
This form summarizes the nature and timing of the involvement of the company’s principal executive officer and its principal financial officer in the company’s process for assessing internal control effectiveness.
Project Planning
1. Review the composition of the project team and satisfy yourself that
a. The team as a whole has the skills to perform the work competently.
b. The project manager has sufficient status within the company to ensure sufficient internal control testing coverage and adequate consideration of, and actions on, the findings and recommendations of the individuals performing the testing.
source: SOX Implementation Toolkit, Michael Ramos

Company management is responsible for evaluating the effectiveness of internal control and presenting a written assessment of that effectiveness as of the end of the fiscal year. Our chief executive officer and chief financial officer bear the ultimate responsibility for the planning and performance of our project to assess internal control effectiveness. To carry out the day-to-day performance and administration of the project, we formed a project team, which reports directly to those individuals responsible for management’s report on internal control effectiveness. To form our project team, we considered the need for individuals, both internal and external to the company, who possessed the following:
• Knowledge of company business processes and operations
• Knowledge of company control policies and procedures
• Expertise in information technology systems and controls
• Knowledge of financial accounting and reporting matters, including SEC reporting requirements
• Expertise in the design, documentation, testing, and evaluation of internal control
Below are sample SOX policy statements:
The design, implementation, and operation of all information technology systems and the business processes they support shall be done in a manner that respects the maintenance of privacy of personally identifying information, personal medical information, and personal financial information for customers and employees alike.
Employee measures: Adequate controls will be implemented across all systems to ensure that only employees and designated human resources office staff are permitted access to employee personal privacy information. Only the HR director may grant managers access to employee privacy information, and only upon authorization. Systems design will not permit access by system administrators; encryption in storage and passwords will be required for employee and HR access.
Below are sample access control policy statements that can be used in your company or IT department policy:
- Data access will be restricted to those with a need to know, denying access to the data by all others. The business units will determine need to know for all employees.
- All possible control measures will be applied for maintaining the reliability and accuracy of published and nonpublished information without conflicting with read-only rights.
- Personal medical information will be managed for control of access in conformance with HIPAA regulations.
- Directory-enabled access controls will be used for all applications capable of integration with our service directory architecture either through standard LDAP API or custom coding.
- Finite access controls restricting access to by-name access rights will be used for all financial databases, spreadsheets, and reports.
source: Security Controls for Sarbanes-Oxley Section 404 IT Compliance (2006), Dennis Brewer