SOX - University of Waterloo

Comparative Analysis of IT
Control Frameworks in the
Context of SOX
By: Malik Datardina, CA, CISA
University of Waterloo
Introduction
• SOX compliance cost: about $5 million per company on average
• Impact on the way business is conducted
• Increased focus on IT:
"The Sarbanes-Oxley legislation has
created a greater need for businesses
to have IT controls in place”
Bill Levant, Partner, Deloitte
Goal
• Some fundamental questions
–How does the SOX legislation result
in the implementation of IT
Controls?
–What IT Controls are expected to
be in place?
Agenda
• Basic issues to be covered:
Part I – SOX Basics:
• What does SOX actually mandate?
• What does the PCAOB require?
• What does COSO require? Are there alternatives?
Part II: The Frameworks
• How are COBIT, ITCG, ISO 17799, and SysTrust relevant to
SOX and analysis?
Part III: Discussion and Suggestions for Further
Research
Agenda (overview diagram)
[Diagram: how the requirements flow down to IT controls]
SOX
  Sec 101 – Establishment of the PCAOB
  Sec 302 – Responsibility for Financial Reporting
  Sec 404 – Management Assessment of Internal Control
  Sec 409 – Real-time issuer disclosures
  -> PCAOB Auditing Standard No. 2: Audit of Internal Control over Financial Reporting (minimum standard for the public company)
  -> COSO (additional guidance)
  -> IT Controls
       General controls: operations controls, SDLC, access management
       Application controls
       Information quality: timely, current, accurate, accessible, etc.
What does SOX actually
mandate?
• Sec 101: Establishes the PCAOB
• Sec 302: CEO and CFO responsibility for the financial statements; the officers certify that internal controls are:
  – Designed effectively
  – Operating effectively, as evaluated within the last 90 days
  and disclose:
  – Material weaknesses
  – Frauds, material and otherwise
• Sec 404: Management's assessment of internal control
  – Management is responsible for internal control over financial reporting
  – Management assesses operating effectiveness
  – Auditors must also provide an independent assessment of operating effectiveness
• Sec 409: Real-time disclosure of material changes
What does the PCAOB
require?
PCAOB (Auditing Standard No. 2): IT control areas
• Program development / program changes
• Computer operations
• Access to programs and data
• Processing integrity controls
What does COSO require? Are there alternatives?

COSO
OBJECTIVES:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with the applicable laws and regulations
KEY COMPONENTS:
• Control environment (e.g. tone at the top)
• Risk assessment
• Control activities
• Information and communication (e.g. information management)
• Monitoring

CoCo (CICA Criteria of Control)
OBJECTIVES:
• Effectiveness and efficiency of operations
• Reliability of internal and external financial reporting requirements
• Compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
• Purpose
• Commitment
• Capability
• Monitoring and learning

Turnbull (UK)
OBJECTIVES:
• Facilitate the company's effective and efficient operation
• Ensure the quality of internal and external reporting
• Ensure compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
• Maintaining a sound system of internal control
• Reviewing the effectiveness of internal control
• The board's statement on internal control
• Internal audit
Differences
“…tighter, easier to grasp model of internal control than the
somewhat complex COSO framework.”
Robert Moeller on CoCo, former Audit Director of Sears
• CoCo: 20 Auditable Control Objectives
Similarities
• Similar objectives between all three standards
Other Considerations
• Consider cost-benefit in terms of familiarity with auditors, regulators,
etc.
What does COSO require?
COSO IT general controls:
• Data center operation controls
• System software controls
• Application system development and maintenance controls
• Access security controls
Information quality: timely, current, accurate, accessible, etc.
What does COSO require? (PCAOB and COSO general control categories mapped)

Category              PCAOB                          COSO
Systems development   Program development            System software controls
                      Program changes                Application system development and maintenance controls
Operations            Computer operations            Data center operation controls
Security              Access to programs and data    Access security controls
What does COSO require?
INFORMATION QUALITY
• Information is timely,
• Information is current,
• Information is accurate, and
• Information is accessible.
OTHER COMPONENTS
• Control environment (e.g. budget and IT)
• Risk assessment
• Monitoring
PART II: The IT Control Frameworks
COBIT
Structure: 4 domains, 34 high-level control objectives, 318 detailed control objectives.
Example of reading a COBIT control objective:
• PO ("Planning & Organization") is one of the 4 domains.
• PO2 is the high-level control objective.
• PO2.1 "Information Architecture Model" is the detailed control objective; the text that follows states what the objective requires:
  CONTROL OBJECTIVE: Information should be kept consistent with needs and should be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities effectively and on a timely basis. Accordingly, the IT function should create and regularly update an information architecture model, encompassing the corporate data model and the associated information systems. The information architecture model should be kept consistent with the IT long-range plan.
ISO 17799
Structure: 11 security control clauses, 39 main security categories, 135 controls.
Each control includes:
• Description of the control
• Implementation guidance
• Other information
ITCG (Information Technology Control Guidelines)
Structure: 7 control issues, 31 control objectives, 162 minimum control standards, 744 control techniques.
SysTrust
Number of criteria by control layer and principle:

Control layer    Security  Availability  Processing Integrity  On-Line Privacy  Confidentiality
Policy              3          3                 3                   3                3
Communication       5          5                 5                  10                5
Procedures         12         15                19                  18               15
Monitoring          3          3                 3                   3                3
Totals             23         26                30                  24               26

(As printed, the On-Line Privacy column sums to 34, not the 24 shown in the totals row.)
Fit with PCAOB/COSO
• General controls: covered by all four frameworks (COBIT, ISO 17799, ITCG, SysTrust)
• Application controls: marked for three of the four frameworks
• Specific category: marked for one framework (the column assignment for the last two rows is not recoverable from the extracted slide)
Analysis: Suitable Criteria

Characteristic of suitable criteria   COBIT    ISO 17799   ITCG    SysTrust
Relevance                             High     Medium      High    High
Understandability                     Medium   High        High    High
Completeness                          High     Medium      High    High
Conciseness                           Medium   High        High    High
Discussion and Suggestions for Further Research
• Ultimate goal: aid management in stewardship
• SysTrust: Processing Integrity principle
• Overlap between SysTrust, COBIT and ITCG
• Other frameworks: ITIL, ISO 9000-3, CMM, etc.
• Outsourcing: SAS 70, CICA Section 5970
• Other SOX sections: Sec. 409, Sec. 802