Sarbanes-Oxley Act of 2002
George Jones, ChangeMakers, Inc.; Walt Wolenski, EDS; Ray Slocumb, Partner, PWC; Gary Richardson, UH; Barry Rupert, UH
Page 1: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS

Sarbanes-Oxley Act of 2002

George Jones, ChangeMakers, Inc.
Walt Wolenski, EDS
Ray Slocumb, Partner, PWC
Gary Richardson, UH
Barry Rupert, UH

Page 2

Agenda
Welcome: Blake Ives
SOX: Review of Act: Barry Rupert
Introduction to Panel: Moderator: Gary Richardson, UH
Panel Discussion

Page 3

Upcoming Programs: Tentative Dates
January 15th
February 19th
March 18th
April 15th
May 20th

Page 4

January 15th
Sourcing Innovation Strategy
Jane C. Linder, Senior Research Fellow, Institute for Strategic Change, Accenture

Page 5

February 19th
Exporting Business Processes

Page 6

February 19th
Exporting Business Processes
Stuart Morstead, ISANI Group

Page 7

March 18th
IT in the Early 21st Century: What has changed and what has not changed - A Manager's Guide
Warren McFarlan, Professor, Harvard Business School

Page 8

April 15th
Valuing the IT Investment
Panel Discussion of Best Practice in Responding to the “Does/Doesn’t IT Matter” Challenge

“As information technology’s power and ubiquity have grown, its strategic importance has diminished. The way you approach IT investment and management will need to change dramatically.”
“IT Doesn’t Matter”, Nicholas Carr, Harvard Business Review, May 2003

Page 9

May 20th
Spring Planning Event

Page 10

Sarbanes-Oxley Act of 2002
Overview
Barry Rupert

Page 11

SOX Panel
Gary Richardson, Moderator
George Jones, ChangeMakers, Inc.
Walt Wolenski, EDS
Ray Slocumb, PWC

Page 12

Information Systems Research Center
November 20, 2003

Sarbanes-Oxley Act of 2002: Overview

Page 13

Disclaimer
• Not intended as legal advice
• Overview, not a detailed review of the Act and related rules
• Rules are still being reviewed and adopted
• Check with your auditor or legal advisor for final rules

Page 14

Background
• Sarbanes-Oxley Act (SOX) was a reaction to corporate scandals and lack of investor confidence:
– Enron
– Arthur Andersen
– MCI
• Typically what is referred to as SOX is actually a combination of:
– Sarbanes-Oxley Act of 2002 (H.R. 3763)
– Pending and final rules of the Public Company Accounting Oversight Board (PCAOB)
– Pending and final rules of the SEC
– Studies by the GAO and others that may result in new laws and/or new rules
• Violation of SOX is considered a violation of the Securities and Exchange Act of 1934

Page 15

Title IX: White Collar Crime Penalty Enhancement
Overview
• Establishes a maximum fine of $1,000,000 and a maximum prison sentence of 10 years for CEOs and CFOs who certify a financial statement knowing that it is not consistent with all of the sections of the Act.
• Establishes a maximum fine of $5,000,000 and a maximum prison sentence of 20 years for CEOs and CFOs who willfully certify a financial statement knowing that it is not consistent with all of the sections of the Act.

Page 16

Scope
Entities that come under the purview of SOX include:
• “Issuers”, as defined in section 3 of the Securities and Exchange Act of 1934, which includes entities that:
– Have securities registered under section 12, or
– Are required to file reports under 15(d), or
– Have filed or will file a registration statement that is or will become effective and has not been withdrawn under the Securities Act of 1933.
• Layperson’s definition of “issuer”:
– Any public company or company that plans to IPO
– Alternatively, companies with more than $10 million in assets and whose securities are held by more than 500 owners
• Public accounting firms that perform audits for “issuers”
• There may be special rules and/or rule effective dates for:
– Investment Companies
– Foreign Private Issuers

Page 17

Summary of Contents
Title I: Public Company Accounting Oversight Board
Title II: Auditor Independence
Title III: Corporate Responsibility
Title IV: Enhanced Financial Disclosures
Title V: Analyst Conflicts of Interest
Title VI: Commission Resources and Authority
Title VII: Studies and Reports
Title VIII: Corporate and Criminal Fraud Accountability
Title IX: White-Collar Crime Penalty Enhancements
Title X: Corporate Tax Returns
Title XI: Corporate Fraud and Accountability

Page 18

Title I: Public Company Accounting Oversight Board
• Established by the Act
• Organized as a nonprofit agency, not as a government agency
• Responsibilities
– Register and inspect public accounting firms
– Establish standards for public accounting firms
– Enforce compliance with the Act and Rules of the Board
– Investigate firms and impose sanctions

Page 19

Title III: Corporate Responsibility
Overview
• Assigns the responsibility to appoint, compensate and oversee the public accounting firm that performs the audit to the audit committee.
• Requires the CEO and CFO to
– certify fairness of financial statements
– take responsibility for disclosure controls
• Makes it unlawful to fraudulently influence, coerce or mislead an auditor
• Provides for the forfeiture of certain compensation following the issuance of a “non-compliant” financial document
• Provides the SEC with greater flexibility to remove management or board members
• Blocks insider trading during pension fund blackout periods
• Requires attorneys to report evidence of material violations
• Provides that disgorged profits will benefit the victims

Page 20

Title III: Corporate Responsibility
Highlights
Section 301: Public Company Audit Committees
• Companies that are not compliant with SEC audit committee requirements are subject to delisting
• Audit committee is responsible for oversight of auditors, including the resolution of disagreements between management and auditors
• Audit committees must set up procedures to receive and address “whistleblower” complaints
• Employees and others may take concerns directly to the audit committee.
• Audit committee members are required to be independent, and a disclosure is required in proxy statements

Page 21

Title III: Corporate Responsibility
Highlights
Section 302: Corporate Responsibility for Financial Reports
• Principal executive and financial officers are required to:
– Certify that the content of each report is accurate, complete and fairly presented.
– Take responsibility for maintaining and evaluating disclosure controls and procedures.
• Certification affirms that officers have made required disclosures about
– Fraud;
– Significant deficiencies, material weaknesses, and significant changes in internal controls; and
– Evaluation of the effectiveness of the disclosure controls and procedures.

Page 22

Title III: Corporate Responsibility
Highlights
Section 302: Corporate Responsibility for Financial Reports (cont.)
• Companies must establish and maintain an overall system of disclosure controls and procedures so that the CEO and CFO can
– Supervise and review periodic evaluations of the disclosure system
– Report the results to security holders
• Effectiveness of disclosure controls and procedures must be assessed within 90 days prior to filing dates of quarterly and annual reports
• Failure to maintain adequate disclosure controls and procedures may result in SEC action even if it doesn’t lead to flawed financial statements

Page 23

Title IV: Enhanced Disclosure Requirements
Overview
• Requires disclosure of material off-balance-sheet arrangements
• Establishes standards for reporting pro forma financial information
• Prohibits companies from making loans to directors or executives
• Requires earlier disclosure of equity transactions by directors, officers, and other insiders
• Requires management to establish and maintain adequate internal controls and procedures for financial reporting
• Exempts investment companies from several of the disclosure requirements
• Requires disclosure of a code of ethics for senior financial officers
• Requires companies to disclose whether at least one of the audit committee members is a financial expert
• Requires rapid disclosure of changes in financial condition

Page 24

Title IV: Enhanced Disclosure Requirements
Highlights
Section 404: Management Assessment of Internal Controls
• Requires management to establish and maintain adequate internal controls and procedures for financial reporting
• Requires that each annual report includes a statement:
– Describing management’s responsibility for internal controls and procedures for financial reporting.
– Documenting management’s assessment of the effectiveness of the controls and financial reporting procedures
– Incorporating the independent auditor’s review of management’s assessment of internal controls and financial reporting procedures

Page 25

Title IV: Enhanced Disclosure Requirements
Highlights
Section 404: Management Assessment of Internal Controls (cont.)
• Related SEC releases define internal controls and procedures for financial reporting as controls that provide reasonable assurance that:
– Transactions are properly authorized
– Assets are safeguarded against unauthorized or improper use
– Transactions are properly recorded to permit the preparation of financial statements that are presented consistent with GAAP
• To meet the assessment requirement, management must select a suitable recognized framework for assessing the effectiveness of internal controls

Page 26

Find more information on SOX at:
• www.findlaw.com – for the text of the Act
• www.pcaobus.org – for the current status of rules of the Public Company Accounting Oversight Board
• www.sec.gov – for the status of SOX-related SEC rules. Of particular interest is www.sec.gov/rules/final/33-8238.htm, which contains “Final Rule: Management’s Reports on Internal Controls Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports”
• www.aicpa.org – for general information on SOX and its implications
• www.isaca.org – for “IT Control Objectives for Sarbanes-Oxley”, a detailed discussion of this issue

Page 27

SOX Panel
Gary Richardson, Moderator
George Jones, ChangeMakers, Inc.
Walt Wolenski, EDS
Ray Slocumb, PWC

Page 28

Copyright © 2003, ChangeMakers, Inc

Where Was IT?
The Implications of the Sarbanes-Oxley Act
George P. Jones, Principal

Page 29

Where Was IT?
“Where Was IT?” - A Legitimate Question
The Sarbanes-Oxley Challenge for IT
Would a “Better” IT Organization assist in preventing financial wrongdoing, and if so, what does “Better” mean?

Page 30

Where Was IT?
The Mutual Funds Scandal
The MCI Allegations *
The HealthSouth Fraud
* MCI denies these particular allegations

Page 31

The Sarbanes-Oxley Challenge
The Requirement for Disclosure
Bad News must be reported upwards
IT’s projects have potential financial impact
IT’s activity provides a cross-company view
“See No Evil” is not allowed

Page 32

The Sarbanes-Oxley Challenge: The Internal Controls Report
Disclosure Reporting Controls
• Company-wide disclosure reporting mechanisms
• IT organization’s own disclosure reporting
Financial Transaction Controls
• Data related
• Software (logic) related
• Third party product related
IT must help evaluate, strengthen and monitor

Page 33

What is a “Better” IT Organization?
Characteristics that define “Better”
Skills needed to support those characteristics
Training needed to support those skills
Organization and culture

Page 34

Objectives of “Better”
Able to help prevent and detect financial abuse
Responsive to requirements of Sarbanes-Oxley

Page 35

Characteristics of “Better”
Knowledge of relevant law and regulations
Knowledge of accounting rules
Knowledge of business ethics
Able to ask the right questions
Able to make recommendations
Able to analyze relevant design and operations issues

Page 36

Characteristics of “Better”
Expertise in Financial Controls
Financial control objectives
Design of financial controls in systems
Financial control reporting
Able to design and implement financial controls
Able to evaluate controls in third party products
Able to analyze controls and recommend improvements

Page 37

Characteristics of “Better”
Knowledge of the Company’s Business
What we do and how we operate
Understanding the significance of the operational numbers
Able to spot ‘interesting’ deviations

Page 38

Characteristics of “Better”
Healthy, Collaborative Relationships with
Internal accounting
Internal audit
External audit
Treat as a priority activity
Implement their recommendations
Contribute recommendations
Financial Controls
Operations
Reporting

Page 39

Characteristics of “Better”
Familiar with the requirements of Sarbanes-Oxley
Responsibility of disclosure
Control of disclosure
Formal disclosure mechanisms
Importance of internal controls

Page 40

Required Knowledge & Skills
Legal and regulatory environment
Company’s contractual obligations
Accounting standards
Industry standards
Business and professional ethics
Design and implementation of financial controls

Page 41

Training Gaps
Sarbanes-Oxley requirements
Industry legal and regulatory issues
Financial accounting
Business and professional ethics
Accepted industry practices
Financial controls design & implementation

Page 42

Organization and Culture
“See No Evil” is not allowed
Bad News MUST move up
Requires an open management style without retribution for bad news
Culture is the most difficult thing to change

Page 43

Conclusions
Sarbanes-Oxley impact is more than technical, more than analytical, more than financial
SOX places a burden of responsibility on all employees, not just the accountants
SOX impacts IT priorities and the “To do” list
SOX will impact the role of IT in its users’ business and data
SOX will challenge any IT organization whose culture is one of containment

Page 44

IT Strategies and SOX

Page 45

The different acts within the legislation can be categorized into six major themes

Titles of the Act:
PCAOB (I)
Auditor Independence (II)
Corporate Responsibility (III)
Financial Disclosure Enhancements (IV)
Analyst Conflicts of Interest (V)
Resources and Authority (VI)
Studies and Reports (VII)
Corporate and Criminal Fraud Accountability (VIII)
White Collar Penalty Enhancements (IX)
Tax Returns (X)
Corporate Accountability (XI)

Act sections and themes:
Increase oversight (101-109)
Auditor conflicts of interest (201-209)
Mgmt assessment of controls (404)
Disclosures accountability (302)
Whistleblower protection (301)
Acceleration of disclosures (408-409)

IT Opportunity or Challenge

Page 46

Meeting the requirements of Sarbanes-Oxley will require a significant effort by corporations
“…survey of mostly mid-cap companies...found that the average price to remain public has close to doubled…” – Foley & Lardner Law
“Enterprises will not be able to easily or inexpensively fulfill government-driven public disclosure tasks.” – Aberdeen Group
“…the IS organization must create near real-time reporting to meet requirements for greater transparency and quicker deadlines for report filing” – Gartner Group

Page 47

Companies are taking various approaches to SOX compliance activities and initiatives

Albatross: triage approach to changes
• Focus on legal compliance
• Duct tape and twine
• Budget from current initiatives

Opportunity: strategic approach to changes
• Focus on business intelligence
• Systematic changes and upgrades
• Budget based on opportunity

Page 48

Companies are approaching systematic remedies in a variety of manners
[Chart not recoverable from the transcript; only its axis ticks (0 to 70) survived]
Source: AMR Research

Page 49

Different sections of the act are driving or will drive changes in the financial organization
• Section 302 & 404
– Process mapping
– Systematic remedies
– Process changes
– Collaboration and teaming
• Section 409
– Systematic remedies
– Major process changes

Page 50

Supporting the Sarbanes-Oxley work teams can provide a simple way to create positive impact
Who makes up the work team?
Compliance personnel increase 267% (Foley & Lardner)
SOX Compliance Team:
Control Owner(s)
Internal Audit
External Consultants
Accounting Firm
Process Owners
System Owners
CEO/CFO
Audit Committee

Page 51

What Makes A Team Successful?
• The Law of the Big Picture – The goal is more important than the role
• The Law of the Compass – Vision gives team members direction
• The Law of the Scoreboard – The team can make adjustments when it knows where it stands
• The Law of Communication – Interaction fuels action
• The Law of Dividends – Investing in the team compounds over time
From “The 17 Indisputable Laws of Teamwork” – John C. Maxwell
There are no other options but to succeed with SOX compliance…

Page 52

Providing real-time visibility into SOX activities and initiatives can create near-term and long-term benefits
• Visibility to status of reports
• Immediate awareness of problem areas through use of visual cues
• Dashboard metrics adjustable as internal processes are changed
• Customizable to track any metric-related entity (controls, process, projects, etc)
• Track test dates
• Track certification dates
• Overall status
• Assign ownership

Page 53

www.eds.com/dwe

Page 54

The Sarbanes-Oxley Act of 2002 – PricewaterhouseCoopers
Introduction of Panel Members
The Sarbanes-Oxley Act of 2002
Overview and Impact to IT

Page 55

Sarbanes-Oxley Act - Background
Public company accounting reform and investor protection act.
Passed in July 2002.
Legislative action in reaction to Enron, WorldCom, and other corporate scandals.
Bill written by Paul Sarbanes, U.S. Senator from Maryland, and Michael Oxley, U.S. Congressman from Ohio.

Page 56

Sarbanes-Oxley Act - Summary
The Act was signed into law on July 30, 2002 and includes eleven titled sections:
Title I: Public Company Accounting Oversight Board
Title II: Auditor Independence
Title III: Corporate Responsibility
Title IV: Enhanced Financial Disclosures
Title V: Analyst Conflicts of Interest
Title VI: Commission Resources and Authority
Title VII: Studies and Reports
Title VIII: Corporate and Criminal Fraud Accountability
Title IX: White Collar Crime Penalty Enhancements
Title X: Corporate Tax Returns
Title XI: Corporate Fraud and Accountability

Page 57

Sarbanes-Oxley Act of 2002
Section 302: Requires quarterly certification by the CEO / CFO of all companies filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 regarding the completeness and accuracy of such reports as well as the nature and effectiveness of internal controls supporting the quality of information included in such reports.
Section 404: Requires an annual report by management regarding internal controls and procedures for financial reporting, and an attestation as to the accuracy of that report by the company’s auditors.

Page 58

Management’s Requirements under Section 404
Section 404 – Management Must Assess Internal Controls Annually (for fiscal years ending 6/15/04 and later)
Internal control report states management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
Management must assess effectiveness of internal control structure and procedures for financial reporting as of the end of the most recent fiscal year.
Attestation by external auditor (Sections 404 and 103).

Page 59

The Final 404 Rule Provisions: Background
Final Rule Provisions Affect Company Actions Under Sections 404 and 302.
Section 404: Requires an annual report by management regarding the effectiveness of internal control over financial reporting, and an attestation by the company’s auditors as to the accuracy of management’s assessment.
Section 302: Requires quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DC&P) supporting the quality of information included in such reports.

Page 60

Disclosure Controls and Procedures versus Internal Control Over Financial Reporting
[Diagram: overlapping areas labelled Disclosure Requirements, Internal Controls Over Financial Reporting, Disclosure Controls and Procedures, and Internal Controls over Disclosure Requirements. Legend: Internal Accounting Controls; Financial Reporting; Compliance & Regulatory; Operations]

Page 61

Audit of Financial Statements vs. 404 Controls Attestation
Audit of Financial Statements
• Understanding and consideration of internal controls only to develop the audit approach
• Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls
• Internal control reports have been very rare in practice and are the subject of different auditing standards
404 Attestation
• 100% controls-based approach over the entire control environment
• Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep)
• Lack of errors, historically, in financial statements is not de facto evidence, unto itself, of an appropriate internal control structure

Page 62

COSO is an integrated framework for internal control which, when implemented, can provide a baseline to establish a control structure that meets Section 302 requirements and supports 404 attestation.
COSO Is Currently the Only Recognized Internal Control Framework
While Internal Control was not defined in the Act, the COSO definition has been accepted by the US government and its agencies, incorporated in US auditing standards (AU 319), and is a generally accepted integrated framework for control infrastructure. Under regulations for Section 404, the SEC will use AU 319 as the reference.
Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
COSO identifies five components of control that need to be in place and integrated to ensure the achievement of each of the objectives.

Page 63

The Five Components under the COSO Framework
Control Environment
• Sets the tone of the organization, influencing the control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.
Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.
Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.
All five components must be in place for a control to be effective.

Page 64

Introduction of Panel Members
Impact on Information Technology

Page 65

Sarbanes-Oxley Act – Role of IT
“Some controls … might have a pervasive effect on achieving many overall objectives of the control criteria. For example, information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively.” – PCAOB’s Proposed Auditing Standard for Section 404
“With widespread reliance on information systems, controls are needed over all such systems: financial, compliance and operational, large and small… Two broad groupings of information systems control activities can be used. The first is general controls -- which apply to many if not all application systems and help ensure their continued, proper operation. The second category is application controls, which include computerized steps within the application software and related manual procedures to control the processing of various types of transactions. Together, these controls serve to ensure completeness, accuracy and validity of the financial and other information in the system.” – COSO Report: Internal Control - Integrated Framework

Page 66

Controls over the IT environment
• Most business processes are either partially or wholly enabled by IT
• Achieving control objectives is often dependent on IT-based controls
• Many controls depend on data generated by IT systems
• IT controls need to be considered at 2 levels:
– Controls over the IT environment (General Controls)
– Controls over individual applications (Application Controls)

Page 67

General computer controls (GCC) - Definition
Controls used to manage and control the information technology activities and computer environment. Comprised of 4 major areas:
• Information security – both physical and logical access
• Maintenance of existing systems (program change controls)
• Computer operations
• Development and implementation of new systems
The controls within the GCC environment are considered “pervasive”. They help assure that specific controls over processing of transactions are operating effectively.

Page 68

General computer controls (GCC) – Information security
Examples of controls in this area include:
• Authentication of users (e.g., log-in IDs and passwords)
• Password controls (e.g., password expiry, minimum length, etc.)
• Security administration (new user set-up, removing terminated employees, password resets, etc.)
• Security monitoring
• Physical security of computers and business facility
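As an added illustration (not part of the presentation or of PricewaterhouseCoopers' material), the password and security administration controls listed above can be tested automatically over a user account export and an HR termination list; the field names, the baseline values and the sample records are assumptions constructed for the example.

```python
"""Added example (not from the PwC deck): automated test of the information
security GCC examples above over a constructed account export, HR termination
list and password policy setting. Field names and baseline values are assumed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Baseline the password controls are expected to meet (assumed values)
MIN_PASSWORD_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90


@dataclass
class PasswordPolicy:
    min_length: int      # configured minimum password length
    max_age_days: int    # configured expiry; 0 is taken to mean "never expires"


@dataclass
class Account:
    user_id: str
    owner: str           # employee id the login belongs to
    enabled: bool
    last_password_set: date


def policy_findings(policy: PasswordPolicy) -> list[str]:
    """Password controls: the system setting must be at least as strict as the baseline."""
    findings = []
    if policy.min_length < MIN_PASSWORD_LENGTH:
        findings.append(
            f"minimum length {policy.min_length} is below baseline {MIN_PASSWORD_LENGTH}")
    if policy.max_age_days == 0 or policy.max_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"expiry of {policy.max_age_days} days exceeds baseline {MAX_PASSWORD_AGE_DAYS}")
    return findings


def account_findings(accounts: list[Account], terminated: set[str],
                     as_of: date) -> dict[str, list[str]]:
    """Security administration: terminated employees must not keep enabled logins,
    and no enabled login may carry a password older than the expiry period."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled logins are not an exposure here
        issues = []
        if acct.owner in terminated:
            issues.append("enabled login belongs to a terminated employee")
        if (as_of - acct.last_password_set).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password not rotated within the expiry period")
        if issues:
            report[acct.user_id] = issues
    return report


# Constructed sample data (not real accounts, employees or settings)
AS_OF = date(2003, 11, 20)
TERMINATED = {"E102"}
SAMPLE_POLICY = PasswordPolicy(min_length=6, max_age_days=0)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E101", True, date(2003, 10, 1)),     # compliant
    Account("rroe", "E102", True, date(2003, 9, 15)),     # owner terminated, still enabled
    Account("svc_batch", "E900", True, date(2003, 1, 1)), # password never rotated
    Account("mold", "E103", False, date(2002, 1, 1)),     # disabled, not reported
]

if __name__ == "__main__":
    for finding in policy_findings(SAMPLE_POLICY):
        print("policy:", finding)
    for user, issues in account_findings(SAMPLE_ACCOUNTS, TERMINATED, AS_OF).items():
        print(user, "->", "; ".join(issues))
```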

Page 69: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS

The Sarbanes-Oxley Act of 2002 69PricewaterhouseCoopers

General computer controls (GCC) – Program change controls

Examples of controls in this area include:

– All program change requests are appropriate and authorized

– Segregation of duties exists between those that make the changes and those that move the changes to the live processing environment

– Version control exists so that two programmers are not modifying the same program, which would result in lost changes or conflicts

– Testing of the changes to ensure they are accurate

– Sign off by the business users who requested the changes to ensure the changes meet the business needs

Page 70: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


General computer controls (GCC) – Computer operations

Examples of controls in this area include:

– Computer systems are monitored

– Job scheduling (batch programs) is monitored

– Computer systems are protected against fire/flood

– Backups of data are taken daily

– A disaster recovery plan (DRP) exists and has been tested recently

Page 71: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


General computer controls (GCC) – Development & implementation of new systems

Relevant when the company implements new applications or systems.

Examples of controls in this area include:

– Converted account balances are reconciled

– Testing has occurred

– Training has occurred

– Data integrity controls are in place

In general, an effective Systems Development Lifecycle (SDLC) and implementation methodology should be followed.

Page 72: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


Application Controls

Application Control Objectives (CAVR)

– Completeness – Controls that assist management in ensuring financial transactions and data are complete.

– Accuracy – Controls that assist management in ensuring financial transactions and data are accurate.

– Validity – Controls that assist management in ensuring financial transactions and data are valid.

– Restricted Access – Controls that assist management in ensuring financial transactions and data are restricted to the appropriate personnel and are segregated from incompatible duties.

Page 73: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


Summary Application Control Types

Control type              Objectives addressed (one x per objective; the four objectives are Completeness, Accuracy, Validity and Restricted Access)

Prerecorded Input         x
Physical Locks            x
Programmed Checks         x
Computer Matching         x x x x
Computer Sequence Check   x
Batch/Control Totals      x x
One-for-One Checking      x x x x
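The control types in the table above can be run as programmed checks over a transaction batch. The following is an added example, not from the slides or from PwC, that applies a computer sequence check, batch/control totals, computer matching against a vendor master and a segregation-of-duties check to a constructed batch and reports which CAVR objective each failure affects. The Txn fields, header layout and vendor master are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    seq: int            # sequence number assigned at input (assumed field)
    vendor: str         # must exist in the vendor master (validity)
    amount: int         # whole currency units, integer so totals are exact
    entered_by: str     # user who keyed the transaction
    approved_by: str    # user who released it for processing

def sequence_check(batch):
    """Completeness: gaps and duplicates in the input sequence."""
    seqs = sorted(t.seq for t in batch)
    expected = set(range(seqs[0], seqs[-1] + 1)) if seqs else set()
    gaps = sorted(expected - set(seqs))
    dups = sorted({s for s in seqs if seqs.count(s) > 1})
    return gaps, dups

def control_totals(batch, header):
    """Completeness (record count) and accuracy (amount total) against the batch header."""
    return (len(batch) == header["count"],
            sum(t.amount for t in batch) == header["amount"])

def computer_matching(batch, vendor_master):
    """Validity: every transaction must match an approved vendor master record."""
    return [t.seq for t in batch if t.vendor not in vendor_master]

def segregation_check(batch):
    """Restricted access: the same user may not both enter and approve a transaction."""
    return [t.seq for t in batch if t.entered_by == t.approved_by]

def run_application_controls(batch, header, vendor_master):
    """Map each control result onto the CAVR objective it supports."""
    gaps, dups = sequence_check(batch)
    count_ok, amount_ok = control_totals(batch, header)
    return {
        "completeness": count_ok and not gaps and not dups,
        "accuracy": amount_ok,
        "validity": not computer_matching(batch, vendor_master),
        "restricted_access": not segregation_check(batch),
    }

# Constructed sample (not real data): seq 1003 is missing, the amount total is off,
# vendor "ACME-X" is not on the master, and txn 1004 was entered and approved by one user.
VENDOR_MASTER = {"ACME", "GLOBEX", "INITECH"}
HEADER = {"count": 4, "amount": 125_000}
BATCH = [
    Txn(1001, "ACME", 50_000, "alice", "bob"),
    Txn(1002, "GLOBEX", 25_000, "alice", "bob"),
    Txn(1004, "ACME-X", 55_000, "carol", "carol"),
]
```

Running run_application_controls(BATCH, HEADER, VENDOR_MASTER) flags all four objectives for this batch; a clean batch returns True for each.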

Page 74: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


Linkage between Controls and Financial Statements

Diagram elements, from business objectives through to the financial statements:

– Business Objectives

– Business Risks related to achieving Objectives

– Business Processes A, B and C, each with the application control objectives Completeness, Accuracy, Validity and Restricted Access

– Account Balances and Transactions

– Financial Statement Assertions: Completeness, Accuracy, Rights & Obligations, Existence / Occurrence, Valuation / Allocation, Presentation / Disclosure, Cutoff

– General Computer Controls (pervasive across the business processes above)

Page 75: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


What guidance is available to help IT meet SOX requirements?

Several standards exist that provide guidance on internal controls from an IT perspective

Application controls:

– COSO – Internal Control: Integrated Framework

– COBIT – Control Objectives for Information and Related Technology

General computer controls:

– COBIT

– ISO 17799 – Information Security Management

– ITIL – IT Infrastructure Library

– SAC – Systems Auditability and Control (IIA)

Page 76: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


COBIT Overview

COBIT is a framework well-suited to the needs of SOX 404

Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

Domains:

– PO: Planning & Organization

– AI: Acquisition & Implementation

– DS: Delivery & Support

– M: Monitoring

Processes (example, from the AI domain):

– AI 1: Identify automated solutions

– AI 2: Acquire and maintain application software

– AI 3: Acquire and maintain technology infrastructure

– AI 4: Develop and maintain procedures

– AI 5: Install and accredit systems

– AI 6: Manage Changes

Control Objectives

IT Resources: People, Application systems, Technology, Facilities, Data

Page 77: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


IT Governance Institute: Control Objectives for Sarbanes-Oxley

Discussion document issued in October 2003

Based on COBIT

Maps COBIT to COSO

Proposes IT control objectives that are relevant to Sarbanes-Oxley

Control objectives are a subset of COBIT control objectives: COBIT has 318 control objectives; ITGI proposes 136 for Sarbanes-Oxley

Discussion document can be obtained at www.isaca.org

Page 78: George Jones, ChangeMakers, Inc. Walt Wolenski, EDS


Summary

IT plays a key role in a company’s internal control framework, and therefore has a key role to play in compliance with Sarbanes-Oxley.

IT controls include general controls, which ensure the continued, proper operation of computer systems, and application controls, which control the processing of transactions within computer applications.

General controls have a pervasive impact on the overall control environment, and are therefore very important.

Automated application controls must be considered as part of the relevant business process, requiring communication between IT and the business.