Information Technology Controls and Sarbanes-Oxley
ISACA Roundtable Discussion
April 15, 2004

What are IT Controls?
• IT processes embedded within the Business Processes (application level controls) – e.g., SAP security restricts access to vendor master file
• Infrastructure/General Computer Controls – e.g., Change Management, UNIX security
• How do you determine what is in SOX scope?

[Diagram]
• Financial Statements
  • Balance Sheet
  • Income Statement
  • Cash Flow Stmt
  • Footnotes
• Identify Significant Accounts
  • Individual
  • In Aggregate
• Major Classes of Transactions
• Processes
• Develop Materiality/Threshold
• Applications (e.g., SAP)
• Infrastructure (Database, Network, Operating Systems)

Minimum Documentation
• Information Security
  • Policies, Procedures, Standards
  • Risk Assessment
  • Authentication Controls
  • Authorization Controls (including Administrator/Super User level)
  • User Access Administration (Granting, Terminating and Employee Transfers, Contractors)
  • Security Logging and Monitoring Controls
  • Other Technical Configurations
  • Physical Security
• Systems Development and Change Management Controls
  • Request/Approvals
  • Prioritizations
  • Development Standards
  • SDLC
  • Testing, QA, Migration
  • Documentation Maintenance
• Computer Operations
  • Batch Jobs (Abends, Performance/Capacity Monitoring)
  • Backups
• Relevant application controls (e.g., Access Controls, Edit/Validation Checks, Interfaces, Audit Trails, etc.)