IT & Sarbanes

Adam Bearhalter
Kristy Kelly
Julie Bland
Alex Tiset
Introduction
• Corporate & Accounting Scandals
• Public confidence
• Signed into law on July 30, 2002
• Reach
Titles
• TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
• TITLE II—AUDITOR INDEPENDENCE
• TITLE III—CORPORATE RESPONSIBILITY
• TITLE IV—ENHANCED FINANCIAL DISCLOSURES
• TITLE V—ANALYST CONFLICTS OF INTEREST
• TITLE VI—COMMISSION RESOURCES AND AUTHORITY
• TITLE VII—STUDIES AND REPORTS
• TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
• TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
• TITLE X—CORPORATE TAX RETURNS
• TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY
Key Provisions
1. SOX Section 302: Internal control certifications
2. SOX Section 404: Assessment of internal control
3. SOX Section 802: Criminal penalties for violation of SOX
4. SOX Section 1107: Criminal penalties for retaliation against whistleblowers
SOX Section 404
• Management must report on the effectiveness of the company's internal controls over financial reporting. The report includes:
  • A statement of management's responsibility over internal controls
  • Management's assessment of the effectiveness of the company's internal control
  • Identification of the framework used to evaluate the controls
  • A statement that the company's auditor has reported on its internal controls as well
Source: www.sec.gov
SOX Section 404
• In today's business environment, IT systems initiate, process, and report most financial transactions.
• Because they are so involved in day-to-day financial transactions, IT systems become key to financial reporting.
• This makes the controls over those IT systems key to financial reporting as well.
Source: IT Governance Institute, 2006
SOX Section 404
• Management is required to implement an internal control framework.
• COSO is the most widely used framework for SOX compliance.
  • It pays little attention to IT controls.
• COBIT is one of the better-known frameworks that relate to IT controls.
Source: IT Governance Institute, 2006
Key Controls
• Controls that are key to ensuring that the values on the balance sheet are accurate and reliable. Examples:
  • A database trigger that creates the entry in the general ledger
  • A system that ensures emails are sent
• The IT auditor ensures that these controls are effective, reliable, and reproducible.
General Controls
• Controls that apply across all IT systems and are essential to ensuring the integrity, reliability, and quality of those systems:
  • Security policies
  • Change management
  • Administration of duties/rights
Administration of Duties/Rights
• Separation of duties
  • Individual permissions and roles
• Least privilege
  • An individual is given only the privileges needed to do their job
• User provisioning
  • New users are set up with the correct privileges
  • A standard profile for each user
What if these 3 principles are not in place?
• The IT system has failed to meet SOX compliance.
• The auditor must:
  • Note the exception
  • Flag it to management for remediation
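As an added example (not part of the original slides), the following script shows how an IT auditor could test the three principles above against a user-access listing and produce the exceptions to flag to management. The roles, permissions, job profiles and users are constructed sample data for a hypothetical company.

```python
"""Audit a user-access listing for separation of duties, least privilege and provisioning."""

# Constructed sample data for a hypothetical company (not from any real system).
ROLES = {                        # role name -> permissions granted by that role
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"payment.approve"},
    "gl_accountant": {"journal.post"},
    "dba": {"db.admin"},
}
PROFILES = {                     # standard profile: roles each job title should hold
    "AP Clerk": {"ap_clerk"},
    "AP Manager": {"ap_approver"},
    "GL Accountant": {"gl_accountant"},
}
SOD_CONFLICTS = [                # permission pairs one individual must never hold together
    ("vendor.create", "payment.approve"),
    ("invoice.enter", "payment.approve"),
    ("journal.post", "db.admin"),
]
USERS = [                        # the access listing under audit
    {"id": "alice", "title": "AP Clerk", "roles": {"ap_clerk"}},
    {"id": "bob", "title": "AP Manager", "roles": {"ap_approver", "ap_clerk"}},
    {"id": "carol", "title": "GL Accountant", "roles": {"gl_accountant", "dba"}},
    {"id": "dave", "title": "Intern", "roles": {"ap_clerk"}},
]


def effective_permissions(user, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(roles.get(r, set()) for r in user["roles"]))


def audit_user(user, roles=ROLES, profiles=PROFILES, conflicts=SOD_CONFLICTS):
    """Return the list of audit exceptions for one user (empty list = compliant)."""
    exceptions = []
    perms = effective_permissions(user, roles)
    for a, b in conflicts:                       # separation of duties
        if a in perms and b in perms:
            exceptions.append(f"SoD: {user['id']} holds both {a} and {b}")
    baseline = profiles.get(user["title"])       # user provisioning
    if baseline is None:
        exceptions.append(f"Provisioning: {user['id']} has no standard profile for '{user['title']}'")
        return exceptions
    extra, missing = user["roles"] - baseline, baseline - user["roles"]
    if extra:                                    # least privilege
        exceptions.append(f"Least privilege: {user['id']} has roles beyond profile: {sorted(extra)}")
    if missing:
        exceptions.append(f"Provisioning: {user['id']} is missing profile roles: {sorted(missing)}")
    return exceptions


def audit_all(users=USERS):
    """Map each user id to its exceptions; a non-empty list is what the auditor notes and escalates."""
    return {u["id"]: audit_user(u) for u in users}
```

Running `audit_all()` on the sample listing leaves alice clean, reports two SoD conflicts plus an excess role for bob, one SoD conflict plus an excess role for carol, and a missing standard profile for dave.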
Strategies for Sarbanes-Oxley Compliance
• Understand SOX requirements
• Set aside sufficient resources
• Get everyone involved
• Create an independent audit committee
• Educate everyone
• Evaluate auditors
• Make required changes
• Prepare for the future
Source: www.afponline.org
Impact of SOX on IT and Management
[Diagram: the five components of the control framework]
• Risk Assessment
• Control Environment
• Control Security
• Monitoring
• Information and Communication
Source: www.answers.com
Impact of SOX
Risk Assessment
• Areas of risk
• Examination of systems
• Accuracy of documentation
Control Environment
• Effectiveness of internal controls
• Tone of the organization
• Control environment factors
Source: www.answers.com
Impact of SOX
Control Security
• IT security
Monitoring
• Processes and schedules
• Internal audits
Information and Communication
• Timely and accurate information
• Communication to management
Source: www.answers.com