SOX MISC.

Raj Mehta – Partner

CPA, CITP, CISA, CISSP

713-982-2955

[email protected]

Enterprise Risk Services



DISCUSSION ITEMS

  • Trends in IT Documentation/Testing

  • Definition and Evaluation of Deficiencies

  • Rollforward Procedures

  • Q&A

IS Security Risk & Controls



Trends in IT Documentation

  • In-scope applications, third-party providers, infrastructure, etc. still keep changing!

  • Documentation does not focus on the aspects that matter to financial reporting




Trends in IT Documentation

  • Documentation Trends

    • Very High Level – “Who Cares?”

    • Too Granular Level – “How can you miss that?”

    • IMPACT = STILL DOCUMENTING, COSTING MONEY & RESOURCES




Trends in IT Documentation

  • SCOPE it right – how important are the application control(s) to the transaction life cycle?




Trends in IT Documentation

  • Disconnect of “process/manual” controls from application controls: a “silo” approach assesses the manual control and the application control it relies on separately.

  • Disconnect between authentication and authorization: authorization decisions act on the identity that authentication established, so if an application's authentication controls are “weak” and fail, its authorization controls fail with them, however well the role or approval rules are configured.
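The authentication/authorization point above, as an added example that is not part of the presentation: the same role check runs in both variants of the request pipeline, and only the way the request's identity is established differs. The user table, the `X-User` and `X-Session` header names, the `user.tag` session format and the in-process signing key are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed user table: who exists and what role the application grants them.
USERS = {
    "alice": "payroll_admin",
    "bob": "employee",
}

# Hypothetical session-signing key; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def authorize(user: str, action: str) -> bool:
    """Authorization: approving a payroll run requires the payroll_admin role."""
    if action == "approve_payroll":
        return USERS.get(user) == "payroll_admin"
    return user in USERS


def weak_authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Weak authentication: believe whatever identity the client asserts in a header.
    Anyone can set X-User, so the 'identity' is attacker-controlled."""
    return headers.get("X-User")


def issue_session(user: str) -> str:
    """Server-side login issues an HMAC-tagged session token for a known user."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def strong_authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Stronger authentication: accept an identity only from a session token whose
    HMAC tag verifies under the server key; X-User is ignored entirely."""
    token = headers.get("X-Session")  # header name is an assumption of this example
    if not token or "." not in token:
        return None
    user, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return user if user in USERS else None


def handle(headers: Dict[str, str], action: str, authenticate) -> str:
    """Request pipeline: authenticate first, then authorize the established identity."""
    user = authenticate(headers)
    if user is None:
        return "401 unauthenticated"
    if not authorize(user, action):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    forged = {"X-User": "alice"}  # attacker claims to be the payroll admin
    print("weak  :", handle(forged, "approve_payroll", weak_authenticate))    # 200 ok
    print("strong:", handle(forged, "approve_payroll", strong_authenticate))  # 401 unauthenticated
    bob = {"X-Session": issue_session("bob")}
    print("bob   :", handle(bob, "approve_payroll", strong_authenticate))     # 403 forbidden
```

The authorization rule is identical in both runs; under the weak variant it approves the forged request because it never had a trustworthy principal to act on, which is the sense in which a failed authentication control takes the authorization control down with it.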




Evaluation of Deficiency

Definitions:

  • A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.

  • A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

Note: these are the PCAOB Auditing Standard No. 2 (AS2) definitions. AS2 was superseded by AS5 in 2007, which dropped the “more than inconsequential” test and replaced “more than a remote likelihood” with “reasonable possibility”; the 20% presumption on the next slide belongs to the AS2-era guidance.




How to determine?

  • Evaluate magnitude and likelihood

  • Potential misstatements equal to or greater than 20% of overall annual or interim financial statement materiality are presumed to be more than inconsequential.

  • Potential misstatements less than 20% of overall annual or interim financial statement materiality may still be concluded to be more than inconsequential after considering the qualitative factors that AS2 requires.




Themes

  • Important to correctly classify the type of control deficiency

    • Application control deficiencies

    • GCC (general computer control) deficiencies

  • GCC deficiencies are evaluated in relation to their effect on application controls

    • GCC deficiencies do not directly result in misstatements

    • Misstatements result from the application controls that the GCC deficiency renders ineffective



Theory – Evaluating Process Level Controls (Applications)

(diagram slide; no text content survives in the transcript)


Theory – Evaluating Process Level Controls (Applications) – cont.

(diagram slide; no text content survives in the transcript)



How does this work of IT Controls?

  • Application/Process Level Controls:

    • Group deficiencies together by Major Class of Transactions (related processes) – e.g., for the Expenditure cycle include deficiencies from procurement, invoice processing, cash disbursements, etc.

    • For application-specific issues, consider which aspects of the transaction life cycle are affected and the volume and dollar amount of the transactions (e.g., if the authentication control over the Payroll system fails and there are no compensating/mitigating controls, the entire Payroll Expense balance is the exposure and has to be evaluated against materiality).

  • General Computer Controls:

    • Can the failure be isolated to specific application(s) or is it truly pervasive? For example, a UNIX security weakness on the host running Payroll may affect only the Payroll system, whereas a weakness in user access administration will likely affect all systems.
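The grouping and evaluation steps on this slide and the 20%-of-materiality presumption earlier, as an added example that is not from the presentation: a small evaluator that converts application and GCC deficiencies into dollar exposure per application, rolls it up by major class of transactions and applies the quantitative presumption. The applications, balances, materiality figure, deficiencies and the three verdict labels are all constructed; the output is only the quantitative first pass, and the qualitative factors on the next slide still have to be applied to each cycle.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed in-scope environment: application -> (major class of transactions, balance it processes).
APPLICATIONS: Dict[str, Tuple[str, float]] = {
    "payroll":     ("payroll",     4_000_000.0),
    "procurement": ("expenditure", 2_500_000.0),
    "ap":          ("expenditure", 3_000_000.0),
    "gl":          ("reporting",   9_000_000.0),
}

MATERIALITY = 5_000_000.0   # constructed overall financial statement materiality
PRESUMPTION = 0.20          # >= 20% of materiality is presumed more than inconsequential


@dataclass
class Deficiency:
    ident: str
    kind: str                                  # "application" or "gcc"
    application: Optional[str] = None          # application deficiency: the application affected
    affected_apps: Optional[List[str]] = None  # gcc deficiency: None means pervasive (all applications)
    exposure: Optional[float] = None           # application deficiency: dollars exposed; None = full balance
    compensating_control: bool = False         # an effective compensating control mitigates the exposure


def is_pervasive(d: Deficiency) -> bool:
    """A GCC deficiency that cannot be isolated to specific applications (e.g. user access administration)."""
    return d.kind == "gcc" and d.affected_apps is None


def exposure_by_application(defs: List[Deficiency], apps=APPLICATIONS) -> Dict[str, float]:
    """Translate each deficiency into dollars exposed per application. A GCC deficiency
    carries no exposure of its own; it exposes the full balance of every application
    whose controls it undermines."""
    per_app = {app: 0.0 for app in apps}
    for d in defs:
        if d.compensating_control:
            continue  # mitigated: left out of the quantitative total, still evaluated qualitatively
        if d.kind == "application":
            balance = apps[d.application][1]
            per_app[d.application] += balance if d.exposure is None else d.exposure
        elif d.kind == "gcc":
            for app in (list(apps) if is_pervasive(d) else d.affected_apps):
                per_app[app] += apps[app][1]
        else:
            raise ValueError(f"unknown deficiency kind {d.kind!r}")
    # A balance cannot be misstated by more than itself: cap at the balance so that
    # stacked deficiencies on one application do not double count.
    return {app: min(total, apps[app][1]) for app, total in per_app.items()}


def exposure_by_cycle(defs: List[Deficiency], apps=APPLICATIONS) -> Dict[str, float]:
    """Group exposure by major class of transactions (related processes)."""
    by_cycle: Dict[str, float] = {}
    for app, amount in exposure_by_application(defs, apps).items():
        cycle = apps[app][0]
        by_cycle[cycle] = by_cycle.get(cycle, 0.0) + amount
    return by_cycle


def classify(exposure: float, materiality: float = MATERIALITY) -> str:
    """Quantitative first pass only; qualitative factors can move a cycle up a bucket."""
    if exposure >= materiality:
        return "material weakness candidate"
    if exposure >= PRESUMPTION * materiality:
        return "more than inconsequential (presumed): evaluate as SD or higher"
    return "inconsequential unless qualitative factors indicate otherwise"


def evaluate(defs: List[Deficiency], apps=APPLICATIONS, materiality: float = MATERIALITY) -> Dict[str, Tuple[float, str]]:
    return {cycle: (amt, classify(amt, materiality))
            for cycle, amt in exposure_by_cycle(defs, apps).items()}


# Constructed deficiencies: neither expenditure item alone reaches 20% of
# materiality (1,000,000), but grouped by cycle they do.
SAMPLE = [
    Deficiency("D1", "application", application="procurement", exposure=600_000.0),
    Deficiency("D2", "application", application="ap", exposure=500_000.0),
    Deficiency("D3", "gcc", affected_apps=["payroll"]),  # e.g. UNIX security on the Payroll host only
    Deficiency("D4", "application", application="gl", compensating_control=True),
]

if __name__ == "__main__":
    for cycle, (amt, verdict) in evaluate(SAMPLE).items():
        print(f"{cycle:12s} {amt:>14,.0f}  {verdict}")
    # Add a pervasive GCC deficiency (user access administration) and every cycle moves up.
    for cycle, (amt, verdict) in evaluate(SAMPLE + [Deficiency("D5", "gcc")]).items():
        print(f"{cycle:12s} {amt:>14,.0f}  {verdict}")
```

Two things the slide states but does not show come out of the run: the expenditure cycle crosses the presumption only once its procurement and invoice-processing deficiencies are combined, and the pervasive GCC deficiency turns every balance into exposure at once, which is why it is the kind of finding that ends up as a significant deficiency or worse.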




  • Consider factors related to the deficiency:

    • Nature and significance of deficiency

    • Proximity of control to applications and data

    • Pervasiveness of control across applications and processes

    • Complexity of entity’s systems environment

    • Whether the deficient GCC supports applications related to accounts susceptible to loss or fraud

    • Cause and frequency of known or detected exceptions in the operating effectiveness of GCC

    • An indication of increased risk evidenced by a history of misstatements relating to applications affected by the GCC



Likely Candidates for a Significant Deficiency (SD) or Higher related to IT?

  • Information Security

  • Change Controls




Roll Forward Procedures

  • Management has a responsibility to update/roll forward its interim evaluation for purposes of its assessment and reporting on the effectiveness of internal control to the “as of” date, as required by the SEC’s Final Rule, Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports: “The management of each company should perform evaluations of the design and operation of the company's entire system of internal control over financial reporting over a period of time that is adequate for it to determine whether, as of the end of the company's fiscal year, the design and operation of the company's internal control over financial reporting are effective.”

  • The SEC Rule also requires “. . . a company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter (or the issuer's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting.”




Roll Forward Procedures (cont.)

Evaluation of Design Effectiveness:

Identify and evaluate significant changes in the business or the business environment in which the company operates that may impact the continued effectiveness of the design of ICFR. Procedures may include:

  • Considering the results of the monitoring processes

  • Identifying and responding to new risks as they are identified (continuously updating the risk assessment process)

  • Making inquiries of managers and others as to their knowledge of any significant changes or events that may affect the design of internal control

  • Updating the self-assessment process, whereby the organization confirms the continued design effectiveness of internal control.




Roll Forward Procedures (cont.)

Tests of Operating Effectiveness:

Determine whether significant changes in the operating effectiveness of ICFR have occurred. Procedures may include:

  • Considering the results of the monitoring processes

  • Performing independent tests, whereby the test may be applied directly to the control activity or by:

    • Testing an effective control that specifically monitors the continued operation of the underlying control activity (e.g., review of the bank reconciliation)

    • Testing an effective control upon which the underlying control activity is dependent (e.g., program change controls)

  • Updating the self-assessment process, whereby the organization confirms the continued operation of the controls. To ensure integrity, the self-assessment process should be tested periodically by someone independent of the self-assessment process (e.g., internal audit).



Q&A

  • Any questions?

  • Thank you


A member firm of Deloitte Touche Tohmatsu

Deloitte & Touche LLP