SarbanesOxleyFocus.com

January 25, 2009

Six IT Controls Required for Sarbanes-Oxley Compliance

Filed under: control, methodology, policy — admin @ 3:54 am

To date, the PCAOB and external auditors reviewing compliance with Sarbanes-Oxley have been attentive primarily to security, change management, and problem management. A key focus for the audit is integrity of the technology infrastructure for processing, storage, and communication of financial data. This is especially true when financial reports are generated from a data warehouse fed by multiple accounting and business operation systems.

Ownership of IT controls is often unclear, especially for application controls, so the audit in each area must cover both the automated and the manual controls at the business-process level.


January 18, 2009

Impact of Third-Party Services on Sarbanes-Oxley Compliance

Filed under: implementation, methodology, policy — admin @ 9:57 pm

Controls surrounding third-party services should ensure that roles and responsibilities of third parties are clearly defined, adhered to, and continue to satisfy requirements. Control measures are aimed at reviewing and monitoring existing contracts and procedures for their effectiveness and compliance with organization policy. The dissolution of a major contract could have significant impact on financial reporting. Thus it would fall within the guidelines for disclosure by the company officers.

During an audit, companies often contend that they are not responsible for a given control because either the function is outsourced or the software was purchased from and is maintained by a third party. Under the legislative guidelines, a company can outsource a service but not the responsibility for controlling that service. It is next to impossible for a company to outsource problems and expect the problems to go away.

Documentation of the third-party controls is required for attestation by the independent auditor, so an assessment must determine the effectiveness and completeness of the service organization's internal controls. If SAS 70 or similar audit opinions do not include controls testing, the results of that testing, and the third-party service auditor's opinion on control effectiveness, the reports are not sufficient for Sarbanes-Oxley compliance. In SAS 70 terms, a Type I report only describes controls at a point in time; a Type II report, which also covers tests of operating effectiveness over a period, is the one that meets this bar. Companies should also confirm that the specific environment, platforms, and applications used to fulfill the outsourced services are covered by the SAS 70 (or similar audit) reports.


June 3, 2008

The Board’s Responsibility Regarding the Financial Statements

Filed under: article, methodology — admin @ 3:47 am

Although members of the management team typically prepare the financial statements, it is the board's responsibility to review and evaluate the statements. Most boards delegate this oversight responsibility to a committee within the board. In public organizations, this responsibility has increasingly fallen to the audit committee, whose major task is to monitor the preparation and auditing of financial statements. In nonprofit organizations, these responsibilities typically fall to the finance committee, which has a broader charge. Since preserving the integrity of the financial statements is such an important responsibility, a nonprofit organization should consider forming a separate audit committee that can focus on the organization's financial reporting practices, work directly with the external auditor, and develop policies to enhance the organization's internal accounting system.


April 11, 2008

How to choose the right SOX framework and methodology?

Filed under: FAQ, article, framework, methodology — admin @ 5:27 am

Since many frameworks and methodologies are available, a company should choose the one that fits it. Whatever framework is chosen, it must:

1. Be directed at the right target (more value from IT)
Since the target is SOX compliance, using COBIT for SOX is often more useful than using, for example, ISO 27001. Management should measure effectiveness with an approach that is based on that target.

2. Help set the appropriate priorities
The priority for SOX compliance is significant transactions, so the chosen framework should be able to give more attention to significant transactions and activities. Setting priorities can also be confusing because different departments have competing interests.

3. Be easy to use without requiring people to manipulate the system
The framework must be easy for people from different departments to understand, and it should also accommodate what those people expect from IT.

