SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.


SOX and the Audit Process
Management must comply with Section 404 of the Sarbanes-Oxley Act. Section 404, Management Assessment of Internal Controls, requires an internal control report that shall:
– …state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
– …contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

SOX and the Audit Process
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

External Auditors Attestation
Attestation by External Auditors:
“Furthermore, in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control – Integrated Framework issued by the COSO.”

External Auditors Attestation
Attestation made after:
– Understanding of internal controls over financial reporting,
– Evaluating management’s assessment,
– Testing and evaluating the design and operating effectiveness of internal controls.

Attestation
Example of: CPA Attestation

Section 302:
…Requires a company’s management, with the participation of the principal executive and financial officers (the certifying officers), to make the following quarterly and annual certifications with respect to the company’s internal control over financial reporting:
1. A statement that the certifying officers are responsible for establishing and maintaining internal control over financial reporting.
2. A statement that the certifying officers have designed such internal control over financial reporting, …
3. A statement that the report discloses any changes in the company’s internal control over financial reporting that occurred during the most recent fiscal quarter …

Certifications
Example of: CEO Certification and CFO Certification

Section 404:
Management’s report on internal control over financial reporting is required to include the following:
1. A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control over financial reporting.
3. An assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year, including an explicit statement as to whether that internal control over financial reporting is effective.
4. A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.

Report on Assessment
Example of: Management Assessment Report

Key control
A control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis. In other words, a key control is one that provides reasonable assurance that material errors will be prevented or timely detected.

Testing of Key Internal Controls
“The auditor should select for testing only those controls that are important to the auditor’s conclusion about whether the company’s controls sufficiently address the assessed risk of misstatement to a given relevant assertion that could result in a material misstatement to the company’s financial statements”.

Testing of Key Internal Controls
The auditor’s testing of the operating effectiveness of such controls should occur at the time the controls are operating. Controls “as of” a specific date encompass controls that are relevant to the company’s internal control over financial reporting “as of” that specific date, even though such controls might not operate until after that specific date.

IT Control Objectives for SOX
AI2 - Acquire and Maintain Application Software
– High-level Design
– Detailed Design
– Application Control and Auditability
AI3 - Acquire and Maintain Technology Infrastructure
– Technological Infrastructure Acquisition Plan
– Infrastructure Resource Protection and Availability
– Infrastructure Maintenance
AI4 - Enable Operation and Use
– Planning for Operational Solutions
– Knowledge Transfer to Business Management
– Knowledge Transfer to End Users

IT Control Objectives for SOX
AI7 - Install and Accredit Solutions and Changes
– Training
– Test Planning
– Implementation Planning
AI6 - Manage Changes
– Change Standards and Procedures
– Impact Assessment, Prioritization and Authorization
– Emergency Changes

IT Control Objectives for SOX
DS1 - Define and Manage Service Levels
– Service Level Management Framework
– Definition of Service
– Service Level Agreements
DS2 - Manage Third-party Services
– Identification of All Supplier Relationships
– Supplier Relationship Management
– Supplier Risk Management
DS5 - Ensure Systems Security
– Management of IT Security
– IT Security Plan
– Identity Management

IT Control Objectives for SOX
DS9 - Manage the Configuration
– Configuration Repository and Baseline
– Identification and Maintenance of Configuration Items
– Configuration Integrity Review
DS8 - Manage Service Desk and Incidents
– Service Desk
– Registration of Customer Queries
– Incident Escalation

IT Control Objectives for SOX
DS10 - Manage Problems
– Identification and Classification of Problems
– Problem Tracking and Resolution
– Problem Closure
DS11 - Manage Data
– Business Requirement of Data Management
– Storage and Retention Agreements
– Media Library Management System

IT Control Objectives for SOX
DS12 - Manage Physical Environment
– Site Selection and Layout
– Physical Security Measures
– Physical Access
DS13 - Manage Operations
– Operation Procedures and Instructions
– Job Scheduling
– IT Infrastructure Monitoring

SOX and Audit Programs
Thank You!
John R. Robles, Thursday, May 31, Tel: