IT Readiness for Section 404


IT departments are overburdened with work to prove Sarbanes-Oxley compliance, or so the computer press says. How can we measure the readiness of IT organisations to face up to regulatory requirements?

This article concentrates on Sarbanes-Oxley; however, IT organisations also face a raft of other new regulatory regimes, including the International Financial Reporting Standards (IFRS) and Basel II. Any measurement of readiness for SOX can be extrapolated to these as well.

Only Sarbanes-Oxley, though, applies to all publicly listed companies in the US. Foreign companies listed in the US and subsidiaries of US companies are also affected.

When embarking on a review of the section 404 related IT controls, it is appropriate to consider the readiness of the IT organisation to handle such an enterprise.

IT readiness is not a one-size-fits-all measurement. Each organisation has to be viewed independently and evaluated accordingly.

Two frameworks are very important in any evaluation of IT controls and internal controls: Control Objectives for Information Technology (COBIT) and the Committee of the Sponsoring Organisations of the Treadway Commission (COSO) for the prevention of fraud.

The COSO report is important because it is specifically mentioned in the Securities and Exchange Commission guidance on implementing section 404.

Section 404 requires public companies and their auditors to confirm not only that they have internal controls, but their effectiveness as well.

In the context of 404, IT controls are important only insofar as they impact financial reporting. It is important to remember that every company or entity is different. An IT control that has a huge impact on financial reporting at company A might have little or no impact at company B.

Before the evaluation can begin in earnest, the IT organisation needs to take a look at itself. The auditors and the overall SOX steering team also need to know the readiness of IT.

To determine the readiness of IT to help evaluate the IT controls for SOX purposes, we need to ask three questions.

1) Is the IT department involved with financial reporting integrated with the review of internal controls for section 404?

2) Does the IT department document and evaluate their IT controls?

3) Does the executive management of the company appreciate the impact that IT controls and IT in general have on financial reporting and, consequently, section 404?

In the coming weeks we shall be looking at this subject in greater depth.
