SarbanesOxleyFocus.com

What is SAS-70 Report

admin — Sat, 18 Sep 2010 09:52:46 +0000

A SAS-70 (Statement Auditing Standards 70) is an audit that must be conducted by a public accounting firm, and the team that performs the audit must be made up of and supervised by CPAs. That being said, many firms require SAS-70s to be performed because they process financial transactions on behalf of other institutions.

The SAS-70 is a specialized report format that was developed by the American Institute of Certified Public Accountants (AICPA). The format was specifically targeted at determining the adequacy of an organization’s internal controls as part of its service offering. The report covers the following areas:
- Physical security
- Personnel management
- Logical access controls
- Environmental controls
- Change management process
- Policy and procedure
- Continuity planning and disaster recovery
- Problem reporting and management process
- Event monitoring

Organizations that need to have SAS-70s performed will generally have them done once a year. The final report will need to be made available to some customers and regulators.

ITIL/ITSM Benefits for Sarbanes Oxley (SOX) 404

admin — Sun, 13 Jun 2010 22:23:35 +0000

Some of direct or indirect benefits of ITIL/ITSM for Sarbanes Oxley (SOX) 404:

1. Sarbanes Oxley Act or SEC give no clear guidance for IT, so most of the CIO will enable the IT Infrastructure Library (ITIL), to ensure that their processes for supporting financial data are sound.

2. Sarbanes Oxley Act is about assessing risk. While risk assessment is an element of ITIL, it isn’t the framework’s primary focus.

3. The Sarbanes-Oxley Act requires only that companies establish controls over the systems relating directly to financial reporting. ITIL, Cobit and other frameworks for IT help companies put in place general controls for IT a good thing to have, but much broader than the narrow scope required by law.

4. The best practices in ITIL support some of the processes now required by Sarbanes Oxley Act

ITIL Maturity Assessment Report Templates

admin — Sun, 13 Jun 2010 22:17:54 +0000

Download Free ITIL (Information Technology and Infrastructure Library) Maturity Assessment Report Templates. This Template could be used as part of your SOX/Sarbanes Oxley Assessment for IT Readiness

This ITIL Assessment Report focusing on ITIL area such as: Service Desk, Incident Management, Problem Management, Change Management, and Service Level Management. The result of this report which contain observation and finding result explained below, such as:

Service Support Functions and Processes

Service Desk. Score 1.5
Recommendations for improvement:
- Document Service Desk support procedures
- Make the Service Desk the single point of contact for internal IT staff.
- Implement 24×7 phone coverage.
- Improve communication channels using newsletters, e-mails, web content, automated notifications and escalations.
- Upgrade Remedy to version 6.0
- Ensure Service Desk is part of the Change Management process so that the Service Desk is aware of changes that affect customers.
- Provide access to monitoring tools to provide a visual update on servers, switches and routers to alert the Service Desk of degraded or failed services.

Incident Management. Score .5
Recommendations:
- Develop processes, training and tools to support logging of all incidents (specifically password resets, after-hours calls, direct calls to support teams).
- Rework Category, Type, Item (CTI) lists and resolve codes to improve incident classification and reporting
- Enable automatic escalation within Remedy
- Formalize process to move tickets from resolved to closed status (7 day closure).
- Implement audit process.

Problem Management. Score 1
Recommendations:
- Define, document, and implement Problem Management process
- Develop and implement Problem Management processes beginning with urgent problems.
Download: ITIL Maturity Assessment Report Templates

Taxation Testing Control Matrix and SOD Templates

admin — Tue, 02 Mar 2010 21:31:58 +0000

Download free Taxation Testing Control Matrix and SOD Templates.

This templates covers Major process in Taxation cycle which are:
- Verification of Income Tax
- Verification of Accuracy of Tax Calculation
- Review and Ensure the the Tax Calculation is follow the standards

Segregation of Duties between:
- Authorization
- Custody of Assets
- Recording
- Control Activity

This template also can be used as supporting documents for Sarbanes Oxley (SOX) Compliances
Download Microsoft Excel 2007 xlsx
Download Microsoft Excel 2003 xls

Legal Checklist for IT Service Provider

admin — Tue, 22 Dec 2009 09:54:40 +0000

Download Free Legal Checklist for IT Service Provider. This checklist could be used for Law, Legal and Compliance requirements related with the IT Service Provider

1. Incorporation/Partnership Documents
2. Financial Documents
3. Financing Documents
4. Process for Handling Customer Contracts
5. Process for Handling Vendor/Supplies Contracts
6. Legal Terms and Condition
- Standard Forms
- Service Levels
- Third-Party Performance/Warranties

