Sarbanes-Oxley (SOX) compliance

The Role of IT in the design and implementation of Internal
Control over Financial Reporting

Mahesh Patwardhan
maheshpatwardhan@rediffmail.com
SOX
• The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States
  federal law enacted on July 30, 2002. It is named after its sponsors, U.S.
  Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.

• The act was passed in reaction to a series of major corporate and
  accounting scandals, including those at Enron, Tyco International,
  Adelphia, Peregrine Systems and WorldCom.

• These scandals, which cost investors billions of dollars when the share
  prices of the affected companies collapsed, shook public confidence in the
  nation's securities markets. The act was passed to safeguard investors
  and restore confidence in those markets.

• The gist of the act, from an IT point of view: a company's top management
  must personally certify its financial reports (Section 302) and must
  assess, with an independent auditor's attestation, that internal control
  over financial reporting is effective (Section 404). Because the financial
  statements are produced by IT systems, that assessment has to cover every
  system and process that can affect financial reporting, and the controls
  over those systems are tested by both internal and external audit.
Definitions
• COSO
    • Committee of Sponsoring Organizations of the Treadway Commission
        • Model for evaluating internal controls
        • Generally accepted framework for internal control
        • Definitive standard against which organizations measure the
          effectiveness of their internal controls

• Internal Control:
    • A process, effected by an entity's board of directors, management and
      other personnel, designed to provide reasonable assurance of the
      achievement of objectives in the following categories:
        • Effectiveness and efficiency of operations
        • Reliability of financial reporting
        • Compliance with applicable laws and regulations

• Five Components of an Internal Control System:
        • Control Environment
        • Risk Assessment
        • Control Activities
        • Information and Communication
        • Monitoring
IT Compliance Roadmap
(the original slide shows these as a staircase of five steps, each building on the previous one)

1. Plan and Scope IT Controls
2. Assess IT Risk
3. Document Controls
4. Evaluate Control Design and Operating Effectiveness
5. Prioritize and Remediate Deficiencies
Internal Control Framework
(the original slide lays the five COSO components out as columns; each column's items are listed under its heading here)

Control Environment
• Integrity and Ethical Values
• Commitment to competence
• Board of Directors and audit committee
• Management's Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Procedures

Risk Assessment
• Company-wide objectives
• Process-level objectives
• Risk Identification and Analysis
• Managing Change

Control Activities
• Policies and Procedures
• Security (Applications and Network)
• Application Change Management
• Business Continuity / Backups
• Outsourcing

Information and Communication
• Quality of Information
• Effectiveness of Communication

Monitoring
• Ongoing Monitoring
• Separate Evaluations
• Reporting Deficiencies
Control Activities
(the original slide shows four columns of IT control activities; each column's artifacts are listed under its heading here)

Policies and Procedures
• IT Security Policy
• IT Access Control Policy
• IT Appropriate Usage Policy
• Email / Internet Policy
• End-user Computing

Security (Applications and Network)
• Application Authorization Matrix
• End User Computing Traceability Matrix
• IT Landscape Diagram
• ISO

Application Change Management
• Project Management

Business Continuity
• IT Infrastructure Management
• Disaster Recovery
• Backup and Recovery Procedures
• Job Scheduling
IT Control Objectives for SOX
(the twelve objectives below use the COBIT process names; the original slide shows them in three columns)

• Acquire and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Enable Operations
• Install and Accredit Solutions and Changes
• Manage Changes
• Define and Manage Service Levels
• Manage Third Party Services
• Ensure Systems Security
• Manage the Configuration
• Manage Problems and Incidents
• Manage Data
• Manage Operations
Types of Controls
(the original slide shows three columns)

Entity Level Controls
• Strategies and Plans
• Policies and Procedures
• Risk Assessment Activities
• Training and Education
• Quality Assurance
• Internal Audit

Application Controls
• Completeness
• Accuracy
• Existence/Authorization
• Presentation/Disclosure

IT General Controls
• Program Development
• Program Changes
• Access to Programs and Data
• Computer Operations
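As an added illustration, not part of the original deck, the script below shows how two of the control areas above can be tested as a detective control over an application authorization matrix: every role a user holds must trace back to an approved access request ("Access to Programs and Data"), and no user may hold a combination of roles that defeats segregation of duties (here a finance-side pair mapped to the "Existence/Authorization" application control, and a developer-plus-production-deploy pair mapped to the "Program Changes" IT general control). The user names, role names, approval records, conflict rules and the mapping of each rule to a control objective are all constructed for the example; in practice the matrix would come from the application's user-role export and the rules from the company's access control policy.

```python
"""Detective test of an application authorization matrix (added example).

Checks a user-to-role matrix against (a) evidence of approved access
requests and (b) segregation-of-duties rules, and tags each finding with
the SOX control objective it relates to.  All data below is constructed
for illustration; it is not from the deck or from any real system.
"""
from collections import Counter

# Constructed authorization matrix: user -> roles held in the application.
AUTH_MATRIX = {
    "alice": {"AP_INVOICE_ENTRY"},
    "bob": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "carol": {"DEV_CODE_COMMIT", "PROD_DEPLOY"},
    "dave": {"GL_JOURNAL_POST"},
    "erin": {"PROD_DEPLOY"},
}

# Constructed evidence: (user, role) pairs backed by an approved access request.
# Note that carol's PROD_DEPLOY role has no approval on record.
APPROVED_REQUESTS = {
    ("alice", "AP_INVOICE_ENTRY"),
    ("bob", "AP_INVOICE_ENTRY"),
    ("bob", "AP_PAYMENT_RELEASE"),
    ("carol", "DEV_CODE_COMMIT"),
    ("dave", "GL_JOURNAL_POST"),
    ("erin", "PROD_DEPLOY"),
}

# Constructed segregation-of-duties rules: a set of roles that one person
# must not hold together, and the control objective (assumed mapping) that
# the rule supports.
SOD_RULES = [
    (frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}), "Existence/Authorization"),
    (frozenset({"DEV_CODE_COMMIT", "PROD_DEPLOY"}), "Program Changes"),
]


def review_matrix(matrix, approved, sod_rules):
    """Return a sorted list of findings as (user, type, detail, objective)."""
    findings = []
    for user, roles in matrix.items():
        # Access to Programs and Data: every role must trace to an approval.
        for role in sorted(roles):
            if (user, role) not in approved:
                findings.append((user, "UNAPPROVED_ACCESS", role,
                                 "Access to Programs and Data"))
        # Segregation of duties: flag a user who holds a whole conflict set.
        for conflict, objective in sod_rules:
            if conflict <= roles:
                findings.append((user, "SOD_CONFLICT",
                                 "+".join(sorted(conflict)), objective))
    return sorted(findings)


def summarize(findings):
    """Count findings per control objective, for the deficiency report."""
    return dict(Counter(f[3] for f in findings))


if __name__ == "__main__":
    results = review_matrix(AUTH_MATRIX, APPROVED_REQUESTS, SOD_RULES)
    for user, kind, detail, objective in results:
        print(f"{user:6} {kind:18} {detail:36} [{objective}]")
    print(summarize(results))
```

Run as a scheduled job, this is a detective control with a defined frequency; the same rule set enforced at the point where roles are granted would be the corresponding preventive control. The findings list, together with the matrix export it was run against, is the kind of evidence the "Control Documentation" slides below expect for the test of operating effectiveness.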
Control Documentation
(the original slide shows these document types as a grid)

• Entity Policy Manuals
• IT Policies and Procedures
• Narratives
• Flowcharts
• Decision Tables
• Procedural Write-ups
• Completed Questionnaires
Control Documentation
(the original slide shows three columns: one for entity level, two for activity level)

Entity Level
• Assessment of entity-level controls, including evidence to support the
  responses and opinions of management

Activity Level (process)
• Description of the processes and related sub-processes (may be in
  narrative form; more effective to illustrate as a flowchart)
• Description of the risk associated with the process or sub-process,
  including an analysis of its impact and probability of occurrence
• Statement of the control objective designed to reduce the risk of the
  process or sub-process to an acceptable level, and a description of its
  alignment to the COSO framework

Activity Level (control)
• Description of the control activity(ies) designed and performed to satisfy
  the control objective related to the process or sub-process. This should
  include the type of control (preventive or detective) and the frequency
  with which it is performed.
• Description of the approach followed to confirm (test) the existence and
  operating effectiveness of the control activities
• Conclusions reached about the effectiveness of the controls as a result
  of testing
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

IT Control Objectives for SOX

  • 1. Sarbanes-Oxley (SOX) compliance
    The Role of IT in the design and implementation of Internal Control over Financial Reporting
    Mahesh Patwardhan
    maheshpatwardhan@rediffmail.com
  • 2. SOX
    • The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States federal law enacted on July 30, 2002. It is named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.
    • The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
    • These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets. The act was passed to safeguard investors and restore confidence in the securities markets.
    • The gist of the act, from an IT point of view: top management (the CEO and CFO, under Section 302) must personally certify the company's financial reports, and management must assess and report on the effectiveness of internal control over financial reporting, with that assessment tested internally and attested to by the external auditor (Section 404). Because the financial statements are produced by IT systems, that assessment covers every application, database and infrastructure component that initiates, records, processes or reports financial data.
  • 3. Definitions
    • COSO: Committee of Sponsoring Organizations of the Treadway Commission
      • Model for evaluating internal controls
      • Generally accepted framework for internal control
      • Definitive standard against which organizations measure the effectiveness of internal controls
    • Internal Control: a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
      • Effectiveness and efficiency of operations
      • Reliability of financial reporting
      • Compliance with applicable laws and regulations
    • Five components of an internal control system:
      • Control Environment
      • Risk Assessment
      • Control Activities
      • Information and Communication
      • Monitoring
  • 4. IT Compliance Roadmap (the slide draws these as a sequence of steps)
    1. Plan and Scope IT Controls
    2. Assess IT Risk
    3. Document Controls
    4. Evaluate Control Design and Operating Effectiveness
    5. Prioritize and Remediate Deficiencies
  • 5. Internal Control Framework (the five COSO components, with the elements the slide lists under each)
    • Control Environment
      • Integrity and Ethical Values
      • Commitment to competence
      • Board of Directors and audit committee
      • Management's Philosophy and Operating Style
      • Organizational Structure
      • Assignment of Authority and Responsibility
      • Human Resource Policies and Procedures
    • Risk Assessment
      • Company-wide objectives
      • Process-level objectives
      • Risk Identification and Analysis
      • Managing Change
    • Control Activities
      • Policies and Procedures
      • Security (Applications and Network)
      • Application Change Management
      • Business Continuity / Backups
      • Outsourcing
    • Information and Communication
      • Quality of Information
      • Effectiveness of Communication
    • Monitoring
      • Ongoing Monitoring
      • Separate Evaluations
      • Reporting Deficiencies
  • 6. Control Activities (the four IT control activities from the previous slide, with the documents that evidence each)
    • Security (Applications and Network)
      • IT Security Policy
      • IT Access Control Policy
      • IT Appropriate Usage Policy
      • Email / Internet Policy
      • End-user Computing
    • Application Change Management
      • Application Authorization Matrix
      • End User Computing Traceability Matrix
      • IT Landscape Diagram
    • Policies and Procedures
      • Project Management
      • Job Scheduling
      • ISO
    • Business Continuity
      • IT Infrastructure Management
      • Disaster Recovery
      • Backup and Recovery Procedures
  • 7. IT Control Objectives for SOX (the twelve COBIT process areas, as laid out on the slide)
    • Acquire and Maintain Application Software
    • Acquire and Maintain Technology Infrastructure
    • Enable Operations
    • Install and Accredit Solutions and Changes
    • Manage Changes
    • Define and Manage Service Levels
    • Manage Third Party Services
    • Ensure Systems Security
    • Manage the Configuration
    • Manage Problems and Incidents
    • Manage Data
    • Manage Operations
  • 8. Types of Controls
    • Entity Level Controls
      • Strategies and Plans
      • Policies and Procedures
      • Risk Assessment Activities
      • Training and Education
      • Quality Assurance
      • Internal Audit
    • Application Controls
      • Completeness
      • Accuracy
      • Existence / Authorization
      • Presentation / Disclosure
    • IT General Controls
      • Program Development
      • Program Changes
      • Access to Programs and Data
      • Computer Operations
  • 9. Control Documentation (forms the documentation can take)
    • Entity Policy Manuals
    • IT Policies and Procedures
    • Narratives
    • Procedural Write-ups
    • Flowcharts
    • Decision Tables
    • Completed Questionnaires
  • 10. Control Documentation
    • Entity Level
      • Assessment of entity level controls, including evidence to support the responses and opinions of management
    • Activity Level
      • Description of the processes and related sub-processes (may be in narrative form; more effective to illustrate as a flowchart)
      • Description of the risk associated with the process or sub-process, including an analysis of its impact and probability of occurrence
      • Statement of the control objective designed to reduce the risk of the process or sub-process to an acceptable level, and a description of its alignment to the COSO framework
      • Description of the control activity(ies) designed and performed to satisfy the control objective related to the process or sub-process. This should include the type of controls (preventive or detective) and the frequency with which they are performed
      • Description of the approach followed to confirm (test) the existence and operational effectiveness of the control activities
      • Conclusions reached about the effectiveness of controls, as a result of testing
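The deck stops at what the documentation must contain; the part an IT control owner actually has to produce is the test of operating effectiveness and its conclusion. The script below is an added example, not part of the original slides or the author's material, showing one way to automate that test for two of the IT general controls named under "Types of Controls": Program Changes (every change to a financial application approved before deployment by someone other than the implementer) and Access to Programs and Data (every granted role permitted by the application authorization matrix, with no segregation-of-duties conflict). The change records, ticket numbers, users, job functions, role names and the authorization matrix are all constructed for illustration and are not from any real system.

```python
# Added example, not part of the slide deck: automated tests of the operating
# effectiveness of two IT general controls from the "Types of Controls" slide,
# Program Changes and Access to Programs and Data, reported in the form the
# "Control Documentation" slide asks for (objective, test performed, conclusion).
# Every record, ticket number, user, job function and role below is constructed.
from datetime import datetime

# Constructed export from a change-management tool. Control objective: every
# change to a financial application is approved, before deployment, by someone
# other than the person who implemented it.
CHANGES = [
    {"id": "CHG-1001", "system": "GL", "implementer": "alice", "approver": "bob",
     "approved_at": "2024-03-01T09:00:00", "deployed_at": "2024-03-01T14:00:00",
     "status": "Approved"},
    {"id": "CHG-1002", "system": "AP", "implementer": "carol", "approver": "carol",
     "approved_at": "2024-03-02T10:00:00", "deployed_at": "2024-03-02T11:00:00",
     "status": "Approved"},  # implementer approved her own change
    {"id": "CHG-1003", "system": "GL", "implementer": "dave", "approver": "bob",
     "approved_at": "2024-03-04T16:00:00", "deployed_at": "2024-03-03T16:00:00",
     "status": "Approved"},  # approval recorded after the code was already live
    {"id": "CHG-1004", "system": "AP", "implementer": "alice", "approver": None,
     "approved_at": None, "deployed_at": "2024-03-05T08:30:00",
     "status": "Pending"},   # deployed with no approval at all
]


def check_program_changes(changes):
    """Return (change id, exception) for every change that fails the control."""
    findings = []
    for c in changes:
        if c["status"] != "Approved" or not c["approver"]:
            findings.append((c["id"], "deployed without approval"))
            continue
        if c["approver"] == c["implementer"]:
            findings.append((c["id"], "implementer approved own change"))
        approved = datetime.fromisoformat(c["approved_at"])
        deployed = datetime.fromisoformat(c["deployed_at"])
        if approved > deployed:
            findings.append((c["id"], "approval recorded after deployment"))
    return findings


# Constructed application authorization matrix: the roles each job function is
# permitted to hold on the AP and GL applications.
AUTHORIZATION_MATRIX = {
    "ap_clerk": {"AP.create_invoice", "AP.view"},
    "ap_manager": {"AP.approve_payment", "AP.view"},
    "gl_accountant": {"GL.post_journal", "GL.view"},
    "developer": {"AP.view", "GL.view"},  # read-only in production
}

# Role pairs that no single user may hold (segregation of duties).
SOD_CONFLICTS = [
    ("AP.create_invoice", "AP.approve_payment"),
    ("GL.post_journal", "AP.approve_payment"),
]

# Constructed extract of the roles actually granted, as pulled from the application.
ENTITLEMENTS = [
    {"user": "erin", "job": "ap_clerk",
     "roles": {"AP.create_invoice", "AP.view"}},
    {"user": "frank", "job": "ap_manager",
     "roles": {"AP.approve_payment", "AP.view", "AP.create_invoice"}},
    {"user": "alice", "job": "developer",
     "roles": {"GL.view", "GL.post_journal"}},  # developer can post journals
    {"user": "grace", "job": "gl_accountant",
     "roles": {"GL.post_journal", "GL.view"}},
]


def check_access_to_programs_and_data(entitlements, matrix, sod_conflicts):
    """Return (user, exception) for every grant outside the matrix or SoD rule."""
    findings = []
    for e in entitlements:
        allowed = matrix.get(e["job"], set())
        for role in sorted(e["roles"] - allowed):
            findings.append((e["user"], f"role {role} not authorized for job {e['job']}"))
        for a, b in sod_conflicts:
            if a in e["roles"] and b in e["roles"]:
                findings.append((e["user"], f"segregation of duties conflict: {a} with {b}"))
    return findings


def conclusion(findings, population):
    """The 'conclusions reached' entry: the control is effective only with zero exceptions."""
    return {"population": population, "exceptions": len(findings),
            "effective": not findings}


if __name__ == "__main__":
    for name, found, pop in [
        ("Program Changes", check_program_changes(CHANGES), len(CHANGES)),
        ("Access to Programs and Data",
         check_access_to_programs_and_data(ENTITLEMENTS, AUTHORIZATION_MATRIX, SOD_CONFLICTS),
         len(ENTITLEMENTS)),
    ]:
        print(name, conclusion(found, pop))
        for subject, why in found:
            print("  ", subject, "-", why)
```

Run against the constructed data, both controls come back ineffective: three change exceptions (self-approval, approval after deployment, no approval) and three access exceptions (a manager who can both raise and approve invoices, and a developer with journal-posting rights in production). In a real assessment the inputs would be the full-period change log and a point-in-time entitlement extract, the exception lists would be filed as the test evidence, and each exception would be traced to a remediation item in the roadmap's "Prioritize and Remediate Deficiencies" step.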