1 Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister
2 Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles. I am an accountant with 28 years experience working in various International Control & IT roles. I am British and resident in the US. I am British and resident in the US. I speak 4 languages, but unfortunately not Japanese. I speak 4 languages, but unfortunately not Japanese. I was involved in the implementation of the BP SOX program in 2004 & 2005 and was instrumental in the implementation of COBiT version 3 and compliance processes. I was involved in the implementation of the BP SOX program in 2004 & 2005 and was instrumental in the implementation of COBiT version 3 and compliance processes.
3 AGENDA Some Context about Compliance Sarbanes Oxley Differences in Japan & Other countries The BP Process In SOX Using COBiT Selection & mapping. BP Gap Analysis & Remediation Criteria Key Learning s & Some Tips for You
4 Sarbanes-Oxley (SOX) Act Highlights Established the Public Company Accounting Oversight Board (PCAOB) and gave it broad powers to oversee the public accounting firms Introduced new limitations on auditors including mandatory partner rotation and limits on services Requires new disclosure controls that inform corporate officers of material information during the reporting period
6 SOX 404 Requires management to include an internal control report in each SEC filing that: - States the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and - Contains an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures Requires an audit of management s report on internal controls
7 SOX Effect on Other countries SOX legislation coming to Japan, Canada, South Africa & Europe. COBiT & COSO I Frameworks become more important in documenting and testing the effectiveness of internal controls. Some Differences external Auditors are NOT required to attest to Management s attestation on Internal Controls in Canada.
8 Relationships Between IT & Business Financial & Business Teams review manual and automated business process controls Business Processes Applications Data/DBMS Platforms Networks Physicals Application Manager and IT SOX perform Application General Controls and Application Security Reviews Data Center Operations Manager and IT SOX evaluate supporting infrastructure for all financial applications as a part of the IT General Controls review An effective automated business process control requires effective operating IT controls
9 Overview of SOX Program Agree Processes & Applications Evaluate/Document Prioritise Gaps, agree Timeline Remediate Gaps Monitoring/Reporting (Operate)
10 Overview of ICE/DCT SOX Program Agree Processes & Applications Evaluate/Document Prioritise Gaps, agree Timeline Remediate Gaps Monitoring/Reporting (Operate) Finance Decisions on scope Agree in-scope processes Identify supporting applications Agree control framework Agree gap prioritisation process Agree remediation timetable Agree Financial Control monitoring & compliance process
11 Overview of ICE/DCT SOX Program Agree Processes & Applications Evaluate/Document Prioritise Gaps, agree Timeline Remediate Gaps Monitoring/Reporting (Operate) Finance Decisions on scope Agree in-scope processes Identify supporting applications Agree control framework Agree gap prioritisation process Agree remediation timetable Agree Financial Control monitoring & compliance process 4 Workstreams: Application Business Controls Evaluate in Batches IT Owns & Implements Application General Controls Application Security Review 100 Applications & 10 data centres Applications + 10 data centres IT General Controls
12 Overview of ICE/DCT SOX Program Agree Processes & Applications Evaluate/Document Prioritise Gaps, agree Timeline Remediate Gaps Monitoring/Reporting (Operate) Finance Decisions on scope Agree in-scope processes Identify supporting applications Agree control framework Agree gap prioritisation process Agree remediation timetable Agree Financial Control monitoring & compliance process 4 Workstreams: Application Business Controls Evaluate in Batches Identified COBIT Gaps Identified COBIT Gaps Tier 1 IT Own, Fund, Deliver Plan Process embedded across IT IT Owns & Implements Application General Controls Application Security Review IT General Controls 100Applications & 150data centres Applications + 10 data centres Tier 2 Tier 3 Tier 4r Filter gaps Challenge gaps Integrate with IT plans IT Central (data centres) IT Segments & functions (applications) Repeatable annual process Staff trained Internal resource
13 Overview of SOX Program Agree Processes & Applications Evaluate/Document Prioritise Gaps, agree Timeline Remediate Gaps Monitoring/Reporting (Operate) Finance Decisions on scope Agree in-scope processes Identify supporting applications Agree control framework Agree gap prioritisation process Agree remediation timetable Agree Financial Control monitoring & compliance process 4 Workstreams: Application Business Controls Evaluate in Batches Identified COBIT Gaps Identified COBIT Gaps Tier 1 IT Own, Fund, Deliver Plan Process embedded across IT IT Owns & Implements Application General Controls Application Security Review IT General Controls 100 Applications 10 data centres Applications + 10 data centres Tier 2 Tier 3 Tier 4r Filter gaps Challenge gaps Integrate with IT plans IT Central (data centres) IT segments & functions (applications) Repeatable annual process Staff trained Internal resource Group-wide integrated plan Documented CETs & Gaps Prioritised set of gaps & Timeline Gaps remediated by IT IT own on-going process IT Progress Reporting:
14 Why COBiT. Page 29 How was CobiT chosen Control Systems considered COBIT ISO ITIL (Information Technology Infrastructure Library) Assessment criteria used Control needs of SOX: Consistency with the General and Application control needs of SOX. COBiT more comprehensive. Extent of use outside BP: The use of each system by other companies for this purpose
