SOX MISC . - PowerPoint PPT Presentation
PowerPoint Slideshow about ' SOX MISC .' - jena-juarez
Presentation Transcript

SOX MISC.

Raj Mehta – Partner

CPA, CITP, CISA, CISSP

713-982-2955

[email protected]

Enterprise Risk Services

DISCUSSION ITEMS
  • Trends in IT Documentation/Testing
  • Definition and Evaluation of Deficiencies
  • Rollforward Procedures
  • Q&A

IS Security Risk & Controls

Trends in IT Documentation
  • In scope applications, third-party providers, infrastructure, etc., still keep changing!
  • Documentation does not focus on key aspects related to financials

Trends in IT Documentation
  • Documentation Trends
    • Very High Level – “Who Cares?”
    • Too Granular Level – “How can you miss that?”

IMPACT = STILL DOCUMENTING, COSTING MONEY & RESOURCES

Trends in IT Documentation
  • SCOPE it right – how important are the application control(s) for the transaction life cycle?

Trends in IT Documentation
  • “Process/manual” controls are assessed in isolation from application controls because of a “silo” approach.
  • Disconnect between authentication and authorization – if an application has weak authentication controls and authentication fails, authorization fails with it.

Evaluation of Deficiency

Definitions:

  • A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.
  • A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

How to determine?
  • Evaluate - magnitude and likelihood
  • Potential misstatements equal to or greater than 20% of overall annual or interim financial statement materiality are presumed to be more than inconsequential.
  • Potential misstatements less than 20% of overall annual or interim financial statement materiality may be concluded to be more than inconsequential as a result of the consideration of qualitative factors, as required by AS2.

Themes
  • Important to correctly classify the type of control deficiency
    • Application control deficiencies
    • GCC deficiencies
  • GCC are evaluated in relation to their effect on application controls
    • GCC deficiencies do not directly result in misstatements
    • Misstatements result from ineffective application controls

How does this work for IT Controls?
  • Application/Process Level Controls:
    • Group deficiencies together by Major Class of Transactions (related processes) – e.g., for the Expenditure cycle include deficiencies from procurement, invoice processing, cash disbursements, etc.
    • For application-specific issues, consider which aspects of the transaction life cycle are affected, along with the volume and dollar amount of transactions (e.g., if the authentication control fails for the Payroll system and there are no compensating/mitigating controls, then the Payroll Expense balance is the total exposure and has to be evaluated for materiality).
  • General Computer Controls:
    • Can the failure be isolated to specific application(s), or is it truly pervasive? For example, a UNIX security weakness may impact only the Payroll system, whereas a user access administration weakness will likely impact all systems.
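As an added worked example (not from the slides), the evaluation steps above as a small model: uncompensated exposure is aggregated per transaction cycle, screened against the 20% of materiality presumption, and a GCC deficiency is traced to the application exposures it supports rather than counted as a misstatement itself. The deficiency records, materiality figure and the "more than one application = pervasive" rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample deficiencies (hypothetical, not from the slides).
# exposure = balance left uncorrected if the control fails and nothing
# compensates for it (the "total exposure" idea for Payroll on the slide).
DEFICIENCIES = [
    {"cycle": "Expenditure", "app": "Payroll", "control": "authentication",
     "exposure": 950_000, "compensating": False},
    {"cycle": "Expenditure", "app": "AP", "control": "3-way match",
     "exposure": 300_000, "compensating": True},
    {"cycle": "Revenue", "app": "Billing", "control": "credit limit check",
     "exposure": 120_000, "compensating": False},
]

# GCC deficiency -> applications whose controls depend on it (constructed).
GCC_SCOPE = {
    "UNIX security": ["Payroll"],
    "user access administration": ["Payroll", "AP", "Billing"],
}

MATERIALITY = 2_000_000   # overall financial statement materiality (constructed)
PRESUMPTION = 0.20        # >= 20% of materiality presumed more than inconsequential


def exposure_by_cycle(deficiencies):
    """Aggregate uncompensated exposure per major class of transactions."""
    totals = defaultdict(float)
    for d in deficiencies:
        if not d["compensating"]:
            totals[d["cycle"]] += d["exposure"]
    return dict(totals)


def classify(exposure, materiality, presumption=PRESUMPTION):
    """Quantitative screen only; below the line still needs qualitative review."""
    if exposure >= presumption * materiality:
        return "more than inconsequential (presumed)"
    return "below presumption - evaluate qualitative factors"


def gcc_effect(gcc_name, scope, deficiencies):
    """A GCC deficiency misstates nothing by itself: report the uncompensated
    application exposures it supports and whether its reach is pervasive."""
    apps = set(scope.get(gcc_name, []))
    affected = [d for d in deficiencies
                if d["app"] in apps and not d["compensating"]]
    return {
        "pervasive": len(apps) > 1,   # assumption: more than one app = pervasive
        "applications": sorted(apps),
        "supported_exposure": sum(d["exposure"] for d in affected),
    }
```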

Consider factors related to the deficiency:
    • Nature and significance of deficiency
    • Proximity of control to applications and data
    • Pervasiveness of control across applications and processes
    • Complexity of entity’s systems environment
    • GCC deficiency supporting applications related to accounts susceptible to loss or fraud
    • Cause and frequency of known or detected exceptions in the operating effectiveness of GCC
    • An indication of increased risk evidenced by a history of misstatements relating to applications affected by the GCC

Likely Candidates for SD or Higher related to IT?
  • Information Security
  • Change Controls

Roll Forward Procedures
  • Management has a responsibility to update/roll forward its interim evaluation for purposes of their assessment and reporting on the effectiveness of internal control to the “as of” date as required by the SEC’s Final Rule, Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports: The management of each company should perform evaluations of the design and operation of the company's entire system of internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the company's fiscal year, the design and operation of the company's internal control over financial reporting are effective.
  • The SEC Rule also requires: . . . a company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter (or the issuer's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.

Roll Forward Procedures (cont.)

Evaluation of Design Effectiveness:

Identify and evaluate significant changes in the business or the business environment in which the company operates that may impact the continued effectiveness of the design of ICFR. Procedures may include:

  • Considering the results of the monitoring processes
  • Identifying and responding to new risks as they are identified (continuously updating the risk assessment process)
  • Making inquiries of managers and others as to their knowledge of any significant changes or events that may affect the design of internal control
  • Updating the self-assessment process, whereby the organization confirms the continued design effectiveness of internal control.

Roll Forward Procedures (cont.)

Tests of Operating Effectiveness:

Determine whether significant changes in the operating effectiveness of ICFR have occurred. Procedures may include:

  • Considering the results of the monitoring processes
  • Performing independent tests, whereby the test may be applied directly to the control activity or by:
      • Testing an effective control that specifically monitors the continued operation of the underlying control activity (e.g., review of the bank reconciliation)
      • Testing an effective control upon which the underlying control activity is dependent (e.g., program change controls)
  • Updating the self-assessment process, whereby the organization confirms the continued operation of the controls. To ensure integrity, the self-assessment process should be tested periodically by someone independent of the self-assessment process (e.g., internal audit).

Q&A
  • Any questions?
  • Thank you

A member firm of

Deloitte Touche Tohmatsu

Deloitte & Touche LLP
