IT Controls for Section 404


Evaluating IT controls within the context of the Sarbanes-Oxley Act 2002 is a huge subject, but an important one: any evaluation for section 404 has to take them into account.

The two most important sources of information are the Control Objectives for Information and related Technology (COBIT) for IT management and, for Sarbanes-Oxley itself, COSO's Internal Control - Integrated Framework.

COSO splits IT into two types of control, general and application.

Application controls are supported by the wider general controls. Both are needed together to ensure the accuracy of information processing and the integrity of the resulting information.

General Controls are designed to ensure that the organisation can rely upon the information generated from its applications. Examples:-
 *System software controls - these relate to the acquisition, implementation and maintenance of software, database management, security software, telecommunications software and utilities.
 *Data centre operations - operator actions, data backup, job setup and scheduling and recovery procedures.
 *Access security controls - these prevent inappropriate and unauthorized use of the system.
 *Application system development and maintenance controls - change management, development methodology, system design, system implementation, documentation requirements, approvals and checkpoints to control projects.

Application Controls prevent or detect unauthorized transactions. They are embedded within the software programs that make up the application. Combined with other controls as necessary, they ensure the completeness, accuracy, authorization and validity of transactions processed by the application.

Types of application controls:-
 *Pre-defined data listings - these restrict the user to a certain range of options, for instance a list of credit-checked customers.
 *Check digits - an account number carries a check digit that validates it.
 *Balancing control activities - these detect data entry errors by reconciling the captured amounts to a control total. This can be done automatically or manually.
 *Data reasonableness tests - does the data fall within the limits set? For instance, a request to print a welfare cheque for $100,000 would have to be investigated.
 *Logic tests - these include range limit tests and value/alphanumeric tests. For instance, bank sort codes have a pre-defined format and ranges for individual banks.
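The application controls listed above, implemented over a constructed batch of payment transactions. This is an added example, not code from the original page; the customer list, the check-digit algorithm (Luhn mod 10, since the page names none), the $100,000 reasonableness limit and the NN-NN-NN sort code format are all assumptions.

```python
import re
from decimal import Decimal

# Pre-defined data listing: only credit-checked customers may be selected (constructed list).
CREDIT_CHECKED_CUSTOMERS = {"C001", "C002", "C003"}
# Reasonableness limit: payments of this size or more must be investigated (assumed value).
REASONABLENESS_LIMIT = Decimal("100000")
# Logic test: UK bank sort codes are formatted NN-NN-NN (assumed format check only).
SORT_CODE_RE = re.compile(r"^\d{2}-\d{2}-\d{2}$")


def check_digit_valid(account_number: str) -> bool:
    """Check-digit test using Luhn mod 10 (the page names no algorithm; this is an assumption)."""
    if not account_number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(account_number)):
        digit = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def validate_transaction(txn: dict) -> list:
    """Apply the per-transaction controls; returns the failures (empty list means accepted)."""
    failures = []
    if txn["customer"] not in CREDIT_CHECKED_CUSTOMERS:
        failures.append("customer not on credit-checked list")
    if not check_digit_valid(txn["account"]):
        failures.append("account number fails check digit")
    if not SORT_CODE_RE.match(txn["sort_code"]):
        failures.append("sort code format invalid")
    if txn["amount"] <= 0 or txn["amount"] >= REASONABLENESS_LIMIT:
        failures.append("amount fails reasonableness test")
    return failures


def batch_balances(batch: list, control_total: str) -> bool:
    """Balancing control: captured amounts must reconcile to the control total keyed by the operator."""
    return sum(t["amount"] for t in batch) == Decimal(control_total)


# Constructed sample batch: T1 is clean, T2 names an unlisted customer, T3 fails three tests.
SAMPLE_BATCH = [
    {"id": "T1", "customer": "C001", "account": "79927398713", "sort_code": "12-34-56", "amount": Decimal("250.00")},
    {"id": "T2", "customer": "C009", "account": "12345678903", "sort_code": "12-34-56", "amount": Decimal("99.50")},
    {"id": "T3", "customer": "C002", "account": "79927398710", "sort_code": "123456", "amount": Decimal("100000")},
]
```

Running `validate_transaction` over each item and `batch_balances` over the whole batch gives the per-transaction rejections and the batch reconciliation result that an auditor would expect such controls to produce.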

Increasingly, application controls are automated. As a result, the general controls that the automated controls depend on are increasing in importance.


Of the five components that make up the COSO integrated framework for internal controls, most IT controls correspond to control activities. However, they do touch on the other four as well.

