Comparative Analysis of IT Control Frameworks in the Context of SOX
By: Malik Datardina, CA, CISA
University of Waterloo

Introduction
• SOX average cost: $5 million per company
• Impact on the way of doing business
• Increased focus on IT: "The Sarbanes-Oxley legislation has created a greater need for businesses to have IT controls in place" (Bill Levant, Partner, Deloitte)

Goal
• Some fundamental questions:
  – How does the SOX legislation result in the implementation of IT controls?
  – What IT controls are expected to be in place?

Agenda
• Basic issues to be covered:
Part I – SOX Basics
  • What does SOX actually mandate?
  • What does the PCAOB require?
  • What does COSO require? Are there alternatives?
Part II – The Frameworks
  • How are COBIT, ITCG, ISO 17799, and SysTrust relevant to SOX and analysis?
Part III – Discussion and Suggestions for Further Research

Agenda (roadmap diagram)
[Diagram boxes: SOX (Sec 101 – Establishment of the PCAOB; Sec 302 – Responsibility for Financial Reporting; Sec 404 – Management Assessment of Internal Control; Sec 409 – Real-time issuer disclosures); PCAOB Auditing Standard No. 2: Audit of Internal Control over Financial Reporting; Additional Guidance; Minimum Standard; Public Company; IT Controls, split into General Controls (operations controls, SDLC, access management) and Application Controls; Information Quality: timely, current, accurate, accessible, etc. The same diagram is reused as a locator on the PCAOB, COSO and Part II slides below and is not repeated there.]

What does SOX actually mandate?
• Sec 101: Establishes the PCAOB
• Sec 302: CEO & CFO responsibility for the financial statements
  – Designed effectively
  – Operating effectively within the last 90 days
  – Disclosure of material weaknesses
  – Disclosure of frauds, material and otherwise
• Sec 404 – Management's Assessment of Controls
  – Management is responsible
  – Management assesses operating effectiveness
  – Auditors must also provide an independent assessment of operating effectiveness
• Sec 409 – Real-time disclosure of material changes

What does the PCAOB require?
(Auditing Standard No. 2: Audit of Internal Control over Financial Reporting)
General controls:
• Program development / program changes
• Computer operations
• Access to programs and data
Application controls:
• Processing integrity controls

Are there alternatives? (COSO compared with two other internal control frameworks)

COSO
OBJECTIVES:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with the applicable laws and regulations
KEY COMPONENTS:
• Control environment (e.g. tone at the top)
• Risk assessment
• Control activities
• Information and communication (e.g. information management)
• Monitoring

CoCo
OBJECTIVES:
• Effectiveness and efficiency of operations
• Reliability of internal and external financial reporting requirements
• Compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
• Purpose
• Commitment
• Capability
• Monitoring & learning

Third framework (not named on the slide; the objectives and components listed are those of the UK Turnbull guidance)
OBJECTIVES:
• Facilitate its effective and efficient operation
• Ensure the quality of internal and external reporting
• Ensure compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
• Maintaining a sound system of internal control
• Reviewing the effectiveness of internal control
• The board's statement on internal control
• Internal audit

Differences
• "…tighter, easier to grasp model of internal control than the somewhat complex COSO framework." (Robert Moeller on CoCo, former Audit Director of Sears)
• CoCo: 20 auditable control objectives
Similarities
• Similar objectives between all three standards
Other considerations
• Consider cost-benefit in terms of familiarity with auditors, regulators, etc.

What does COSO require?
General controls:
• Data center operation controls
• System software controls
• Application system development and maintenance controls
• Access security controls
Information quality: timely, current, accurate, accessible, etc.

What does COSO require? (mapping of PCAOB general controls to COSO)
Category              PCAOB                         COSO
Systems development   Program development           System software controls
                      Program changes               Application system development and maintenance controls
Operations            Computer operations           Data center operation controls
Security              Access to programs and data   Access security controls

What does COSO require? (information quality)
INFORMATION QUALITY
• Information is timely
• Information is current
• Information is accurate
• Information is accessible
OTHER COMPONENTS
• Control environment (e.g. budget and IT)
• Risk assessment
• Monitoring

PART II: The IT Control Frameworks

COBIT
PO2.1 Information Architecture Model
CONTROL OBJECTIVE: Information should be kept consistent with needs and should be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities effectively and on a timely basis. Accordingly, the IT function should create and regularly update an information architecture model, encompassing the corporate data model and the associated information systems. The information architecture model should be kept consistent with the IT long-range plan.
• PO ("Planning & Organization") is one of the 4 domains.
• PO2 is the high-level control objective.
• "PO2.1 Information Architecture Model" is the detailed control objective; the text that follows it explains what is required to meet this objective.
Structure: 4 domains, 34 high-level objectives, 318 detailed objectives

ISO 17799
• Security control clause (11)
• Main security category (39)
• Control (135); each control includes the following information:
  – Description of control
  – Implementation guidance
  – Other information
Structure: 11 security control clauses, 39 security categories, 135 controls

ITCG
Structure: 7 control issues, 31 control objectives, 162 minimum control standards, 744 control techniques

SysTrust
Control layers by principle (counts as given on the slide):
Control layer    Security  Availability  Processing Integrity  On-Line Privacy  Confidentiality
Policy               3          3                3                    3                3
Communication        5          5                5                   10                5
Procedures          12         15               19                   18               15
Monitoring           3          3                3                    3                3
Totals              23         26               30                   24               26

Fit with PCAOB/COSO
• General controls: COBIT, ISO 17799, ITCG, SysTrust (all four frameworks)
• Application controls: three of the four frameworks (the extracted slide does not preserve which column is blank)
• Specific category: one framework (column not preserved in the extracted slide)

Analysis: Suitable Criteria
Characteristics of suitable criteria ↓   COBIT    ISO 17799   ITCG   SysTrust
Relevance                                 High     Medium      High   High
Understandability                         Medium   High        High   High
Completeness                              High     Medium      High   High
Conciseness                               Medium   High        High   High

Discussion and Suggestions for Further Research
• Ultimate goal: aid management in stewardship
• SysTrust: Processing Integrity principle
• Overlap between SysTrust, COBIT, ITCG
• Other frameworks: ITIL, ISO 9000-3, CMM, etc.
• Outsourcing: SAS 70, Section 5970
• Other SOX sections: Sec. 409, Sec. 802