SOX and IT Audit Programs

John R. Robles
Thursday, May 31, 2007
Email: jrobles@coqui.net
Tel: 787-647-396

SOX and the Audit Process

Management must comply with Section 404 of the Sarbanes-Oxley Act.

Section 404: Management Assessment of Internal Controls

… responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

… contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

SOX and the Audit Process

(b) INTERNAL CONTROL EVALUATION AND REPORTING. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

SOX and Auditors

Management
– Assess the effectiveness of internal controls
– CEO & CFO certify the effectiveness of internal controls
– Sign the financial statements

Audit of the assessment of the effectiveness of internal controls
– External Auditors: CPA firms (Big 4 and local firms)
– Internal Auditors: CIAs and CISAs, covering Operations, Financial and Information Technology audit

External Auditors' Attestation

Attestation by External Auditors:

"Furthermore, in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control – Integrated Framework issued by the COSO."

External Auditors' Attestation

Attestation made after:
– Understanding of internal controls over financial reporting,
– Evaluating management's assessment,
– Testing and evaluating the design and operating effectiveness of internal controls.

Attestation

Example of: CPA Attestation

Section 302:

… Requires a company's management, with the participation of the principal executive and financial officers (the certifying officers), to make the following quarterly and annual certifications with respect to the company's internal control over financial reporting:

1. A statement that the certifying officers are responsible for establishing and maintaining internal control over financial reporting.

2. A statement that the certifying officers have designed such internal control over financial reporting, …

3. A statement that the report discloses any changes in the company's internal control over financial reporting that occurred during the most recent fiscal quarter …

Certifications

Example of: CEO Certification and CFO Certification

Section 404 - Management's report on internal control over financial reporting is required to include the following:

1. A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company.

2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company's internal control over financial reporting.

3. An assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective.

4. A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.

Report on Assessment

Example of: Management Assessment Report

Key control

A control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis.

In other words, a key control is one that provides reasonable assurance that material errors will be prevented or timely detected.

Testing of Key Internal Controls

"The auditor should select for testing only those controls that are important to the auditor's conclusion about whether the company's controls sufficiently address the assessed risk of misstatement to a given relevant assertion that could result in a material misstatement to the company's financial statements."

The auditor's testing of the operating effectiveness of such controls should occur at the time the controls are operating.

Controls "as of" a specific date encompass controls that are relevant to the company's internal control over financial reporting "as of" that specific date, even though such controls might not operate until after that specific date.

IT Control Objectives for SOX

AI2 - Acquire and maintain application software
– High-level Design
– Detailed Design
– Application Control and Auditability

AI3 - Acquire and maintain technology infrastructure
– Technological Infrastructure Acquisition Plan
– Infrastructure Resource Protection and Availability
– Infrastructure Maintenance

AI4 - Enable operation and use
– Planning for Operational Solutions
– Knowledge Transfer to Business Management
– Knowledge Transfer to End Users

AI7 - Install and accredit solutions and changes
– Training
– Test Planning
– Implementation Planning

AI6 - Manage changes
– Change Standards and Procedures
– Impact Assessment, Prioritization and Authorization
– Emergency Changes
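The AI6 objectives above (change standards, impact assessment and authorization, emergency changes) are what an IT auditor tests by reconciling what actually reached production against the change register. The following Python is an added example, not part of the original slides, showing such a reconciliation: every deployment must trace to a ticket approved before it went in, emergency changes must carry a post-implementation approval, and the approver must be independent of the requester and implementer. The ticket and deployment fields, the people and the CHG-… identifiers are constructed sample data, not records from any real change-management system.

```python
"""Reconcile a production deployment log against the change-ticket register.

Each exception corresponds to an AI6 objective from the slide: a deployment with
no ticket (no change standard followed), a deployment made before the ticket was
authorized, an emergency change never closed out with retroactive approval, and
a change approved by its own requester or implementer (no independent review).
All records below are constructed sample data, not output of any real system.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class ChangeTicket:
    change_id: str
    requester: str
    approver: Optional[str] = None                 # None if nobody approved it
    approved_at: Optional[datetime] = None
    emergency: bool = False
    retro_approved_at: Optional[datetime] = None   # post-implementation approval for emergency changes


@dataclass
class Deployment:
    system: str
    change_id: Optional[str]                       # None when the deployer recorded no ticket
    deployed_by: str
    deployed_at: datetime


@dataclass
class Finding:
    deployment: Deployment
    issue: str


def reconcile(deployments: List[Deployment],
              tickets: Dict[str, ChangeTicket]) -> List[Finding]:
    """Return one Finding per control exception; a clean deployment yields none."""
    findings: List[Finding] = []
    for d in deployments:
        if d.change_id is None or d.change_id not in tickets:
            findings.append(Finding(d, "no change ticket"))
            continue
        t = tickets[d.change_id]
        # Segregation of duties: the approver must not be the requester or implementer.
        if t.approver is not None and t.approver in (t.requester, d.deployed_by):
            findings.append(Finding(d, "approver is the requester or implementer"))
        if t.emergency:
            # Emergency changes may go in first, but must be reviewed afterwards.
            if t.retro_approved_at is None:
                findings.append(Finding(d, "emergency change lacks retroactive approval"))
        elif t.approver is None or t.approved_at is None:
            findings.append(Finding(d, "ticket never approved"))
        elif t.approved_at > d.deployed_at:
            findings.append(Finding(d, "deployed before approval"))
    return findings


def sample_findings() -> List[Finding]:
    """Constructed sample data: one clean change and four exception cases."""
    T = datetime
    tickets = {
        "CHG-1001": ChangeTicket("CHG-1001", "alice", "carol", T(2007, 5, 28, 9, 0)),
        "CHG-1002": ChangeTicket("CHG-1002", "alice", "carol", T(2007, 5, 29, 17, 0)),
        "CHG-1003": ChangeTicket("CHG-1003", "bob", emergency=True),
        "CHG-1004": ChangeTicket("CHG-1004", "bob", "bob", T(2007, 5, 30, 8, 0)),
    }
    deployments = [
        Deployment("GL", "CHG-1001", "alice", T(2007, 5, 28, 12, 0)),  # approved before deploy
        Deployment("GL", "CHG-1002", "alice", T(2007, 5, 29, 12, 0)),  # approved after deploy
        Deployment("AP", "CHG-1003", "bob", T(2007, 5, 30, 1, 30)),    # emergency, never reviewed
        Deployment("AP", "CHG-1004", "dave", T(2007, 5, 30, 9, 0)),    # requester approved own ticket
        Deployment("AR", None, "dave", T(2007, 5, 31, 9, 0)),          # no ticket at all
    ]
    return reconcile(deployments, tickets)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.deployment.system} {f.deployment.change_id}: {f.issue}")
```

In practice the deployment list comes from a source the implementers cannot edit (a deployment tool's audit trail or file-integrity alerts on production), not from the change tool itself; otherwise the reconciliation only proves the register agrees with itself.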

DS1 - Define and manage service levels
– Service Level Management Framework
– Definition of Service
– Service Level Agreements

DS2 - Manage third-party services
– Identification of All Supplier Relationships
– Supplier Relationship Management
– Supplier Risk Management

DS5 - Ensure systems security
– Management of IT Security
– IT Security Plan
– Identity Management

DS9 - Manage the configuration
– Configuration Repository and Baseline
– Identification and Maintenance of Configuration Items
– Configuration Integrity Review

DS8 - Manage service desk and incidents
– Service Desk
– Registration of Customer Queries
– Incident Escalation
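A configuration integrity review under DS9 compares the approved baseline held in the configuration repository against what is actually deployed. The following Python is an added example, not from the slides: it takes a hash baseline of the configuration items under a directory, serializes it as JSON the way a repository would store it, and then reports items that were modified, added or removed since the baseline. The file names and contents are constructed sample data written to a temporary directory.

```python
"""Configuration baseline and integrity review for a directory of configuration
items (DS9). A baseline records the SHA-256 of every item under a root; a later
review recomputes the hashes and reports items that were modified, added or
removed since the baseline was approved. The files written by demo() are
constructed sample data in a temporary directory, not real configuration.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Dict[str, str]:
    """Map each configuration item (path relative to root) to its content hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def integrity_review(baseline: Dict[str, str],
                     current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the approved baseline against the current state of the items."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build constructed sample items, baseline them, then tamper and review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "listener.ora").write_text("PORT=1521\n")
        (root / "app.properties").write_text("auth.mode=ldap\n")
        (root / "sudoers").write_text("%dba ALL=(oracle) /usr/bin/sqlplus\n")

        baseline = take_baseline(root)
        # What the configuration repository would hold for the approved baseline.
        stored = json.dumps(baseline, indent=2, sort_keys=True)

        # Unapproved changes made after the baseline was approved:
        (root / "app.properties").write_text("auth.mode=none\n")   # modified
        (root / "cron.allow").write_text("oracle\n")                # added
        (root / "sudoers").unlink()                                 # removed

        return integrity_review(json.loads(stored), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every item the review flags should map to an approved change ticket; anything that does not is either an unauthorized change or a gap in the change process, which is why this check is usually run together with the AI6 reconciliation rather than on its own.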

DS10 - Manage problems
– Identification and Classification of Problems
– Problem Tracking and Resolution
– Problem Closure

DS11 - Manage data
– Business Requirement of Data Management
– Storage and Retention Agreements
– Media Library Management System

DS12 - Manage physical environment
– Site Selection and Layout
– Physical Security Measures
– Physical Access

DS13 - Manage operations
– Operation Procedures and Instructions
– Job Scheduling
– IT Infrastructure Monitoring

SOX and Audit Programs

Thank You!

John R. Robles
Thursday, May 31, 2007
Email: jrobles@coqui.net
Tel: 787-647-396