To date, the PCAOB and external auditors reviewing compliance with Sarbanes-Oxley have been attentive primarily to security, change management, and problem management. A key focus for the audit is integrity of the technology infrastructure for processing, storage, and communication of financial data. This is especially true when financial reports are generated from a data warehouse fed by multiple accounting and business operation systems.
Ownership of IT controls may be unclear, especially for application controls. Therefore, the audit in each area must integrate automated and manual controls at the business-process level.
Controls surrounding third-party services should ensure that roles and responsibilities of third parties are clearly defined, adhered to, and continue to satisfy requirements. Control measures are aimed at reviewing and monitoring existing contracts and procedures for their effectiveness and compliance with organization policy. The dissolution of a major contract could have significant impact on financial reporting. Thus it would fall within the guidelines for disclosure by the company officers.
During an audit, company organizations often contend that they are not responsible for a given control because either the function is outsourced or the software was purchased from, and is maintained by, a third party. According to legislative guidelines, a company can outsource a service but not the responsibility for control of that service. It is next to impossible for a company to outsource problems and expect the problems to go away.
Documentation of the third-party controls is required for attestation by the independent auditor, so an assessment must determine the effectiveness and completeness of the service organization’s internal controls. If SAS 70 or similar audit opinions do not include controls testing, results of the testing, and the third-party service auditor’s opinion on control effectiveness, the reports are not sufficient for Sarbanes-Oxley compliance. Companies should be sure to note whether the specific environment, platforms, and applications used in fulfillment of the outsourced services are covered by the SAS 70 (or similar audit) reports.
Below are sample SOX policy statements:
The design, implementation, and operation of all information technology systems and the business processes they support shall be done in a manner that respects the maintenance of privacy of personally identifying information, personal medical information, and personal financial information for customers and employees alike.
Employee measures: Adequate controls will be implemented across all systems to ensure that only employees and designated human resources office staff are permitted access to employee personal privacy information. Only the HR director may grant managers access to employee privacy information, and only upon authorization. Systems design will not permit access by system administrators; encryption in storage and passwords will be required for employee and HR access.
Below are sample access control policy statements that can be used for your company or IT department policy:
- Data access will be restricted to those with a need to know, denying access to the data by all others. The business units will determine need to know for all employees.
- All possible control measures will be applied for maintaining the reliability and accuracy of published and nonpublished information without conflicting with read-only rights.
- Personal medical information will be managed for control of access in conformance with HIPAA regulations.
- Directory-enabled access controls will be used for all applications capable of integration with our service directory architecture either through standard LDAP API or custom coding.
- Granular access controls that restrict access to named individuals (by-name access rights) will be used for all financial databases, spreadsheets, and reports.
Source: Security Controls for Sarbanes-Oxley Section 404 IT Compliance, Dennis Brewer, 2006
Policy: This policy establishes the standards and procedures for accounting system security in compliance with management’s objectives.
Procedures: In order to gain access to the accounting system, an ABC Co. Accounting System Request Form must be completed and approved by the requester’s manager. This form is also used if it is necessary to change an existing user’s access in the event of a job change.
Download the detailed Accounting System Security Policy in Word format.