Sarbanes-Oxley (SOX) compliance

The Role of IT in the design and implementation of Internal Control over Financial Reporting

Mahesh Patwardhan

• The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States federal law enacted on July 30, 2002. It is named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.
• The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.
• These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets. The act was passed to safeguard investors and restore confidence in the securities markets.
• The gist of the act is that a company's top management has to certify, by way of internal and external audits, that there is sufficient internal control over all systems impacting financial reporting.


Committee of Sponsoring Organizations of the Treadway Commission (COSO)

• Model for evaluating internal controls
• Generally accepted framework for internal control
• Definitive standard against which organizations measure the effectiveness of internal controls

Internal Control:

• A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Five Components of Internal Control System:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

IT Compliance Roadmap

• Document Controls
• Assess IT Risk
• Plan and Scope IT Controls
• Evaluate Control Design and Operating Effectiveness
• Prioritize and Remediate Deficiencies

Internal Control Framework

Control Environment
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors and Audit Committee
• Management's Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Procedures

Risk Assessment
• Company-wide Objectives
• Process-level Objectives
• Risk Identification and Analysis
• Managing Change

Control Activities
• Policies and Procedures
• Security (Applications and Network)
• Application Change Management
• Business Continuity / Backups
• Outsourcing

Information and Communication
• Quality of Information
• Effectiveness of Communication

Monitoring
• Ongoing Monitoring
• Separate Evaluations
• Reporting Deficiencies

Control Activities

Policies and Procedures
• IT Security Policy
• IT Access Control Policy
• IT Appropriate Usage Policy
• Email / Internet Policy
• End-User Computing

Security (Applications and Network)
• Application Authorization Matrix
• End-User Computing Traceability Matrix
• IT Landscape Diagram
• ISO

Application Change Management
• Project Management

Business Continuity
• IT Infrastructure Management
• Disaster Recovery
• Backup and Recovery Procedures
• Job Scheduling

IT Control Objectives for SOX
• Acquire and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Enable Operations
• Install and Accredit Solutions and Changes
• Manage Changes
• Define and Manage Service Levels
• Manage the Configuration
• Manage Third Party Services
• Ensure Systems Security
• Manage Problems and Incidents
• Manage Data
• Manage Operations

Types of Controls

Entity Level Controls
• Strategies and Plans
• Policies and Procedures
• Risk Assessment Activities
• Training and Education
• Quality Assurance
• Internal Audit

Application Controls
• Completeness
• Accuracy
• Existence / Authorization
• Presentation / Disclosure

IT General Controls
• Program Development
• Program Changes
• Access to Programs and Data
• Computer Operations

Control Documentation
• Entity Policy Manuals
• IT Policies and Procedures
• Decision Tables
• Procedural Write-ups
• Completed Questionnaires

Control Documentation

Entity Level
• Assessment of entity level controls, including evidence to support the responses and opinions of management

Activity Level
• Description of the processes and related sub-processes (may be in narrative form; more effective to illustrate as a flowchart)
• Description of the risk associated with the process or sub-process, including an analysis of its impact and probability of occurrence
• Statement of the control objective designed to reduce the risk of the process or sub-process to an acceptable level, and a description of its alignment to the COSO framework
• Description of the control activity (or activities) designed and performed to satisfy the control objective related to the process or sub-process. This should include the type of control (preventive or detective) and the frequency with which it is performed.
• Description of the approach followed to confirm (test) the existence and operational effectiveness of the control activities
• Conclusions reached about the effectiveness of controls as a result of testing
