IT Control Objectives for Sarbanes-Oxley
Managing Risk
“…many of the IT professionals being held accountable for the quality and integrity of information generated by their IT systems are not well versed in the intricacies of internal control. This is not to suggest that risk is not being managed by IT, but rather that it may not be formalized or structured in a way required by an organization’s management or its auditors.”
IT Key Areas of Responsibility
• Understanding the organization’s internal control program and financial reporting process
• Mapping the IT systems that support internal control and the financial reporting process to the financial statements
• Identifying risks related to these systems
• Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness
• Documenting and testing IT controls
IT Key Areas of Responsibility
• Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting process
• Monitoring IT controls for effective operation over time
• Participation by IT in the Sarbanes-Oxley project management office
ITGI Control Objectives
• IT Control Environment
• Computer Operations
• Access to Programs and Data
• Program Development and Program Change
IT Control Environment
The PCAOB has indicated that an ineffective control environment should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists.
What is the IT Control Environment?
• IT Governance Process
– IS Strategic Plan
– IT risk management process
– Compliance and regulatory management
– IT policies, procedures and standards
Monitoring and reporting are required to ensure that IT is aligned with business requirements.
Computer Operations
Computer operations should include controls over:
• Effective acquisition
• Implementation
• Configuration and maintenance
• Ongoing operation: day-to-day delivery of information services, service level management, management of third-party services, etc.
Access to Programs and Data
The overall goal of access controls is to prevent “the unauthorized use of, and changes to, the system” so that the entity protects the integrity of its data and programs.
Program Development and Program Change
• What are the acquisition and implementation risks of new applications and/or systems?
• What are the risks of not having a good change management program?
Multi-location Considerations
• Significant business units
• Potential financial materiality and significant-risk considerations, both quantitative and qualitative; each aspect helps focus the scoping
What is SOX?
SOX provides the foundation for new corporate governance rules, regulations and standards issued by the Securities and Exchange Commission. It covers a range of topics, from criminal penalties to corporate board responsibilities, including independent auditing requirements, corporate governance, internal control assessment, and enhanced financial disclosure.
CEOs and CFOs of publicly traded companies are held accountable for the quality of the controls established to enable accurate financial reporting (including IT processes, systems and roles).
Penalties
Section 802(a) of SOX states: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
What prompted SOX?
• Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals including Enron and WorldCom.
A hint on policies.
Bear in mind that you will be held to the letter of all policies your company develops related to SOX even if they exceed federal requirements. This is very important to remember when drafting policies.
Policies should ensure that corporate behavior is consistent, controlled, and can be proven.
A word on Frameworks
There are many frameworks out there to assist you with SOX compliance. The key is to find a framework that works for your team, commit to it, train on it, and use it to your best possible advantage.
Examples of COBIT Controls
Network Security – Firewalls and secure network configuration, including wireless (802.11) networks
Virus Protection – Anti-virus and anti-spyware, updated regularly
Examples of COBIT Controls
Backups & Restore – Regularly tested procedures
IT Continuity – Disaster recovery procedures
Examples of COBIT Controls
File Access Privilege Controls
Identity Management – Password strength and age, and access: who has access, and is that access still appropriate now?
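The “who has access, and is it still appropriate?” question is a periodic user access review, and it is much easier to evidence for an auditor when it is a repeatable script rather than a spreadsheet. The example below is added here and is not from the slides or from ITGI/COBIT material; the policy thresholds (90-day password age, 60-day dormancy), the role-to-group matrix, the privileged-group list and every account and HR record are constructed for illustration. It reconciles live accounts against the HR roster and the approved entitlements, and emits one finding per exception so each can be tracked to remediation.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Policy thresholds. These values are assumed for the example; substitute your own policy.
MAX_PASSWORD_AGE_DAYS = 90
DORMANT_AFTER_DAYS = 60
PRIVILEGED_GROUPS = {"erp_dba", "gl_posting", "domain_admins"}

# Hypothetical role-to-entitlement matrix: the groups each job role is approved to hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"finance_users"},
    "gl_accountant": {"finance_users", "gl_posting"},
    "erp_admin": {"finance_users", "erp_dba"},
}


@dataclass
class Account:
    username: str
    enabled: bool
    groups: Set[str]
    password_changed: date
    last_login: Optional[date]


def review_access(accounts: List[Account], hr_roster: Dict[str, dict], today: date) -> List[dict]:
    """Compare live accounts with the HR roster and the entitlement matrix.

    Returns one finding dict per exception: {"user", "issue", "detail"}.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts grant no access; out of scope for this review
        person = hr_roster.get(acct.username)
        if person is None or person["status"] != "active":
            # No active employee behind the account: orphaned service ID or leaver not offboarded.
            findings.append({"user": acct.username, "issue": "no_active_owner", "detail": ""})
            continue
        allowed = ROLE_ENTITLEMENTS.get(person["role"], set())
        for group in sorted(acct.groups - allowed):
            issue = "unapproved_privileged_group" if group in PRIVILEGED_GROUPS else "unapproved_group"
            findings.append({"user": acct.username, "issue": issue, "detail": group})
        pw_age = (today - acct.password_changed).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append({"user": acct.username, "issue": "password_age_exceeded", "detail": str(pw_age)})
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            findings.append({"user": acct.username, "issue": "dormant_account", "detail": ""})
    return findings


def sample_review() -> List[dict]:
    """Run the review over a constructed data set (not real accounts or people)."""
    today = date(2024, 3, 31)
    accounts = [
        Account("jsmith", True, {"finance_users"}, date(2024, 2, 15), date(2024, 3, 28)),
        Account("mlee", True, {"finance_users", "erp_dba"}, date(2023, 11, 1), date(2024, 3, 30)),
        Account("tbrown", True, {"finance_users"}, date(2024, 1, 10), date(2024, 3, 29)),
        Account("svc_batch", True, {"gl_posting"}, date(2024, 3, 1), date(2024, 3, 30)),
        Account("rkhan", False, {"finance_users", "domain_admins"}, date(2022, 1, 1), None),
        Account("aliu", True, {"finance_users", "gl_posting"}, date(2024, 3, 1), date(2024, 1, 5)),
    ]
    hr_roster = {
        "jsmith": {"status": "active", "role": "ap_clerk"},
        "mlee": {"status": "active", "role": "gl_accountant"},
        "tbrown": {"status": "terminated", "role": "ap_clerk"},
        "rkhan": {"status": "active", "role": "erp_admin"},
        "aliu": {"status": "active", "role": "gl_accountant"},
    }
    return review_access(accounts, hr_roster, today)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f['user']:<10} {f['issue']:<28} {f['detail']}")
```

Run against the constructed data this reports five exceptions: a terminated employee and a service account with no active owner, a privileged group outside the accountant’s approved entitlements, an overdue password change, and a dormant account. Keeping the entitlement matrix in version control beside the script gives the auditor both the control and the evidence of its operation.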
Examples of COBIT Controls
Risk Evaluation Programs – Risk Assessment and internal auditing.
Employee IT Security Training – Training of end users related to utilization of resources.
Examples of COBIT Controls
Management support/buy in – Executive level oversight of projects related to IT.
IT as part of strategic planning – The business must be supported by technologies.
Change Management
Standardized change control is a great place to find fast rewards in pursuit of compliance.
• Change Approval
• Change Categorization
• Change Documentation
• Change Prioritization
• Formal Request for Change Process
• A body of subject matter experts that oversees change
Consistent Logging
• Change Management
• Configuration Management
• Event Management
• Incident Management
• Knowledge Management
• Problem Management
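The change management elements above and the consistent logging they depend on come together in one detective control: reconciling every production deployment against an approved change record. The example below is added here and is not from the slides; the deployment log line format, the change record fields, the change IDs, names and timestamps are all constructed for illustration. It checks that each deployment references a known change for the same system, that the change was approved before it was implemented, that the requester did not approve their own change (segregation of duties), that normal changes went through the review body, and it flags emergency changes for retrospective review.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeRecord:
    change_id: str
    system: str
    category: str            # "standard", "normal" or "emergency"
    requester: str
    approver: Optional[str]
    approved_at: Optional[datetime]
    cab_reviewed: bool       # reviewed by the change advisory board


@dataclass
class DeployEvent:
    timestamp: datetime
    system: str
    deployed_by: str
    change_id: Optional[str]


def parse_deploy_log(lines: List[str]) -> List[DeployEvent]:
    """Parse one deployment event per line.

    Assumed line format (not a real tool's output):
    <ISO timestamp> system=<name> user=<id> change=<change id or '-'>
    """
    events = []
    for line in lines:
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        change = fields.get("change")
        events.append(DeployEvent(
            timestamp=datetime.fromisoformat(ts),
            system=fields["system"],
            deployed_by=fields["user"],
            change_id=None if change in (None, "", "-") else change,
        ))
    return events


def check_deployments(deploys: List[DeployEvent], changes: List[ChangeRecord]) -> List[dict]:
    """Reconcile production deployments against change records; return control exceptions."""
    by_id: Dict[str, ChangeRecord] = {c.change_id: c for c in changes}
    exceptions: List[dict] = []

    def flag(d: DeployEvent, issue: str) -> None:
        exceptions.append({"deployed_at": d.timestamp.isoformat(), "system": d.system,
                           "change_id": d.change_id, "issue": issue})

    for d in deploys:
        if d.change_id is None:
            flag(d, "no_change_record")            # undocumented production change
            continue
        c = by_id.get(d.change_id)
        if c is None:
            flag(d, "unknown_change_id")           # reference does not resolve to a record
            continue
        if c.system != d.system:
            flag(d, "scope_mismatch")              # change approved for a different system
        if c.approver is None or c.approved_at is None:
            flag(d, "not_approved")
        else:
            if c.approved_at > d.timestamp:
                flag(d, "approved_after_deploy")   # approval must precede implementation
            if c.approver == c.requester:
                flag(d, "sod_violation")           # requester approved their own change
        if c.category == "normal" and not c.cab_reviewed:
            flag(d, "missing_cab_review")
        if c.category == "emergency":
            flag(d, "emergency_post_review_required")  # retrospective review, not a failure
    return exceptions


def run_sample() -> List[dict]:
    """Constructed change records and deployment log lines; not from a real system."""
    changes = [
        ChangeRecord("CHG-1042", "erp-prod", "normal", "alice", "carol", datetime(2024, 3, 29, 15, 0), True),
        ChangeRecord("CHG-1043", "gl-prod", "normal", "bob", "bob", datetime(2024, 3, 30, 9, 0), True),
        ChangeRecord("CHG-1044", "erp-prod", "emergency", "dave", "erin", datetime(2024, 3, 31, 2, 0), False),
        ChangeRecord("CHG-1045", "payroll-prod", "normal", "alice", None, None, False),
    ]
    log_lines = [
        "2024-03-30T22:15:00 system=erp-prod user=ops.bob change=CHG-1042",
        "2024-03-30T23:00:00 system=gl-prod user=ops.bob change=CHG-1043",
        "2024-03-31T01:30:00 system=erp-prod user=dave change=CHG-1044",
        "2024-03-31T03:00:00 system=payroll-prod user=ops.bob change=CHG-1045",
        "2024-03-31T04:00:00 system=erp-prod user=ops.bob change=-",
        "2024-03-31T05:00:00 system=gl-prod user=ops.bob change=CHG-1042",
    ]
    return check_deployments(parse_deploy_log(log_lines), changes)


if __name__ == "__main__":
    for e in run_sample():
        print(f"{e['deployed_at']} {e['system']:<13} {str(e['change_id']):<9} {e['issue']}")
```

Only the first deployment passes cleanly. The others show the failure modes an auditor samples for: self-approval, an emergency change implemented before its approval was recorded, an unapproved and unreviewed change, a deployment with no ticket at all, and a ticket reused for a system it was never approved for. Because the check reads the deployment log rather than the ticketing system alone, it only works if the log is consistently produced and retained, which is the point of the “Consistent Logging” slide.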
“Operationalize” information.
Connect the internal changes needed with the strategic objectives of the company.
Illustrate that real-time information flow enhances your organization’s ability to make decisions while making compliance easier.
Point out the significance of new activities that may seem mundane or inconsequential. This will help actions taken by staff at every level feel more relevant and less painful.
Remember W. Edwards Deming and the Plan-Do-Check-Act cycle?
SOX compliance is not a fix-it-and-forget-it endeavor. As companies and the ecosystems that support them change, new compliance quandaries will come up.
How can SOX help?
Perspectives on operational control, consistency, and quality take on a whole different meaning once they have a clear relationship to fiduciary responsibility.
It is amazing how different the conversation about project prioritization becomes once executive management is offered the opportunity to make the decisions guiding it.