SarbanesOxleyFocus.com

April 2, 2008

Six Questions Related to SOX Section 404 Implementation

Filed under: article, implementation — admin @ 8:39 pm

Confused about implementing the IT section of SOX? Here are six questions that every SOX auditor should answer.

1. Has the organization established an IT-specific internal control framework to guide its section 404 compliance activities with respect to IT?

An IT-specific internal control framework provides vital structure to an organization’s effort to develop and maintain effective internal control in its IT environment. Failure to identify such a framework may indicate that the organization has failed to examine IT controls as systematically or as deeply as required to support section 404 compliance. One possible IT-specific control framework to build upon is the CobiT framework, described by the IT Governance Institute in its 2000 publication, “Control Objectives for Information and Related Technology.” While the full CobiT framework goes far beyond section 404 compliance requirements, companies seeking guidance regarding IT controls would be well advised to customize the applicable portions of CobiT for their own particular section 404 compliance needs.

2. Is the IT environment highly customized?
Custom-built applications and platforms are a fertile ground for internal control issues for two reasons. One, the original technology’s vendor may not be able or willing to provide technical support once its product has been significantly modified. And two, no matter how competent a company’s IT personnel or service providers, there’s always a much higher risk of errors in new, untried software than in standardized, widely used, and well-tested software.

3. Does the IT department have a high turnover rate?
Technology specialists, as a group, tend to gravitate toward best-of-breed, sophisticated, cutting-edge IT environments. A high turnover rate among IT professionals may indicate their dissatisfaction with dated, refractory technology whose unreliability could compromise internal control effectiveness.

4. Is there a large backlog of outstanding program maintenance requests?
If your IT professionals, though competent, are having trouble keeping up with program maintenance requests, chances are that the systems are overly complex and tedious to work with, casting doubt on their reliability with regard to internal control.

5. Has the company needed to extensively rework or retrofit an installed ERP system(s)?
Badly designed or incompletely activated ERP controls can create significant internal control gaps.

6. Does the company rely on disparate legacy systems to manage financial reporting?
Every time information needs to be altered for purposes of inter-system compatibility, the risk of introducing errors goes up. In addition, high variability in a company’s financial applications increases both the time required to consolidate the information at year-end and the effort of managing risks and controls for each individual application.
