
INFORMATION TECHNOLOGY CONTROLS AND THE SARBANES-OXLEY ACT (SOx)


The discussion of ITGC would be incomplete without a mention of the
Sarbanes-Oxley Act. SOx requires the chief executive and chief financial officers
of public companies to attest to the accuracy of financial reports (Section 302)
and requires public companies to establish adequate internal controls over
financial reporting (Section 404). Passage of SOx resulted in an increased focus
on IT controls, as these support financial processing and therefore fall into the
scope of management’s assessment of internal control under Section 404 of
SOx.
The COBIT framework may be used to assist with SOx compliance, although
COBIT is considerably wider in scope. The 2007 SOx guidance from the PCAOB
and the SEC states that IT controls should only be part of the SOx 404 assessment
to the extent that they address specific financial reporting risks, which
significantly reduces the scope of IT controls required in the assessment.
This scoping decision is part of the entity’s SOx 404 top-down risk assessment.
In addition, Statements on Auditing Standards No. 109 (SAS109) discusses
the IT risks and control objectives pertinent to a financial audit and is referenced
by the SOx guidance.
IT controls that typically fall under the scope of a SOx 404 assessment may
include:
(a) Specific application (transaction processing) control procedures that
directly mitigate identified financial reporting risks. There are typically
a few such controls within major applications in each financial process,
such as accounts payable, payroll, general ledger, etc. The focus is on
“key” controls (those that specifically address risks), not on the entire
application;
(b) IT general controls that support the assertions that programs function
as intended and that key financial reports are reliable, primarily change
control and security controls;
(c) IT operation controls which ensure that problems with processing are
identified and corrected.
Specific activities that may occur to support the assessment of the key controls
above include:
(a) Understanding the organisation’s internal control program and its
financial reporting processes;
(b) Identifying the IT systems involved in the initiation, authorisation,
processing, summarisation and reporting of financial data;
(c) Identifying the key controls that address specific financial risks;
(d) Designing and implementing controls designed to mitigate the
identified risks and monitoring them for continued effectiveness;
(e) Documenting and testing IT controls;
(f) Ensuring that IT controls are updated and changed, as necessary, to
correspond with changes in internal control or financial reporting
processes; and
(g) Monitoring IT controls for effective operation over time.
In order to comply with Sarbanes-Oxley, companies and institutions should
appreciate how the financial reporting process works and ascertain the areas
where technology plays a critical role. In considering which controls to include
in the program, organisations should recognise that IT controls can have a
direct or indirect impact on the financial reporting process. For instance, IT
application controls that ensure completeness of transactions can be directly
related to financial assertions.
Access controls, on the other hand, which exist within these applications or
within equally important supporting systems such as databases, networks and
operating systems, may not directly align to a financial assertion; their effect on
financial reporting is indirect, but they remain in scope because the application
controls depend on them. Application controls, by contrast, are generally aligned
with a business process that gives rise to financial reports.
While there are many IT systems operating within an organisation, Sarbanes-
Oxley compliance only focuses on those that are associated with a significant
account or related business process and mitigate specific material financial
risks. This focus on risk enabled management to significantly reduce the scope
of IT general control testing in 2007 relative to prior years. Readers wishing to
get more details on SOx and its related sections may consult the Public Company
Accounting Oversight Board (PCAOB) Auditing Standard No. 5, the SEC
interpretive guidance and/or the American Institute of Certified Public
Accountants (AICPA) Statement on Auditing Standards No. 109.


