SarbanesOxleyFocus.com

February 6, 2009

Six key activities of good IT risk management

Filed under: article, control, implementation — admin @ 5:17 pm

1. Set responsibility for IT risk management.
2. Set objectives and define risk appetite and tolerance.
3. Identify, analyse and describe risk.
4. Monitor risk exposure.
5. Treat IT risk.
6. Link with existing guidance to manage risk.

Developing good IT risk management is key to a successful Sarbanes-Oxley implementation, and above all so are the six basic activities that support it.


January 18, 2009

Core Points of the Sarbanes-Oxley Act

Filed under: article, control, reporting, sarbanes oxley — admin @ 9:54 pm

The Sarbanes-Oxley Act has many provisions. Sections 101, 302, 404, 409, and 906 are the key sections with relevance and impact on information services departments.

Section 101

In section 101, the PCAOB is established as the governing agency to create auditing standards and rules for public companies. In addition, the PCAOB is given the authority to regulate the accounting firms that audit public companies. The rules issued by the PCAOB and approved by the SEC are referred to as Auditing Standards.

The primary guidance from the PCAOB in regard to auditing internal controls is provided in Auditing Standard No. 2, effective June 17, 2004, entitled, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” We will explore Auditing Standard No. 2 later in this chapter.

Section 302

Section 302 specifies the legal responsibilities of the company’s CEO and CFO. According to the Sarbanes-Oxley Act, the CEO and CFO are responsible for all internal controls and for reporting quarterly on any significant changes to internal controls that could affect the company’s financial statements. In practice, these two officers must personally certify that they are responsible for, and knowledgeable about, all financial statements submitted quarterly and annually. They must also certify that they have knowledge of the design of all internal controls, have evaluated their effectiveness, and that these controls ensure complete and accurate information is reported to them. Significant changes to disclosure controls, and any deficiencies, weaknesses, or fraudulent acts that may compromise the accuracy of reporting, must be disclosed.


January 7, 2009

Top Six US Regulatory Compliances Affecting Information Security and Controls

Filed under: article, control — admin @ 3:44 am

The top six US regulations that impact information security and controls; yes, the list excludes Sarbanes-Oxley Section 404.

1. U.S. Health Insurance Portability and Accountability Act (HIPAA)—U.S. standards on management of health-care data

2. Basel Accord Standard II—European banking requirements

3. U.S. Federal Information Security Management Act (FISMA)—Security standards for U.S. government systems

4. Committee of Sponsoring Organizations of the Treadway Commission (COSO)—A private industry initiative to identify factors that lead to fraudulent financial reporting, intended to be used as a voluntary internal framework of controls

5. U.S. Supervisory Control and Data Acquisition (SCADA)—Enhanced security for automated control systems

6. U.S. Fair and Accurate Credit Transactions Act of 2003 (FACTA)—Legislation to reduce fraud and identity theft


January 5, 2009

Top 10 Tips for Better Application Control Security

Filed under: article, checklist — admin @ 11:33 pm

Below are the top 10 tips on how to build effective application controls, whether for an information systems audit, a Sarbanes-Oxley audit, or simply to improve your internal application security controls:

1. Apply defense-in-depth.
2. Use a positive security model.
3. Fail safely.
4. Run with least privilege.
5. Avoid security by obscurity.
6. Keep security simple.


November 28, 2008

Seven Cost Reduction Strategies for Testing Internal Controls

Filed under: article — admin @ 6:09 am

1. Perform the assessment against the current and future internal controls strategy
Reperforming the assessment against both the current and the future internal controls strategy is the first step in any cost reduction strategy.

2. Limit the number of key controls
Limit the number of key controls (i.e., the controls that have to be tested) by adopting a top-down, risk-based approach that focuses on the controls that will prevent or detect material errors. Companies and external auditors have historically tested controls that are not key under this definition, namely that they are required to prevent or detect material errors. Controls whose failure is not likely to result in a material error should not be considered “key” and do not need to be within management’s scope for Section 404.

3. Use the top-down approach to identify direct entity-level controls
Use the top-down approach to identify direct entity-level controls (e.g., month-to-month payroll variance analyses performed during the period-end close process) that provide reasonable assurance that a material misstatement caused by a failure of controls within the business process (e.g., within payroll) would be detected. In this situation, it may be possible to remove the business process controls from the scope of work entirely.
