processing controls
COSO
Reference Manual
Format
Objectives
O,F,C:
O = Operations
F = Financial reporting
C = Compliance
Risks
Points of Focus for Actions/Control
Activities
-- Internal Control – Integrated Framework – Evaluation Tools, COSO.
COSO
Reference Manual
Basic Value Chain Activities:
Inbound
Operations
Outbound
Marketing/Sales
Service
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 49.
COSO
Reference Manual
Infrastructure Support Activities:
Administration
Human Resources
Technology Development
Procurement
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO
Reference Manual
Administrative subactivities:
Manage Finance
Manage Enterprise
Manage External Relations
Provide Administrative Services
Manage Information Technology
Manage Risks
Manage Legal Affairs
Plan
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO
Reference Manual
Administrative Controllership subactivities:
Process A/P
Process A/R
Process Funds
Process Fixed Assets
Analyze and Reconcile
Process Benefits & Retirement
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO
Reference Manual
Administrative Controllership subactivities:
Process Payroll
Process Tax Compliance
Process Product Costs
Provide Financial & Management
Reporting
-- Internal Control – Integrated Framework – Evaluation Tools, COSO, p. 50.
COSO Summary
Criticized as
Too Vague
Contains guidelines
Doesn’t contain a specific work program
Too Operational
Includes operational areas traditionally outside of the auditors’ examination
IT Controls
ISACA
Formerly EDP Auditors Association
Founded in 1967
ISACA
Standards
Guidelines
Procedures
Control Objectives
Control Practices
Audit Guidelines
Management Guidelines
COBIT
Control OBjectives for Information and related Technology
ISACA/IT Governance Institute
Defines IT Controls in terms of
Planning & Organization
Acquisition & Implementation
Delivery & Support
Monitoring
COBIT
Planning & Organization
Define strategic IT plan
Define information architecture
Determine technology direction
Define IT organization & relationships
Manage IT investment
Communicate mgmt aims & direction
COBIT
Planning & Organization
Manage human resources
Comply with external requirements
Assess risks
Manage projects
Manage quality
COBIT
Acquisition & Implementation
Identify automated solutions
Acquire & maintain application software
Acquire & maintain technology
infrastructure
Develop & maintain procedures
Install & accredit systems
Manage changes
COBIT
Delivery & Support
Define & manage service levels
Manage third-party services
Manage performance & capacity
Ensure continuous service
Ensure systems security
Identify & allocate costs
COBIT
Delivery & Support
Educate & train users
Assist & advise customers
Manage configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
COBIT
Monitoring
Monitor the process
Assess internal control adequacy
Obtain independent assurance
Provide for independent audit
Specific IT Control Issues
ERP
BPI (Business Process Improvement)
B2C & B2B
Risk Measurement
Intrusion Detection
Viruses
Email integrity
Third Parties
Evaluate the role third parties play in relation to the IT environment, related controls and control objectives
Third party provider controls
Third parties’ subcontractors
SAS 70 Type 2
ISO 17799 (BS7799)
“A comprehensive set of controls comprising best practices in information security”
“Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization”
ISO 17799 (BS7799)
Security Policy
System Access Control
Computer & Operations Mgmt
System Development & Maintenance
Physical & Environment Security
Compliance
Personnel Security
Security Organization
Asset Classification and Control
Business Continuity Management (BCM)
Mgmt Assessment Process
1. Plan the Assessment
2. Document the ICOFR
3. Evaluate their design & effectiveness
4. Identify, Assess, Correct Deficiencies
5. Prepare written assessment
-- Adapted from the 404 Institute
Mgmt Assessment Process
1. Plan the Assessment
Determine Scope:
Controls related to all significant accounts and disclosures in financial statements
An account is considered significant when there is more than a remote likelihood that it could contain misstatements that individually or aggregated with others could have a material effect on the financials. -- Std No. 2
Mgmt Assessment Process
1. Plan the Assessment
Identify assessment team
Identify significant
Milestones
Schedule
Resources
Determine documentation approach
Mgmt Assessment Process
1. Plan the Assessment
Other Considerations:
Multi-location
Use of outside service organizations – Type II SAS 70 report
Evaluation of IT Controls – IT risks
Inaccurately processing accurate data; accurately processing inaccurate data
Unauthorized access; Unauthorized changes to programs/data; Potential loss of data
Mgmt Assessment Process
2. Document ICOFR
Document the design of controls over relevant assertions
Document the initiation, authorization, recording, processing and reporting of significant transactions
Document transaction flow to identify where misstatements might occur
Mgmt Assessment Process
2. Document ICOFR
Document controls designed to prevent or detect fraud
Document controls over period-end processing
Document controls to safeguard assets
Document the results of management’s assessment
Mgmt Assessment Process
3. Evaluate the design & effectiveness of ICOFR
Effectively designed controls are expected to prevent and detect errors or fraud
Design = the controls are appropriate to prevent or detect misstatements
Effectiveness = the controls are functioning as designed
Mgmt Assessment Process
3. Evaluate the design & effectiveness of ICOFR
Measuring effectiveness
Are the systems functioning as intended?
Are the controls operating as designed?
Do the people performing the controls possess the authority and qualifications to effectively perform the controls?
