Comparative Analysis of IT Control Frameworks in the Context of SOX By: Malik Datardina, CA, CISA University of Waterloo

Introduction SOX avg cost: $5 million/per company Impact on the way of business Increased focus on IT: "The Sarbanes-Oxley legislation has created a greater need for businesses to have IT controls in place” Bill Levant, Partner, Deloitte

Goal Some fundamental questions –How does the SOX legislation result in the implementation of IT Controls? –What IT Controls are expected to be in place?

Agenda Basic issues to be covered: Part I – SOX Basics: What does SOX actually mandate? What does the PCAOB require? What does COSO require? Are there alternatives? Part II: The Frameworks How are COBIT, ITCG, ISO 17799, and SysTrust relevant to SOX and analysis? Part III: Discussion and Suggestions for Further Research

Agenda Public Company SOX Sec 101 – Establishment of the PCAOB Sec 302 – Responsibility for Finan Reporting Sec 404 – Mgmt Assessment of Int Ctrl Sec 409 – Real time issuer disclosures Auditing Standard No. 2: Audit of Internal Control over Financial Reporting Minimum Std  Gen Controls: -Oper Ctrls -SDLC -Access mgmt IT Controls  Application Controls  Info Quality : Timely, Current, Accurate, Accessible, etc. Additional Guidance

What does SOX actually mandate? SOX Sec 101 – Establishment of the PCAOB Sec 302 – Responsibility for Finan Reporting Sec 404 – Mgmt Assessment of Int Ctrl Sec 409 – Real time issuer disclosures Sec 101: Establishes the PCAOB Sec 302: CEO & CFO Responsibility of the FS –Designed effectively –Operating effectively within the last 90 days –Disclosure material weaknesses –Disclosure of frauds; material and otherwise Sec 404 – Mgmt’s Assessment of Controls –Management is responsible –Management assess operating effectiveness –Auditors must also provide an independent assessment of operating effectiveness Sec 409 – Real time disclosure of material changes

What does the PCAOB require? SOX Sec 101 – Establishment of the PCAOB Sec 302 – Responsibility for Finan Reporting Sec 404 – Mgmt Assessment of Int Ctrl Sec 409 – Real time issuer disclosures  Gen Controls: -Oper Ctrls -SDLC -Access mgmt IT Controls  Application Controls Auditing Standard No. 2: Audit of Internal Control over Financial Reporting Minimum Std Guidance Program Development/Program Chgs Computer Operations Access to programs and data Processing Integrity Controls PCAOB

OBJECTIVES: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with the applicable laws and regulations KEY COMPONENTS: Control Environment (e.g. Tone at the Top) Risk Assessment Control activities Information and Communication (e.g. information management). Monitoring

OBJECTIVES: Effectiveness and efficiency of operations Reliability of internal and external financial reporting requirements Compliance with applicable laws, regulations, and internal policies. KEY COMPONENTS: Purpose Commitment Capability Monitoring & Learning

OBJECTIVES: Facilitate its effective and efficient operation Ensure the quality of internal and external reporting ensure compliance with applicable laws, regulations, and internal policies. KEY COMPONENTS: Maintaining a sound system of internal control Reviewing the effectiveness of internal control The board’s statement on internal control Internal audit

Differences “…tighter, easier to grasp model of internal control than the somewhat complex COSO framework.” Robert Moeller on CoCo, former Audit Director of Sears CoCo: 20 Auditable Control Objectives Similarities Similar objectives between all three standards Other Considerations Consider cost-benefit in terms of familiarity with auditors, regulators, etc.

What does the COSO require? SOX Sec 101 – Establishment of the PCAOB Sec 302 – Responsibility for Finan Reporting Sec 404 – Mgmt Assessment of Int Ctrl Sec 409 – Real time issuer disclosures Minimum Std Additional Guidance  Gen Controls: -Oper Ctrls -SDLC -Access mgmt IT Controls  Application Controls  Info Quality : Timely, Current, Accurate, Accessible, etc. Auditing Standard No. 2: Audit of Internal Control over Financial Reporting Data Centr Oper Ctrls System Sftware Ctrls Applictn Systm Dvlpmnt and Maintenance Ctrls Access Security Ctrls COSO

What does the COSO require? CategoryPCAOBCOSO Systems Development Program development  Program changes   System Software Controls  Application System Development and Maintenance Controls OperationsComputer operations  Data Center Operation Controls SecurityAccess to programs and data  Access security controls

What does the COSO require? INFORMATION QUALITY Information is timely, Information is current, Information is accurate, and Information is accessible. OTHER COMPONENTS Control environment (e.g. budget and IT) Risk assessment Monitoring

Public Company SOX Sec 101 – Establishment of the PCAOB Sec 302 – Responsibility for Finan Reporting Sec 404 – Mgmt Assessment of Int Ctrl Sec 409 – Real time issuer disclosures Auditing Standard No. 2: Audit of Internal Control over Financial Reporting Minimum Std  Gen Controls: -Oper Ctrls -SDLC -Access mgmt IT Controls  Application Controls  Info Quality : Timely, Current, Accurate, Accessible, etc. Additional Guidance PART II: The IT Control Framework

COBIT PO2.1 Information Architecture Model CONTROL OBJECTIVE Information should be kept consistent with needs and should be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities effectively and on a timely basis. Accordingly, the IT function should create and regularly update an information architecture model, encompassing the corporate data model and the associated information systems. The information architecture model should be kept consistent with the IT long-range plan. PO or “Planning & Organization” represents 1 of the 4 “domains” PO2 represents the High-Level Control “PO2.1 Information Architecture Model” represents the “detailed control objective”. The text that follows explains what is required of this objective. 4domains 34 Hi-Level Objctvs 318 Detailed Objctvs

ISO Security Control Clause (11) Main Security Category (39) Control (135): Each ‘control’ includes the following information: Description of Control Implementation guidance Other information 11 Sec Ctrl Clause 39 Security Categories 135 Controls

ITCG 7 Control Issues 31 Ctrl Objctives 162 Min Ctrl Stds 744 Control Techniques

SysTrust Control LayersSecurityAvailabilityProcessing Integrity On-Line Privacy Confidentiality Policy Communication Procedures Monitoring Totals

Fit with PCAOB/COSO COBITISO 17799ITCGSysTrust General Controls XXXX Application controls XXX Specific category X

Analysis: Suitable Criteria Frameworks  COBITISO 17799ITCGSysTrust Characteristics of Suitable Criteria ↓ RelevanceHighMediumHigh Understan dability MediumHigh Complete ness HighMediumHigh Concisene ss MediumHigh

Discussion and Suggestions for Further Research Ultimate goal: Aid management in stewardship SysTrust: Processing Integrity Principle Overlap between SysTrust, COBIT, ITCG Other frameworks: ITIL, ISO , CMM, etc Outsourcing: SAS70, Sec5970 Other SOX sections: Sec. 409, sec. 802.