Clean, Elegant International PPT Template.ppt

Uploaded by: 苏美尔 Document ID: 7186972 Upload date: 2020-11-04 Format: PPT Pages: 38 Size: 672.50KB
Resource description


The Importance of IT Controls to Sarbanes-Oxley Compliance
Importance of IT Controls to Sarbanes-Oxley

Today's Objectives
- Provide a high-level overview of Sarbanes-Oxley and the internal control certification requirements
- Discuss the importance of information technology in internal control over financial reporting
- Describe how the Sarbanes-Oxley section 404 rules impact information technology
- Provide an overview of the Cobit IT control framework
- Provide an example of a readiness program roadmap
- Summarize the importance and impact of IT controls to Sarbanes-Oxley compliance

Setting the Stage

What is internal control?
- Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations

Internal control is now the Law
- The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in the public markets
- Section 404 of the Act requires management to establish and maintain internal control and requires the independent auditors to evaluate
- Compliance deadline: Year-ends on or after November 15, 2004

Preparing for Sarbanes-Oxley compliance is a significant and challenging task

- There are many requirements, including the identification of significant financial statement accounts, processes and systems that support them and then documenting and testing them

Overview of Internal Control Certification Requirements

Section 302 Certification Overview
- CEO and CFO to make specific certifications as of the end of each quarterly and annual reporting period, including:
  - Report contains no untrue statements
  - Report is fairly presented in all material respects
  - Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting
- Became effective in 2002 (amended in June 2003)

Section 404 Certification Overview
- CEO and CFO to certify as of the end of every annual reporting period:
  - Their responsibility for establishing and maintaining effective internal controls over financial reporting
  - Their assessment of internal controls, accompanied by the independent auditor's attestation report
- Effective for annual periods ending after November 15, 2004 (small business and foreign filers July 15, 2005).

Understanding the Rules Impact to IT

Key Compliance Requirements
- Management is required to assess the design and effectiveness of its internal control over financial reporting and provide an assertion to that effect in the published financial statements.
- The company's external auditors are required to express an opinion on management's assessment as well as their own opinion on the company's internal controls.

Impact to IT Controls
- Auditor must perform a walkthrough of major classes of transactions for significant processes to understand process flows, and assess the design and effectiveness of controls including application and IT general controls.
- Evaluate the design effectiveness of IT controls to determine whether they are properly designed to achieve relevant assertions.
- Perform tests of the operating effectiveness of IT controls that are necessary to achieve relevant assertions.

Understanding the Rules Impact to IT cont'd
(paragraph 47) “The auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting”
(paragraph 73) “Most processes involve a series of tasks such as capturing input data, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. The processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to initiate, authorize, record, process and report transactions.”
The PCAOB rules are clear - auditors must understand how transactions flow through the system not around it

Understanding the Rules Impact to IT cont'd
PCAOB statements applicable to Application Controls:
(paragraph 69) “The auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts and
- Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported.
- Identify the points within the process at which a misstatement, including a misstatement due to fraud, related to each relevant financial statement assertion could arise.
- Identify the controls that management has implemented to address these potential misstatements.
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.”

Understanding the Rules Impact to IT cont'd
PCAOB statements applicable to IT General Controls:
(paragraph 40) “Determining which controls should be tested Generally, such controls include information technology general controls, on which other controls are dependent”
(paragraph 50) “Some controls have a pervasive effect on the achievement of many objectives for example, information technology general controls over program development, program changes, computer operations, and access to programs and data”

The Importance of Information Technology in Internal Control over Financial Reporting

The Importance of Information Technology (IT) in Internal Control over Financial Reporting
- For most organizations, IT is pervasive and critical to the financial reporting process
- Financial and routine business applications are commonly used to initiate, authorize, record, process and report transactions
- Relevant IT controls include
  - application controls - those that are embedded in financial and business applications
  - general computer controls - underlying infrastructure components that support the applications
- Statements made by the Public Company Accounting and Oversight Board (PCAOB) on the impact of IT (paragraph 75): “The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting”

Application Controls: SoD, Data integrity, Completeness, Validation
General Computing Controls: Information Security, Operations, Database Impl.