Mgmt Assessment Process
4. Identify, Assess & Correct Deficiencies
Deficiency
Deficiencies exist when misstatements are not prevented or detected on a timely basis in the normal course of business
Design deficiency = a necessary control is missing or not properly designed
Operating deficiency = a properly designed control is not operating as designed or the person performing the control is inadequate
Mgmt Assessment Process
4. Identify, Assess, Correct Deficiencies
Definitions:
Significant deficiency = control deficiency that adversely affects the initiation, authorization, recording, processing or reporting of reliable financial data
Material deficiency = significant deficiency that results in more than a remote likelihood of a material misstatement
Per PCAOB Standard No. 2
Mgmt Assessment Process
5. Prepare report
Management acknowledges its responsibility for establishing and maintaining adequate ICOFR
Identifies the ICOFR framework used
Assesses the effectiveness of ICOFR as of year-end
No sample management report was provided in Standard No. 2.
The Audit Process
1. Plan the engagement
2. Evaluate Management’s Assessment Process
3. Understand company’s ICOFR
4. Test & Evaluate Design and Effectiveness of ICOFR
5. Form an Opinion
-- Adapted from the 404 Institute
Auditor Questions
What was examined to determine the existence of errors?
What kinds of errors were found?
What happened as a result of finding these errors?
How were the errors resolved?
Have personnel been asked to override the processes or controls?
Internal Control Assessment
Alternative Approaches
Financial Statement/Account based
Systems based
Role of “Best Practice Models”
Account Based Approach
Begin with Financial Statement captions or Trial Balance accounts
Identify
Business cycle
Client processes
Inherent risks
Risk ranking (High, Medium, Low)
Identify Internal Controls
Account Based Approach (example table; columns: F/S Caption | Business Cycle | Client Process | Inherent Risks)
1 Revenue | Revenue Cycle | Client's sales process | Revenue Recognition; Authorization; Billing Accuracy; GAAP compliance
2 Accounts Receivable | Treasury Cycle | AR process; Cash application process; Collection process; Discrepancy resolution | Accuracy; Application; Valuation
3 Cash | Treasury Cycle | Cash Receipts; Check Authorization/Writing | Accuracy; Completeness
4 Operating Expenses | Expenditure Cycle Non-payroll | Vendor controls; Procurement process; Receiving process; Invoice processing; General Ledger recording | Accuracy; Completeness; Segregation of duties
5 Accrued Compensation | Expenditure Cycle - Payroll | Employee hiring; Personnel records; Time and Attendance capture; Payroll interface | Accuracy; Completeness
Risk Ranking column (five rankings as extracted; the assignment to rows is not recoverable from the slide text): High, High, High, Medium, High
Evaluating Risk
In terms of
Materiality
Process Complexity
Susceptibility to Change
Accounting History
Evaluating Risk
Materiality
Dollar amount
Transaction volume
Impact on ratios & covenants
Individually & collectively
Evaluating Risk
Process Complexity
Number of people/departments
Number of steps/phases
Number of interfaces (“hand-offs”)
Number of internal controls
Technical nature
Skill required vs. Skill available
Evaluating Risk
Susceptibility to Change
Process stability
Likelihood of future changes
Accounting History
Number of errors
Number of adjustments
Systems Based Approach
Identify business processes
Express them in “flow charts”
Conceptual
Physical
Examine transaction life cycle (from cradle-to-grave)
Perform tests of transactions
Systems Based Approach
Approaches:
“Black Box”
“White Box”
Reconciliation
Internal Controls
Internal controls
Identify control mechanisms
Are they adequate (design)?
Are they effective?
Which Approach is Best?
Top Down
Process oriented
Systemic approach
Requires systems expertise
May take longer
Bottom Up
Financial Statement/Account oriented
Focuses on the pieces before the whole
Tends to exaggerate the number of assertions and controls
Does not necessarily comprehend the whole
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
Trends
Internal control review is more expensive than audit, at least the first time
Internal control prep takes extensive resources and budget
Annual reports will increase in size
Trends
Different standards among the Big 4
Different standards within the Big 4
Struggle between auditors and clients over amount of ICOFR
Big 4 cannot consult on ICOFR for clients
The “grey line”
May provide some guidance/resources
But cannot impair independence
Private Companies Trends
Two standards
Other Actions
“Big GAAS” and “Little GAAS”
Banking Regulators
SEC: Non-Public Broker-Dealers
deferred until after 1/1/05
Cascading
New York
8 Bills
California
AB 664 (Correa)
AB 665 (Correa)
SB 1262 (Sher)
SB 1272
Private Companies Trends
Being acquired by a public company just became more complicated
Going public just became more complicated
Questions to ponder
How will SOX be applied to nonpublic companies?
What will businesses do differently tomorrow because of SOX?
How will you be involved?
From the IT Perspective
Confusing, contradictory guidance
Prone to evaluate IT at the micro level rather than macro level
Corporate level Policy/Procedures
Adapted for locations/systems
Fail to involve IT in accounting systems assessments
Compartmentalize the controls
From the IT Perspective
Assessors have limited IT expertise
Opportunity to enhance IT
Convert a directive into growth
IT will require additional resources to comply
From the IT Perspective
Confusing areas:
Business continuity
Third parties
Hot Topics:
Change management
System Development/Maintenance
Security
From the IT Perspective
Weak areas:
Data integrity
Complicating factors:
Multi-location
Multi-system
Resources
www.404institute.com
www.aaahq.org
www.accountingweb.com
www.aicpa.org
www.coso.org
www.fei.org
www.imanet.org
www.isaca.org
www.pcaobus.org
www.sec.gov
www.theiia.org
Resource
Internal Control Reporting – Implementing Sarbanes-Oxley Section 404, AICPA paperback
Authoritative Literature
COSO IC Integrated Framework
Project Planning
Documentation of Internal Control
Testing of Internal Control
Outline
The Sarbanes-Oxley Act
Section 404 - Internal Controls
Trends and Developments
Questions & Answers
Questions and Answers
Good Luck!