SOX requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and requires public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall within the scope of management's assessment of internal control under Section 404 of SOX.
The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC states that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statement on Auditing Standards No. 109 (SAS 109) discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.
IT controls that typically fall within the scope of a SOX 404 assessment may include:
Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically only a few such controls within the major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.
IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls;
IT operations controls, which ensure that problems with processing are identified and corrected.
Specific activities that may occur to support the assessment of the key controls above include:
Understanding the organization's internal control program and its financial reporting processes.
Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;
Identifying the key controls that address specific financial risks;
Designing and implementing controls designed to mitigate the identified risks, and monitoring them for continued effectiveness;
Documenting and testing IT controls;
Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and
Monitoring IT controls for effective operation over time.
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, which exist within these applications or within their supporting systems such as databases, networks and operating systems, are equally important but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance focuses only on those that are associated with a significant account or related business process and that mitigate specific material financial risks. This focus on risk enabled management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.