搜索
TheImportanceofITControlstoSarbanes-OxleyCompliance.©2004Deloitte&ToucheLLPImportanceofITControlstoSarbanes-Oxley2•Provideahigh-leveloverviewofSarbanes-Oxleyandtheinternalcontrolcertificationrequirements•Discusstheimportanceofinformationtechnologyininternalcontroloverfinancialreporting•DescribehowtheSarbanes-Oxleysection404rulesimpactinformationtechnology•ProvideanoverviewoftheCobitITcontrolframework•Provideanexampleofareadinessprogramroadmap•SummarizetheimportanceandimpactofITcontrolstoSarbanes-OxleycomplianceToday’sObjectives©2003FirmName/LegalEntityImportanceofITControlstoSarbanes-Oxley3SettingtheStage©2004Deloitte&ToucheLLPImportanceofITControlstoSarbanes-Oxley4SettingtheStage•Whatisinternalcontrol?–Internalcontrolisbroadlydefinedasaprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesinthefollowingcategories:–Effectivenessandefficiencyofoperations–Reliabilityoffinancialreporting–Compliancewithapplicablelawsandregulations•InternalcontrolisnowtheLaw–TheSarbanes-OxleyActof2002wascreatedtorestoreinvestorconfidenceinthepublicmarkets–Section404oftheActrequiresmanagementtoestablishandmaintaininternalcontrol–andrequirestheindependentauditorstoevaluate–Compliancedeadline:Year-endsonorafterNovember15,2004•PreparingforSarbanes-Oxleycomplianceisasignificantandchallengingtask–Therearemanyrequirements,includingtheidentificationofsignificantfinancialstatementaccounts,processesandsystemsthatsupportthemandthendocumentingandtestingthem©2004Deloitte&ToucheLLPImportanceofITControlstoSarbanes-Oxley5OverviewofInternalControlCertificationRequirementsSection302CertificationOverview•CEOandCFOtomakespecificcertificationsasoftheendofeachquarterlyandannualreportingperiod,including:–Reportcontainsnountruestatements–Reportisfairlypresentedinallmaterialrespects–Responsibilityfordesignandmaintenanceofdisclosurecontrolsandproceduresaswellasinternalcontrolsoverfinancialreporting•Becameeffectivein2002(amendedinJune2003)Section404CertificationOverview•CEOandCFOtocertifyasoftheendofeveryannualreportingperiod:–Theirresponsibilityforestablishingandmaintainingeffectiveinternalcontrolsoverfinancialreporting–Theirassessmentofinternalcontrols,accompaniedbytheindependentauditors’attestationreport•EffectiveforannualperiodsendingafterNovember15,2004(smallbusinessandforeignfilersJuly15,2005).©2003FirmName/LegalEntityImportanceofITControlstoSarbanes-Oxley6UnderstandingtheRulesImpacttoIT©2004Deloitte&ToucheLLPImportanceofITControlstoSarbanes-Oxley7UnderstandingtheRulesImpacttoIT•Managementisrequiredtoassessthedesignandeffectivenessofitsinternalcontroloverfinancialreportingandprovideanassertiontothateffectinthepublishedfinancialstatements.•Thecompany’sexternalauditorsarerequiredtoexpressanopiniononmanagement’sassessmentaswelltheirownopiniononthecompany’sinternalcontrols.•Auditormustperformawalkthroughofmajorclassesoftransactionsforsignificantprocessestounderstandprocessflows,andassessthedesignandeffectivenessofcontrolsincludingapplicationandITgeneralcontrols.•EvaluatethedesigneffectivenessofITcontrolstodeterminewhethertheyareproperlydesignedtoachieverelevantassertions.•PerformtestsoftheoperatingeffectivenessofITcontrolsthatarenecessarytoachieverelevantassertions.KeyComplianceRequirementsImpacttoITControls©2004Deloitte&ToucheLLPImportanceofITControlstoSarbanes-Oxley8(paragraph47)“Theauditorshouldobtainanunderstandingofthedesignofspecificcontrolsbyapplyingproceduresthatinclude…tracingtransactionsthroughtheinformationsystemrelevanttofinancialreporting”(paragraph73)“Mostprocessesinvolveaseriesoftaskssuchascapturinginputdata,sortingandmergingdata,makingcalculations,updatingtransactionsandmasterfiles,generatingtransactions,andsummarizinganddisplayingorreportingdata.Theprocessingproceduresrelevantfortheauditortounderstandtheflowoftransactionsgenerallyarethoseactivitiesrequiredtoinitiate,authorize,record,processandreporttransactions.”•ThePCAOBrulesareclear-auditorsmustunderstandhowtransactionsflowthroughthesystem…notarounditUnderstandingtheRulesImpacttoITcont’d©2004Deloitte&ToucheLLPImportanceofITControlstoSarbanes-Oxley9(paragraph69)“Theauditorshouldidentifyeachsignificantprocessovereachmajorclassoftransactionsaffectingsignificantaccountsorgroupsofaccountsand…•Understandtheflowoftransactions,includinghowtransactionsareinitiated,authorized,recorded,processed,andreported.•Identifythepointswithintheprocessatwhichamisstatement–includingamisstatementduetofraud–relatedtoeachrelevantfinancialstatementassertioncouldarise.•Identifythecontrolsthatmanagementhasimplementedtoaddressthesepotentialmisstatements.•Identifythecontrolsthatmanagementhasimplementedoverthepreventionortimelydetectionofunauthorizedacquisition,use,ordispositionofthecompany'sassets.•PCAOBstatementsapplicabletoApplicationControls:UnderstandingtheRulesImpacttoITcont’d©2004Deloitte&ToucheLLPImportanceofITControlstoSarbanes-Oxley10(paragraph40)“Determiningwhichcontrolsshouldbetested…Generally,suchcontrolsinclude…in