SOX and IT Audit Programs - PowerPoint PPT Presentation


Presentation Transcript

SOX and IT Audit Programs

John R. Robles

Thursday, May 31, 2007

Email: [email protected]

Tel: 787-647-396


SOX and the Audit Process

Management must comply with Section 404 of SOX:

Management Assessment Of Internal Controls

  • … responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

  • …contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.



  • (b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.


External Auditors Attestation

  • Attestation by External Auditors

  • “Furthermore, in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control – Integrated Framework issued by the COSO.”



  • Attestation made after:

    • Understanding of internal controls over financial reporting,

    • Evaluating management’s assessment,

    • Testing and evaluating the design and operating effectiveness of internal controls.


Attestation

Example of:

CPA Attestation


Section 302:

…Requires a company’s management, with the participation of the principal executive and financial officers (the certifying officers), to make the following quarterly and annual certifications with respect to the company’s internal control over financial reporting:



1. A statement that the certifying officers are responsible for establishing and maintaining internal control over financial reporting.



2. A statement that the certifying officers have designed such internal control over financial reporting, …



3. A statement that the report discloses any changes in the company’s internal control over financial reporting that occurred during the most recent fiscal quarter …


Certifications

Example of:

CEO Certification and CFO Certification


Section 404 - Management’s report on internal control over financial reporting is required to include the following:

1. A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.



2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting.



3. An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective.



4. A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.


Report on Assessment

Example of:

Management Assessment Report


Key Control

A control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis.

In other words, a key control is one that provides reasonable assurance that material errors will be prevented or timely detected.


Testing of Key Internal Controls

“The auditor should select for testing only those controls that are important to the auditor’s conclusion about whether the company’s controls sufficiently address the assessed risk of misstatement to a given relevant assertion that could result in a material misstatement to the company’s financial statements.”



  • The auditor’s testing of the operating effectiveness of such controls should occur at the time the controls are operating.

  • Controls “as of” a specific date encompass controls that are relevant to the company’s internal control over financial reporting “as of” that specific date, even though such controls might not operate until after that specific date.


IT Control Objectives for SOX

  • AI2 - Acquire and maintain application software

    • High-level Design

    • Detailed Design

    • Application Control and Auditability

  • AI3 - Acquire and maintain technology infrastructure

    • Technological Infrastructure Acquisition Plan

    • Infrastructure Resource Protection and Availability

    • Infrastructure Maintenance

  • AI4 - Enable operation and use

    • Planning for Operational Solutions

    • Knowledge Transfer to Business Management

    • Knowledge Transfer to End Users



  • AI7 - Install and accredit solutions and changes

    • Training

    • Test Planning

    • Implementation Planning

  • AI6 - Manage changes

    • Change Standards and Procedures

    • Impact Assessment, Prioritization and Authorization

    • Emergency Changes



  • DS1 - Define and manage service levels

    • Service Level Management Framework

    • Definition of Service

    • Service Level Agreements

  • DS2 - Manage third-party services

    • Identification of All Supplier Relationships

    • Supplier Relationship Management

    • Supplier Risk Management

  • DS5 - Ensure systems security

    • Management of IT Security

    • IT Security Plan

    • Identity Management



  • DS9 - Manage the configuration

    • Configuration Repository and Baseline

    • Identification and Maintenance of Configuration Items

    • Configuration Integrity Review

  • DS8 - Manage service desk and incidents

    • Service Desk

    • Registration of Customer Queries

    • Incident Escalation



  • DS10 - Manage problems

    • Identification and Classification of Problems

    • Problem Tracking and Resolution

    • Problem Closure

  • DS11 - Manage data

    • Business Requirement of Data Management

    • Storage and Retention Agreements

    • Media Library Management System



  • DS12 - Manage physical environment

    • Site Selection and Layout

    • Physical Security Measures

    • Physical Access

  • DS13 - Manage operations

    • Operation Procedures and Instructions

    • Job Scheduling

    • IT Infrastructure Monitoring


SOX and Audit Programs

Thank You!

John R. Robles

Thursday, May 31, 2007

Email: [email protected]

Tel: 787-647-396

