Internal Controls and IT


IT plays an ever-increasing role in financial reporting, in particular through the amount of automation. Internal controls over IT are essential. Consequently they are central to any evaluation of compliance with Sarbanes-Oxley and section 404.

Section 404 requires public companies not only to confirm that they have internal controls in relation to financial reporting; those controls also have to be demonstrably effective.

IT has its own rules and good practice that act as guidance in setting internal controls. Financial reporting also has internal control guidance.

An important aspect of considering IT in relation to section 404 is that we only need to look at internal controls that touch upon financial reporting. Not all controls have an IT element, nor do all IT controls impact on reporting.

Reviewing IT controls is such a huge subset of internal controls that received wisdom is that a sub-committee of the main Sarbanes-Oxley steering/evaluation committee should be set up.

We shall discuss in depth how to review IT-related controls in upcoming articles. Three sources will be prominent in virtually all of them.

Internal controls and their evaluation for financial reporting are extensively covered in the Internal Control - Integrated Framework published by the Committee of Sponsoring Organisations of the Treadway Commission (referred to as the COSO framework). This document is referred to in Sarbanes-Oxley as a source of guidance. Consequently it is widely cited in evaluation.

The COSO framework identifies 5 elements that go to make up a company's internal controls.

The IT Governance Institute produce the industry standard on guidance for IT controls, Control Objectives for Information and related Technology. The scope of this framework covers the entire range of IT controls, far wider in fact than just those with financial implications.

A bridge between the two was needed to focus attention on the cross-over between the two frameworks. This has been provided by the Information Systems Audit and Control Association (ISACA). Their document, IT Control Objectives for Sarbanes-Oxley, is required reading for anyone evaluating this area of controls.
