Sarbanes-Oxley (SOX) compliance
The Role of IT in the design and implementation of Internal Control over Financial Reporting
Mahesh Patwardhan
SOX
• The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States federal law enacted on July 30, 2002. It is named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.
• The act was passed in reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
• These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets. The act was passed to safeguard investors and restore confidence in the securities markets.
• The gist of the act is that a company's top management must certify the effectiveness of internal control over financial reporting, supported by management's own assessment and by internal and external audit, covering every system that impacts financial reporting.
Definitions
• COSO: Committee of Sponsoring Organizations of the Treadway Commission
  • Model for evaluating internal controls
  • Generally accepted framework for internal control
  • Definitive standard against which organizations measure the effectiveness of internal controls
• Internal Control: a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
• Five components of an internal control system:
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
IT Compliance Roadmap
Plan and Scope IT Controls
Assess IT Risk
Document Controls
Evaluate Control Design and Operating Effectiveness
Prioritize and Remediate Deficiencies
Internal Control Framework
Control Environment
• Integrity and Ethical Values
• Commitment to competence
• Board of Directors and audit committee
• Managements Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Procedures
Risk Assessment
• Company-wide objectives
• Process-level objectives
• Risk Identification and Analysis
• Managing Change
Control Activities
• Policies and Procedures
• Security (Applications and Network)
• Application Change Management
• Business Continuity / Backups
• Outsourcing
Information and Communication
• Quality of Information
• Effectiveness of Communication
Monitoring
• Ongoing Monitoring
• Separate Evaluations
• Reporting Deficiencies
Control Activities
Policies and Procedures
• IT Security Policy
• IT Access Control Policy
• IT Appropriate Usage Policy
• Email / Internet Policy
• End-User Computing
Security (Applications and Network)
• Application Authorization Matrix
• End-User Computing Traceability Matrix
• IT Landscape Diagram
• ISO
Application Change Management
• Project Management
Business Continuity
• IT Infrastructure Management
• Disaster Recovery
• Backup and Recovery Procedures
• Job Scheduling
IT Control Objectives for SOX
Acquire and Maintain Application Software
Acquire and Maintain Technology Infrastructure
Enable Operations
Install and accredit solutions and changes
Manage Changes
Define and Manage Service Levels
Manage Third Party Services
Ensure Systems Security
Manage the Configuration
Manage Problems and Incidents
Manage Data
Manage Operations
Types of Controls
Entity Level Controls
• Strategies and Plans
• Policies and Procedures
• Risk Assessment Activities
• Training and Education
• Quality Assurance
• Internal Audit
Application Controls
• Completeness
• Accuracy
• Existence/Authorization
• Presentation/Disclosure
IT General Controls
• Program Development
• Programs Changes
• Access to Programs and Data
• Computer Operations
Control Documentation
Entity Policy Manuals
IT Policies and Procedures
Narratives
Flowcharts
Decision Tables
Procedural Write-ups
Completed Questionnaires
Control Documentation
Entity Level
• Assessment of entity level controls including evidence to support the responses and opinions of management
Activity Level
• Description of the processes and related sub-processes (may be in narrative form, more effective to illustrate as a flowchart)
• Description of the risk associated with the process or subprocess, including an analysis of its impact and probability of occurrence
• Statement of the control objective designed to reduce the risk of the process or subprocess to an acceptable level and a description of its alignment to the COSO framework.
Activity Level
• Description of the control activity(ies) designed and performed to satisfy the control objective related to the process or subprocess. This should include the type of controls (preventive or detective) and the frequency they are performed.
• Description of the approach followed to confirm (test) the existence and operational effectiveness of the control activities.
• Conclusions reached about the effectiveness of controls, as a result of testing.