15 Why COBIT H O W HIGH ITIL ISO COBIT D E T A I L E D MED LOW COSO TURNBULL LOW MED HIGH BREADTH OF IT CONTROL COVERAGE
16 Why COBiT.
17 Why COBiT.
18 Why COBiT.
19 CobiT v3 Overview July RED IT Processes are a part of the DCT SOX Control Framework [12 Control processes- 68 Control Activities] Monitor the Process Assess Internal Control Adequacy Obtain Independent Assurance Provide for Independent Audit Define the IT Plan Define the Information Architecture Define the Technology Direction Define the Organization and Relationships Manage the IT Investment Planning and Organization Communicate Management Aims Manage HR Ensure Compliance with External Requirements Assess Risks Manage Projects Manage Quality Monitoring Information and IT Systems Acquisition and Implementation Define Service Levels Manage Third Party Services Manage Performance and Capacity Ensure Continuous Service Ensure System Security Identify and Attribute Costs Educate and Train Users Delivery and Support Assist and Advise IT Customers Manage the Configuration Manage Problems and Incidents Manage Facilities Manage Data Manage Operations Identify Solutions Acquire (Develop) and Maintain Application Software Acquire and Maintain Technology Infrastructure Develop & Maintain Procedures Install and Accredit Systems Manage Changes
20 CobiT v4 Overview August 2006 Amendments for Compliance Business as Usual RED IT Processes are a part of the DCT Compliance Control Framework [11 Control processes 32 Control Activities] Monitor & Evaluate IT performance Monitor & Evaluate Internal Control Ensure regulatory Compliance Provide IT Governance Define the IT Plan Define the Information Architecture Define the Technology Direction Define the IT processes, Organization and Relationships Manage the IT Investment Planning and Organization Communicate Management Aims Manage HR Manage Quality Assess & Manage IT Risks Manage Projects Monitoring Information and IT Systems Acquisition and Implementation Define Service Levels Manage Third Party Services Manage Performance and Capacity Ensure Continuous Service Ensure System Security Identify and Allocate Costs Educate and Train Users Delivery and Support Manage Service Desk & Incidents Manage the Configuration Manage Problems Manage Data Manage Physical Environment Manage Operations Identify Automated Solutions Acquire (Develop) and Maintain Application Software Acquire and Maintain Technology Infrastructure Enable Operations & Use Procure IT Resources Manage Changes Install and Accredit Systems
21 IT Risk Analysis Criteria Filter Activity Identified BP BP COBIT COBIT Gaps Gaps 1) 1) COBIT COBIT Summary Summary Rank CP CP Level Level 2) 2) COBIT COBIT Detailed Detailed ranking CO CO level level 3) 3) ICE ICE Financial Financial Tier Tier Rankings Rankings 1st Filter 2nd Filter 3 rd Filter COBIT Gap Criteria Control Process Level COBIT Gap Criteria Control Objective level Tier 1 to Tier 4 4) 4) Additional Additional Business Business info info 4 th Filter A prioritised set of Sarbanes Oxley gaps Global vs. Local, Prior Audit etc. E-learning suitability
23 Key GAP Prioritization Explained 1) 1) COBIT COBIT Summary Summary Rank CP CP Level Level Identified COBIT Gaps Identified COBIT Gaps Effectiveness The degree to which the Control Objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, costs and effort. [ COBiT On-line] Tier 1 Tier 2 Tier 3 Tier 4r 2) 2) COBIT COBIT Detailed Detailed ranking CO CO level level
24 Key GAP Prioritization Explained 1) 1) COBIT COBIT Summary Summary Rank CP CP Level Level Effectiveness The degree to which the Control Objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, costs and effort. [ COBiT On-line] Identified COBIT Gaps Identified COBIT Gaps Tier 1 Tier 2 Tier 3 Tier 4r 2) 2) COBIT COBIT Detailed Detailed ranking CO CO level level Colour Coding: COBIT HIGH split into Very High AI6 & DS5 VH Change Management & Ensure System Security. Maps to ICE tier 1 HIGH Remaining COBIT Reds Maps to ICE Tier 2 H M L N Medium As Per COBIT- Maps to Ice Tier 3 Low As per COBIT maps to ICE Tier 4 No Gap 0 Rank Maps to BP Risk convention
