SarbanesOxleyFocus.com

January 18, 2009

Basel II Capital Accord versus Sarbanes Oxley Act

Filed under: control, design, sarbanes oxley — admin @ 9:53 pm

Because of European corporate scandals comparable with those in the United States, the EU Commission is imposing similar requirements for improvement in auditing standards, oversight, and responsibilities by creating directives related to corporate governance, transparency, audit, accounting standards, and information services. A major difference is that the U.S. Sarbanes-Oxley Act carries fines and criminal sanctions, whereas the EU Commission does not recommend that level of enforcement.

Although the Sarbanes-Oxley legislation originated in the United States, there are ramifications for companies headquartered in other countries. Emerging European professional standards such as those established by the International Accounting Standards Board and the Basel II Capital Accord also will affect many multinational companies.

December 23, 2008

Assessment of internal control effectiveness senior management review checklist

Filed under: checklist, control, download, sarbanes oxley — admin @ 9:03 am


This form summarizes the nature and timing of the involvement of the company’s principal executive officer and its principal financial officer in the company’s process for assessing internal control effectiveness.

Project Planning
1. Review the composition of the project team and satisfy yourself that
   a. The team as a whole has the skills to perform the work competently.
   b. The project manager has sufficient status within the company to ensure sufficient internal control testing coverage and adequate consideration of, and actions on, the findings and recommendations of the individuals performing the testing.

source: SOX Implementation Toolkit, Michael Ramos

December 19, 2008

Sample SOX Policy Statements

Filed under: policy, sarbanes oxley, template — admin @ 3:34 am

Below are sample SOX policy statements:

The design, implementation, and operation of all information technology systems and the business processes they support shall be done in a manner that respects the maintenance of privacy of personally identifying information, personal medical information, and personal financial information for customers and employees alike.

Employee measures: Adequate controls will be implemented across all systems to ensure that only employees and designated human resources office staff are permitted access to employee personal privacy information. The HR director only may grant managers access to employee privacy information upon authorization. Systems design will not permit access by system administrators; encryption in storage and passwords will be required for employee and HR access.

December 13, 2008

Sample Access Control Policy Statements

Filed under: policy, sarbanes oxley, template — admin @ 4:00 pm

Below are sample access control policy statements that can be used for your company or IT department policy:

  • Data access will be restricted to those with a need to know, denying access to the data by all others. The business units will determine need to know for all employees.
  • All possible control measures will be applied for maintaining the reliability and accuracy of published and nonpublished information without conflicting with read-only rights.
  • Personal medical information will be managed for control of access in conformance with HIPAA regulations.
  • Directory-enabled access controls will be used for all applications capable of integration with our service directory architecture either through standard LDAP API or custom coding.
  • Finite access controls restricting access to by-name access rights will be used for all financial databases, spreadsheets, and reports.

Security Controls for Sarbanes-Oxley Section 404 IT Compliance 2006, Dennis Brewer

November 21, 2008

Governance Risk Compliances Process Model

Filed under: article, sarbanes oxley — admin @ 4:45 pm

Governance guidelines, which are the policies and rules of the game for a company that explain how the company will be run to best meet its obligations and pursue the business strategy, are set forth by senior management. The operational executives then carry out programs and put in place controls that ensure compliance, frequently with the help of consultants or auditors who are expert in applying GRC. Risk management results in the creation of mechanisms so that risks can be brought to the attention of senior managers who then take steps to reduce them.
