国外简约大气的PPT模板.ppt

Uploader: 小飞机  Document ID: 6042512  Upload time: 2023-09-17  Format: PPT  Pages: 38  Size: 663KB
Resource description


The Importance of IT Controls to Sarbanes-Oxley Compliance

Today's Objectives
- Provide a high-level overview of Sarbanes-Oxley and the internal control certification requirements
- Discuss the importance of information technology in internal control over financial reporting
- Describe how the Sarbanes-Oxley section 404 rules impact information technology
- Provide an overview of the Cobit IT control framework
- Provide an example of a readiness program roadmap
- Summarize the importance and impact of IT controls to Sarbanes-Oxley compliance

Setting the Stage

What is internal control?
Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Internal control is now the Law
- The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in the public markets
- Section 404 of the Act requires management to establish and maintain internal control and requires the independent auditors to evaluate
- Compliance deadline: year-ends on or after November 15, 2004

Preparing for Sarbanes-Oxley compliance is a significant and challenging task
- There are many requirements, including the identification of significant financial statement accounts, the processes and systems that support them, and then documenting and testing them

Overview of Internal Control Certification Requirements

Section 302 Certification Overview
- CEO and CFO to make specific certifications as of the end of each quarterly and annual reporting period, including:
  - Report contains no untrue statements
  - Report is fairly presented in all material respects
  - Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting
- Became effective in 2002 (amended in June 2003)

Section 404 Certification Overview
- CEO and CFO to certify as of the end of every annual reporting period:
  - Their responsibility for establishing and maintaining effective internal controls over financial reporting
  - Their assessment of internal controls, accompanied by the independent auditor's attestation report
- Effective for annual periods ending after November 15, 2004 (small business and foreign filers July 15, 2005)

Understanding the Rules' Impact to IT

Key Compliance Requirements
- Management is required to assess the design and effectiveness of its internal control over financial reporting and provide an assertion to that effect in the published financial statements. The company's external auditors are required to express an opinion on management's assessment as well as their own opinion on the company's internal controls.

Impact to IT Controls
- Auditor must perform a walkthrough of major classes of transactions for significant processes to understand process flows, and assess the design and effectiveness of controls, including application and IT general controls.
- Evaluate the design effectiveness of IT controls to determine whether they are properly designed to achieve relevant assertions.
- Perform tests of the operating effectiveness of IT controls that are necessary to achieve relevant assertions.

Understanding the Rules' Impact to IT (cont'd)
- (paragraph 47) "The auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting"
- (paragraph 73) "Most processes involve a series of tasks such as capturing input data, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. The processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to initiate, authorize, record, process and report transactions."
The PCAOB rules are clear: auditors must understand how transactions flow through the system, not around it.

Understanding the Rules' Impact to IT (cont'd)
PCAOB statements applicable to Application Controls:
- (paragraph 69) "The auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts and
  - Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported.
  - Identify the points within the process at which a misstatement, including a misstatement due to fraud, related to each relevant financial statement assertion could arise.
  - Identify the controls that management has implemented to address these potential misstatements.
  - Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets."

Understanding the Rules' Impact to IT (cont'd)
PCAOB statements applicable to IT General Controls:
- (paragraph 40) "Determining which controls should be tested ... Generally, such controls include information technology general controls, on which other controls are dependent"
- (paragraph 50) "Some controls have a pervasive effect on the achievement of many objectives ... for example, information technology general controls over program development, program changes, computer operations, and access to programs and data"

The Importance of Information Technology (IT) in Internal Control over Financial Reporting
- For most organizations, IT is pervasive and critical to the financial reporting process
- Financial and routine business applications are commonly used to initiate, authorize, record, process and report transactions
- Relevant IT controls include:
  - Application controls: those that are embedded in financial and business applications
  - General computer controls: underlying infrastructure components that support the applications
- Statements made by the Public Company Accounting and Oversight Board (PCAOB) on the impact of IT (paragraph 75): "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting"

The Role of Information Technology in Internal Control over Financial Reporting (cont'd)
Diagram (layer labels only survive):
- Significant Account Balance: Balance Sheet (AR), Income Statement, G/L, Inventory, Other
- Classes of Transactions: Sales, Returns, Write-offs
- Business Process: AR Mgt Process, FCRP, Sales Process
- Process Stages: Initiate, Record, Process, Report
- Application Controls: SoD, Data integrity, Completeness, Validation
- General Computing Controls: Information Security, Operations, Database Impl. & Support, Network Support, Application Impl. & Maint., System Software Support

Link Accounts and Assertions to IT: An Example
- Account balance: Trade AR, Sales
- Classes of Transactions: Invoices, Sales orders
- Business Process: AR, Sales Order processes
- Process Stages: Initiate, record, process
- Application Controls: Access controls; Built-in limits for credit approval; Restricted access to pricing table
- GCC Controls: Program change; Operations; Network & system security

Diagram: Customer order entry flows through Order Processing (Order & supplier controls) and the Sales Sub-process (Customer controls), running on SAP, Oracle and Other Applications, over the IT Infrastructure (Networks, System Software, Databases and Information, Security).
- General computing controls cover security access, change management, operations, systems and network support, data retention, etc.
- Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.

Cobit IT Control Framework Overview

COBIT: A Model for General Computer Controls
- The IT Governance Institute (www.ITGI.org) has recently published "revised" guidance for IT professionals on how to address Sarbanes-Oxley from an IT perspective: April 2004, "Sarbanes-Oxley; The importance of information technology in the design, implementation and sustainability of internal control"
- The publication is the result of a joint effort of industry and auditors, with leadership from Deloitte and others
- The ITGI is a recognized global leader in IT governance, control and assurance, with members in more than 100 countries

COBIT: A Model for General Computer Controls (cont'd)
- PCAOB designates COSO as the prescribed standard control framework, and it has become the control framework of choice for SOX compliance
- All 5 layers must be considered when evaluating internal control
- However, COSO does not provide specific guidance around IT control
- CobiT is a widely accepted IT control framework (ITGI)
- CobiT provides 4 domains of IT control
- CobiT controls address the 5 layers of COSO
- With the development of this approach, organizations can be confident that they are taking an approach that reflects COSO requirements

COBIT: A Model for General Computer Controls (cont'd)
- The ITGI publication provides guidance to IT professionals on how to meet the Sarbanes-Oxley challenge
- Detailed control objectives are provided for each CobiT domain and mapped to their respective COSO component
- Other control guidelines were reviewed and reconciled to this approach during the development process, including ISO 17799, Common Criteria, ITIL, and SysTrust
- Organizations should assess their requirements on an individual basis and tailor their approach accordingly
Diagram: COSO Components mapped to CobiT Objectives.

COBIT: A Model for General Computer Controls (cont'd)
- The CobiT SOA framework identified a sub-set of these areas for the purpose of focusing on SOA requirements
Company level: Planning & Organizing / Monitoring
- Planning & Organization: IT Strategic Planning; IT organization and relationships; Management of human resources; Educate and train users; Information architecture; Communication of mgmt aims and direction; Assessment of risks; Manage the IT investment; Manage projects
- Monitoring: Compliance with external requirements; Management of quality; Ensure continuous service; Performance and capacity; Monitoring; Adequacy of internal controls; Independent assurance; Internal audit
Activity level: Acquisition and Implementation / Delivery and Support
- Program Development (SDLC)
- Program Changes
- Computer Operations (scheduling, backup, problem management)
- Access to programs and data (applications, database, operating system, network)

Top 5 List: 404 IT Controls Requirements
Security
- Application and platform based
- Focused on applications that may impact financials and supporting infrastructure
- Requires secure operating systems, database, network, firewalls and infrastructure
- Auditors will look for excessive access, lack of segregation of duties and inadequate approval of access; they will be testing key processes to determine that they are effective
Change Control
- Need to ensure that procedures are in place to control and ensure proper approval of changes to production
- Technical controls must tightly limit and control developer access to production
Disaster Recovery
- Focus will be on basic backup and recoverability of financial data
IT Governance
- Focus will be on determining if there are clear policies, procedures, and communications within IT
- Is there clear segregation of duties? Is there the appropriate "tone at the top" of the IT organization?
Development and Implementation Activities
- Proper controls need to be built in before a new system or system changes go into the production environment
- Auditors may evaluate new financial systems; data conversion and testing are critical

Most Common IT Control Gaps To Remediate
- Change control processes not fully in place (especially in distributed or web-based environments)
- Security procedures, strategies, and profile structures not documented for critical applications
- Organizational security policies, procedures, and roles and responsibility gaps
- Security administration procedures lack appropriate controls or consistency
- Inadequate controls to delete or change access when an individual leaves or changes job responsibilities (especially contractors)
- Inadequate approval of access changes
- Access levels not regularly reviewed and approved by management
- Excessive access to systems
- Privileged access to operating system, database, and application environment
- Inadequate segregation of duties
- Application developers and DBAs have access to production
- Infrastructure supporting applications is not secure (network, operating system, database)
- IT controls not integrated into key business processes (e.g. SDLC, change control, compliance, testing and data conversion procedures)
- Lack of a regular process to verify that controls continue to be adequate and effective (at least quarterly)
- No long-term strategy to evaluate and address risks
The areas that will get hit hardest are security and change control.

IT Control Readiness Roadmap

SOA Readiness Roadmap
- Preparing for SOX 404 requires a structured and measured approach; otherwise you will find yourself doing "too much" or "too little"
- The current PCAOB rules require auditors to attest on the "management assessment process"
- As such, the readiness roadmap that many organizations are following demonstrates the assessment process through a series of steps and activities that align to the PCAOB rules

SOA Readiness Roadmap (diagram: Business Value; Sarbanes-Oxley IT Compliance)
1. Plan & Scope: Financial reporting process; Supporting systems
2. Perform Risk Assessment: Probability & impact to business; Size/complexity
3. Identify Significant Controls: Application controls over initiating, recording, processing & reporting; IT General Controls
4. Document Controls: Policy manuals; Procedures; Narratives; Flowcharts; Configurations; Assessment questionnaires
5. Evaluate Control Design: Mitigates control risk to an acceptable level; Understood by users
6. Evaluate Operational Effectiveness: Internal audit; Technical testing; Self assessment; Inquiry; All locations and controls (annual)
7. Identify & Remediate Deficiencies: Significant deficiencies; Material weakness; Remediation
8. Document Process & Results: Coordination with auditors; Internal sign-off (302, 404); Independent sign-off (404)
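As an added illustration that is not part of the deck, the following Python check runs a constructed access inventory against four of the gaps in the "Most Common IT Control Gaps To Remediate" list: terminated users still holding access, developers and DBAs with production access, a segregation-of-duties conflict, and access not reviewed within a quarter. The conflict pair (order entry versus credit approval) is an assumption modelled on the deck's AR/sales example, and the users, systems and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    """One user's record from a constructed (not real) access inventory."""
    user: str
    role: str
    status: str            # "active" or "terminated"
    entitlements: list     # (system, environment, function) tuples
    last_review: date      # when management last reviewed this access

# Assumed SoD conflict, modelled on the deck's AR/sales example: nobody should
# both enter orders and approve credit in the same system.
SOD_CONFLICTS = [("order_entry", "credit_approval")]
REVIEW_PERIOD = timedelta(days=90)   # deck asks for review at least quarterly

def find_gaps(accounts, as_of):
    """Return {gap: [users]} for four of the control gaps the deck lists."""
    gaps = {"terminated_with_access": [], "developer_prod_access": [],
            "sod_conflict": [], "review_overdue": []}
    for a in accounts:
        in_prod = any(env == "prod" for _, env, _ in a.entitlements)
        if a.status == "terminated" and a.entitlements:
            gaps["terminated_with_access"].append(a.user)
        if a.role in ("developer", "dba") and in_prod:
            gaps["developer_prod_access"].append(a.user)
        funcs = {}                      # system -> set of functions held there
        for system, _, func in a.entitlements:
            funcs.setdefault(system, set()).add(func)
        if any({x, y} <= fs for fs in funcs.values() for x, y in SOD_CONFLICTS):
            gaps["sod_conflict"].append(a.user)
        if a.entitlements and as_of - a.last_review > REVIEW_PERIOD:
            gaps["review_overdue"].append(a.user)
    return gaps

# Constructed sample inventory; names, systems and dates are illustrative only.
SAMPLE = [
    Account("alice", "ar_clerk", "active", [("SAP", "prod", "order_entry")], date(2004, 9, 1)),
    Account("bob", "contractor", "terminated", [("SAP", "prod", "order_entry")], date(2004, 6, 1)),
    Account("carol", "developer", "active",
            [("SAP", "dev", "config"), ("SAP", "prod", "config")], date(2004, 9, 1)),
    Account("dave", "sales_mgr", "active",
            [("SAP", "prod", "order_entry"), ("SAP", "prod", "credit_approval")], date(2004, 9, 1)),
    Account("erin", "dba", "active", [("Oracle", "prod", "admin")], date(2004, 4, 1)),
]

def report(as_of=date(2004, 10, 1)):
    return find_gaps(SAMPLE, as_of)
```

Each list in the result names the users an auditor would ask about under that gap; an empty inventory yields four empty lists.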