25 Key GAP Prioritization Explained 3) 3) ICE ICE Financial Financial Tier Tier Rankings Rankings Identified COBIT Gaps Identified COBIT Gaps Tier 1 Tier 2 Tier 3 Tier 4r 4) 4) Additional Additional Business Business info info Financial Criteria Maps one to one with the COBIT ranking - Tier One - = > $100m COBiT Very High - Tier Two < $100m > $20m COBiT High - Tier Three < $20m > $1m COBiT Medium - Tier Four < $1m - COBiT Low Other Criteria Example Application $ Throughput - Very High - > $1b - High > $1b < $1b > $250m - Medium < $250m > $100m - Low < $100m
27 Key Learning s & Some Tips For you Do Not Use COSO alone, it is not detailed enough for IT. ISO is NOT ENOUGH. It does not cover well the following:- - Data Management - Third Party processes - IT Delivery & Support Operations - Audit & Governance issues - Software & Hardware development controls - Segregation of Duties Consult & Agree your framework with your external auditors before you implement your program. Do not select too many COBiT control objectives and control practices. Simplify & Simplify. Concentrate on Key IT Control deficiencies that are high or are a critical risk:- - Change Management Issues - Access Controls & Segregation of Duties - Some Data Management Issues like back ups & storage. Include your IT applications (e.g. SAP) with your business process documentation. Why? Most of your business controls are defined by your systems and applications.
28 Key Learning s & Tips continued.. Do not Test too many applications & processes take a Risk & Business Impact Approach. Look out for spreadsheets. Errors in relatively simple spreadsheets can result in potentially material misstatements in financial results. - The best feature is their worst flexibility - Use Pricewaterhouse-Coopers Five step process - Inventory Spreadsheets - Evaluate use, complexity - Determine level of controls - Evaluate existing controls - Develop remediation
29 Key Learning s & Tips continued.. Use Frameworks like COSO & COBiT as benchmarks, they don t give you the answers or the specific controls, only the templates; tailor them to your company s needs Beware . E.G. Spreadsheets ed to controllers for consolidation. Potential security & storage issue. Beware use of compliance tools/software. It is still not a mature market. Consider how you will administer Third Parties & Outsourced Partners Assign Accountabilities for each Business & IT process (e.g. Order to Pay for Business & Change Management for IT Note Segregation of Duties is a business accountability but facilitated by IT)
31 Thank you
33 What Role Does IT Play? Infrastructure Application Controls Business Partner to ensure controls are operating effectively across the organization New Applications
34 Process vs. Control Control Objective: User access to network is appropriately assigned. Example of Process: Management reviews user access on a monthly basis. Example of Control: Management reviews and signs off on a report generated on a monthly basis containing user accounts and roles to ensure appropriateness and accuracy.
35 A New Internal Control Paradigm PCAOB Guidance Examples of Documentation: Documentation that provides reasonable support for management s assessment of the effectiveness of internal control over financial reporting covers: The design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements, Information about how significant transactions are initiated, recorded, processed, and reported, Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur, Controls designed to prevent or detect fraud, Controls over the period-end financial reporting process, Controls over safeguarding of assets, and The results of management s testing and evaluation.
