Comparative Analysis of IT Control Frameworks in the Context of SOX By: Malik Datardina, CA, CISA University of Waterloo.


1 Comparative Analysis of IT Control Frameworks in the Context of SOX By: Malik Datardina, CA, CISA University of Waterloo

2 Introduction
– SOX average cost: $5 million per company
– Impact on the way business is done
– Increased focus on IT: "The Sarbanes-Oxley legislation has created a greater need for businesses to have IT controls in place" – Bill Levant, Partner, Deloitte

3 Goal
Some fundamental questions:
– How does the SOX legislation result in the implementation of IT controls?
– What IT controls are expected to be in place?

4 Agenda
Basic issues to be covered:
– Part I – SOX Basics: What does SOX actually mandate? What does the PCAOB require? What does COSO require? Are there alternatives?
– Part II – The Frameworks: How are COBIT, ITCG, ISO 17799, and SysTrust relevant to SOX? Analysis of the four frameworks.
– Part III – Discussion and Suggestions for Further Research

5 Agenda (overview diagram)
Public Company → SOX:
– Sec 101 – Establishment of the PCAOB
– Sec 302 – Responsibility for Financial Reporting
– Sec 404 – Management Assessment of Internal Control
– Sec 409 – Real-time issuer disclosures
Minimum standard → Auditing Standard No. 2: Audit of Internal Control over Financial Reporting
IT Controls:
– General controls: operational controls, SDLC, access management
– Application controls
– Information quality: timely, current, accurate, accessible, etc.
Additional guidance

6 What does SOX actually mandate?
– Sec 101: Establishes the PCAOB
– Sec 302: CEO and CFO responsibility for the financial statements
  – Controls designed effectively
  – Controls operating effectively within the last 90 days
  – Disclosure of material weaknesses
  – Disclosure of frauds, material and otherwise
– Sec 404: Management's assessment of controls
  – Management is responsible
  – Management assesses operating effectiveness
  – Auditors must also provide an independent assessment of operating effectiveness
– Sec 409: Real-time disclosure of material changes

7 What does the PCAOB require?
(Overview diagram from slide 5: SOX → Auditing Standard No. 2, the minimum standard → IT controls: general controls and application controls.)
PCAOB guidance – IT control categories:
– Program development / program changes
– Computer operations
– Access to programs and data
– Processing integrity controls

8 COSO
OBJECTIVES:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with the applicable laws and regulations
KEY COMPONENTS:
– Control environment (e.g. tone at the top)
– Risk assessment
– Control activities
– Information and communication (e.g. information management)
– Monitoring

9 CoCo
OBJECTIVES:
– Effectiveness and efficiency of operations
– Reliability of internal and external financial reporting
– Compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
– Purpose
– Commitment
– Capability
– Monitoring and learning

10
OBJECTIVES:
– Facilitate effective and efficient operation
– Ensure the quality of internal and external reporting
– Ensure compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
– Maintaining a sound system of internal control
– Reviewing the effectiveness of internal control
– The board's statement on internal control
– Internal audit

11 Differences
– "…tighter, easier to grasp model of internal control than the somewhat complex COSO framework." – Robert Moeller, former Audit Director of Sears, on CoCo
– CoCo: 20 auditable control objectives
Similarities
– Similar objectives between all three standards
Other Considerations
– Consider cost-benefit in terms of familiarity with auditors, regulators, etc.

12 What does COSO require?
(Overview diagram from slide 5: SOX → Auditing Standard No. 2 as the minimum standard; COSO supplies the additional guidance on IT controls and information quality.)
COSO – IT control categories:
– Data center operation controls
– System software controls
– Application system development and maintenance controls
– Access security controls

13 What does COSO require?
Category             PCAOB                          COSO
Systems Development  Program development;           System software controls;
                     program changes                application system development and maintenance controls
Operations           Computer operations            Data center operation controls
Security             Access to programs and data    Access security controls

14 What does COSO require?
INFORMATION QUALITY
– Information is timely
– Information is current
– Information is accurate
– Information is accessible
OTHER COMPONENTS
– Control environment (e.g. budget and IT)
– Risk assessment
– Monitoring

15 PART II: The IT Control Frameworks
(Overview diagram from slide 5 repeated as the section divider: SOX sections 101/302/404/409 → Auditing Standard No. 2 → IT controls.)

16 COBIT
PO2.1 Information Architecture Model – CONTROL OBJECTIVE: "Information should be kept consistent with needs and should be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities effectively and on a timely basis. Accordingly, the IT function should create and regularly update an information architecture model, encompassing the corporate data model and the associated information systems. The information architecture model should be kept consistent with the IT long-range plan."
– PO, or "Planning & Organization", is one of the 4 domains.
– PO2 is the high-level control objective.
– "PO2.1 Information Architecture Model" is the detailed control objective; the text that follows it explains what is required to meet the objective.
Structure: 4 domains, 34 high-level objectives, 318 detailed objectives.

17 ISO 17799
Structure: 11 security control clauses, 39 main security categories, 135 controls.
Each control includes the following information:
– Description of the control
– Implementation guidance
– Other information

18 ITCG
Structure: 7 control issues, 31 control objectives, 162 minimum control standards, 744 control techniques.

19 SysTrust
Control layers by principle:
Control Layer    Security  Availability  Processing Integrity  On-Line Privacy  Confidentiality
Policy               3          3               3                    3               3
Communication        5          5               5                   10               5
Procedures          12         15              19                   18              15
Monitoring           3          3               3                    3               3
Totals              23         26              30                   24              26

20 Fit with PCAOB/COSO
Frameworks (columns): COBIT, ISO 17799, ITCG, SysTrust
– General controls: X X X X (all four frameworks)
– Application controls: X X X (three of the four)
– Specific category: X (one of the four)

21 Analysis: Suitable Criteria
Frameworks (columns): COBIT, ISO 17799, ITCG, SysTrust
Characteristics of suitable criteria (rows, ratings as given on the slide):
– Relevance: High, Medium, High
– Understandability: Medium, High
– Completeness: High, Medium, High
– Conciseness: Medium, High

22 Discussion and Suggestions for Further Research
– Ultimate goal: aid management in stewardship
– SysTrust: Processing Integrity principle
– Overlap between SysTrust, COBIT, and ITCG
– Other frameworks: ITIL, ISO 9000-3, CMM, etc.
– Outsourcing: SAS 70, Sec. 5970
– Other SOX sections: Sec. 409, Sec. 802

