
Page 1: IT Control Objectives for SOX

Sarbanes-Oxley (SOX) compliance

The Role of IT in the design and implementation of Internal Control over Financial Reporting

Mahesh Patwardhan

[email protected]

Page 2: IT Control Objectives for SOX

SOX

• The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States federal law enacted on July 30, 2002. It is named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.

• The bill was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.

• These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets. The act was passed to safeguard the investors and restore confidence in the securities markets.

• The gist of the act is that a company's top management must certify its financial reports (Section 302) and assess and report on the effectiveness of internal control over financial reporting (Section 404), with an external auditor attesting to that assessment. Every IT system that initiates, records, processes or reports financial data is therefore in scope, and its controls must be designed, documented and tested.

Page 3: IT Control Objectives for SOX

Definitions

• COSO
• Committee of Sponsoring Organizations of the Treadway Commission
• Model for evaluating internal controls
• Generally accepted framework for internal control
• Definitive standard against which organizations measure the effectiveness of internal controls

• Internal Control:
• A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

• Five Components of an Internal Control System:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring

Page 4: IT Control Objectives for SOX

IT Compliance Roadmap

Plan and Scope IT Controls

Assess IT Risk

Document Controls

Evaluate Control Design and Operating Effectiveness

Prioritize and Remediate Deficiencies

Page 5: IT Control Objectives for SOX

Internal Control Framework

Control Environment

• Integrity and Ethical Values

• Commitment to competence

• Board of Directors and audit committee

• Management's Philosophy and Operating Style

• Organizational Structure

• Assignment of Authority and Responsibility

• Human Resource Policies and Procedures

Risk Assessment

• Company-wide objectives

• Process-level objectives

• Risk Identification and Analysis

• Managing Change

Control Activities

• Policies and Procedures

• Security (Applications and Network)

• Application Change Management

• Business Continuity / Backups

• Outsourcing

Information and Communication

• Quality of Information

• Effectiveness of Communication

Monitoring

• Ongoing Monitoring

• Separate Evaluations

• Reporting Deficiencies

Page 6: IT Control Objectives for SOX

Control Activities

Policies and Procedures

•IT-Security Policy

•IT-Access Control Policy

•IT-Appropriate Usage Policy

•Email-Internet Policy

•End-user Computing

Security (Applications and Network)

•Application Authorization Matrix

•End User Computing Traceability Matrix

•IT Landscape Diagram

•ISO

Application Change Management

•Project Management

Business Continuity

•IT-Infrastructure Management

•Disaster Recovery

•Backup and Recovery Procedures

•Job Scheduling

Page 7: IT Control Objectives for SOX

IT Control Objectives for SOX

Acquire and Maintain Application Software

Acquire and Maintain Technology Infrastructure

Enable Operations

Install and Accredit Solutions and Changes

Manage Changes

Define and Manage Service Levels

Manage Third Party Services

Ensure Systems Security

Manage the Configuration

Manage Problems and Incidents

Manage Data

Manage Operations

Page 8: IT Control Objectives for SOX

Types of Controls

Entity Level Controls

• Strategies and Plans

• Policies and Procedures

• Risk Assessment Activities

• Training and Education

• Quality Assurance

• Internal Audit

Application Controls

• Completeness

• Accuracy

• Existence/Authorization

• Presentation/Disclosure

IT General Controls

• Program Development

• Program Changes

• Access to Programs and Data

• Computer Operations
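Two of the items listed in this deck, the Application Authorization Matrix under Security (Applications and Network) and the Access to Programs and Data / Program Changes general controls, are normally tested by checking the authorization matrix for segregation-of-duties (SoD) conflicts: one person holding both halves of a toxic combination. The following is an added example of that test, not code from the original slides; the users, role names, composite role and conflict rules are constructed sample data and illustrative assumptions, not a published rule set.

```python
"""Segregation-of-duties (SoD) test over an application authorization matrix.

Added illustration; the matrix, composite role and rules are constructed
sample data (assumptions), not a published SoD rule set.
"""
from collections import Counter

# Constructed authorization matrix: user -> roles directly assigned in the
# financial application. In practice this is exported from the system.
AUTH_MATRIX = {
    "alice": {"AP_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY"},
    "bob":   {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},
    "carol": {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"},
    "dave":  {"DEV_CODE_COMMIT", "PROD_DEPLOY"},
    "erin":  {"AP_PAYMENT_APPROVE"},
    "frank": {"AP_SUPERUSER"},
}

# Constructed composite roles: assigning the composite grants every member
# role. A test that looks only at direct assignments misses these grants.
COMPOSITE_ROLES = {
    "AP_SUPERUSER": {"AP_VENDOR_MAINTAIN", "AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},
}

# Constructed SoD rules: (rule id, pair of roles one person must not hold,
# the financial-reporting assertion or ITGC area at risk).
SOD_RULES = [
    ("SOD-01", {"AP_VENDOR_MAINTAIN", "AP_PAYMENT_APPROVE"},
     "existence/authorization: can create a vendor and approve payment to it"),
    ("SOD-02", {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"},
     "existence/authorization: can enter an invoice and approve its payment"),
    ("SOD-03", {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"},
     "accuracy: can post a journal entry with no independent review"),
    ("ITGC-01", {"DEV_CODE_COMMIT", "PROD_DEPLOY"},
     "program changes: developer can move own code into production"),
]


def effective_roles(assigned, composites):
    """Expand composite roles transitively and return every role a user
    effectively holds (direct roles plus all roles granted through composites)."""
    effective = set()
    pending = list(assigned)
    while pending:
        role = pending.pop()
        if role in effective:
            continue            # already expanded; also guards against cycles
        effective.add(role)
        pending.extend(composites.get(role, ()))
    return effective


def find_sod_conflicts(matrix, rules, composites=None):
    """Return (user, rule_id, reason) for every rule a user violates.
    Pass composites=None to see what a direct-assignment-only test reports."""
    composites = composites or {}
    conflicts = []
    for user in sorted(matrix):
        roles = effective_roles(matrix[user], composites)
        for rule_id, pair, reason in rules:
            if pair <= roles:   # user holds both sides of the toxic combination
                conflicts.append((user, rule_id, reason))
    return conflicts


def rank_rules_by_exposure(conflicts):
    """Count violating users per rule, most exposed first, to prioritise
    remediation (the last step of the compliance roadmap)."""
    return Counter(rule_id for _, rule_id, _ in conflicts).most_common()


if __name__ == "__main__":
    found = find_sod_conflicts(AUTH_MATRIX, SOD_RULES, COMPOSITE_ROLES)
    for user, rule_id, reason in found:
        print(f"{user:6} {rule_id:8} {reason}")
    print("remediation priority:", rank_rules_by_exposure(found))
```

On the sample data, direct assignments alone flag bob, carol and dave; frank is only caught once the composite AP_SUPERUSER is expanded, which is why the expansion step matters when the matrix is exported from a system with role hierarchies. Each finding is a design deficiency to record in the control documentation unless a compensating detective control (for example an independent review of released payments) is documented, performed at a stated frequency, and tested.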

Page 9: IT Control Objectives for SOX

Control Documentation

Entity Policy Manuals

IT Policies and Procedures

Narratives

Flowcharts

Decision Tables

Procedural Write-ups

Completed Questionnaires

Page 10: IT Control Objectives for SOX

Control Documentation

Entity Level

• Assessment of entity level controls including evidence to support the responses and opinions of management

Activity Level

• Description of the processes and related sub-processes (may be in narrative form, more effective to illustrate as a flowchart)

• Description of the risk associated with the process or subprocess, including an analysis of its impact and probability of occurrence

• Statement of the control objective designed to reduce the risk of the process or subprocess to an acceptable level and a description of its alignment to the COSO framework.

• Description of the control activity(ies) designed and performed to satisfy the control objective related to the process or subprocess. This should include the type of controls (preventive or detective) and the frequency they are performed.

• Description of the approach followed to confirm (test) the existence and operational effectiveness of the control activities.

• Conclusions reached about the effectiveness of controls, as a result of testing.