BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  


Sarbanes-Oxley Compliance: Implementing and Testing Key Controls in Your Information Systems Operations


The Sarbanes-Oxley Act of 2002 was passed in response to a series of major corporate and accounting scandals that had eroded public trust in accounting and financial reporting practices. The Act established a new quasi-governmental body, the Public Company Accounting Oversight Board (PCAOB), to oversee independent auditing firms, and it addresses issues such as auditor independence, corporate governance and enhanced financial disclosures.

Of all the major provisions, arguably the most significant for public companies is the requirement that they evaluate and disclose the effectiveness of their internal controls over financial reporting, and that their independent auditors attest to that disclosure. These requirements are covered by two sections, 302 and 404. Section 302 mandates that company officers certify that they are responsible for establishing internal controls and that they have evaluated the effectiveness of those controls. They are also required to report any significant changes to the company's internal controls over financial reporting.

Section 404 requires an internal control report, accompanying the company's annual report, that contains management's assessment of the effectiveness of the company's internal control structure and procedures over financial reporting. Both the PCAOB and the SEC, which are charged with enforcing the Act, require that a recognized control framework, such as the Internal Control framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), be used in the assessment of controls.

Financial reporting processes are largely driven by IT systems, so companies must rely on the internal controls within those IT systems. To evaluate these IT controls, management has typically used COBIT (Control Objectives for Information and Related Technology), the control framework published by the Information Technology Governance Institute (ITGI).

One of the many "lessons learned" from the first year of Sarbanes-Oxley 302 and 404 implementation was the need for a more efficient and effective process for evaluating internal controls. Indeed, many institutions received the comment from their external auditor this year that they had identified too many key controls, which placed a larger-than-necessary burden on the information systems department, the internal auditor and the external auditor, all of which translated into lost productivity and increased operating and audit costs. Going forward, therefore, a holistic approach to identifying key controls is required.

In this webinar we will discuss an approach to identifying, evaluating and testing key IT controls and how they relate to the COSO and COBIT control frameworks. The session will start by reviewing the key provisions of Sarbanes-Oxley 302 and 404 and how they relate to information technology processes. Next, we will review the concepts of internal control over financial reporting and the COSO and COBIT control frameworks. We will look at controls implemented at the highest levels of an organization (entity-level controls) and those implemented within a particular business process. In addition, we will review the two fundamental types of IT controls: application controls and general controls. The controls reviewed during the webinar can be used as a foundation for any Sarbanes-Oxley control assessment.

Copyright © 2007 BankInfoSecurity.com