36 Identification of Control Points Definition of a control point: 1. An action within a process where the key data changes form; 2. A handoff between individuals or programs within a process; or 3. A handoff between software applications
37 Control Type Categories Identifying the control types may reveal an over-reliance on a particular type of control or an absence of a key control type Policies & Procedures Authorization Controls Key Performance Indicators Management Review Detailed (Data Comparison) Reconciliation Segregation of Duties System Access Automated Exception Report
38 Control Categories - Definitions Policies & Procedures Policy and procedure control documentation is often needed where directly linked adhering to standard policies and procedures is critical to the effectiveness of the control, especially where control procedures cross organizational or geographic boundaries. Policies and procedures related controls generally include formal written documents that have been recently updated, and is both accessible and used by the individuals involved in executing the control activities documented. Authorization Controls Approval of transactions executed in accordance within authority as set by senior management's general or specific policies and procedures Key Performance Indicators Key performance indicators are financial and non-financial quantitative measurements that are: Collected by the entity, either continuously or periodically Used by management to evaluate the extent of progress toward meeting the entity's defined objectives In order for key performance indicators to be an effective control, they must have a level of precision that enables detection of errors 38
39 Control Categories - Definitions Management Review Management review is a review conducted by someone, other than the preparer of the transaction or journal entry, who analyses and oversees activities performed. In many instances, it will be a manager reviewing the work of a subordinate. However, it is not limited to this. It may include co-workers reviewing each other's work. Detailed A detailed control activity consists of a comparison between two sets of data. An example of a detailed control could be a comparison between two sets of information where the individual components of the data are compared. This control can be either a detailed manual control when the comparison is performed by humans, or a detailed automated control when the activity is performed by a system. Reconciliation A reconciliation is a control designed to check whether two sums match and identifying the differences between the two sums. It does not involve comparing on an item by item basis the information in two different sets of data.. 39
40 Control Categories - Definitions Segregation of Duties Segregation of duties is the separating of duties and responsibilities of authorizing transactions, recording transactions, and maintaining custody to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity. System Access System access are the access rights that individual users or groups of users have within a computer information system-processing environment, as determined and defined by the configuration of the system. Automated Exception Reports An exception report control shows a violation of a set standard to a responsible party who conducts follow ups and resolves the item. 40
41 General IT Controls
42 EXAMPLES GENERAL IT CONTROLS Information Security Management Of Philosophy & Policy Logical Security Over the Operating System Logical security Over Data Security within Applications Systems Administration & The Use of Privileged Accounts Physical Security Network/Dial-up Access External Network Connections
43 Computer Operations Service Level Agreements Problem Management Business Continuity Network Management Operational Performance & Data Centre Environment. Scheduling, preparing & running batch processes. Backup & Recovery Upgrades To System software.
44 Development & Implementation Requirements Definition Design & build in-house systems or package selection. Unit, system & user testing Data Conversion Go-Live decision Documentation & training
45 Program Change Control Management of maintenance activities Specification, authorization & tracking of change requests. Unit, system & user testing Authorization of transfers to live environment Updating technical & user documentation & training. Database Administration
46 Relationship Between General IT & Application Controls. General IT Controls contribute to the effectiveness of application controls. General controls do not provide direct coverage of application control objectives.( E.g. completeness, accuracy, validity, restricted access) When designing & relying on application controls, the strength of the underlining general controls needs to be considered.
47 Relationship Between General IT & Application Controls General Controls Ensure that overall It environment is well controlled The It Organization meets its intended purposes & there is proper management control over IT. Physical & logical security is correctly implemented & maintained. New apps & changes to existing apps are properly authorized. Application Controls Ensure that computer applications process as intended Business processes may be enabled by one or more applications. Many Common applications utilize configurable controls. Controls to ensure the maintenance of data quality should be considered.
48 Relationship Between General IT & Application Controls Platform Security (IT) &Restricted Application Level Access. Inappropriate access to data libraries at for example the UNIX platform level, circumvents any good application level access controls that limits user access to specific transactions. External Network Security (IT) & validity controls ( Application) Weak Network Security that allows outsiders to access the internal network (e.g. from the internet, dial-up, or third party connections) increases the likelihood that unauthorized individuals will have an opportunity to enter invalid transaction data or standing data.
49 Relationship Between General IT & Application Controls Backup & Recovery (IT) & Completeness Controls (application) If a full day s transactions is lost due to a system disk crash, then all completed transactions entered that day would be lost and be required to be reentered the next day if possible Development & Implementation (IT) & Accuracy Controls ( Application) User acceptance testing performed by business area personnel during the system development lifecycle will help ensure that the necessary accuracy controls built into the application are working as planned prior to production rollout.
50 Relationship Between General IT & Application Controls Program Change Control (IT) & Accuracy Controls Application. Inadequate change control procedures over the application program code could allow programmers to modify the manner in which the application processes a transaction. This could intentionally or unintentionally disable input and /or balancing controls within the application that would identify transaction problems.
51 Relationship Between General IT & Application Controls Problem Management (IT) & Completeness Controls (Application) Inadequate procedures to identify and resolve system problems, could result in numerous application transactions being processed incompetently. For example, if the nightly batch processing was interrupted, good problem management procedures would be required to identify the problem, notify the proper personnel, correct the problem and restart the batch from the prior stopping point. Application Control for accuracy that requires a code to be present on a database is compromised if IT controls don t limit programmers form updating the database.
52 Application Controls
53 Application Controls Manual and automated controls exist to ensure that information within the business process is: Complete Accurate Valid and authorized Restricted form unauthorized access A combination of controls is needed to PREVENT, DETECT and CORRECT processing errors.
54 Application Control Objectives CAVIAR Completeness Accuracy Validity Restricted Access
55 Application Controls- Completeness All transactions are recorded, input and accepted for processing once and only once. All transactions that are input and accepted for processing are updated to the appropriate data file. Duplicates are rejected Rejected transactions are evaluated and reentered Once data is updated to a file, that data remains correct and current on the file and represents balances that exist.
56 Application Controls- Completeness Examples Invoice Numbering should be system assigned and sequential. Any interfaces to the General Ledger should be complete and accurate. When entering account information, all key fields are required to ensure completeness.
57 Application Controls- Accuracy Key Data elements are recorded and input to the system accurately through data entry design features. Changes to standing data are accurately input All transactions input and accepted for processing, update the appropriate file All transactions affect the proper accounting period **** Accuracy Controls are evaluated at the data element level.
58 Application Controls- Accuracy Examples SSN Data field enforces entry of 9 numeric characters. Customer credit limits determine amount range Business Unit limited to using their own GL accounts Correct Zip code required in address field Sales can only be entered in proper accounting period. Foreign currency tables are updated daily.
59 Application Controls- Validity Transactions are Authorized Transactions are not fictitious and they relate to the company. Changes To standard Data are authorized & reviewed
60 Application Controls- Validity Examples Buyer limits force to supervisor for additional approval. Customers who require non-standard prices require management approval. Only the HR manager can approve a new employee to be added via a special user ID. A sales Order will not be accepted unless customer number is present on Customer Master File. To achieve appropriate segregation of duties, no one user has the ability to: a) Update/create vendor in vendor master file b) Enter new invoices c) Select invoices for payment. Rate tables are maintained only by authorized users.
61 Application Controls Restricted Access Protect against unauthorized amendments of data. Ensure confidentiality of data. Protect physical assets such as cash and inventory from theft or misuse.
62 Application Controls Restricted Access Examples Periodic review of users on the system is performed to ensure users have access to those functions and data required to perform their job functions. IT personnel are granted only temporary access to production data. Sales teams have the ability to view all of their accounts and current opportunities Pending contracts are restricted from all but the legal dept. once terms are set. System controls user access by function User access forms are completed, appropriately approved & submitted to the Security Administrator
Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers
Sarbanes-Oxley Control Transformation Through Automation An Executive White Paper By BLUE LANCE, Inc. Where have we been? Where are we going? BLUE LANCE INC. www.bluelance.com 713.255.4800 email@example.com
IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai firstname.lastname@example.org May 3 rd, 2007 1 Table of Contents: Abstract...3
A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt email@example.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT
Risk and Controls 101 Agenda What is a Risk and Control? Controls 101 What is Risk and Control? Control Types Control Execution Control Categories A-123 Process here at LBNL Wrap-up Process Risk Map Control
Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall
1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...
November 25, 2009 e q 1 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2 IS Environment Back Office Batch Apps MIS Online Integrated
SARBANES-OXLEY SECTION 404 A TOOLKIT FOR MANAGEMENT AND AUDITORS VOLUME 2 Public Company Accounting Oversight Board The Public Company Accounting Oversight Board (PCAOB) was established by Congress under
Sarbanes-Oxley Section 404: Compliance s for Foreign Private Issuers Table of Contents Requirements of the Act.............................................................. 1 Accelerated Filer s...........................................................
