Post on 19-Dec-2015
IT & Sarbanes-Oxley
Adam Bearhalter, Kristy Kelly, Julie Bland, Alex Tiset
Introduction
• Corporate & Accounting Scandals
• Public confidence
• Signed on July 30, 2002
• Reach
Titles
TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
TITLE II—AUDITOR INDEPENDENCE
TITLE III—CORPORATE RESPONSIBILITY
TITLE IV—ENHANCED FINANCIAL DISCLOSURES
TITLE V—ANALYST CONFLICTS OF INTEREST
TITLE VI—COMMISSION RESOURCES AND AUTHORITY
TITLE VII—STUDIES AND REPORTS
TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
TITLE X—CORPORATE TAX RETURNS
TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY
Key Provisions
1. SOX Section 302: Internal control certifications
2. SOX Section 404: Assessment of internal control
3. SOX Section 802: Criminal penalties for violation of SOX
4. SOX Section 1107: Criminal penalties for retaliation against whistleblowers
SOX Section 404
Management must report on the effectiveness of the company's internal controls over financial reporting:
• A statement of management's responsibility over internal controls
• Management's assessment of the effectiveness of the company's internal control
• Identify the framework used to evaluate controls
• State that their auditor has reported on their internal controls as well
Source: www.sec.gov
SOX Section 404
• In today's business environment, IT systems initiate, process, and report most financial transactions
• Because they are so involved in day-to-day financial transactions, the IT systems become key to financial reporting
• This makes the controls over the IT systems key to financial reporting as well
Source: IT Governance Institute, 2006
SOX Section 404
• Management is required to implement an internal control framework
• COSO is the most widely used framework for SOX compliance, but it pays little attention to IT controls
• COBIT is one of the better known frameworks that relate to IT controls
Source: IT Governance Institute, 2006
Key Controls
• Controls that are key to ensuring that the values on the balance sheet are accurate and reliable
• Examples: a database trigger that enters a transaction in the general ledger; a system to ensure emails are sent
• IT Auditor ensures that they are effective, reliable, and reproducible
General Controls
• Controls that go across all IT systems and are essential to ensuring the integrity, reliability, and quality of the systems
• Security Policies
• Change Management
• Administration of Duties/Rights

Administration of Duties/Rights
• Separation of Duties: individual permissions and roles
• Least Privilege: an individual is only given the privileges needed to do their job
• User Provisioning: new users are set up with the correct privileges; a standard profile exists for each user

What if these 3 principles are not in place?
• The IT system has failed to meet SOX compliance
• The Auditor must: note the exception; flag it up to Management for remediation
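As an added example (not part of the original presentation), the three principles on the "Administration of Duties/Rights" slide expressed as an access-review check of the kind an IT auditor runs over a user-to-privilege listing: each finding is the "exception" that the slide says the auditor must note and flag to management. The role names, conflicting-duty pairs, standard profiles, sample users and function names are constructed assumptions for illustration and do not come from any real system or from the slides.

```python
"""
Added example: a minimal SOX-style access review covering
separation of duties, least privilege and user provisioning.
All roles, duties, profiles and users are constructed sample data.
"""
from dataclasses import dataclass


# Constructed: pairs of duties that one person must not hold together.
CONFLICTING_DUTIES = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"change_production", "approve_change"}),
]

# Constructed: the standard privilege profile for each job role.
STANDARD_PROFILES = {
    "ap_clerk": frozenset({"create_vendor", "enter_invoice"}),
    "ap_manager": frozenset({"approve_payment", "view_ledger"}),
    "gl_accountant": frozenset({"post_journal", "view_ledger"}),
    "developer": frozenset({"change_production", "read_code"}),
}


@dataclass
class User:
    name: str
    role: str
    privileges: frozenset


@dataclass
class Finding:
    """One audit exception to be noted and flagged to management."""
    user: str
    control: str   # separation_of_duties | least_privilege | user_provisioning
    detail: str


def check_separation_of_duties(user):
    """Flag any conflicting duty pair fully held by one user."""
    return [
        Finding(user.name, "separation_of_duties",
                "holds conflicting duties: " + ", ".join(sorted(pair)))
        for pair in CONFLICTING_DUTIES
        if pair <= user.privileges
    ]


def check_least_privilege(user):
    """Flag privileges beyond what the user's standard profile grants."""
    profile = STANDARD_PROFILES.get(user.role)
    if profile is None:
        return []  # reported by the provisioning check instead
    extra = user.privileges - profile
    if not extra:
        return []
    return [Finding(user.name, "least_privilege",
                    f"privileges beyond the '{user.role}' profile: "
                    + ", ".join(sorted(extra)))]


def check_user_provisioning(user):
    """Flag users provisioned under a role that has no standard profile."""
    if user.role not in STANDARD_PROFILES:
        return [Finding(user.name, "user_provisioning",
                        f"no standard profile exists for role '{user.role}'")]
    return []


def review_access(users):
    """Run all three control checks and collect the exceptions."""
    findings = []
    for user in users:
        findings += check_separation_of_duties(user)
        findings += check_least_privilege(user)
        findings += check_user_provisioning(user)
    return findings


# Constructed sample listing: alice is over-provisioned (and can both
# create a vendor and approve its payment), bob is clean, carol has a
# role with no standard profile.
SAMPLE_USERS = [
    User("alice", "ap_clerk",
         frozenset({"create_vendor", "enter_invoice", "approve_payment"})),
    User("bob", "gl_accountant", frozenset({"post_journal", "view_ledger"})),
    User("carol", "contractor", frozenset({"view_ledger"})),
]


def remediation_report(users):
    """One line per exception, ready to hand to management."""
    return [f"{f.user}: {f.control}: {f.detail}" for f in review_access(users)]


if __name__ == "__main__":
    for line in remediation_report(SAMPLE_USERS):
        print("EXCEPTION", line)
```

The review is deliberately data-driven: the conflict matrix and the standard profiles are the control definitions, and the code only compares the observed access listing against them, so a reviewer can reproduce the same result from the same inputs.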
Strategies for Sarbanes-Oxley Compliance
• Understand SOX requirements
• Set aside sufficient resources
• Get everyone involved
• Create an independent audit committee
• Educate everyone
• Evaluate auditors
• Make required changes
• Prepare for the future
Source: www.afponline.org
Impact of SOX on IT and Management
• Risk Assessment
• Control Environment
• Control Security
• Monitoring
• Information and Communication
Source: www.answers.com
Impact of SOX
Risk Assessment
• Areas of Risk
• Examination of systems
• Accuracy of Documentation
Control Environment
• Effectiveness of internal controls
• Tone of Organization
• Control Environment Factors
Source: www.answers.com
Impact of SOX
Control Security
• IT Security
Monitoring
• Processes and Schedules
• Internal Audits
Information and Communication
• Timely and Accurate Information
• Communication to Management
Source: www.answers.com