Sarbanes-Oxley compliance is a complex process. It requires documentation and testing of a wide range of internal controls over the financial reporting process.
A cross-functional team must be established, with full CEO/CFO support and representation from all groups involved, including:
Finance
Internal audit
IT
The external auditor
A cross functional committee
Typically, SOX compliance started as a project in the finance department in 2003. Yet the vast majority of public companies today use some form of IT systems to support and generate financial reports. A company’s use of information technology in its information systems affects the company’s internal control over financial reporting.
Thus, SOX requires publicly traded companies to secure information systems to the extent necessary to ensure the effectiveness of internal controls over financial reporting.
Many companies have realized this too late and IT groups have been brought into the process after the fact. Unfortunately, IT groups often have to scramble to meet the compliance deadlines.
Section 404 of the Act has had the highest impact on Information Technology and Security. The IT-related issues that cause problems for SOX compliance in the context of Section 404 are generally related to access control of system users.
Without adequate access controls in place:
Users can perform functions/activities that are in conflict with their job responsibilities.
Users can modify/corrupt financial data.
Users can circumvent controls to initiate/record unauthorized transactions.
Users can commit fraud and cover their tracks.
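The first item in that list is the segregation-of-duties (SoD) problem: a single user whose combined roles let them both initiate and approve, or record and conceal, a transaction. The following is an added example, not code from the original article; the role names, the conflict matrix and the user assignments are constructed for illustration, and a real review would load them from the ERP or identity system. It flags users whose effective permissions contain a conflicting pair, and separately derives which role pairs should never be co-assigned, so the check can run preventively at provisioning time as well as during periodic evaluation.

```python
"""Segregation-of-duties (SoD) conflict check over user-role assignments.

Added example, not from the original article. All names and data below
are constructed; a real review would load them from the ERP/IAM system.
"""
from itertools import combinations

# Constructed SoD conflict matrix: pairs of functions one person should
# not hold together, because holding both lets a user initiate and
# approve (or record and conceal) a transaction alone.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"modify_financial_data", "delete_audit_log"}),
}

# Constructed role -> functions mapping.
ROLE_FUNCTIONS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "gl_accountant": {"enter_journal"},
    "gl_supervisor": {"post_journal"},
    "sysadmin": {"modify_financial_data", "delete_audit_log"},
}

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"gl_accountant", "gl_supervisor"},
    "dave": {"sysadmin"},
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of all functions a user receives through every assigned role."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                        conflicts=SOD_CONFLICTS):
    """Return {user: [sorted conflicting pair, ...]} for every user whose
    combined roles grant both halves of at least one conflicting pair.
    A single over-broad role (see 'sysadmin') is reported the same way."""
    violations = {}
    for user in user_roles:
        funcs = effective_functions(user, user_roles, role_functions)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= funcs]
        if hits:
            violations[user] = sorted(hits)
    return violations


def role_is_self_conflicting(role, role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """True when one role alone already bundles a conflicting pair; such a
    role needs to be split rather than merely kept away from other roles."""
    return any(pair <= role_functions[role] for pair in conflicts)


def find_toxic_role_pairs(role_functions=ROLE_FUNCTIONS, conflicts=SOD_CONFLICTS):
    """Role pairs that are individually clean but conflict when combined.
    Derived from the matrix, so it can be enforced at provisioning time."""
    toxic = []
    for r1, r2 in combinations(sorted(role_functions), 2):
        if role_is_self_conflicting(r1, role_functions, conflicts) or \
           role_is_self_conflicting(r2, role_functions, conflicts):
            continue
        combined = role_functions[r1] | role_functions[r2]
        if any(pair <= combined for pair in conflicts):
            toxic.append((r1, r2))
    return toxic


if __name__ == "__main__":
    for user, hits in find_sod_violations().items():
        print(f"SoD violation: {user} holds {hits}")
    for role in ROLE_FUNCTIONS:
        if role_is_self_conflicting(role):
            print(f"Role needs splitting: {role}")
    print("Role pairs that must not be co-assigned:", find_toxic_role_pairs())
```

The detective check (`find_sod_violations`) is what a periodic control evaluation runs; the preventive checks (`role_is_self_conflicting`, `find_toxic_role_pairs`) are what an access-request workflow should consult before a role is granted, so that violations are remediated at the source rather than discovered at audit time.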
While the Sarbanes-Oxley Act appears somewhat vague and subject to interpretation, what can companies and public accounting firms do to ensure compliance?
The first step is to identify significant and high risk processes. Identify the systems, data, or controls whose compromise could lead to a material misstatement.
Once such processes and assets have been identified, the next step is to identify control deficiencies, and remediate (not mitigate!) issues that are found.
Implement effective controls and define a regular frequency of evaluation to ensure that the controls remain in place and are effective.
The SEC has ruled that management must evaluate the company's internal control over financial reporting using a suitable, recognized control framework. Before SOX, public accounting firms used the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as their reference for controls over financial reporting.
Now it is generally accepted that controls also need to be established over information technology. Most large audit firms have looked to COBIT, a generally applicable and accepted standard for good Information Technology (IT) security and control practices which is promoted by ISACA (Information Systems Audit and Control Association).
COBIT provides a reference framework for management, users, IS audit, control and security practitioners. COBIT is a very rich and robust framework, comprising 4 domains, 34 IT processes and 318 detailed control objectives.
COSO vs. COBIT
COSO is still the official framework for controls over financial reporting, but does NOT provide controls for Information Technology.
COBIT is directly based on COSO, but COBIT DOES provide controls for Information Technology. The Purpose of COBIT is to: