A Practical IT Approach To Sarbanes-Oxley Compliance
Ecora and Sarbanes-Oxley Compliance
Agenda
Sarbanes-Oxley -- What is It?
Some Definitions
Where are companies in the compliance effort?
Why should I care?
Why a Framework?
COSO
COSO IT Controls
IT General Controls
Federal law that imposes strict new financial reporting requirements for publicly traded companies.
Places burden on management to devise safeguards around the financial reporting process
Specifically identifies IT as a key component of process and audit activity
Section 302 – Quarterly and annual reporting – set up internal controls. CEO and CFO own it.
Section 404 – Management Assessment of Internal Controls
SOX is changing IT
IT an integral part of the financial reporting and control process
1. SOX Mandate -- Assessment of effectiveness requires a “...suitable, recognized control framework...”
2. It makes sense
A common sense approach to implementing internal controls
Information and Communication
COSO identifies two broad groupings of information system control activities.
Application controls – apply to business processes and designed within applications to prevent/detect unauthorized transactions.
General Controls – apply to all information systems and support secure and continuous operation. They support all other controls.
Business Processes/ Transaction Classes
IT Infrastructure Services
Network
IT General Controls
IT general controls are foundation for all IT controls
Adapted from IT Control Objectives for Sarbanes-Oxley by the IT Governance Institute
IT General Controls are IT processes and related controls that are generally applied to support the computer application level. However, they may be performed on a single platform or application.
IT general controls provide a focus for IT to identify, assess, and develop internal controls around defined areas of operation as they relate to financial controls
Tests for controls are specific activities or processes that demonstrate and document proof that the controls are real and in place.
Remember -- the whole point of SOX is financial reporting – the objective is to provide documented proof that IT systems associated with financial reporting are locked down.
System (OS) Access to System
System (OS) Access to Data
Your infrastructure figuratively surrounds your financial reporting data. You need controls at each level.
Financial Reporting Data
Network
How Ecora helps with IT General Controls
Ecora Auditor maps to IT general controls. We provide documented proof that you are complying with internal controls for IT systems that impact financial reporting.
Ecora Infrastructure Coverage
Ecora Enterprise Auditor
Database MS-SQL, Oracle
Operating System Windows, Solaris, HP-UX, AIX, Red Hat Linux, Novell
Sarbanes-Oxley is here to stay – annual and quarterly
Internal controls defined by each company
IT will bear an increasing burden of SOX compliance
A framework can be a guide
IT general controls are foundation of all controls
Sustainability is a requirement
Automation tools will make your job easier
Ecora Software, Inc. and Enterprise Auditor