7. Systems Security
- Disclaimers
- Passwords
- Electronic Signatures
- Encryption

8. Data Security
9. Insurance
10. Employee Issues
- Nondisclosure
- Employment Contracts

11. Public Communications
12. Alliances/Joint Ventures
13. Nondisclosures
14. Contractor Agreements
15. Business Continuity

Download

Download Free IT Risk Mitigation Templates

admin — Tue, 07 Apr 2009 21:21:34 +0000

Download Free IT Risk Mitigation Templates for Sarbanes Oxley compliances purpose or others related Regulatory Compliance that require an IT Risk Mitigation, this template is created using NIST-SP 800:30 standard for Risk Management Guide for Information Technology Systems. Including Prioritize Actions, Evaluate Recommended Control Options, Conduct Cost-Benefit Analysis, Select Control, Assign Responsibility, Develop a Safeguard Implementation Plan, Implement Selected Control(s) IT Risk Mitigation performed after getting understanding about IT Risk Assessment.
Download

IT Risk Assessment Template Free Download

admin — Wed, 01 Apr 2009 21:43:02 +0000

Download free IT Risk Assessment Template, this template give you simple guidance how to measure impact and likelihood for your IT Risk Management. Risk assessment is a step in a risk management process. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat
download

Segregation of Duties Matrix Template free download

admin — Thu, 19 Mar 2009 13:54:31 +0000

Segregation of Duties should be enacted properly especially in the area that having a high risk level. Below sample of the SOD Matrix template that can be used to make your own segregation of duties matrix. Some of the key profile that covered in this templates are: Accounts Payable, Check Generation, Accounts Receivable, Cash Receipts, ABAP development and Transport control

Download

Top 13 Electronic Data Interface (EDI) Security Risk

admin — Sat, 28 Feb 2009 09:58:09 +0000

1. Loss of business continuity/going-concern problem. Inadvertent or deliberate corruption of EDI-related applications could a. ect every EDI transaction entered into by an organization, impacting customer satisfaction, supplier relations, and possibly business continuity eventually.

2. Loss of confidentiality of sensitive information. Sensitive information may be accidentally or deliberately divulged on the network or in the mailbox storage system to unauthorized parties including competitors.

3. Increased exposure to fraud. Access to computer systems may provide an increased opportunity to change the computer records of both a single organization and that of its trading partners by sta. of the trading parties or by third-party network

4. Manipulation of payment. A situation where amounts charged by or paid to suppliers are not reviewed before transmission. A erefore, there is a risk that payments could be made for goods not received, payment amounts could be excessive, or duplicate payment could occur.

5. Loss of transactions. Transactions could be lost as a result of processing disruptions at thirdparty network sites or en route to the recipient organization, which could cause losses to the organization and inaccurate financial reporting.

6. Errors in information and communication systems. Errors in the processing and communications systems, such as incorrect message repair, can result in the transmission of incorrect trading information or inaccurate reporting to management.

7. Loss of audit trail. EDI eliminates the need for hard copy.

8. Concentration of control. A ere will be increased reliance on computer controls where they replace manual controls, and they may not be suficiently timely.

9. Application failure. Application or EDI component failures could have a significant negative impact on partner organizations within the respective business cycles

10. Potential legal liability. A situation where liability is not clearly de. ned in trading partner agreements, legal liability may arise due to errors outside the control of an organization or by its own employees. A ere is still considerable uncertainty about the legal status of EDI documents or the inability to enforce contracts in unforeseen circumstances.

11. Overcharging by third-party service providers. Third-party suppliers may accidentally or deliberately overcharge an organization that is using their services.

12. Manipulation of organization. An information available to the proprietors of third-party networks may enable them or competitors to take unfair advantage of an organization.

13. Not achieving anticipated cost savings. Happens where the anticipated cost savings from the investment in EDI are not realized for some reason by an organization.

source: IT Control & Audit, Sandra Senft

Top 12 Application Control Risk and What Could Go Wrong (WCGW)

admin — Sun, 22 Feb 2009 07:42:06 +0000

1. Weak security
2. Unauthorized access to data
3. Unauthorized remote access
4. Inaccurate information
5. Erroneous or falsified data input
6. Misuse by authorized end users
7. Incomplete processing
8. Duplicate transactions
9. Untimely processing
10. Communications system failure
11. Inadequate training
12. Inadequate support