KnowledgeLeader Blog

Protiviti publishes new “Guide to the Sarbanes-Oxley Act: IT Risks and Controls”

Posted by Dave Goff on Wed, Jan 02, 2013 @ 04:47 AM

Protiviti has published the second edition of its popular booklet, Guide to the Sarbanes-Oxley Act: IT Risks and Controls.

This publication is the definitive resource guide on IT risks and control issues related to compliance with SOX Section 404. It is a 45-page booklet covering an array of SOX-related topics in a question-and-answer format.

There are seven sections, outlined below:

Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley

Sample questions answered -

  • Is there an overall approach to IT risk and control consideration that should be followed?
  • Why is it so important to consider IT when evaluating internal control over financial reporting?
  • What guidance does COSO provide with respect to IT controls?
  • If a Section 404 project strictly and only follows COBIT, will the project be compliant with the Section 404 compliance efforts?

There are a total of 20 questions answered in this section.

Entity Level Considerations

Sample questions answered -

  • How does management consider the entity-level issues around IT risks and controls?
  • What IT governance issues should be considered for purposes of complying with Sections 404 and 302 of Sarbanes-Oxley (SOX)?
  • What are examples of weak entity-level control environments?

There are a total of 8 questions answered in this section.

Activity/Process-Level Considerations – The Role of Application and Data-Owner Processes

Sample questions answered -

  • What are the roles and responsibilities of the application and data owners in relation to the IT organization?
  • What processes should be in place with respect to establishing proper security and segregation of duties?
  • If application and data-owner process controls are designed and operating effectively, what is the impact on the evaluation of internal control over financial reporting?

There are a total of 8 questions answered in this section.

Activity/Process-Level Considerations – Application-Level Controls

Sample questions answered -

  • What are the application-level control considerations?
  • How is an appropriate application baseline established?
  • How does the Section 404 compliance team determine the critical applications for each key business process?

There are a total of 10 questions answered in this section.

Documentation

Sample questions answered -

  • How much documentation should the IT organization and the application and data owners have in place to evidence the controls and functioning of the applications?
  • How should the Section 404 compliance team document the IT controls at the entity level?

There are a total of 4 questions answered in this section.

Testing

There is one question answered in this section:

  • How are IT controls tested?

Addressing Deficiencies and Reporting

There are two questions answered in this section:

  • How should management address deficiencies and gaps in IT controls?
  • How will the external auditor view IT controls during the attestation process?

The questions listed in this booklet are ones that have arisen in Protiviti’s discussions with clients and others in the marketplace who are dealing with the discussed requirements. The responses and points of view are based on Protiviti’s extensive experience assisting companies as they document, evaluate and improve their internal control over financial reporting, and as they continue to improve their executive certification process.

This is an incredible resource for companies currently dealing with the Sarbanes-Oxley Act (SOX) and the associated IT Risks and Control issues.

Find the Guide to the Sarbanes-Oxley Act: IT Risks and Controls here.

Topics: enterprise risk management, Sarbanes-Oxley, audit team, IT audit, COSO Framework, COSO, SOX, Data Integrity Risk, IT strategy, methodology, Application-Level Controls
