Understanding this course helps you get an idea of how the audit assessment is performed and where the focus lies. General controls make up a large percentage of the entire audit function and should be paid adequate attention during the session.
SUMMARY
1. Introduction
2. What is SOX?
3. Legal requirements for IT compliance
4. Methods of compliance
5. Frameworks
6. How can SOX be helpful?
7. Conclusions
www.techembro.com
@techembro
1. INTRODUCTION - INFORMATION TECHNOLOGY
- An important part of today's businesses
- Responsible for key business activities
- Maintains a correct accounting mechanism
SECURITY CONTROLS
"The best plan of action for SOX compliance is to have the correct security controls in place to ensure that financial data is accurate and protected against loss."
DATA PROTECTION AND COMPLIANCE
- Data classification enables:
  - security teams to monitor data more easily
  - enforcement of corporate policies for data handling
- Depending on its classification, data may need to be encrypted, compressed, or saved to a different file format.
COMPLIANCE AND AUDITS
"Being in SOX compliance and complying with other regulatory standards is nearly impossible without the correct security solutions in place."
3. LEGAL REQUIREMENTS FOR IT COMPLIANCE
1. Section 302:
Companies need to put in place systems that protect against data tampering, provide the ability to track timelines, and are able to determine who had access to data and when.
- Data tampering: Organizations need to ensure that their access controls are managed appropriately; a robust access control process is required. Additionally, businesses must make it difficult to access data without proper credentials (complex passwords…). Another part of preventing data tampering is ensuring that records can be recovered if they are lost.
- Timeline tracking: Section 302 compliance requires that companies keep track of when changes were made to data. In addition to knowing when a file was last modified, companies may also need to keep a log of when changes are made, what the changes were, and who made them.
- Ensuring safeguards are active and reporting on their effectiveness: Senior management is required to verify the effectiveness and functionality of safeguards and security systems within the 90 days prior to a financial report being made.
2. Section 404:
- Section 404 requires management to assess, and an external auditor to attest to, the effectiveness of internal controls over financial reporting. The requirement is often met by using a remote, web-based system that gives outside auditors access to verify that the structures and processes in place are appropriate and sufficient to meet the Section 302 requirements.
3. Section 409:
- Deliver timely disclosure: SOX compliance mandates the timely disclosure of any information that could affect a public company's financial performance.
4. Section 802:
- Ensure records retention: The IT team's role in SOX compliance is to preserve records (IMs, recorded calls discussing money, financial transactions…) with internal automated backup processes and to ensure the proper functioning of document management systems.
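To make the Section 302 points above concrete (knowing who changed a record, what changed and when, and being able to detect tampering after the fact), here is an added Python example that is not part of the original slides: a hash-chained change log in which every entry carries the hash of the previous one, so that an edit or deletion of an earlier entry is caught on verification. The names ChangeLog and ChangeRecord and the journal entries JE-1001 and JE-1002 are hypothetical, and the sample edits are constructed data.

```python
# Added example (not from the slides): hash-chained change log with tamper detection.
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class ChangeRecord:
    seq: int          # position in the log
    timestamp: str    # when the change was made (ISO-8601, UTC)
    actor: str        # who made the change
    record_id: str    # which financial record was touched (hypothetical IDs)
    field_name: str   # what was changed ...
    old_value: str    # ... from this value
    new_value: str    # ... to this value
    prev_hash: str    # entry_hash of the previous entry (the chain link)
    entry_hash: str   # SHA-256 over every field above


def _hash_body(body: dict) -> str:
    """SHA-256 of a canonical (sorted keys, compact) JSON encoding of the entry body."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class ChangeLog:
    def __init__(self) -> None:
        self.entries: List[ChangeRecord] = []  # append-only in normal operation

    def append(self, actor: str, record_id: str, field_name: str,
               old_value: str, new_value: str,
               timestamp: Optional[str] = None) -> ChangeRecord:
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "record_id": record_id, "field_name": field_name,
            "old_value": old_value, "new_value": new_value,
            "prev_hash": self.entries[-1].entry_hash if self.entries else GENESIS_HASH,
        }
        entry = ChangeRecord(**body, entry_hash=_hash_body(body))
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the newest entry; keep a copy outside the log to detect truncation."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify(self) -> Optional[int]:
        """Index of the first entry that fails the chain check, or None if intact."""
        expected_prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = dataclasses.asdict(entry)
            stored = body.pop("entry_hash")
            if entry.seq != i or entry.prev_hash != expected_prev or _hash_body(body) != stored:
                return i
            expected_prev = stored
        return None

    def timeline(self, record_id: str) -> List[str]:
        # Ordered history of one record: when, who, which field, old -> new
        return [f"{e.timestamp} {e.actor} {e.field_name}: {e.old_value} -> {e.new_value}"
                for e in self.entries if e.record_id == record_id]


def build_sample_log() -> ChangeLog:
    """Constructed sample data: three edits to two hypothetical journal entries."""
    log = ChangeLog()
    log.append("alice", "JE-1001", "amount", "1000.00", "1200.00", "2020-03-02T09:15:00+00:00")
    log.append("bob", "JE-1001", "approved", "false", "true", "2020-03-02T10:02:00+00:00")
    log.append("alice", "JE-1002", "amount", "500.00", "450.00", "2020-03-03T08:40:00+00:00")
    return log


def tamper_and_verify() -> dict:
    """What verify() reports for an intact log and for three kinds of after-the-fact edits."""
    results = {}
    intact = build_sample_log()
    anchored_head = intact.head_hash()  # copy held outside the log, e.g. by internal audit
    results["intact"] = intact.verify()
    # 1. Edit a value in place without touching its hash: entry 1 fails its own hash check.
    naive = build_sample_log()
    naive.entries[1] = dataclasses.replace(naive.entries[1], new_value="false")
    results["edited_value"] = naive.verify()
    # 2. Edit entry 1 and recompute its hash: entry 2's prev_hash no longer matches.
    clever = build_sample_log()
    body = {k: v for k, v in dataclasses.asdict(clever.entries[1]).items() if k != "entry_hash"}
    body["new_value"] = "false"
    clever.entries[1] = ChangeRecord(**body, entry_hash=_hash_body(body))
    results["edited_and_rehashed"] = clever.verify()
    # 3. Delete the newest entry: the remaining chain is self-consistent, so only the
    #    externally anchored head hash reveals the loss.
    truncated = build_sample_log()
    truncated.entries.pop()
    results["truncated"] = truncated.verify()
    results["truncated_head_matches_anchor"] = truncated.head_hash() == anchored_head
    return results
```

A chain like this evidences tampering; it does not prevent it. It catches truncation only when the latest entry hash is anchored somewhere the log's writers cannot change (a separate system, a signed record, or WORM storage), which is why the example compares the head hash against a copy taken earlier. Writes must also be forced through the log (by the application or a database trigger), and the log itself should be append-only, with access separated from the people who can edit the underlying financial records.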
4. METHODS OF COMPLIANCE
- There is no one-size-fits-all approach to complying with SOX requirements.
- It may be best for businesses to start by handling some tasks manually until it is determined whether they are actually effective.
- The initial costs of compliance can be high.
- The first step for companies is to do an audit.
- It is important that organizations verify that systems work as intended after changes are made, and that existing processes are still running correctly.
THIRD PARTIES AND SOX:
- Complying with SOX does not rule out having a third party handle IT issues for an organization, but any failure of a third party to comply with the standards set out by SOX will still be considered the fault and responsibility of the organization.
- When a company uses a third party to handle its IT services, it will still need to verify that the provider is in compliance with SOX regulations: either by obtaining an assurance report (such as a SOC 1 report) or by having the testing done by an outside consultant.
5. FRAMEWORKS
COSO and COBIT
- Help organizations determine how to manage and run business processes.
- Most companies end up using only COBIT or a combination of COSO and COBIT.
- COSO has the advantage of being a very robust framework for enterprise governance and risk management. However, COSO falls short in terms of IT planning.
- COBIT complements COSO, as it provides the IT considerations lacking in COSO; the two frameworks are so complementary that COBIT documentation refers to COSO.
PCAOB
- Created by SOX to develop auditing standards and to oversee and inspect the auditors of public companies, promoting best practices for assessing a company's internal controls.
- It is here that the specific SOX requirements for information security are spelled out.
- PCAOB publishes periodic recommendations and changes to the auditing process.
ITGI
- Dedicated to helping businesses meet their objectives without compromising information security.
- ITGI has independently published its own framework for SOX compliance, using both COBIT and COSO as guides.
- Unlike COBIT, the ITGI framework deals only with security issues.
There are many frameworks and structures that could be followed or adopted by organizations; the choice depends solely on the business area, the organization's specific interests, and a cost-efficient approach to selection.
6. HOW CAN SOX BE HELPFUL?
1. Risk Triage
- Complying with SOX benefits companies as it gives them a starting point for asset analysis.
- ISACA states that the most appropriate way to define the right scope and extent of testing for each SOX in-scope system is to perform a risk assessment specific to SOX's requirements and ITGC (IT general controls).
- These focused risk assessments allow you to understand the entire landscape of the organisation's controls.
2. Control Structure Strengthening
- SOX is helpful in the context of control structure, as SOX compliance includes better control awareness.
- SOX assessments also involve additional scrutiny to ensure that the financial reporting activities are well executed and well controlled.
- SOX compliance tackles problems that may occur as a company matures, at an early stage.
3. Better Audits
- More effective and efficient operations under SOX lead to better audit outcomes.
- With better internal audit outcomes, external auditors have a more efficient process.
- A more efficient process for the external auditor lowers overall audit costs and the cost of employee time when responding to external audit report results.
4. Efficient Financial Reporting
- The main goal of SOX was to provide transparency in financial reporting.
- Complying with SOX in financial reporting allows for more efficient financial reporting, and makes reporting easier as the organisation matures.
- More accurate financial reporting results in less time spent correcting mistakes.
5. Peak Operational Performance Early On
- Early SOX compliance benefits companies by instilling a sense of internal control.
- By requiring organisations to initiate controls at an early stage, SOX compliance benefits companies by requiring them to assess their starting points and their risk.
- Steve Guarini states a number of benefits of complying with SOX, among which are 'utilising a top-down approach to drive efficiency and effectiveness'.
6. Team Collaboration and Building Working Relationships
- SOX compliance requires deeper and more frequent collaboration among internal stakeholders.
- SOX provides the backdrop for building stronger working relationships among teams (e.g. internal auditors and those who oversee SOX assessments).
7. CONCLUSIONS
- Although there is a rise in the application of SOX by companies, and there can be a significant cost involved in doing so, studies from renowned firms clearly indicate that SOX application has led to an improvement in the performance of firms.
- One recent study, done by techembro in 2020 under the heading "Understanding the Costs and Benefits of SOX Compliance", showed that companies are spending more time and money but continue to improve their internal controls and business processes.