A Practical IT Approach To Sarbanes-Oxley Compliance
PowerPoint Slideshow about 'A Practical IT Approach To Sarbanes-Oxley Compliance' - mike_john
Presentation Transcript
Ecora and Sarbanes-Oxley Compliance


  • Sarbanes-Oxley -- What is It?
  • Some Definitions
  • Where are companies in compliance effort?
  • Why should I care?
  • Why a Framework?
  • COSO
    • COSO IT Controls
    • IT General Controls
  • Example of compliance work with a customer
  • Summary
Sarbanes-Oxley – What is it?

Federal law that imposes strict new financial reporting requirements on publicly traded companies.

Places the burden on management to devise safeguards around the financial reporting process.

Specifically identifies IT as a key component of the process and of audit activity.

Sarbanes-Oxley – Definitions

Section 302 – Quarterly and annual reporting – set up internal controls. CEO and CFO own it.

Section 404 – Management Assessment of Internal Controls

  • Annual evaluation of internal controls
  • Quarterly filing of material changes to internal controls
  • Independent audit of internal controls
  • Recognized control framework required for assessment
Sarbanes-Oxley – Definitions
  • PCAOB – Public Company Accounting Oversight Board – established to oversee audits…
  • Audit Standard No. 2 -- 200 page document defines SOX auditing standards
  • COSO -- Committee of Sponsoring Organizations of the Treadway Commission – Internal Control – Integrated Framework, PCAOB referenced framework
  • CobIT – Control Objectives for Information and Related Technology – another well known framework
  • Internal Control – A process designed….to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles…. (SEC Definition)
Sarbanes-Oxley – Definitions
  • Internal Control (cont.) – Internal control is not “one-size-fits-all,” and the nature and extent of controls that are necessary depend, to a great extent, on the size and complexity of the company. PCAOB Auditing Standard No. 2
  • Control Deficiency – exists when design or operation of a control does not allow management or employees …to prevent or detect misstatements on a timely basis.
  • Significant Deficiency – control deficiency (or combination of CDs) that adversely affects company’s ability to initiate, authorize, record, process, or report external financial data reliably
  • Material Weakness – significant deficiency (or combination of SDs) that results in more than remote likelihood that a material misstatement of annual or interim financial statements will not be prevented or detected
Where are companies in the process?

Two groups (Ernst & Young, 2004):

  • < $75M market cap – 11/15/04
    • 64% Testing
    • 34% Documentation
    • 2% Reporting
  • > $75M market cap – 7/15/05
    • 60% Testing
    • 34% Documentation
    • 3% Reporting
    • 3% Planning

Sarbanes-Oxley – Why should I care?

SOX is changing IT

  • No more IT closed “black box”
  • Auditors – with technical expertise -- are now looking closely at IT
  • E&Y projects that next year the IT portion of the SOX audit will grow from 10% to 25%.
Sarbanes-Oxley – Why should I care?

IT is an integral part of the financial reporting and control process

  • Management’s heavy dependency on IT
      • High degree of automation in processing day to day transactions
      • IT data elements are the primary source of data used in decision-making
      • IT availability / integrity critical to the financial statement close and reporting processes
Why a Framework?

1. SOX Mandate -- Assessment of effectiveness requires “..suitable, recognized control framework...”

  • Must be identified in annual report
  • COSO is specifically referenced by PCAOB and forms foundation of its Auditing Standard No. 2.

2. It makes sense

  • Provides structure
  • Identifies functional areas of focus
COSO Framework

A common sense approach to implementing internal controls:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication

COSO IT Controls

COSO identifies two broad groupings of information system control activities:

  • Application Controls – apply to business processes and are designed within applications to prevent/detect unauthorized transactions.
  • General Controls – apply to all information systems and support secure and continuous operation. They support all other controls.

IT General Controls

[Layered diagram: Significant Accounts in Financial Statements (Balance Sheet, Income Statement) → Business Processes / Transaction Classes (Process 1 …) → Financial Applications (Application X, Application Y, Application Z) → IT Infrastructure Services (Operating System …). Application Controls sit at the application layer; General Controls underlie every layer.]

IT general controls are the foundation for all IT controls.

Adapted from IT Control Objectives for Sarbanes-Oxley by the IT Governance Institute

IT General Controls

IT General Controls are IT processes and related controls that are generally applied to support the computer application level. However, they may also be performed on a single platform or application.

IT general controls give IT a focus for identifying, assessing, and developing internal controls around defined areas of operation as they relate to financial controls.

Tests for controls are specific activities or processes that demonstrate and document proof that the controls are real and in place.

Remember -- the whole point of SOX is financial reporting – the objective is to provide documented proof that the IT systems associated with financial reporting are locked down.

IT General Controls

Your infrastructure figuratively surrounds your financial reporting data. You need controls at each level:

  • Network Access
  • System (OS) Access to System
  • System (OS) Access to Data
  • Database Access
  • Financial Reporting Data (at the centre)

How Ecora helps with IT General Controls

Ecora Auditor maps to IT general controls. We provide documented proof that you are complying with internal controls for the IT systems that impact financial reporting.

Ecora Enterprise Auditor infrastructure coverage (general controls):

  • Database: MS-SQL, Oracle
  • Operating System: Windows, Solaris, HP-UX, AIX, Red Hat Linux, Novell
  • Network: Cisco

Client Example – Database Internal Controls (slides 17–19)

Client Example – OS Internal Controls (slides 20–23)


Summary

  • Sarbanes-Oxley is here to stay – annual and quarterly
  • Internal controls are defined by each company
  • IT will bear an increasing burden of SOX compliance
  • A framework can be a guide
  • IT general controls are the foundation of all controls
  • Sustainability is a requirement
  • Automation tools will make your job easier

And now a word from our sponsor…

Ecora Software, Inc. and Enterprise Auditor

  • Enterprise Auditor automates the collection of configuration data from the major infrastructure applications, databases, OSs, and network components and delivers audit-ready reports.
  • Ecora’s Enterprise Auditor forms the foundation for Sarbanes-Oxley IT internal controls. It gives you a platform for, and proof of compliance with, IT internal controls.
  • Solution Express combines Enterprise Auditor and an Ecora Systems Engineer (no charge) to get your IT Sarbanes-Oxley compliance effort on a fast track.