版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
TheImportanceofITControlsto
Sarbanes-OxleyCompliance.
1ImportanceofITControlstoSarbanes-OxleyProvideahigh-leveloverviewofSarbanes-OxleyandtheinternalcontrolcertificationrequirementsDiscusstheimportanceofinformationtechnologyininternalcontroloverfinancialreportingDescribehowtheSarbanes-Oxleysection404rulesimpactinformationtechnologyProvideanoverviewoftheCobitITcontrolframeworkProvideanexampleofareadinessprogramroadmapSummarizetheimportanceandimpactofITcontrolstoSarbanes-OxleycomplianceToday’sObjectives2ImportanceofITControlstoSarbanes-OxleySettingtheStage3ImportanceofITControlstoSarbanes-OxleySettingtheStageWhatisinternalcontrol?Internalcontrolisbroadlydefinedasaprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesinthefollowingcategories:EffectivenessandefficiencyofoperationsReliabilityoffinancialreportingCompliancewithapplicablelawsandregulationsInternalcontrolisnowtheLawTheSarbanes-OxleyActof2002wascreatedtorestoreinvestorconfidenceinthepublicmarketsSection404oftheActrequiresmanagementtoestablishandmaintaininternalcontrol–andrequirestheindependentauditorstoevaluateCompliancedeadline:Year-endsonorafterNovember15,2004PreparingforSarbanes-OxleycomplianceisasignificantandchallengingtaskTherearemanyrequirements,includingtheidentificationofsignificantfinancialstatementaccounts,processesandsystemsthatsupportthemandthendocumentingandtestingthem4ImportanceofITControlstoSarbanes-OxleyOverviewofInternalControlCertificationRequirementsSection302CertificationOverview
CEOandCFOtomakespecificcertificationsasoftheendofeachquarterlyandannualreportingperiod,including:ReportcontainsnountruestatementsReportisfairlypresentedinallmaterialrespectsResponsibilityfordesignandmaintenanceofdisclosurecontrolsandproceduresaswellasinternalcontrolsoverfinancialreportingBecameeffectivein2002(amendedinJune2003)Section404CertificationOverview
CEOandCFOtocertifyasoftheendofeveryannualreportingperiod:TheirresponsibilityforestablishingandmaintainingeffectiveinternalcontrolsoverfinancialreportingTheirassessmentofinternalcontrols,accompaniedbytheindependentauditors’attestationreportEffectiveforannualperiodsendingafterNovember15,2004(smallbusinessandforeignfilersJuly15,2005).5ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoIT
6ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoITManagementisrequiredtoassessthedesignandeffectivenessofitsinternalcontroloverfinancialreportingandprovideanassertiontothateffectinthepublishedfinancialstatements.Thecompany’sexternalauditorsarerequiredtoexpressanopiniononmanagement’sassessmentaswelltheirownopiniononthecompany’sinternalcontrols.Auditormustperformawalkthroughofmajorclassesoftransactionsforsignificantprocessestounderstandprocessflows,andassessthedesignandeffectivenessofcontrolsincludingapplicationandITgeneralcontrols.EvaluatethedesigneffectivenessofITcontrolstodeterminewhethertheyareproperlydesignedtoachieverelevantassertions.PerformtestsoftheoperatingeffectivenessofITcontrolsthatarenecessarytoachieverelevantassertions.KeyComplianceRequirementsImpacttoITControls7ImportanceofITControlstoSarbanes-Oxley(paragraph47)
“Theauditorshouldobtainanunderstandingofthedesignofspecificcontrolsbyapplyingproceduresthatinclude…tracingtransactionsthroughtheinformationsystemrelevanttofinancialreporting”
(paragraph73)
“Mostprocessesinvolveaseriesoftaskssuchascapturinginputdata,sortingandmergingdata,makingcalculations,updatingtransactionsandmasterfiles,generatingtransactions,andsummarizinganddisplayingorreportingdata.Theprocessingproceduresrelevantfortheauditortounderstandtheflowoftransactionsgenerallyarethoseactivitiesrequiredtoinitiate,authorize,record,processandreporttransactions.”ThePCAOBrulesareclear-auditorsmustunderstandhowtransactionsflowthroughthesystem…notarounditUnderstandingtheRulesImpacttoITcont’d8ImportanceofITControlstoSarbanes-Oxley(paragraph69)
“Theauditorshouldidentifyeachsignificantprocessovereachmajorclassoftransactionsaffectingsignificantaccountsorgroupsofaccountsand…Understandtheflowoftransactions,includinghowtransactionsareinitiated,authorized,recorded,processed,andreported.Identifythepointswithintheprocessatwhichamisstatement–includingamisstatementduetofraud–relatedtoeachrelevantfinancialstatementassertioncouldarise.Identifythecontrolsthatmanagementhasimplementedtoaddressthesepotentialmisstatements.Identifythecontrolsthatmanagementhasimplementedoverthepreventionortimelydetectionofunauthorizedacquisition,use,ordispositionofthecompany'sassets.
