IT departments are allegedly straining under the weight of Sarbanes-Oxley compliance requirements, not to mention Basel II and HIPAA. How ready are they? We concentrate here on the evaluation of their existing IT controls.
Formal management of IT has been around for many years. The pervasiveness of IT in the modern firm makes controls over IT essential.
These IT controls may have been through design, operational and evaluation processes. Management may have taken the decision to base the IT control structure on a recognised framework. IT controls may also have been through a formal auditing process to give assurance.
Sarbanes-Oxley, and Section 404 in particular, has however rebuilt the environment. U.S. public companies and their auditors now have to attest to the effectiveness of internal controls in relation to financial reporting.
Whilst there are an extensive number of controls that a company can place on its IT operations and infrastructure, we are only concerned with those having an impact on financial reporting.
Does the IT organisation already document and evaluate IT controls? If it does, then taking part in any SOX review becomes a much less onerous task. If it is totally devoid of existing control documentation, a torrid time is likely.
Two frameworks are important in establishing the current state of control implementation.
From an IT management viewpoint, the Control Objectives for IT (COBIT) framework, produced by the IT Governance Institute, is incredibly influential.
The second is Internal Control - Integrated Framework from the Committee of Sponsoring Organisations (COSO) of the Treadway Commission for the prevention of fraud.
In terms of SOX, the COSO report or framework is much more influential, as the auditing standards strongly recommend its use.
The level of readiness in the IT organisation depends on the extent to which it has already implemented IT controls. A number of questions can be asked.
Have business process owners written requirements? In particular this refers to processes involving financial reporting.
IT should support the business. However, this has to be a two-way street. Business managers have to inform IT what they need. If managers involved in financial reporting processes have not laid down requirements, this will create extra work in the review.
Do IT controls meet requirements? Previously this would have been a purely internal question. The IT organisation and business counterparts could be as vague or accurate as they wanted.
Any review of internal controls for Sarbanes-Oxley will ask this question. Again, any prior work conducted to prove that IT does in fact meet requirements bodes well for the review.
Are policies documented? Policies that should be documented already cover IT security, availability and processing integrity. Note the documentation can be held electronically.
A number of tools are available to handle the documentation. These include the Corporate Assessment Accelerator and the IT Governance Center, both from Mercury.
Are roles and responsibilities understood and documented? This question need only concern those personnel connected with IT for financial systems.
Not only should everyone understand what their role is, but they should also know how Section 404 will affect them. When it comes to evaluating the IT controls, it will be essential that the right question is asked of the right person. Otherwise, miscommunication and simple errors will raise the cost of compliance.
Does IT document, evaluate and remediate IT controls annually? It would be wonderful if every organisation were to evaluate and remediate every year. However, this is a function of a highly optimised, process-oriented organisation. Hence, not many entities will do it.
Every bit of documentation and evaluation that is done before the SOX review will be useful.
Is a formal process in place for IT control deficiencies? An important part of complying with Section 404 is identifying material weaknesses and fixing them. Should the IT organisation already do this in the area of IT control deficiencies, then it should not be too much of a jump to SOX.
Is IT control effectiveness monitored and followed up? Does senior management check that the overall IT control framework is effective?