国外简约大气的PPT模板

TheImportanceofITControlstoSarbanes-OxleyCompliance.,ImportanceofITControlstoSarbanes-Oxley,2,Provideahigh-leveloverviewofSarbanes-OxleyandtheinternalcontrolcertificationrequirementsDiscusstheimportanceofinformationtechnologyininternalcontroloverfinancialreportingDescribehowtheSarbanes-Oxleysection404rulesimpactinformationtechnologyProvideanoverviewoftheCobitITcontrolframeworkProvideanexampleofareadinessprogramroadmapSummarizetheimportanceandimpactofITcontrolstoSarbanes-Oxleycompliance,TodaysObjectives,ImportanceofITControlstoSarbanes-Oxley,3,SettingtheStage,ImportanceofITControlstoSarbanes-Oxley,4,SettingtheStage,Whatisinternalcontrol?Internalcontrolisbroadlydefinedasaprocess,effectedbyanentitysboardofdirectors,managementandotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesinthefollowingcategories:EffectivenessandefficiencyofoperationsReliabilityoffinancialreportingCompliancewithapplicablelawsandregulationsInternalcontrolisnowtheLawTheSarbanes-OxleyActof2002wascreatedtorestoreinvestorconfidenceinthepublicmarketsSection404oftheActrequiresmanagementtoestablishandmaintaininternalcontrolandrequirestheindependentauditorstoevaluateCompliancedeadline:Year-endsonorafterNovember15,2004PreparingforSarbanes-OxleycomplianceisasignificantandchallengingtaskTherearemanyrequirements,includingtheidentificationofsignificantfinancialstatementaccounts,processesandsystemsthatsupportthemandthendocumentingandtestingthem,ImportanceofITControlstoSarbanes-Oxley,5,OverviewofInternalControlCertificationRequirements,Section302CertificationOverviewCEOandCFOtomakespecificcertificationsasoftheendofeachquarterlyandannualreportingperiod,including:ReportcontainsnountruestatementsReportisfairlypresentedinallmaterialrespectsResponsibilityfordesignandmaintenanceofdisclosurecontrolsandproceduresaswellasinternalcontrolsoverfinancialreportingBecameeffectivein2002(amendedinJune2003),Section404CertificationOverviewCEOandCFOtocertifyasoftheendofeveryannualreportingperiod:TheirresponsibilityforestablishingandmaintainingeffectiveinternalcontrolsoverfinancialreportingTheirassessmentofinternalcontrols,accompaniedbytheindependentauditorsattestationreportEffectiveforannualperiodsendingafterNovember15,2004(smallbusinessandforeignfilersJuly15,2005).,ImportanceofITControlstoSarbanes-Oxley,6,UnderstandingtheRulesImpacttoIT,ImportanceofITControlstoSarbanes-Oxley,7,UnderstandingtheRulesImpacttoIT,Managementisrequiredtoassessthedesignandeffectivenessofitsinternalcontroloverfinancialreportingandprovideanassertiontothateffectinthepublishedfinancialstatements.Thecompanysexternalauditorsarerequiredtoexpressanopiniononmanagementsassessmentaswelltheirownopiniononthecompanysinternalcontrols.,Auditormustperformawalkthroughofmajorclassesoftransactionsforsignificantprocessestounderstandprocessflows,andassessthedesignandeffectivenessofcontrolsincludingapplicationandITgeneralcontrols.EvaluatethedesigneffectivenessofITcontrolstodeterminewhethertheyareproperlydesignedtoachieverelevantassertions.PerformtestsoftheoperatingeffectivenessofITcontrolsthatarenecessarytoachieverelevantassertions.,KeyComplianceRequirements,ImpacttoITControls,ImportanceofITControlstoSarbanes-Oxley,8,(paragraph47)“Theauditorshouldobtainanunderstandingofthedesignofspecificcontrolsbyapplyingproceduresthatincludetracingtransactionsthroughtheinformationsystemrelevanttofinancialreporting”(paragraph73)“Mostprocessesinvolveaseriesoftaskssuchascapturinginputdata,sortingandmergingdata,makingcalculations,updatingtransactionsandmasterfiles,generatingtransactions,andsummarizinganddisplayingorreportingdata.Theprocessingproceduresrelevantfortheauditortounderstandtheflowoftransactionsgenerallyarethoseactivitiesrequiredtoinitiate,authorize,record,processandreporttransactions.”,ThePCAOBrulesareclear-auditorsmustunderstandhowtransactionsflowthroughthesystemnotaroundit,UnderstandingtheRulesImpacttoITcontd,ImportanceofITControlstoSarbanes-Oxley,9,(paragraph69)“TheauditorshouldidentifyeachsignificantprocessovereachmajorclassoftransactionsaffectingsignificantaccountsorgroupsofaccountsandUnderstandtheflowoftransactions,includinghowtransactionsareinitiated,authorized,recorded,processed,andreported.Identifythepointswithintheprocessatwhichamisstatementincludingamisstatementduetofraudrelatedtoeachrelevantfinancialstatementassertioncouldarise.Identifythecontrolsthatmanagementhasimplementedtoaddressthesepotentialmisstatements.Identifythecontrolsthatmanagementhasimplementedoverthepreventionortimelydetectionofunauthorizedacquisition,use,ordispositionofthecompanysassets.,PCAOBstatementsapplicabletoApplicationControls:,UnderstandingtheRulesImpacttoITcontd,ImportanceofITControlstoSarbanes-Oxley,10,(paragraph40)“DeterminingwhichcontrolsshouldbetestedGenerally,suchcontrolsincludeinformationtechnologygeneralcontrols,onwhichothercontrolsaredependent”(paragraph50)“Somecontrolshaveapervasiveeffectontheachievementofmanyobjectivesforexample,informationtechnologygeneralcontrolsoverprogramdevelopment,programchanges,computeroperations,andaccesstoprogramsanddata”,PCAOBstatementsapplicabletoITGeneralControls:,UnderstandingtheRulesImpacttoITcontd,ImportanceofITControlstoSarbanes-Oxley,11,TheImportanceofInformationTechnologyinInternalControloverFinancialReporting,ImportanceofITControlstoSarbanes-Oxley,12,Formostorganizations,ITispervasiveandcriticaltothefinancialreportingprocessFinancialandroutinebusinessapplicationsarecommonlyusedtoinitiate,authorize,record,processandreporttransactionsRelevantITcontrolsincludeapplicationcontrols-thosethatareembeddedinfinancialandbusinessapplicationsgeneralcomputercontrolsunderlyinginfrastructurecomponentsthatsupporttheapplicationsStatementsmadebythePublicCompanyAccountingandOversightBoard(PCAOB)ontheimpactofIT(paragraph75):“Thenatureandcharacteristicsofacompanysuseofinformationtechnologyinitsinformationsystemaffectthecompanysinternalcontroloverfinancialreporting”,TheImportanceofInformationTechnology(IT)inInternalControloverFinancialReporting,ImportanceofITControlstoSarbanes-Oxley,13,ApplicationControls,SoD,Dataintegrity,Completeness,Validation,GeneralComputingControls,InformationSecurity,Operations,DatabaseImpl.Theimportanceofinformationtechnologyinthedesign,implementationandsustainabilityofinternalcontrol”Thepublicationistheresultofajointeffortofindustryandauditors,withleadershipfromDeloitteandothersTheITGIisarecognizedgloballeaderinITgovernance,controlandassurancewithmembersinmorethan100countries,ImportanceofITControlstoSarbanes-Oxley,17,PCAOBdesignatesCOSOastheprescribedstandardcontrolframeworkandhasbecomethecontrolframeworkofchoiceforSOXcomplianceAll5layersmustbeconsideredwhenevaluatinginternalcontrolHowever,COSOdoesnotprovidespecificguidancearoundITcontrol.CobiTisawidelyacceptedITcontrolframework(ITGI)CobiTprovides4domainsofITcontrolCobiTcontrolsaddressthe5layersofCOSOWiththedevelopmentofthisapproach,organizationscanbeconfidentthattheyaretakinganapproachthatreflectsCOSOrequirements,COBITAModelforGeneralComputerControlscontd,ImportanceofITControlstoSarbanes-Oxley,18,TheITGIpublicationprovidesguidancetoITprofessionalsonhowtomeettheSarbanes-OxleychallengeDetailedcontrolobjectivesareprovidedforeachCobiTdomainandmappedtotheirrespectiveCOSOcomponentOthercontrolguidelineswerereviewedandreconciledtothisapproachduringthedevelopmentprocess,includingISO17799,CommonCriteria,ITIL,andSysTrustOrganizationsshouldassesstheirrequirementsonanindividualbasisandtailortheirapproachaccordingly,COSOComponents,CobiTObjectives,COBITAModelforGeneralComputerControlscontd,ImportanceofITControlstoSarbanes-Oxley,19,TheCobiTSOAframeworkidentifiedasub-setoftheseareasforthepurposeoffocusingonSOArequirementsCompanylevel:Planninglackofsegregationofduties;inadequateapprovalofaccess;theywillbetestingkeyprocessestodeterminethattheyareeffectiveChangeControlNeedtoensurethatproceduresareinplacetocontrolandensureproperapprovalofchangestoproductionTechnicalcontrolsmusttightlylimitandcontroldeveloperaccesstoproductionDisasterRecoveryFocuswillbeonbasicbackupandrecoverabilityoffinancialdataITGovernanceFocuswillbeondeterminingofthereareclearpolicies,procedures,andcommunicationswithinITArethereclearsegregationofduties?Istheretheappropriate“toneatthetop”oftheITorganization?DevelopmentAndImplementationActivitiesPropercontrolsneedtobebuiltinbeforeanewsystemorsystemchangesgointheproductionenvironmentAuditorsmayevaluatenewfinancialsystems;dataconversionandtestingarecritical,ImportanceofITControlstoSarbanes-Oxley,21,MostCommonITControlGapsToRemediate,Changecontrolprocessesnotfullyinplace(especiallyindistributedorwebbasedenvironments)Securityprocedures,strategies,andprofilestructuresnotdocumentedforcriticalapplications.Organizationalsecuritypolicies,procedures,androlesandresponsibilitygaps.SecurityadministrationprocedureslackappropriatecontrolsorconsistencyInadequatecontrolstodeleteorchangeaccesswhenindividualleavesofchangesjobresponsibilities(especiallycontractors)InadequateapprovalofaccesschangesAccesslevelsnotregularlyreviewedandapprovedbymanagementExcessiveaccesstosystemsPrivilegedaccesstooperatingsystem,database,andapplicationenvironmentInadequatesegregationofdutiesApplicationdevelopersandDBAshaveaccesstoproductionInfrastructuresupportingapplicationsisnotsecure(network,operatingsystem,database)ITcontrolsnotintegratedintokeybusinessprocesses(e.g.SDLC,changecontrol,compliance,testinganddataconversionprocedures)Lackofaregularprocesstoverifythatcontrolscontinuetobeadequateandeffective(atleastquarterly)Nolongtermstrategytoevaluateandaddressrisks,Theareasthatwillgethithardestaresecurityandchangecontrol,ImportanceofITControlstoSarbanes-Oxley,22,ITControlReadinessRoadmap,ImportanceofITControlstoSarbanes-Oxley,23,SOAReadinessRoadmap,PreparingforSOX404requiresastructuredandmeasuredapproach,otherwiseyouwillfindyourselfdoing“toomuch”or“toolittle”ThecurrentPCAOBrulesrequireauditorstoatteston“managementassessmentprocess”Assuch,thereadinessroadmapthatmanyorganizationsarefollowingdemonstratestheassessmentprocessthroughaseriesofstepsandactivitiesthataligntothePCAOBrules,ImportanceofITControlstoSarbanes-Oxley,24,SOAReadinessRoadmap,BusinessValue,Sarbanes-OxleyITCompliance,1.Planhowever,Sarbanes-Oxleymayrequireadditionalformalizationandsignificanteffortstodocumentandtest.CompaniesshouldensureIThasanactiveroleinSarbanes-Oxleyefforts:ParticipateonthecompliancesteeringcommitteeUnderstandthefinancialreportingprocessandcommunicatethedependencyonIT(applications,infrastructure,security,etc.)EstablishITsroleinensuringadequatecontrolsoverthefinancialreportingprocessDocumentITrisksandcontrolsrelatedtothefinancialreportingprocessRegularlytestcontrolsandremediatesignificantweaknessesEstablishmonitoringactivitiestoensuretheeffectivenessofITcontrolsovertime,ImportanceofITControlstoSarbanes-Oxley,36,ForMoreInformation:,TimOkrie,CPASeniorManager,Deloitte&TouchePhone:1-312-946-2801Email:tokrie,2