IT & Sarbanes-Oxley Adam Bearhalter Kristy Kelly Julie Bland Alex Tiset


Page 1: Adam Bearhalter Kristy Kelly Julie Bland Alex Tiset

IT & Sarbanes-Oxley
Adam Bearhalter, Kristy Kelly, Julie Bland, Alex Tiset

Page 2

Introduction
  • Corporate & Accounting Scandals
  • Public confidence
  • Signed on July 30, 2002
  • Reach

Page 3

Titles
  • TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
  • TITLE II—AUDITOR INDEPENDENCE
  • TITLE III—CORPORATE RESPONSIBILITY
  • TITLE IV—ENHANCED FINANCIAL DISCLOSURES
  • TITLE V—ANALYST CONFLICTS OF INTEREST
  • TITLE VI—COMMISSION RESOURCES AND AUTHORITY
  • TITLE VII—STUDIES AND REPORTS
  • TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
  • TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
  • TITLE X—CORPORATE TAX RETURNS
  • TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY

Page 4

Key Provisions
  1. SOX Section 302: Internal control certifications
  2. SOX Section 404: Assessment of internal control
  3. SOX Section 802: Criminal Penalties for Violation of SOX
  4. SOX Section 1107: Criminal Penalties for Retaliation Against Whistleblowers

Page 5

SOX Section 404
Management must report on the effectiveness of the company's internal controls over financial reporting. The report must include:
  • A statement of management's responsibility over internal controls
  • Management's assessment of the effectiveness of the company's internal control
  • The framework used to evaluate controls
  • A statement that their auditor has reported on their internal controls as well
Source: www.sec.gov

Page 6

SOX Section 404
  • In today's business environment IT systems initiate, process, and report most financial transactions
  • Because they are so involved in the day-to-day financial transactions, the IT systems become key to financial reporting
  • This makes the controls over the IT systems key to financial reporting as well
IT Governance Institute, 2006

Page 7

SOX Section 404
  • Management is required to implement an internal control framework.
  • COSO is the most widely used framework for SOX compliance; it pays little attention to IT controls
  • COBIT is one of the better known frameworks that relate to IT controls
IT Governance Institute, 2006

Page 8

Key Controls
Controls that are key to ensuring that the values on the balance sheet are accurate and reliable. Examples:
  • A database trigger that creates the entry in the general ledger
  • A system to ensure emails are sent
  • The IT Auditor ensures that they are effective, reliable, and reproducible
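The "database trigger posts the general-ledger entry" key control, together with the auditor's test that it is effective and reproducible, is illustrated by the added Python example below. It is not code from the presentation; the schema, account names and sample sales are constructed for the walkthrough, and the reconciliation queries are one way an IT auditor could test the control, not a prescribed method.

```python
import sqlite3

# Constructed sample schema (not from the presentation): a sales sub-ledger
# and the general ledger. The trigger is the key control the slide refers to:
# posting a sale automatically writes its general-ledger entry, so a sale
# cannot exist without a matching GL record.
SCHEMA = """
CREATE TABLE sales (
    sale_id   INTEGER PRIMARY KEY,
    amount    REAL NOT NULL CHECK (amount > 0),
    posted_on TEXT NOT NULL
);
CREATE TABLE general_ledger (
    entry_id  INTEGER PRIMARY KEY,
    source    TEXT NOT NULL,
    source_id INTEGER NOT NULL,
    account   TEXT NOT NULL,
    debit     REAL NOT NULL DEFAULT 0,
    credit    REAL NOT NULL DEFAULT 0,
    UNIQUE (source, source_id, account)
);
-- Key control: every posted sale produces a balanced double entry in the GL.
CREATE TRIGGER post_sale_to_gl AFTER INSERT ON sales
BEGIN
    INSERT INTO general_ledger (source, source_id, account, debit, credit)
    VALUES ('sales', NEW.sale_id, 'Accounts Receivable', NEW.amount, 0);
    INSERT INTO general_ledger (source, source_id, account, debit, credit)
    VALUES ('sales', NEW.sale_id, 'Revenue', 0, NEW.amount);
END;
"""


def open_ledger():
    """Create a fresh in-memory database with the schema and the control trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_sale(conn, amount, posted_on):
    """Post one sale; the trigger creates the GL lines as a side effect."""
    cur = conn.execute(
        "INSERT INTO sales (amount, posted_on) VALUES (?, ?)", (amount, posted_on)
    )
    conn.commit()
    return cur.lastrowid


def ledger_snapshot(conn):
    """GL contents in posting order, used to show the control is reproducible."""
    return conn.execute(
        "SELECT source, source_id, account, debit, credit "
        "FROM general_ledger ORDER BY entry_id"
    ).fetchall()


def reconcile(conn):
    """Auditor's test of the control: the GL balances, GL revenue equals
    sub-ledger sales, and every sale has exactly its two GL lines."""
    sales_total = conn.execute(
        "SELECT COALESCE(SUM(amount), 0) FROM sales"
    ).fetchone()[0]
    debits, credits = conn.execute(
        "SELECT COALESCE(SUM(debit), 0), COALESCE(SUM(credit), 0) FROM general_ledger"
    ).fetchone()
    revenue = conn.execute(
        "SELECT COALESCE(SUM(credit), 0) FROM general_ledger WHERE account = 'Revenue'"
    ).fetchone()[0]
    unposted = conn.execute(
        "SELECT s.sale_id FROM sales s "
        "LEFT JOIN general_ledger g ON g.source = 'sales' AND g.source_id = s.sale_id "
        "GROUP BY s.sale_id HAVING COUNT(g.entry_id) <> 2 ORDER BY s.sale_id"
    ).fetchall()
    return {
        "balanced": abs(debits - credits) < 1e-9,
        "revenue_matches_sales": abs(revenue - sales_total) < 1e-9,
        "unposted_sales": [row[0] for row in unposted],
    }


# Constructed sample transactions for the walkthrough.
SAMPLE_SALES = [(100.0, "2024-01-05"), (250.5, "2024-01-06")]


def post_sample(conn, sales=SAMPLE_SALES):
    """Post the constructed sample sales and return the connection."""
    for amount, day in sales:
        record_sale(conn, amount, day)
    return conn


if __name__ == "__main__":
    conn = post_sample(open_ledger())
    print(reconcile(conn))
```

Running the same sample on two fresh databases yields identical `ledger_snapshot` results, which is the "reproducible" property the auditor looks for; if a GL line is ever changed outside the control, `reconcile` reports the ledger as unbalanced and names the sale whose entry is incomplete, which is the exception the auditor would note.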

Page 9

General Controls
Controls that go across all IT systems and are essential to ensuring the integrity, reliability, and quality of the systems:
  • Security Policies
  • Change Management
  • Administration of Duties/Rights

Page 10

Administration of Duties/Rights
  • Separation of Duties
      • Individual Permissions
      • Roles
  • Least Privilege
      • Individual only given the privileges needed to do their job
  • User Provisioning
      • New users set up with correct privileges
      • Standard profile for each user

Page 11

What if these 3 principles are not in place?
  • The IT system has failed to meet SOX compliance
  • The Auditor must:
      • Note the exception
      • Flag it up to Management for remediation
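The three principles on the previous slide (separation of duties, least privilege, user provisioning) and the auditor's response when they are missing can be made concrete as an access review. The Python example below is added here and is not from the presentation: the role catalogue, the conflicting permission pairs, the standard profiles per job title and the sample users are all constructed, and the check logic is one reasonable way to test these principles rather than a method the slides prescribe.

```python
from dataclasses import dataclass

# Constructed role catalogue (hypothetical names, not from the presentation):
# each role carries a set of permissions in a finance system.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve"},
    "treasury": {"payment.release"},
    "gl_accountant": {"journal.post"},
    "gl_reviewer": {"journal.approve"},
    "dba": {"db.admin"},
    "readonly": {"report.view"},
}

# Separation of duties: no single user may hold both permissions of a pair.
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
    ("journal.post", "journal.approve"),
]

# User provisioning: the standard profile (set of roles) for each job title.
STANDARD_PROFILES = {
    "AP Clerk": {"ap_clerk", "readonly"},
    "Controller": {"gl_reviewer", "ap_approver", "readonly"},
    "Analyst": {"readonly"},
}


@dataclass
class User:
    name: str
    job_title: str
    roles: set


def effective_permissions(user):
    """Union of the permissions carried by the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user):
    """Separation of duties: conflicting permission pairs the user holds together."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def excess_roles(user):
    """Least privilege: roles beyond the standard profile for the user's job."""
    return sorted(user.roles - STANDARD_PROFILES.get(user.job_title, set()))


def missing_roles(user):
    """User provisioning: standard roles the user was never given."""
    return sorted(STANDARD_PROFILES.get(user.job_title, set()) - user.roles)


def review_access(users):
    """Run the three checks and return the exceptions an auditor would note
    and flag to management for remediation."""
    exceptions = []
    for u in users:
        for a, b in sod_violations(u):
            exceptions.append({"user": u.name, "principle": "separation_of_duties",
                               "detail": f"holds both {a} and {b}"})
        if u.job_title not in STANDARD_PROFILES:
            # Without a standard profile, excess or missing roles cannot be judged.
            exceptions.append({"user": u.name, "principle": "user_provisioning",
                               "detail": f"no standard profile for job title '{u.job_title}'"})
            continue
        for r in excess_roles(u):
            exceptions.append({"user": u.name, "principle": "least_privilege",
                               "detail": f"role '{r}' is not in the standard profile"})
        for r in missing_roles(u):
            exceptions.append({"user": u.name, "principle": "user_provisioning",
                               "detail": f"standard role '{r}' was not provisioned"})
    return exceptions


def summarize(exceptions):
    """Count exceptions per principle; an empty result means all three are in place."""
    counts = {}
    for e in exceptions:
        counts[e["principle"]] = counts.get(e["principle"], 0) + 1
    return counts


# Constructed sample user list for the review.
SAMPLE_USERS = [
    User("alice", "AP Clerk", {"ap_clerk", "readonly"}),
    User("bob", "AP Clerk", {"ap_clerk", "treasury", "readonly"}),
    User("carol", "Controller", {"gl_reviewer", "gl_accountant", "ap_approver", "readonly"}),
    User("dave", "Analyst", {"dba"}),
    User("erin", "Intern", {"readonly"}),
]

if __name__ == "__main__":
    for e in review_access(SAMPLE_USERS):
        print(f"{e['user']:6} {e['principle']:22} {e['detail']}")
    print(summarize(review_access(SAMPLE_USERS)))
```

The separation-of-duties check works on effective permissions rather than role names, so a conflict is caught even when the two halves arrive through different roles; the least-privilege and provisioning checks both compare against the job's standard profile, which is why a user whose job title has no profile is reported as a provisioning exception instead of being silently passed.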

Page 12

Strategies for Sarbanes-Oxley Compliance
  • Understand SOX requirements
  • Set aside sufficient resources
  • Get everyone involved
  • Create independent audit committee
  • Educate everyone
  • Evaluate auditors
  • Make required changes
  • Prepare for the future
Source: www.afponline.org

Page 13

Impact of SOX on IT and Management
  • Risk Assessment
  • Control Environment
  • Control Security
  • Monitoring
  • Information and Communication
Source: www.answers.com

Page 14

Impact of SOX
  • Risk Assessment
      • Areas of Risk
      • Examination of systems
      • Accuracy of Documentation
  • Control Environment
      • Effectiveness of ICs
      • Tone of Organization
      • Control Environment Factors
Source: www.answers.com

Page 15

Impact of SOX
  • Control Security
      • IT Security
  • Monitoring
      • Processes and Schedules
      • Internal Audits
  • Information and Communication
      • Timely and Accurate Information
      • Communication to Management
Source: www.answers.com