PCAOBstatementsapplicabletoApplicationControls:UnderstandingtheRulesImpacttoITcont’d9ImportanceofITControlstoSarbanes-Oxley (paragraph40)
“Determiningwhichcontrolsshouldbetested…Generally,suchcontrolsinclude…informationtechnologygeneralcontrols,onwhichothercontrolsaredependent” (paragraph50)
“Somecontrolshaveapervasiveeffectontheachievementofmanyobjectives…forexample,informationtechnologygeneralcontrolsoverprogramdevelopment,programchanges,computeroperations,andaccesstoprogramsanddata”PCAOBstatementsapplicabletoITGeneralControls:UnderstandingtheRulesImpacttoITcont’d10ImportanceofITControlstoSarbanes-OxleyTheImportanceof
InformationTechnologyinInternalControloverFinancialReporting
11ImportanceofITControlstoSarbanes-OxleyFormostorganizations,ITispervasiveandcriticaltothefinancialreportingprocessFinancialandroutinebusinessapplicationsarecommonlyusedtoinitiate,authorize,record,processandreporttransactionsRelevantITcontrolsincludeapplicationcontrols-thosethatareembeddedinfinancialandbusinessapplicationsgeneralcomputercontrols–underlyinginfrastructurecomponentsthatsupporttheapplicationsStatementsmadebythePublicCompanyAccountingandOversightBoard(PCAOB)ontheimpactofIT(paragraph75):
“Thenatureandcharacteristicsofacompany'suseofinformationtechnologyinitsinformationsystemaffectthecompany'sinternalcontroloverfinancialreporting”TheImportanceofInformationTechnology(IT)inInternalControloverFinancialReporting12ImportanceofITControlstoSarbanes-OxleyApplicationControlsSoDDataintegrityCompletenessValidationGeneralComputingControlsInformationSecurityOperationsDatabaseImpl.&SupportNetworkSupportBusinessProcessClassesofTransactionsSalesReturnsWriteoffsSignificantAccountBalanceBalance
Sheet(A\R)Income
StatementG/LInventoryOtherA\RMgtProcessFCRPSalesProcessProcessStagesInitiateRecordProcessReportApplicationImpl.&Maint.SystemSoftwareSupportTheRoleofInformationTechnologyinInternalControloverFinancialReportingcont’d13ImportanceofITControlstoSarbanes-OxleyAccountbalance:TradeA\R,SalesClassesofTransactions:Invoices,SalesordersBusinessProcess:A\R,SalesOrderprocessesProcessStages:Initiate,record,processApplicationControls:AccesscontrolsBuiltinlimitsforcreditapprovalRestrictedaccesstopricingtableGCCControls:ProgramchangeOperationsNetwork&systemsecurityLinkAccountsandAssertionstoIT:AnExample
Customer
order
entry
AccountsReceivable
Invoicecontrols
SAP,Oracle,OtherApplicationsGeneralcomputingcontrolscoversecurityaccess,changemanagement,operations,systemsandnetworksupport,dataretention,etc.OrderProcessingOrder&suppliercontrolsSales
Sub-processCustomercontrolsITInfrastructureNetworksSystemSoftwareDatabasesandInformationSecurityApplicationcontrolscoverauthorizedchanges,segregationofduties,validity,completenessandtimelinessofreportingoffinancialinformation.14ImportanceofITControlstoSarbanes-OxleyCobitITControlFrameworkOverview15ImportanceofITControlstoSarbanes-OxleyCOBIT–AModelforGeneralComputerControlsTheITGovernanceInstitute(www.ITGI.org)hasrecentlypublished“revised”guidanceforITprofessionalsonhowtoaddressSarbanes-OxleyfromanITperspective–April2004“Sarbanes-Oxley;Theimportanceofinformation
technologyinthedesign,implementationand
sustainabilityofinternalcontrol”Thepublicationistheresultofa
jointeffortofindustryandauditors,
