IT Controls and The Sarbanes-Oxley Act (SOX)
SOX requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and require public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX.
The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statements on Auditing Standards No. 109 (SAS109) discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.
IT controls that typically fall under the scope of a SOX 404 assessment may include:
- Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.
- IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls;
- IT operations controls, which ensure that problems with processing are identified and corrected.
Specific activities that may occur to support the assessment of the key controls above include:
- Understanding the organization’s internal control program and its financial reporting processes.
- Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;
- Identifying the key controls that address specific financial risks;
- Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness;
- Documenting and testing IT controls;
- Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and
- Monitoring IT controls for effective operation over time.
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as databases, networks and operating systems, are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enables management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.
|
|
|
|
| 302 | Corporate Responsibility for Financial Reports | Certifies that financial statement accuracy and operational activities have been documented and provided to the CEO and CFO for certification |
| 404 | Management Assessment of Internal Controls | Operational processes are documented and practiced demonstrating the origins of data within the balance sheet. SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. |
| 409 | Real-time Issuer Disclosures | Public companies must disclose changes in their financial condition or operations in real time to protect investors from delayed reporting of material events |
| 802 | Criminal Penalties for Altering Documents | Requires public companies and their public accounting firms to retain records, including electronic records that impact the company’s assets or performance.
Fines and imprisonment for those who knowingly and willfully violate this section with respect to (1) destruction, alteration, or falsification of records in federal investigations and bankruptcy and (2) destruction of corporate audit records. |
Read more about this topic: Information Technology Controls
Famous quotes containing the words controls and/or act:
“We’ve got to figure these things a little bit different than most people. Y’know, there’s something about going out in a plane that beats any other way.... A guy that washes out at the controls of his own ship, well, he goes down doing the thing that he loved the best. It seems to me that that’s a very special way to die.”
—Dalton Trumbo (1905–1976)
“The terrible thing is that one cannot be a Communist and not let oneself in for the shameful act of recantation. One cannot be a Communist and preserve an iota of one’s personal integrity.”
—Milovan Djilas (b. 1911)