120 likes | 583 Views
IT Control Objectives for Sarbanes-Oxley. Presented by Doug Moore, Jefferson Wells International and Christine Chaney, Continental Airlines. Managing Risk .
E N D
IT Control Objectives for Sarbanes-Oxley Presented by Doug Moore, Jefferson Wells International and Christine Chaney, Continental Airlines
Managing Risk “…many of the IT professionals being held accountable for the quality and integrity of information generated by their IT systems are not well versed in the intricacies of internal control. This is not to suggest that risk is not being managed by IT, but rather that it may not be formalized or structured in a way required by an organization’s management or its auditors.”
IT Key Areas of Responsibility • Understanding the organization’s internal control program and financial reporting process • Mapping the IT systems that support internal control and the financial reporting process to the financial statements • Identifying risks related to these systems • Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness • Documenting and testing IT controls
IT Key Areas of Responsibility • Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting process • Monitoring IT controls for effective operation over time • Participation by IT in the Sarbanes-Oxley project management office
ITGI Control Objectives • IT Control Environment • Computer Operations • Access to Programs and Data • Program Development and Program Change
IT Control Environment The PCAOB has indicated that an ineffective control environment should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists
What is the IT Control Environment? • IT Governance Process • IS Strategic Plan • IT risk management process • Compliance and Regulatory management • IT policies, procedures and standards Monitoring and reporting are required to ensure that IT is aligned with business requirements.
Computer Operations Computer operations should include controls over: • Effective acquisition • Implementation • Configuration and maintenance • Ongoing controls over operation address the day-to-day delivery of information services, service level mgt., management of third-party services, etc.
Access to Programs and Data Overall goal of access controls are to prevent “the unauthorized use of, and changes to, the system, and entity protects it data and program integrity.”
Program Development and Program Change • What are the acquisition and implementation risks of new applications and/or systems? • What are the risks of not having a good change management program?
Multi-location Considerations • Significant business units • Potential financial materiality and significant risk considerations, quantitative and qualitative and both aspects provide focus