Sarbanes-Oxley (SOX) compliance
The Role of IT in the design and implementation of Internal Control over Financial Reporting

Published in: Technology, Business
IT Control Objectives for SOX

  1. Sarbanes-Oxley (SOX) compliance
     The Role of IT in the design and implementation of Internal Control over Financial Reporting
     Mahesh Patwardhan, maheshpatwardhan@rediffmail.com
  2. SOX
     • The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States federal law enacted on July 30, 2002. It is named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.
     • The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
     • These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets. The act was passed to safeguard investors and restore confidence in the securities markets.
     • The gist of the act is that a company's top management has to certify, by way of internal and external audits, that there is sufficient internal control over all systems impacting financial reporting.
  3. Definitions
     • COSO
       • Committee of Sponsoring Organizations of the Treadway Commission
       • Model for evaluating internal controls
       • Generally accepted framework for internal control
       • Definitive standard against which organizations measure the effectiveness of internal controls
     • Internal Control:
       • A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
         • Effectiveness and efficiency of operations
         • Reliability of financial reporting
         • Compliance with applicable laws and regulations
     • Five Components of an Internal Control System:
       • Control Environment
       • Risk Assessment
       • Control Activities
       • Information and Communication
       • Monitoring
  4. IT Compliance Roadmap
     • Plan and Scope IT Controls
     • Assess IT Risk
     • Prioritize and Document Controls
     • Evaluate Control Design and Operating Effectiveness
     • Remediate Deficiencies
  5. Internal Control Framework
     Control Environment
       • Integrity and Ethical Values
       • Commitment to competence
       • Board of Directors and audit committee
       • Management's Philosophy and Operating Style
       • Organizational Structure
       • Assignment of Authority and Responsibility
       • Human Resource Policies and Procedures
     Risk Assessment
       • Company-wide objectives
       • Process-level objectives
       • Risk Identification and Analysis
       • Managing Change
     Control Activities
       • Policies and Procedures
       • Security (Applications and Network)
       • Application Change Management
       • Business Continuity / Backups
       • Outsourcing
     Information and Communication
       • Quality of Information
       • Effectiveness of Communication
     Monitoring
       • Ongoing Monitoring
       • Separate Evaluations
       • Reporting Deficiencies
  6. Control Activities
     Policies and Procedures
       • IT-Security Policy
       • IT-Access Control Policy
       • IT-Appropriate Usage Policy
       • Email-Internet Policy
       • End-user Computing
     Security (Applications and Network)
       • Application Authorization Matrix
       • End User Computing Traceability Matrix
       • IT – Landscape Diagram
       • Job Scheduling
     Application Change Management
       • Project Management
       • ISO
     Business Continuity
       • IT-Infrastructure Management
       • Disaster Recovery
       • Backup and Recovery Procedures
  7. IT Control Objectives for SOX
     • Acquire and Maintain Application Software
     • Manage Changes
     • Manage the Configuration
     • Define and Manage Service Levels
     • Acquire and Maintain Technology Infrastructure
     • Manage Problems and Incidents
     • Manage Third Party Services
     • Manage Data
     • Enable Operations
     • Manage Operations
     • Ensure Systems Security
     • Install and accredit solutions and changes
  8. Types of Controls
     Entity Level Controls
       • Strategies and Plans
       • Policies and Procedures
       • Risk Assessment Activities
       • Training and Education
       • Quality Assurance
       • Internal Audit
     Application Controls
       • Completeness
       • Accuracy
       • Existence/Authorization
       • Presentation/Disclosure
     IT General Controls
       • Program Development
       • Program Changes
       • Access to Programs and Data
       • Computer Operations
  9. Control Documentation
     • Entity Policy Manuals
     • IT Policies and Procedures
     • Narratives
     • Procedural Write-ups
     • Flowcharts
     • Decision Tables
     • Completed Questionnaires
  10. Control Documentation
     Entity Level
       • Assessment of entity level controls, including evidence to support the responses and opinions of management
     Activity Level
       • Description of the processes and related sub-processes (may be in narrative form; more effective to illustrate as a flowchart)
       • Description of the risk associated with the process or subprocess, including an analysis of its impact and probability of occurrence
       • Statement of the control objective designed to reduce the risk of the process or subprocess to an acceptable level, and a description of its alignment to the COSO framework
     Activity Level
       • Description of the control activity(ies) designed and performed to satisfy the control objective related to the process or subprocess. This should include the type of controls (preventive or detective) and the frequency with which they are performed.
       • Description of the approach followed to confirm (test) the existence and operational effectiveness of the control activities
       • Conclusions reached about the effectiveness of controls as a result of testing