The importance of information technology in the design, implementation and sustainability of internal control”
- The publication is the result of a joint effort of industry and auditors, with leadership from Deloitte and others
- The ITGI is a recognized global leader in IT governance, control and assurance with members in more than 100 countries

COBIT - A Model for General Computer Controls cont'd
- PCAOB designates COSO as the prescribed standard control framework and has become the control framework of choice for SOX compliance
- All 5 layers must be considered when evaluating internal control
- However, COSO does not provide specific guidance around IT control.
- CobiT is a widely accepted IT control framework (ITGI)
- CobiT provides 4 domains of IT control
- CobiT controls address the 5 layers of COSO
- With the development of this approach, organizations can be confident that they are taking an approach that reflects COSO requirements

COBIT - A Model for General Computer Controls cont'd
- The ITGI publication provides guidance to IT professionals on how to meet the Sarbanes-Oxley challenge
- Detailed control objectives are provided for each CobiT domain and mapped to their respective COSO component
- Other control guidelines were reviewed and reconciled to this approach during the development process, including ISO17799, Common Criteria, ITIL, and SysTrust
- Organizations should assess their requirements on an individual basis and tailor their approach accordingly
[Figure labels: COSO Components, CobiT Objectives]

- The CobiT SOA framework identified a sub-set of these areas for the purpose of focusing on SOA requirements
- Company level: Planning

lack of segregation of duties; inadequate approval of access; they will be testing key processes to determine that they are effective

Change Control
- Need to ensure that procedures are in place to control and ensure proper approval of changes to production
- Technical controls must tightly limit and control developer access to production

Disaster Recovery
- Focus will be on basic backup and recoverability of financial data

IT Governance
- Focus will be on determining if there are clear policies, procedures, and communications within IT
- Are there clear segregation of duties?
- Is there the appropriate “tone at the top” of the IT organization?

Development And Implementation Activities
- Proper controls need to be built in before a new system or system changes go in the production environment
- Auditors may evaluate new financial systems; data conversion and testing are critical

Most Common IT Control Gaps To Remediate
- Change control processes not fully in place (especially in distributed or web based environments)
- Security procedures, strategies, and profile structures not documented for critical applications.
- Organizational security policies, procedures, and roles and responsibility gaps.
- Security administration procedures lack appropriate controls or consistency
- Inadequate controls to delete or change access when individual leaves or changes job responsibilities (especially contractors)
- Inadequate approval of access changes
- Access levels not regularly reviewed and approved by management
- Excessive access to systems
- Privileged access to operating system, database, and application environment
- Inadequate segregation of duties
- Application developers and DBAs have access to production
- Infrastructure supporting applications is not secure (network, operating system, database)
- IT controls not integrated into key business processes (e.g. SDLC, change control, compliance, testing and data conversion procedures)
- Lack of a regular process to verify that controls continue to be adequate and effective (at least quarterly)
- No long term strategy to evaluate and address risks
The areas that will get hit hardest are security and change control

IT Control Readiness Roadmap

SOA Readiness Roadmap
- Preparing for SOX 404 requires a structured and measured approach, otherwise you will find yourself doing “too much” or “too little”
- The current PCAOB rules require auditors to attest on “management assessment process”
- As such, the readiness roadmap that many organizations are following demonstrates the assessment process through a series of steps and activities that align to the PCAOB rules

SOA Readiness Roadmap
[Figure labels: Business Value, Sarbanes-Oxley IT Compliance]

1. Plan

however, Sarbanes-Oxley may require additional formalization and significant efforts to document and test.

Companies should ensure IT has an active role in Sarbanes-Oxley efforts:
- Participate on the compliance steering committee
- Understand the financial reporting process and communicate the dependency on IT (applications, infrastructure, security, etc.)
- Establish IT's role in ensuring adequate controls over the financial reporting process
- Document IT risks and controls related to the financial reporting process
- Regularly test controls and remediate significant weaknesses
- Establish monitoring activities to ensure the effectiveness of IT controls over time

For More Information:
Tim Okrie, CPA
Senior Manager, Deloitte & Touche
Phone: 1-312-946-2801
Email:
2003 Deloitte & Touche USA LLP. All rights reserved.
A member firm of Deloitte Touche Tohmatsu

About Deloitte
Deloitte, one of the nation's leading professional services firms, provides audit, tax, consulting, and financial advisory services through nearly 30,000 people in more than 80 U.S. cities. Known as an employer of choice for innovative human resources programs, the firm is dedicated to helping its clients and its people excel. Deloitte refers to the associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and Deloitte Consulting LLP) and subsidiaries. Deloitte is the U.S. member firm of Deloitte Touche Tohmatsu. For more information, please visit Deloitte's Web site at

Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing professional services and advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, our member firms, including their affiliates, deliver services in four professional areas: audit, tax, consulting, and financial advisory services. Our member firms serve more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” Deloitte & Touche, Deloitte Touche Tohmatsu, or other, related names. The services described herein are provided by the member firms and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons, certain member firms do not provide services in all four professional areas listed above.
