Outline
• SOX Act
• Difference between IT Management and IT Governance
• Internal Controls
• Frameworks for Implementing SOX
◦ COSO - Committee of Sponsoring Organizations of the Treadway Commission
◦ COBIT - Control Objectives for Information and related Technology
• Comparison of COSO and COBIT
• Issues
SOX Act

Need
◦ Widespread malpractice in the financial accounting of public corporations, e.g. Enron
◦ Cost investors billions of dollars
◦ The Sarbanes-Oxley Act (SOX) was passed in 2002 to prevent such occurrences
◦ All public corporations (SEC registrants) have to comply with SOX

Intent
◦ "To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes" (the Act's own stated purpose)
◦ Create new standards for corporate accountability as well as new penalties for acts of wrongdoing

Impact: more focus on IT governance (internal controls), transparency in business practices, and more responsibility and accountability for top management.

Six areas of importance
• Auditor oversight
• Auditor independence
• Corporate responsibility
• Financial disclosures
• Analyst conflicts of interest
• Civil and criminal penalties for fraud and document destruction
Auditor oversight
◦ Establishes the Public Company Accounting Oversight Board (PCAOB) to register, inspect and discipline the firms that audit public companies
◦ Audit error is a common source of misstatement; auditors are held accountable for errors whether intentional or unintentional

Auditor independence
◦ Auditors must be independent of the companies they audit: the audit firm may not provide most non-audit (e.g. consulting) services to an audit client, and audit partners must rotate

Corporate responsibility
◦ Requires CEOs and CFOs to certify that they have reviewed each periodic report and that, to the best of their knowledge, it is accurate (Section 302)
◦ Management must evaluate the effectiveness of internal controls over financial reporting for every reporting period (Section 404); this is the requirement that drives IT internal controls

Financial disclosures
◦ All disclosures must be attested by top management
◦ Material events that might affect the company's financial condition must be disclosed on a rapid and current basis (the deck cites 48 hours)

Analyst conflicts of interest
◦ Securities analysts' recommendations, and the conflicts of interest of the firms employing them, are placed under regulatory scrutiny, reducing the opportunity for analysts to mislead investors

Civil and criminal penalties
◦ Knowingly certifying a report that does not comply: fine of up to $1,000,000, or imprisonment for not more than 10 years, or both (willful violations carry higher maximums)
◦ Fraud and the destruction, alteration or falsification of records are criminal offences
IT governance can be helpful in putting internal controls in place and thereby complying with the SOX Act.

IT Management
◦ Narrow focus
◦ Ensures the supply of IT services needed for normal operation

IT Governance
◦ Includes IT management
◦ Plans how the organization can meet its goals through optimal use of IT resources, and assigns responsibility and accountability for doing so
What are Internal Controls?
Policies, procedures, practices, and organizational structures put in place to reduce risk.
They are applied throughout the organization to reduce the risks involved in the various stages of operation.
Objectives:
◦ Economy and efficiency of operations
◦ Reliability of financial and management reports
◦ Compliance with laws and regulations
COSO
• Unified approach for the evaluation of an internal control system
• Focuses on processes and people
• Has five control components that together assure sound business practices:
◦ Control Environment: management defines and communicates policies and procedures to employees, setting the "tone at the top"
◦ Risk Assessment (the deck calls this Risk Management): the organization must be able to identify and analyze the risks involved in the business
◦ Control Activities: processes such as approval, authorization, verification and segregation of duties; these cover the entire organization
◦ Information and Communication: information must reach the appropriate person in a timely way through proper communication channels
◦ Monitoring: controls are checked periodically for proper functioning; deficiencies are reported to auditors and remedial action is taken
• The COSO Enterprise Risk Management framework extends these with objective setting, event identification and risk response (eight components in total)
COBIT
• Framework consistent with COSO; rich, robust and the most widely used IT control framework
• Four domains and 34 high-level control objectives (processes); the latest version at the time of this deck is 4.1 (since superseded by COBIT 5 and COBIT 2019)
• Aligns IT with business objectives, quality standards, financial controls and security needs
◦ Plan and Organise: assess how IT will be able to meet business needs
◦ Acquire and Implement: IT solutions have to be developed or acquired to meet the objectives
◦ Deliver and Support: continuous delivery and support of systems
◦ Monitor and Evaluate: monitors all IT processes for quality and for compliance with control requirements
Comparison of COSO and COBIT
• COSO is useful for management, while COBIT is useful for IT management, users, and auditors
• COSO focuses on effectiveness and efficiency of operations, reliable financial reporting, and compliance with laws and regulations
• COBIT is used to support business requirements and the associated IT resources and processes
• COSO is the framework of choice for Section 404 assessments: the Securities and Exchange Commission (SEC) recognises it as suitable, and nearly all filers use it
Issues
• Cost of compliance: estimated industry-wide spending of $6 billion per year; the burden falls disproportionately on small corporations
• Continuous checking of internal controls
• Maintaining data integrity
• Security of communication and data integrity