withleadershipfromDeloitteandothersTheITGIisarecognizedgloballeaderinITgovernance,controlandassurancewithmembersinmorethan100countries16ImportanceofITControlstoSarbanes-OxleyPCAOBdesignatesCOSOastheprescribedstandardcontrolframeworkandhasbecomethecontrolframeworkofchoiceforSOXcomplianceAll5layersmustbeconsideredwhenevaluatinginternalcontrolHowever,COSOdoesnotprovidespecificguidancearoundITcontrol.CobiTisawidelyacceptedITcontrolframework(ITGI)CobiTprovides4domainsofITcontrolCobiTcontrolsaddressthe5layersofCOSOWiththedevelopmentofthisapproach,organizationscanbeconfidentthattheyaretakinganapproachthatreflectsCOSOrequirementsCOBIT–AModelforGeneralComputerControlscont’d17ImportanceofITControlstoSarbanes-OxleyTheITGIpublicationprovidesguidancetoITprofessionalsonhowtomeettheSarbanes-OxleychallengeDetailedcontrolobjectivesareprovidedforeachCobiTdomainandmappedtotheirrespectiveCOSOcomponentOthercontrolguidelineswerereviewedandreconciledtothisapproachduringthedevelopmentprocess,includingISO17799,CommonCriteria,ITIL,andSysTrustOrganizationsshouldassesstheirrequirementsonanindividualbasisandtailortheirapproachaccordinglyCOSOComponentsCobiT
ObjectivesCOBIT–AModelforGeneralComputerControlscont’d18ImportanceofITControlstoSarbanes-OxleyTheCobiTSOAframeworkidentifiedasub-setoftheseareasforthepurposeoffocusingonSOArequirementsCompanylevel:Planning&Organizing/MonitoringCOBIT–AModelforGeneralComputerControlscont’dPlanning&OrganizationITStrategicPlanningITorganizationandrelationshipsManagementofhumanresourcesEducateandtrainusersInformationarchitectureCommunicationofmgmtaimsanddirectionAssessmentofrisksManagetheITinvestmentManageprojectsMonitoringCompliancewithexternalrequirementsManagementofqualityEnsurecontinuousservicePerformanceandcapacityMonitoringAdequacyofinternalcontrolsIndependentassuranceInternalauditActivitylevel:AcquisitionandImplementation/DeliveryandSupportProgramDevelopment(SDLC)ProgramChangesComputerOperations(scheduling,backup,problemmanagement)Accesstoprogramsanddata(applications,database,operatingsystem,network)19ImportanceofITControlstoSarbanes-OxleyTop5List–404ITControlsRequirementsSecurityApplicationandplatformbasedFocusedonapplicationsthatmayimpactfinancialsandsupportinginfrastructureRequiressecureoperatingsystems,database,network,firewallsandinfrastructureAuditorswilllookforexcessiveaccess;lackofsegregationofduties;inadequateapprovalofaccess;theywillbetestingkeyprocessestodeterminethattheyareeffectiveChangeControlNeedtoensurethatproceduresareinplacetocontrolandensureproperapprovalofchangestoproductionTechnicalcontrolsmusttightlylimitandcontroldeveloperaccesstoproductionDisasterRecoveryFocuswillbeonbasicbackupandrecoverabilityoffinancialdataITGovernanceFocuswillbeondeterminingofthereareclearpolicies,procedures,andcommunicationswithinITArethereclearsegregationofduties?Istheretheappropriate“toneatthetop”oftheITorganization?DevelopmentAndImplementationActivitiesPropercontrolsneedtobebuiltinbeforeanewsystemorsystemchangesgointheproductionenvironmentAuditorsmayevaluatenewfinancialsystems;dataconversionandtestingarecritical20ImportanceofITControlstoSarbanes-OxleyMostCommonITControlGapsToRemediateChangecontrolprocessesnotfullyinplace(especiallyindistributedorwebbasedenvironments)Securityprocedures,strategies,andprofilestructuresnotdocumentedforcriticalapplications.Organizationalsecuritypolicies,procedures,androlesandresponsibilitygaps.SecurityadministrationprocedureslackappropriatecontrolsorconsistencyInadequatecontrolstodeleteorchangeaccesswhenindividualleavesofchangesjobresponsibilities(especiallycontractors)InadequateapprovalofaccesschangesAccesslevelsnotregularlyreviewedandapprovedbymanagementExcessiveaccesstosystemsPrivilegedaccesstooperatingsystem,database,andapplicationenvironmentInadequatesegregationofdutiesApplicationdevelopersandDBAshaveaccesstoproductionInfrastructuresupportingapplicationsisnotsecure(network,operatingsystem,database)ITcontrolsnotintegratedintokeybusinessprocesses(e.g.SDLC,changecontrol,compliance,testinganddataconversionprocedures)Lackofaregularprocesstoverifythatcontrolscontinuetobeadequateandeffective(atleastquarterly)NolongtermstrategytoevaluateandaddressrisksTheareasthatwillgethithardestaresecurityandchangecontrol21ImportanceofITControlstoSarbanes-OxleyITControlReadinessRoadmap
22ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapPreparingforSOX404requiresastructuredandmeasuredapproach,otherwiseyouwillfindyourselfdoing“toomuch”or“toolittle”ThecurrentPCAOBrulesrequireauditorstoatteston“managementassessmentprocess”Assuch,thereadinessroadmapthatmanyorganizationsarefollowingdemonstratestheassessmentprocessthroughaseriesofstepsandactivitiesthataligntothePCAOBrules23ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapBusinessValueSarbanes-OxleyITCompliance1.Plan&ScopeFinancialreportingprocessSupportingsystems3.IdentifySignificantControlsApplicationcontrols-overinitiating,recording,processing&reportingITGeneralControls5.EvaluateControlDesignMitigatescontrolrisktoanacceptablelevelUnderstoodbyusers8.DocumentProcess&ResultsCoordinationwithAuditorsInternalsign-off(302,404)Independent
sign-off(404)7.Identify&RemediateDeficienciesSignificantdeficienciesMaterialweaknessRemediation6.EvaluateOperationalEffectivenessInternalauditTechnicaltestingSelfassessmentInquiry+Alllocationsandcontrols(annual)4.DocumentControlsPolicymanualsProceduresNarrativesFlowchartsConfigurationsAssessmentquestionnaires2.PerformRiskAssessmentProbability&ImpacttobusinessSize/complexity9.BuildSustainabilityInternalevaluationExternalevaluation24ImportanceofITControlstoSarbanes-OxleyAReadinessRoadmap
Plan&ScopeKeyConsiderationsIn-scopevsout-of-scopesystemsOpportunitiesforimprovementPrevention,identificationanddetectionoffraudKeyComponentsFinancialreportingprocessesInitiatingRecordingProcessingReportingClassesoftransactionsNon-routineandsystematicUnderstandthefinancialreportingprocessandidentifytheinformationsystemsandrelatedresourcesthatareused.25ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
PerformRiskAssessmentKeyComponentsITRisksQualityandIntegrityfailureSecurityfailureAvailabilityfailureRiskassessmentProbabilityoffailureImpacttothebusinessKeyConsiderationsSpecificriskareasDatavalidationDataconversionInterfacesManagementreportsComplexorcriticalcalculationsSpreadsheetsIdentifyrisksassociatedtheinformationsystemsandrelatedITresources(ie.whatcouldgowrong?)26ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
IdentifySignificantControlsKeyComponentsApplicationcontrolsEmbeddedwithinbusinessprocessesDirectlysupportfinancialassertionsGeneralcontrolsProgramdevelopmentProgramchangesProgramoperationsAccesscontrolKeyConsiderationsControlframework-CobiTTMRevised–April2004***12primarycontrolobjectivesattheprocesslevelControlenvironmentquestionnaireforentitylevelIdentifyapplicationandgeneralcontrols27ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
DocumentControlsKeyComponentsProcessdescriptionRiskassessmentControlobjectiveControlactivityTestofthecontrolConclusionsandremediationplansKeyConsiderationsIncludecompensatingcontrolsImpactonoverallSOAtestingprogramReportgapsindocumentationSufficienttosupportmanagementassertionDocumentcontrolprocessestosupportmanagement’sassessment28ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
