Vijay V Vijayakumar. SOX Act Difference between IT Management and IT Governance Internal Controls Frameworks for Implementing SOX COSO - Committee.

Vijay V Vijayakumar

SOX Act Difference between IT Management and IT Governance Internal Controls Frameworks for Implementing SOX

COSO - Committee of Sponsoring Organizations of Treadway Commission

COBIT - Control Objectives for Information and related Technology

Comparison of COSO and COBIT Issues

Need ◦ Wide Spread Malpractices in financial accounting of Public Corporations

e.g. Enron◦ Cost investors billions of dollars◦ Sarbanes-Oxley Act(SOX) was passed in 2002 to prevent such

occurrences◦ All public corporations have to comply with SOX

Intent◦ To protect investors by improving the accuracy and reliability of

corporate disclosures made pursuant to the securities laws, and for other purposes.

◦ Create new standards for corporate accountability as well as new penalties for acts of wrongdoing.

Impact: More focus on IT Governance(Internal Controls), transparency in business practices, more responsibility and accountability on Top Management.

• 6 Areas of Importance Auditor Oversight Auditor Independence Corporate Responsibility Financial Disclosures Analyst conflicts of interest civil and criminal penalties for fraud and document

destruction

Auditor Oversight◦ common source of error.◦ No getting away from errors whether done intentional or

unintentional by the auditor

Auditor Independence ◦ More independence to auditors

Corporate responsibility – requires CEOs and CFOs to certify that reports have been

reviewed and to the best of their knowledge. CEO’s must evaluate internal controls before every

reporting

Financial Disclosures: All disclosures should be attested by top management. All events that might have impact on financial conditions

must be reported as soon as 48 hrs Analyst conflicts of interest : Manipulation is under scrutiny of top management thereby

reducing analyst conflicts of interest. Civil and criminal penalties : fine of up to $1,000,000, or imprisonment for not more

than 10 years, or both

IT Governance can be helpful in placing internal controls and thereby comply with SOX Act

IT Management: ◦ Narrow focus◦ ensures supply of IT services for normal operation.

IT Governance: ◦ includes IT Management◦ to plan how the organization could meet its goals through

optimal use of IT resources.

What are Internal Controls?

policies, procedures, practices, and organizational structures put in place to reduce risks

Are put in place all through the organization to reduce risks involved in various stages of operation

Objectives: economy and efficiency of operations reliability of financial and management reports compliance with laws and regulations

Unified approach for evaluation of Internal Control System Focuses on processes and people Has 5 control components that assures sound business

practices: ◦ Control Environment: management defines and communicates policies and

procedures to employees◦ Risk Management: Should be able to identify and analyze risks involved in

business.◦ Control Activities: Processes like approval, authorization, verification. Covers

entire organization.

◦ Information and Communication: Information should be able to make its way to the

appropriate person in a timely way through proper communication channels.

◦ Monitoring: Controls checked for proper functioning periodically .

Remedies made known to auditors and action taken.

Latest Version includes Objective setting, event identification and risk response

Framework consistent with COSO. Rich, robust and most widely used 4 domains , 34 control objectives Latest version is 4.1 Aligns IT with business objectives, quality standards,

monetary controls and security needs

Planning and Organization : Assess how IT will be able to meet business needs

Acquisition and Implementation : IT solutions have to be developed or acquired to meet objectives

Delivery and Support : Continuous delivery and support of systems

Monitoring: monitors all IT process for quality and compliance with control requirement

COSO is useful for management while COBIT is useful for IT management, users, and auditors.

COSO is focused on effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations

COBIT is used to support business requirements and the associated IT resources and processes

COSO is the model of choice for The Security and Exchange Commission

Cost of Compliance: Average industry spending per year – $6 billion. Not suitable for small corporations.

Continuous checking of Internal Controls Maintaining Data Integrity Security Communication and Integrity

http://en.wikipedia.org/wiki/COBIT#COBIT_structure

http://www.sox-online.com