Adam Bearhalter, Kristy Kelly, Julie Bland, Alex Tiset

Introduction
• Corporate and accounting scandals
• Public confidence
• Signed into law July 30, 2002
• Reach

Titles
TITLE I—PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD
TITLE II—AUDITOR INDEPENDENCE
TITLE III—CORPORATE RESPONSIBILITY
TITLE IV—ENHANCED FINANCIAL DISCLOSURES
TITLE V—ANALYST CONFLICTS OF INTEREST
TITLE VI—COMMISSION RESOURCES AND AUTHORITY
TITLE VII—STUDIES AND REPORTS
TITLE VIII—CORPORATE AND CRIMINAL FRAUD ACCOUNTABILITY
TITLE IX—WHITE-COLLAR CRIME PENALTY ENHANCEMENTS
TITLE X—CORPORATE TAX RETURNS
TITLE XI—CORPORATE FRAUD AND ACCOUNTABILITY

Key Provisions
1. SOX Section 302: Internal control certifications
2. SOX Section 404: Assessment of internal control
3. SOX Section 802: Criminal penalties for violation of SOX
4. SOX Section 1107: Criminal penalties for retaliation against whistleblowers

SOX Section 404
Management must report on the effectiveness of the company's internal controls over financial reporting. The report must contain:
• A statement of management's responsibility for internal controls
• Management's assessment of the effectiveness of the company's internal control
• Identification of the framework used to evaluate the controls
• A statement that the company's auditor has also reported on its internal controls
Source: www.sec.gov

SOX Section 404
• In today's business environment, IT systems initiate, process, and report most financial transactions
• Because they are so involved in day-to-day financial transactions, IT systems become key to financial reporting
• This makes the controls over those IT systems key to financial reporting as well
Source: IT Governance Institute, 2006

SOX Section 404
• Management is required to implement an internal control framework
• COSO is the most widely used framework for SOX compliance, but it pays little attention to IT controls
• COBIT is one of the better-known frameworks that address IT controls
Source: IT Governance Institute, 2006

Key Controls
• Controls that are key to ensuring that the values on the balance sheet are accurate and reliable
• Example: a database trigger that creates an entry in the general ledger
• Example: a system that ensures emails are sent
• The IT auditor ensures that these controls are effective, reliable, and reproducible

General Controls
• Controls that span all IT systems and are essential to ensuring the integrity, reliability, and quality of those systems
• Security policies
• Change management
• Administration of duties/rights

Administration of Duties/Rights
• Separation of duties: individual permissions, roles
• Least privilege: an individual is given only the privileges needed to do their job
• User provisioning: new users are set up with the correct privileges; a standard profile is defined for each user

What if these three principles are not in place?
• The IT system has failed to meet SOX compliance
• The auditor must note the exception and flag it to management for remediation

Strategies for Sarbanes-Oxley Compliance
• Understand SOX requirements
• Set aside sufficient resources
• Get everyone involved
• Create an independent audit committee
• Educate everyone
• Evaluate auditors
• Make the required changes
• Prepare for the future
Source: www.afponline.org

Impact of SOX on IT and Management
• Risk assessment
• Control environment
• Control security
• Monitoring
• Information and communication
Source: www.answers.com

Impact of SOX: Risk Assessment
• Areas of risk
• Examination of systems
• Accuracy of documentation

Impact of SOX: Control Environment
• Effectiveness of internal controls
• Tone of the organization
• Control environment factors
Source: www.answers.com

Impact of SOX: Control Security
• IT security

Impact of SOX: Monitoring
• Processes and schedules
• Internal audits

Impact of SOX: Information and Communication
• Timely and accurate information
• Communication to management
Source: www.answers.com