1. Sarbanes-Oxley (SOX) compliance
The Role of IT in the design and implementation of Internal
Control over Financial Reporting
Mahesh Patwardhan
maheshpatwardhan@rediffmail.com
2. SOX
• The Sarbanes–Oxley Act of 2002, commonly called SOX, is a United States
federal law enacted on July 30, 2002. It is named after its sponsors, U.S.
Senator Paul Sarbanes and U.S. Representative Michael G. Oxley.
• The bill was enacted as a reaction to a number of major corporate and
accounting scandals including those affecting Enron, Tyco International,
Adelphia, Peregrine Systems and WorldCom.
• These scandals, which cost investors billions of dollars when the share
prices of affected companies collapsed, shook public confidence in the
nation's securities markets. The act was passed to safeguard the investors
and restore confidence in the securities markets.
• The gist of the act is that a company's top management has to certify, by
way of internal and external audits, that there is sufficient internal control
over all systems impacting financial reporting.
3. Definitions
• COSO
  • Committee of Sponsoring Organizations of the Treadway Commission
  • Model for evaluating internal controls
  • Generally accepted framework for internal control
  • Definitive standard against which organizations measure the effectiveness of internal controls
• Internal Control:
  • A process, effected by an entity's board of directors, management and
  other personnel, designed to provide reasonable assurance of the
  achievement of objectives in the following categories:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with applicable laws and regulations
• Five Components of an Internal Control System:
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
4. IT Compliance Roadmap
• Plan and Scope IT Controls
• Assess IT Risk
• Document Controls
• Evaluate Control Design and Operating Effectiveness
• Prioritize and Remediate Deficiencies
5. Internal Control Framework
Control Environment
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors and Audit Committee
• Management's Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Procedures
Risk Assessment
• Company-wide Objectives
• Process-level Objectives
• Risk Identification and Analysis
• Managing Change
Control Activities
• Policies and Procedures
• Security (Applications and Network)
• Application Change Management
• Business Continuity / Backups
• Outsourcing
Information and Communication
• Quality of Information
• Effectiveness of Communication
• Reporting Deficiencies
Monitoring
• Ongoing Monitoring
• Separate Evaluations
6. Control Activities
Policies and Procedures
• IT Security Policy
• IT Access Control Policy
• IT Appropriate Usage Policy
• Email/Internet Policy
• End-user Computing
Security (Applications and Network)
• Application Authorization Matrix
• End User Computing Traceability Matrix
• IT Landscape Diagram
• ISO
Application Change Management
• Project Management
Business Continuity
• IT Infrastructure Management
• Disaster Recovery
• Backup and Recovery Procedures
• Job Scheduling
7. IT Control Objectives for SOX
• Acquire and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Enable Operations
• Install and Accredit Solutions and Changes
• Manage Changes
• Define and Manage Service Levels
• Manage Third Party Services
• Manage Operations
• Ensure Systems Security
• Manage the Configuration
• Manage Problems and Incidents
• Manage Data
8. Types of Controls
Entity Level Controls
• Strategies and Plans
• Policies and Procedures
• Risk Assessment Activities
• Training and Education
• Quality Assurance
• Internal Audit
Application Controls
• Completeness
• Accuracy
• Existence/Authorization
• Presentation/Disclosure
IT General Controls
• Program Development
• Program Changes
• Access to Programs and Data
• Computer Operations
9. Control Documentation
• Entity Policy Manuals
• IT Policies and Procedures
• Narratives
• Procedural Write-ups
• Flowcharts
• Decision Tables
• Completed Questionnaires
10. Control Documentation
Entity Level
• Assessment of entity level controls, including evidence to support the
responses and opinions of management.
Activity Level (process, risk and control objective)
• Description of the processes and related sub-processes (may be in
narrative form; more effective to illustrate as a flowchart).
• Description of the risk associated with the process or subprocess,
including an analysis of its impact and probability of occurrence.
• Statement of the control objective designed to reduce the risk of the
process or subprocess to an acceptable level, and a description of its
alignment to the COSO framework.
Activity Level (control activities, testing and conclusions)
• Description of the control activity(ies) designed and performed to satisfy
the control objective related to the process or subprocess. This should
include the type of controls (preventive or detective) and the frequency
with which they are performed.
• Description of the approach followed to confirm (test) the existence and
operational effectiveness of the control activities.
• Conclusions reached about the effectiveness of controls, as a result of
testing.