
Sarbanes-Oxley IT Governance

A. Overview of SOX Sections


- Section 302 requires corporate management to certify financial and other information
contained in the organization’s quarterly and annual reports.
- Section 404 requires the management of public companies to assess the effectiveness
of their organization’s internal controls over financial reporting.
Relationship Between IT Controls and Financial Reporting
- Information technology drives the financial reporting processes of modern
organizations. Automated systems initiate, authorize, record, and report the effects of
financial transactions.
- As such, they are inextricable elements of the financial reporting processes that SOX
considers and must be controlled.
- SAS 78/COSO identifies two broad groupings of information system controls:
application controls and general controls.
o The objectives of application controls are to ensure the validity,
completeness, and accuracy of financial transactions.
o General controls (also called general computer controls or information
technology controls) include controls over IT governance, IT infrastructure,
security and access to operating systems and databases, application acquisition
and development, and program changes.
B. IT Governance
1. Organizational Structure Control
a. Segregate the task of transaction authorization from transaction processing.
b. Segregate record keeping from asset custody.
c. Divide transaction-processing tasks among individuals so that fraud will require
collusion between two or more individuals.
2. Computer Center Security and Controls
a. Computer Center Controls
o Physical Location
o Construction
o Access
o Air Conditioning
o Fire Suppression
Audit Objectives Relating to Computer Center Security
The auditor must verify that
o physical security controls are adequate to reasonably protect the organization
from physical exposures;
o insurance coverage on equipment is adequate to compensate the organization
for the destruction of, or damage to, its computer center; and
o operator documentation is adequate to deal with routine operations as well as
system failures.
3. Disaster Recovery Planning
A disaster recovery plan (DRP) is a comprehensive statement of all actions to be
taken before, during, and after a disaster, along with documented, tested procedures
that will ensure the continuity of operations. The DRP addresses the following control issues:
1. Providing second-site backup: provides for duplicate data processing facilities
following a disaster. The viable options available include:
o the empty shell,
o recovery operations center, and
o internally provided backup
2. Identifying critical applications: another essential element of a DRP involves
procedures to identify the critical applications and data files of the firm to be
restored.
3. Performing backup and off-site storage procedures: all data files, application
documentation, and supplies needed to perform critical functions should be
specified in the DRP. Data processing personnel should routinely perform backup
and storage procedures to safeguard these critical resources.
4. Creating a disaster recovery team: to avoid serious omissions or duplication of
efforts during implementation of the contingency plan, individual task
responsibility must be clearly defined and communicated to the personnel
involved.
5. Testing the DRP: a test is most useful in the form of a surprise simulation of a
disruption. When the mock disaster is announced, the status of all processing that
it affects should be documented.
C. Outsourcing IT Function
Often-cited benefits of IT outsourcing include improved core business performance,
improved IT performance (because of the vendor’s expertise), and reduced IT costs.
Risks Inherent to IT Outsourcing
1. Failure to Perform
2. Vendor Exploitation
3. Outsourcing Costs Exceed Benefits
4. Reduced Security
5. Loss of Strategic Advantage

Security and Access


A. Controlling the Operating System
1. Operating System Objectives
The operating system performs three main tasks.
a. It translates high-level languages, such as COBOL, C++, BASIC, and SQL, into
the machine-level language that the computer can execute.
b. It allocates computer resources to users, workgroups, and applications.
c. It manages the tasks of job scheduling and multiprogramming.
Five fundamental control objectives:
1. The operating system must protect itself from users.
2. The operating system must protect users from each other.
3. The operating system must protect users from themselves.
4. The operating system must be protected from itself.
5. The operating system must be protected from its environment.
2. Operating System Security
Operating system security involves policies, procedures, and controls that determine who can access the
operating system, which resources (files, programs, printers) they can access, and
what actions they can take. The following security components are found in secure
operating systems:
o log-on procedure,
o access token,
o access control list, and
o discretionary access privileges.
Audit Objectives Relating to Access Privileges
The objective of the auditor is to verify that access privileges are granted in a manner
that is consistent with the need to separate incompatible functions and is in
accordance with the organization’s policy.
B. Controlling the Database Management System
1. Access Controls
- User View
- Database Authorization Table
- User Defined Procedures
- Data Encryption
- Biometric Devices
2. Backup Controls
- Database Backup
- Transaction Log (Journal)
- Checkpoint Feature
- Recovery Module
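The three backup controls listed above work together: the journal records each change before it is applied, the checkpoint snapshots the database so the whole journal need not be replayed, and the recovery module restores the checkpoint and rolls forward the journal entries made after it. This is an added illustration, not code from the notes; the ledger, account numbers and crash scenario are constructed for the example.

```python
# Added example (not from the notes): a toy ledger with a write-ahead
# transaction journal, a checkpoint feature and a recovery module.
import copy

class Ledger:
    def __init__(self):
        self.balances = {}          # live database state
        self.journal = []           # transaction log: (seq, account, delta)
        self.checkpoint = (0, {})   # (last journaled seq, snapshot of balances)
        self.seq = 0

    def post(self, account, delta):
        # Write-ahead rule: journal the change before applying it to the database,
        # so a crash between the two steps can never lose a recorded transaction.
        self.seq += 1
        self.journal.append((self.seq, account, delta))
        self.balances[account] = self.balances.get(account, 0) + delta

    def take_checkpoint(self):
        # Snapshot the database so recovery only replays entries after this point.
        self.checkpoint = (self.seq, copy.deepcopy(self.balances))

    def simulate_crash(self):
        # Loss of the live database; the journal and checkpoint are assumed to
        # live on separate, surviving media.
        self.balances = {}

    def recover(self):
        # Recovery module: restore the last checkpoint, then roll forward every
        # journal entry with a sequence number beyond it. Returns entries replayed.
        last_seq, snapshot = self.checkpoint
        self.balances = copy.deepcopy(snapshot)
        replayed = 0
        for seq, account, delta in self.journal:
            if seq > last_seq:
                self.balances[account] = self.balances.get(account, 0) + delta
                replayed += 1
        return replayed

def demo():
    """Constructed scenario: checkpoint after two postings, crash after four."""
    db = Ledger()
    db.post("1010-cash", 500)
    db.post("4010-sales", -500)
    db.take_checkpoint()
    db.post("1010-cash", 250)
    db.post("1200-receivables", 75)
    expected = copy.deepcopy(db.balances)
    db.simulate_crash()
    replayed = db.recover()
    return replayed, db.balances == expected, db.balances
```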
C. Controlling Networks
1. Controlling Risks From Subversive Threats
o Firewall: a system that enforces access control between two networks
o Controlling Denial of Service Attacks
o Encryption is the conversion of data into a secret code for storage in databases
and transmission over networks (private-key and public-key encryption).
2. Controlling Risks From Equipment Failure
o Line Errors: Echo Check, Parity Check
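The two line-error controls named above, as an added example that is not part of the notes: a parity bit is attached to each transmitted byte and re-checked on receipt, and an echo check has the receiver send the message back so the sender can compare. The message and the injected line errors are constructed; the example also shows the limit of parity, which misses a two-bit error in one byte that the echo check still catches.

```python
# Added example (not from the notes): even-parity and echo checks on a
# transmitted byte string, with constructed single- and double-bit line errors.

def parity_bit(byte):
    # Even parity: the extra bit makes the total count of 1 bits even.
    return bin(byte).count("1") % 2

def encode_parity(data):
    # Transmit each byte together with its parity bit.
    return [(b, parity_bit(b)) for b in data]

def parity_check(frames):
    # Receiver side: positions whose parity bit no longer matches the data byte.
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]

def echo_check(sent, echoed):
    # The receiver echoes the message; the sender compares it with what it sent.
    return sent == echoed

def simulate_line_error(frames, index, bits):
    # Flip the given data bits of one frame in transit; parity bit is untouched.
    damaged = list(frames)
    b, p = damaged[index]
    for bit in bits:
        b ^= 1 << bit
    damaged[index] = (b, p)
    return damaged

def demo():
    msg = b"INV-1042 1500.00"          # constructed transaction record
    frames = encode_parity(msg)
    assert parity_check(frames) == []  # clean line: nothing flagged
    single = simulate_line_error(frames, 4, [0])     # one bit flipped
    double = simulate_line_error(frames, 4, [0, 1])  # two bits in one byte
    return (parity_check(single), echo_check(frames, single),
            parity_check(double), echo_check(frames, double))
```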
D. Electronic Data Interchange (EDI)
1. Transaction Authorization and Validation
a. Some VANs have the capability of validating passwords and user ID
codes for the vendor by matching these against a valid customer file. The
VAN rejects any unauthorized trading partner transactions before they
reach the vendor’s system.
b. Before being converted, the translation software can validate the trading
partner’s ID and password against a validation file in the firm’s database.
c. Before processing, the trading partner’s application software references
the valid customer and vendor files to validate the transaction.
2. Access Control
To function smoothly, EDI trading partners must permit a degree of access to
private data files that would be forbidden in a traditional environment.

System Development, Program Changes and Application Controls


A. System Development Control
1. Controlling System Development Activities
- System Authorization Activities
- User Specification Activities
- Technical Design Activities
- Internal Audit Participation
- Program Testing
- User Test and Acceptance Procedures
2. Controlling Program Change Activities
Upon implementation, the information system enters the maintenance phase of the SDLC.
This is the longest period in the SDLC, often spanning several years. Most systems do not
remain static throughout this period. Maintenance access to systems increases the risk that
logic will be corrupted either by accident or intent to defraud. To minimize the risk, all
maintenance actions should require, as a minimum, four controls: formal authorizations,
technical specifications, testing, and documentation updates.
3. Source Program Library
a. The worst-case situation: no control
In this situation, access to application programs is completely unrestricted. Legitimate
maintenance programmers or others may access any programs stored in the library,
which has no provision for detecting an unauthorized intrusion.
b. A controlled SPL Environment
o Password Control
o Separation of Test Libraries
o Audit Trail and Management Reports
o Program Version Numbers
o Controlling Access to Maintenance Commands
B. Application Control
1. Input Control
Input controls are programmed procedures (routines) that perform tests on transaction
data to ensure that they are free from errors.
2. Processing Control
Processing controls are programmed procedures and may be divided into three
categories: batch controls, run-to-run controls, and audit trail controls.
3. Output Controls
Output controls are a combination of programmed routines and other procedures to ensure that system
output is not lost, misdirected, or corrupted and that privacy is not violated.
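Batch controls and run-to-run controls, as an added example that is not code from the notes: a batch control record (record count, financial total and hash total) is established at input and re-verified at each subsequent processing run, so a record lost between runs or an account number altered in transit is detected. The batch of sales transactions and the two faults are constructed for the example.

```python
# Added example (not from the notes): batch control totals computed at input
# and re-verified run-to-run across processing steps.

def batch_totals(batch):
    # Record count, financial total (sum of amounts) and hash total (sum of
    # account numbers, a figure with no meaning except as a control).
    return {
        "records": len(batch),
        "amount": round(sum(t["amount"] for t in batch), 2),
        "hash": sum(t["account"] for t in batch),
    }

def run_to_run_check(control, batch):
    # Compare the batch control record with the batch as received by this run;
    # return the names of the control figures that disagree (empty = pass).
    now = batch_totals(batch)
    return [k for k in control if control[k] != now[k]]

def demo():
    # Constructed batch of sales transactions.
    batch = [
        {"account": 10021, "amount": 120.50},
        {"account": 10347, "amount": 75.00},
        {"account": 10099, "amount": 310.25},
    ]
    control = batch_totals(batch)                 # established at data input
    intact = run_to_run_check(control, batch)     # run 1 receives the full batch
    lost = run_to_run_check(control, batch[:-1])  # run 2 lost the last record
    altered = [dict(t) for t in batch]
    altered[1]["account"] = 10374                 # transposed account number
    transposed = run_to_run_check(control, altered)
    return intact, lost, transposed
```

Only the hash total catches the transposed account number: record count and financial total are unchanged, which is why a hash total is carried alongside them.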
C. Testing Computer Application Control
1. The black box (around the computer) approach
Auditors analyze flowcharts and interview knowledgeable personnel in the client’s organization to
understand the functional characteristics of the application.
2. The white box (through the computer) approach
This approach relies on an in-depth understanding of the internal logic of the application being tested.
D. Substantive Testing Techniques
Substantive tests are so named because they are used to substantiate dollar amounts
in account balances. Substantive tests include but are not limited to the following:
1. Determining the correct value of inventory.
2. Determining the accuracy of prepayments and accruals.
3. Confirming accounts receivable with customers.
4. Searching for unrecorded liabilities.
Techniques for performing substantive tests include:
1. Embedded Audit Module
2. Generalized Audit Software
