Gain insights into the impact of SOX Act Section 404 on IT controls, documentation considerations, possible errors, relevant controls, and deficiency evaluation. Learn about the challenges and findings related to IT processes in meeting compliance requirements.
Sarbanes-Oxley Act (404): An IT Viewpoint
Darin Kreimeyer, Senior Manager
Newel Linford, Senior Manager
404 IT Agenda
• Section 404: Overview and Impact
• IT Controls Overview
• 404 IT Focus
  • Significant Accounts and Processes
  • IT Documentation Considerations
  • Identifying Possible IT Errors
  • Identifying Relevant IT Controls
  • Evaluating and Reporting Deficiencies
• 404 IT Viewpoint
• Summary
Overview of Section 404
• Internal Control Evaluation and Reporting
  • Sarbanes-Oxley Act Language Excerpt: “…each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.”
• Background on Standards
  • PCAOB Standards Language Excerpt: “The bottom line for Congress, and for the PCAOB, is the reliability of the company's financial statements – statements relied on by shareholders, management, directors, regulators, lenders, investors and the market at large.”
Overview of Section 404
• Two Attestations
  • Financial Statement Opinion
  • Internal Control Opinion
• Compliance Deadline
  • Accelerated Filers: November 15, 2004
  • Others (i.e., market cap. < $75M): July 15, 2005
Impact of Section 404
• Compliance costs in the tens of billions
• Substantial and direct impact to information systems and related environments
• Creation of specific 404 job positions
• Impact from disclosure of material weaknesses unknown
IT Controls Overview
• Standards and Guidance
• Entity Level Controls
• General Controls
• Application Controls
IT Controls Overview: Standards and Guidance
• PCAOB
  • Internal Control Standards issued March 9, 2004
  • Based on COSO
• AICPA
  • SAS 94 – “The effect of IT on internal control in a financial statement audit.”
• IT Governance Institute
  • Guidance on IT related controls specific to 404
  • Based on COBIT
IT Controls Overview
404 requires an assessment at the following levels of controls:
• Entity Level Controls
  • Strategic Planning
  • Organizational Structure
  • Policies and Procedures
  • Risk Assessment
  • Third Party Management
• General Controls
  • Logical Access
  • Program Change
  • Program Development
  • Computer Operations
• Application Level Controls
  • Input
  • Transmission
  • Processing / Recording
  • Output / Reporting
404 IT Focus: Significant Accounts and Processes
• Virtually every process is IT dependent in some form or fashion
• Transaction flows are typically automated
• Management often relies on programmed controls for routine and non-routine processes
• Estimation processes are normally dependent on IT generated data elements
404 IT Focus: IT Documentation Considerations
• Should describe flow of transaction initiation, recording, processing and reporting
• Flowcharts, diagrams and narratives
• Level of required system and control documentation dependent on:
  • Number of businesses / locations
  • Degree of IT centralization
  • Nature / complexity of transactions
  • Degree of management reliance on IT systems
404 IT Focus: Identifying Possible IT Errors
• Errors that individually or collectively could have a material effect on the financial statements
• Root causes of errors include:
  • Integrity of major input sources
  • Significant processing procedures
  • Access to important data files
  • Erroneous factors and assumptions
  • Competency of personnel
  • Functional segregation of duties
404 IT Focus: Identifying Relevant IT Controls
• Should involve a collaboration with process owners and knowledgeable IT personnel
• Automated application controls
• System generated information
• IT general controls
404 IT Focus: Evaluating & Reporting Control Deficiencies
• Deficiency
• Significant Deficiency
• Material Weakness
404 IT Viewpoint: Summary of Findings
• IT has been an integral part of the evaluation process.
• Organizations are taking advantage of new ERP implementations to also meet SOX requirements.
• IT functions that are segregated across multiple locations have been using a “teaming” and sometimes automated approach to document controls.
• Organizations are looking to streamline and improve IT processes as a result of the documentation effort.
• Organizations have placed heavy reliance on manual controls. As a result, application controls are not effectively used.
404 IT Viewpoint: Summary of Findings
• Focus has been on key and selective IT controls to be used for testing.
• Organizations without proper IT audit experience and knowledge appear to have developed “inadequate” documentation.
• Documentation has been in narrative format vs. flowcharts to save time and effort.
• IT documentation has been kept separate from the manual / financial process documentation.
404 IT Viewpoint: Challenges
• Organizations that require IT assistance have had difficulty finding resources internally or externally. Resources are extremely scarce!
• Determining what and how much to document are key areas of concern.
• Integrating the IT documentation within the manual / financial process documentation is difficult.
• Coordination and documentation efforts for decentralized IT operations are challenging.
• Organizations don’t have access to automated tools to efficiently analyze application controls.
404 IT Viewpoint: Leading Practices
• Include IT executives on the project team.
• Hire or engage qualified IT auditors.
• Consider COBIT standards as a baseline for consideration of IT controls.
• Use automated tools to analyze financial applications.
• Documentation should describe the flow of transaction initiation, recording, processing and reporting.
• Consider documenting controls in the form of flowcharts rather than narratives, or a combination of the two.
404 IT Viewpoint: Leading Practices
• Consider standard surveys and questionnaires for organizations with decentralized IT operations.
• Validate and test only those IT controls considered critical and key to the financial process.
• Meet with your external auditor frequently to obtain “buy-in”.
• Consider using application controls to reduce dependence on manual controls.
404 IT Viewpoint: Moving Forward – Year 2
• Maintaining ownership of IT processes and controls
• Building sustainability for the long term
• Gaining efficiencies through centralized IT processes and increased use of application controls
• Building skill sets internally vs. the use of auditing firms
• Ongoing software implementations / upgrades
• Implementing enhanced documentation tools
Summary
Key things to remember about 404 from an IT perspective:
• Controls help to maintain the integrity of business processes, including financial reporting
• Information systems play a key role in these processes
• Stronger control environments will reduce the likelihood of another Enron or WorldCom
• 404 requires extensive documentation