EvaluateControlDesignKeyComponentsSufficienttodemonstrate:ControldesignedtopreventordetectmaterialerrorsConclusionthattestswereappropriatelyconductedResultsoftestsappropriatelyevaluatedKeyConsiderationsPreventativevs.detectiveAutomatedvs.manualPeople,processandtechnologyControlmaturitylevel–controlsaredefined,managed,measuredandrepeatableControlsshouldbedesignedtoreducetheriskoferrortoanacceptablelevel29ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
EvaluateOperationalEffectivenessKeyComponentsApplicationcontrolsandgeneralcontrolsReliabilityPerformedbyknowledgeablepersonPerformedconsistentlyAppropriatelymonitoredProblemsfolloweduponatimelybasisKeyConsiderationsPeriodoftimevs.pointintimeAuditevidence–inquiryaloneisnotenoughSamplesizes–mustbeadequategivenfrequencyofcontroloperationServiceorganizations–SAS70Testcontrolstoensuretheyareareoperatingasdesignedandconsistentlyoveraperiodoftime30ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
Identify&RemediateDeficienciesKeyComponentsImpacttothefinancialstatementsIsitmorethaninconsequential?LikelihoodofoccurrenceIstheremorethanaremotelikelihoodofoccurrence?CompensatingcontrolsKeyConsiderationsIsolated/manualerrorsvs.systematicerrorsPeriodofeffectiveoperationHasimpactassessmentbeenperformedtodeterminetheimportancetothefinancialreportingprocess?MayneedtorevisitcontroldesignoroperationifdeficienciesareobservedIdentifyweaknessesandremediate/retestpriortocompliancedeadline31ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
DocumentProcess&ResultsKeyComponentsOverallassessmentprocessConsiderriskassessmentresultsDiscloseallknowncontroldeficienciesandweaknessesIncludeassessmentofcontroldesigneffectivenessKeyConsiderationsShow-stoppersMaterialweaknessesSignificantdeficienciesMaintainsufficientevidencetosupportmanagementassessmentprocess32ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance
BuildSustainabilityKeyComponentsContinuouseffectivenessofinternalcontrolMonitoringactivitiesChangemanagementKnowledgecaptureandsharingKeyConsiderationsContinuousimprovementprocessRules,approachesandbestpracticesareevolving–staytunedEstablisha‘CenterofExcellence’modeltosupportongoingSOAcompliance33ImportanceofITControlstoSarbanes-OxleyInSummary34ImportanceofITControlstoSarbanes-OxleyInSummaryWiththedependenceonITforreliablefinancialreportingprocesses,ITplaysakeyroleincompliancewithSection404ofSarbanes-OxleyFormanyorganizationsSarbanes-Oxleyissimplyacodificationofexistingresponsibilities.TheseITcontrolresponsibilitiesalreadyexist;however,Sarbanes-Oxleymayrequireadditionalformalizationandsignificanteffortstodocumentandtest.CompaniesshouldensureIThasanactiveroleinSarbanes-Oxleyefforts:ParticipateonthecompliancesteeringcommitteeUnderstandthefinancialreportingprocessandcommunicatethedependencyonIT(applications,infrastructure,security,etc.)EstablishIT’sroleinensuringadequatecontrolsoverthefinancialreportingprocessDocumentITrisksandcontrolsrelatedtothefinancialreportingprocessRegularlytestcontrolsandremediatesignificantweaknessesEstablishmonitoringactivitie
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2026江苏盐城市射阳县陈洋实验初中学科教师和管理人员招聘26人考试模拟试题及答案详解
- 水果店保鲜技术安全与操作指南
- 童话中的勇气与梦想:小学主题班会课件
- 2026中国储备粮管理集团有限公司夏季招聘(河北有岗)考试模拟试题及答案详解
- 2026年廊坊市安次区事业单位人员招聘笔试模拟试题及答案详解
- 2026年汕头市澄海区事业单位人员招聘考试备考题库及答案详解
- 2026年乌鲁木齐市达坂城区事业单位人员招聘笔试模拟试题及答案详解
- 小学主题班会课件:健康成长从心理健康做起
- 黑龙江省铁力市第四中学2027届八年级物理第一学期期末综合测试试题含解析
- 广东省佛山市顺德区容桂中学2026-2027学年八上物理期末学业质量监测试题含解析
- 2026四川广安安农发展集团有限公司第三批次招聘劳务派遣制员工10人备考题库完整答案详解
- 2026学年江苏省邳州市二年级语文期末自测模拟知识串联题附答案详细答案和解析
- 2026江西宜春樟树市工业园区投资开发有限公司市场化招聘工作人员4人笔试备考试题及答案详解
- 历史福建泉州市2026届普通高中毕业班高三年级练习题库(泉州高三三检)(5.7-5.9)
- 2026年书画等级考试CCPT毛笔书法真题
- 2026年医学实验室检验外包服务质量管理
- 冀教版六年级科学下册知识点
- 公司入职offer通知模板
- 义务教育信息科技课程标准(2022年版2025年修订)解读
- 2026年人教部编版初一语文下学期期末考试卷及答案(共五套)
- 合成生物学伦理的全球框架
评论
0/150
提交评论