SOX-ITGC COMPLIANCE & PCI
www.techembro.com
@techembro
SUMMARY
1. Introduction
2. What is SOX?
3. Legal requirements for IT compliance
4. Methods of compliance
5. Frameworks
6. How can SOX be helpful?
7. Conclusions
1. INTRODUCTION - INFORMATION TECHNOLOGY
- An important part of modern businesses
- Responsible for the key business activities
- Maintains a correct accounting mechanism
ITGC
2. What is SOX?
GOALS
Why SOX?
MANAGEMENT RULES
SECURITY CONTROLS
“The best plan of action for SOX compliance is to have the correct security controls in place to ensure that financial data is accurate and protected against loss.”
DATA PROTECTION AND COMPLIANCE
- Data classification enables:
  - security teams to monitor data more easily
  - enforcement of corporate policies for data handling
- Depending on its classification, data may need to be encrypted, compressed, or saved to a different file format
COMPLIANCE AND AUDITS
“Being in SOX compliance and complying with other regulatory standards is nearly impossible without the correct security solutions in place”
3. LEGAL REQUIREMENTS FOR IT COMPLIANCE
1. Section 302:
Companies need to put in place systems that protect against data tampering, provide the ability to track timelines, and are able to determine who had access to data and when.
- Data tampering: Organizations need to ensure that their access controls are managed appropriately. A robust access control process is required. Additionally, businesses must ensure that it is difficult for people to access data without proper credentials (complex passwords…). Another part of preventing data tampering is ensuring that records can be recovered if they are lost.
- Timeline tracking: Section 302 compliance requires that companies keep track of when changes were made to data. In addition to knowing when a file was last modified, companies may also need to keep a log of when changes are made, what the changes were, and who made the changes.
- Ensuring safeguards are active and reporting on their effectiveness: Senior management is required to verify the effectiveness and functionality of safeguards and security systems in the 90 days prior to a financial report being made.
2. Section 404:
- Section 404 requirements are often met by using a remote, web-based system that allows access to outsiders, which allows them to verify that the structures and processes in place are appropriate and sufficient to meet Section 302 requirements.
3. Section 409:
- Deliver timely disclosure: SOX compliance mandates the timely disclosure of any information that could affect a public company's financial performance.
4. Section 802:
- Ensure records retention: The IT team's role in SOX compliance is to preserve records (IMs, recorded calls discussing money, financial transactions…) with internal automated backup processes and to ensure the proper function of document management systems.
4. METHODS OF COMPLIANCE
- There is no one-size-fits-all approach to complying with SOX requirements.
- It may be best for businesses to start handling some tasks manually until it is determined whether they are actually effective.
- The initial costs of compliance can be high.
- The first step for companies is to do an audit.
- It is important that organizations verify that systems work as intended after changes are made, and that existing processes are still running correctly.
THIRD PARTY AND SOX:
- Complying with SOX does not rule out having a third party handle IT issues for an organization, but any failures of a third party to comply with standards set out by SOX will still be considered the fault and responsibility of the organization.
- When a company uses a third party to handle its IT services, it will still need to verify that the provider is in compliance with SOX regulations, either through an assurance report or by having the testing done by an outside consultant.
5. FRAMEWORKS
COSO and COBIT
- Help organizations determine how to manage and run business processes.
- Most companies end up using only COBIT or a combination of COSO and COBIT.
- COSO has the advantage of being a very robust framework for enterprise governance and risk management. However, COSO falls short in terms of IT planning.
- COBIT complements COSO, as it provides the IT considerations lacking in COSO; the two frameworks are so complementary that COBIT documentation refers to COSO.
PCAOB
- Created to develop auditing standards and train auditors on the best practices for assessing a company’s internal controls.
- It is here that the specific SOX requirements for information security are spelled out.
- PCAOB publishes periodic recommendations and changes to the auditing process.
ITGI
- Dedicated to helping businesses meet their objectives without compromising information security.
- ITGI has independently published its own framework for SOX compliance, using both COBIT and COSO as guides.
- Unlike COBIT, the ITGI framework deals only with security issues.
There are many frameworks and structures that could be followed or adopted by organizations; the choice depends solely on the business area, the organization's specific interests, and a cost-efficient approach to selection.
6. HOW CAN SOX BE HELPFUL?
1. Risk Triage
- Complying with SOX benefits companies as it gives them a starting point for asset analysis.
- ISACA states that the most appropriate way to define the right scope and extent of testing for each SOX in-scope system is to perform a risk assessment specific to SOX’s requirements and ITGC.
- These focused risk assessments allow you to understand the entire landscape of the organisation’s controls.
2. Control Structure Strengthening
- SOX is helpful in the context of control structure, as SOX compliance includes better control awareness.
- SOX assessments also involve additional scrutiny to ensure that the financial reporting activities are well-executed and well-controlled.
- SOX compliance tackles, at an early stage, problems that may occur as a company matures.
3. Better Audits
- More effective and efficient operations under SOX lead to better audit outcomes.
- With better internal audit outcomes, external auditors have a more efficient process.
- A more efficient process for the external auditor lowers overall audit costs and the cost of employee time when responding to external audit report results.
4. Efficient Financial Reporting
- The main goal of SOX was to provide transparency in financial reporting.
- Complying with SOX in financial reporting allows for more efficient financial reporting, and makes reporting easier as the organisation matures.
- More accurate financial reporting results in less time spent correcting mistakes.
5. Peak Operational Performance Early On
- Early SOX compliance benefits companies by instilling a sense of internal control.
- By requiring organisations to initiate controls at an early stage, SOX compliance benefits companies by requiring them to assess their starting points and their risk.
- Steve Guarini states a number of benefits of complying with SOX, among which are ‘utilising a top-down approach to drive efficiency and effectiveness’.
6. Team Collaboration and Building Working Relationships
- SOX compliance requires deeper and more frequent collaboration among internal stakeholders.
- SOX provides the backdrop for building stronger working relationships among teams (e.g. internal auditors and those who oversee SOX assessments).
7. CONCLUSIONS
- Although there is a rise in the application of SOX by companies, and there could be a special cost involved in the process of doing so, studies from renowned firms clearly indicate that SOX application has led to improvement in the performance of firms.
- One of the recent studies, done by techembro in 2020 under the heading “Understanding the Costs and Benefits of SOX Compliance”, showed that companies are spending more time and money but continue improving their internal costs and business processes.

Auditing SOX ITGC Compliance

  • 2. SUMMARY 1.Introduction 2.What is SOX? 3.Legal requirements for IT compliance 4.Methods of compliance 5.Frameworks 6.How can be SOX Helpful 7.Conclusions www.techembro.com @techembro
  • 3. 1. INTRODUCTION - INFORMATION TECHNOLOGY Important part of the recent businesses Responsible for the key business activities Maintain a correct accounting mechanism www.techembro.com @techembro
  • 5. 2. What is SOX? SOX www.techembro.com @techembro
  • 9. SECURITY CONTROLS “The best plan of action for SOX compliance is to have the correct security controls in place to ensure that financial data is accurate and protected against loss. “ www.techembro.com @techembro
  • 10. DATA PROTECTION AND COMPLIANCE - Data classification enables: - security teams to more easily monitor - enforce corporate policies for data handling - It may need to be encrypted, compressed, or saved to a different file format www.techembro.com @techembro
  • 11. Compliance AndAudits “Being in SOX compliance and complying with other regulatory standards is nearly impossible without the correct security solutions in place” www.techembro.com @techembro
  • 12. 3. LEGAL REQUIREMENTS FOR IT COMPLIANCE 1.Section 302: Companies need to put in place systems that protect against data tampering, provide the ability to track timelines and are able to determine who had access to data and when. -Data Tampering:. Organizations need to ensure that their access controls are managed appropriately. A robust access control process is required. Additionally, businesses must ensure that it is difficult for people to access data without proper credentials (complex passwords…). Another part of preventing data tampering is ensuring that records can be recovered if they are lost. www.techembro.com @techembro
  • 13. - Timeline tracking: Section 302 compliance requires that companies keep track of when changes were made to data. In addition to knowing when a file was last modified, companies may also need to keep a log of when changes were made, what the changes were and who made them. - Ensuring safeguards are active and reporting on their effectiveness: Senior management is required to verify the effectiveness and functionality of safeguards and security systems in the 90 days prior to a financial report being made. 2. Section 404: Section 404 requirements are often met by using a remote, web-based system that gives outsiders access so they can verify that the structures and processes in place are appropriate and sufficient to meet Section 302 requirements.
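The Section 302 points above (a log of who changed what and when, detection of tampering with that log, and verification of safeguards inside the 90-day window before a report) can be illustrated with a small hash-chained change log. This is an added example, not code from the techembro slides; the record names, users and dates are constructed.

```python
# Added illustration, not from the techembro slides: a hash-chained change log
# with the Section 302 fields (who, what, when), a check that detects edits made
# outside the log, and a check of the 90-day safeguard window. Names are hypothetical.
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64  # hash value the first entry chains to

def entry_hash(prev_hash, body):
    """Each entry commits to the previous hash, so a silent edit breaks the chain."""
    payload = prev_hash + json.dumps(body, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_change(log, who, record, old, new, when):
    """Append one change record: who changed which record, from what to what, when."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"who": who, "record": record, "old": old, "new": new, "when": when}
    log.append({**body, "hash": entry_hash(prev_hash, body)})
    return log[-1]

def first_broken_entry(log):
    """Return the index of the first entry whose chain does not verify, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["hash"] != entry_hash(prev_hash, body):
            return i
        prev_hash = entry["hash"]
    return None

def safeguards_verified(test_dates, report_date, window_days=90):
    """True only if every safeguard test date lies within window_days before the report."""
    earliest = report_date - timedelta(days=window_days)
    return all(earliest <= d <= report_date for d in test_dates)

def demo():
    """Constructed sample data: two legitimate changes, then one edit made outside the log."""
    log = []
    append_change(log, "alice", "GL-4410", "12000.00", "12500.00", "2020-03-02T09:14:00Z")
    append_change(log, "bob", "GL-4410", "12500.00", "12550.00", "2020-03-05T16:40:00Z")
    intact = first_broken_entry(log)      # None: the chain verifies
    log[0]["new"] = "19500.00"            # tampering that bypasses append_change
    broken = first_broken_entry(log)      # 0: the first entry no longer verifies
    in_window = safeguards_verified(
        [date(2020, 2, 20), date(2020, 3, 10)], date(2020, 3, 31))  # both inside 90 days
    return intact, broken, in_window
```

Recomputing a tampered entry's hash only moves the break to the next entry; the chain resists a full rewrite only if its latest hash is anchored somewhere the log writers cannot modify (write-once storage or an external audit system).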
  • 14. 3. Section 409 - Deliver timely disclosure: SOX compliance mandates the timely disclosure of any information that could affect a public company's financial performance. 4. Section 802 - Ensure records retention: The IT team's role in SOX compliance is to preserve records (IMs, recorded calls discussing money, financial transactions…) with internal automated backup processes and to ensure the proper function of document management systems.
  • 15. 4. METHODS OF COMPLIANCE - There is no one-size-fits-all approach to complying with SOX requirements. - It may be best for businesses to start handling some tasks manually until it is determined whether they are actually effective. - The initial costs of compliance can be high. - The first step for companies is to do an audit. - It is important that organizations verify that systems work as intended after changes are made, and that existing processes are still running correctly.
  • 16. THIRD PARTY AND SOX: - Complying with SOX does not rule out having a third party handle IT issues for an organization, but any failure of a third party to comply with standards set out by SOX will still be considered the fault and responsibility of the organization. - When a company uses a third party to handle its IT services, it will still need to verify that the third party is in compliance with SOX regulations, via an assurance report or by having the testing done by an outside consultant.
  • 18. 5. FRAMEWORKS - COSO and COBIT: Help organizations determine how to manage and run business processes. Most companies end up using only COBIT or a combination of COSO and COBIT. COSO has the advantage of being a very robust framework for enterprise governance and risk management; however, COSO falls short in terms of IT planning. COBIT complements COSO, as it provides the IT considerations lacking in COSO; the two frameworks are so complementary that COBIT documentation refers to COSO. - PCAOB: Created to develop auditing standards and train auditors on the best practices for assessing a company’s internal controls. It is here that the specific SOX requirements for information security are spelled out. PCAOB publishes periodic recommendations and changes to the auditing process. - ITGI: Dedicated to helping businesses meet their objectives without compromising information security. ITGI has independently published its own framework for SOX compliance, using both COBIT and COSO as guides. Unlike COBIT, the ITGI framework deals only with security issues. - There are many frameworks and structures that could be followed or adopted by organizations; the choice depends solely on the business area, the specific interests involved and a cost-efficient approach to selection.
  • 19. 6. HOW CAN SOX BE HELPFUL? 1. Risk triage - Complying with SOX benefits companies as it gives them a starting point for asset analysis. - ISACA states that the most appropriate way to define the right scope and extent of testing for each SOX in-scope system is to perform a risk assessment specific to SOX’s requirements and ITGC. - These focused risk assessments allow you to understand the entire landscape of the organisation’s controls. 2. Control structure strengthening - SOX is helpful in the context of control structure, as SOX compliance includes better control awareness. - SOX assessments also involve additional scrutiny to ensure that the financial reporting activities are well executed and well controlled. - SOX compliance tackles problems that may occur as a company matures, at an early stage. 3. Better audits - More effective and efficient operations under SOX lead to better audit outcomes. - With better internal audit outcomes, external auditors have a more efficient process. - A more efficient process for external auditors lowers overall audit costs and the cost of employee time when responding to external audit report results.
  • 20. 4. Efficient financial reporting - The main goal of SOX was to provide transparency in financial reporting. - Complying with SOX in financial reporting allows for more efficient financial reporting, and makes reporting easier as the organisation matures. - More accurate financial reporting results in less time spent correcting mistakes. 5. Peak operational performance early on - Early SOX compliance benefits companies by instilling a sense of internal control. - By requiring organisations to initiate controls at an early stage, SOX compliance benefits companies by requiring them to assess their starting points and their risk. - Steve Guarini states a number of benefits of complying with SOX, among which are ‘utilising a top-down approach to drive efficiency and effectiveness’. 6. Team collaboration and building working relationships - SOX compliance requires deeper and more frequent collaboration among internal stakeholders. - SOX provides the backdrop for building stronger working relationships among teams (e.g. internal auditors and those who oversee SOX assessments).
  • 21. 7. CONCLUSIONS - Although there is a rise in the application of SOX by companies and there can be a specific cost involved in doing so, studies from renowned firms clearly indicate that SOX application has led to better performance of firms. - One recent study, done by techembro in 2020 under the heading “Understanding the Costs and Benefits of SOX Compliance”, showed that companies are spending more time and money but continue improving their internal costs and business processes.