1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8430 www.pcaobus.org STAFF VIEWS AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN
Industry Sound Practices for Financial and Accounting Controls at Financial Institutions Federal Reserve Bank of New York January 2006 FINANCIAL AND ACCOUNTING CONTROLS: INDUSTRY SOUND PRACTICES FOR FINANCIAL
Sarbanes-Oxley Section 404: Management s Assessment Process Frequently Asked Questions ADVISORY Contents 1 Introduction 2 Providing a Road Map for Management 3 Questions and Answers 3 Section I. Planning
Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with
Auditing Standard 5- Effective and Efficient SOX Compliance September 6, 2007 Presented to: The Dallas Chapter of the Institute of Internal Auditors These slides are incomplete without the benefit of the
IT Governance and Control: An Analysis of CobIT 4.1 Prepared by: Mark Longo December 15, 2008 Table of Contents Introduction Page 3 Project Scope Page 3 IT Governance.Page 3 CobIT Framework..Page 4 General
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT
Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers
SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting
WHITE PAPER Sarbanes - Oxley Section 404: How BMC Software Solutions Address General IT Control Requirements TABLE OF CONTENTS Executive Summary 2 Sarbanes-Oxley Section 404 Internal Controls 3 IT Involvement
The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* July 2004 *connectedthinking The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act Introduction
IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations
Compliance and Ethics at the Federal Reserve Bank of New York Operational Risk and Internal Audit Course Marina Adams, Compliance Officer and AVP David K. Clune, Compliance and Ethics Officer Kevin White,
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
Asset Manager Guide to SAS 70 Issue Date: October 7, 2007 Asset Management Group A s s e t M a n a g e r G u i d e SAS 70 Table of Contents Executive Summary...3 Overview and Current Landscape...3 Service
G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS
Accountability is unable to govern service processes No consistent or communicated policies procedures structure is inadequate Policies procedures are maintained Roles responsibilities are identified Policies
Sarbanes-Oxley Section 404: Compliance s for Foreign Private Issuers As of March 14, 2005 Table of Contents Requirements of the Act.............................................................. 1 Accelerated
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association
Information Technology Auditing for Non-IT Specialist IIA Pittsburgh Chapter October 4, 2010 Agenda Introductions What are General Computer Controls? Auditing IT processes controls Understanding and evaluating
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
FLASH REPORT Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and On February 15, 2007, the Business Accounting Council of the
Communicating Internal Control 1843 AU Section 325 Communicating Internal Control Related Matters Identified in an Audit (Supersedes SAS No. 112.) Source: SAS No. 115. Effective for audits of financial
DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...
SARBANES OXLEY: ACHIEVING COMPLIANCE BY STARTING WITH ISO 17799 Dwight A. Haworth and Leah R. Pietron Compliance with the Sarbanes Oxley Act of 2002 (SOX) has been hampered by the lack of implementation
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
Report on Office of the Superintendent of Financial Institutions Corporate Services Sector Human Resources Payroll April 2010 Table of Contents 1. Background... 3 2. Audit Objectives, Scope and Approach...
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
Activity Code 11510 B-1 Planning Considerations Information Technology General System Controls Audit Specific Independence Determination Members of the audit team and internal specialists consulting on
COBIT & ITIL usage for SOX current and future Robert E Stroud International Vice President ISACA Evangelist ITSM & IT Governance CA, Inc. Japan, November 8, 2007 Trademark Notice ITIL is a registered trademark
As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons
1 General Computer Controls Governmental Unit: University of Mississippi Financial Statement Date: June 30, 2007 Prepared by: Robin Miller and Kathy Gates Date: 6/29/2007 Description of computer systems
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT ORGANIZATION,
ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk
Internal Control ACCA P1 Internal Control Turnbull Report 1999 provided guidance for creating strong internal control system and later incorporated into Combined code, it was last revised in 2005 and still
Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international
Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of
Page 1 of 7 A. GENERAL 1. PURPOSE The purpose of the Audit Committee (the Committee ) of the Board of Directors (the Board ) of Teck Resources Limited ( the Corporation ) is to provide an open avenue of
3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting
What Should IS Majors Know About Regulatory Compliance? Working Paper Series 08-12 August 2008 Craig A. VanLengen Professor of Computer Information Systems/Accounting Northern Arizona University The W.
CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 13-28 June 28, 2013 Henry Mendoza, Chair Lupe C. Garcia, Vice Chair Rebecca D. Eisen Steven M. Glazer William Hauck Hugo N. Morales Members,
Sarbanes Oxley Act Statement of Ability An AdRem Software White Paper 2009 AdRem Software, Inc. This document is written by AdRem Software and represents the views and opinions of AdRem Software regarding
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
W H I T E P A P E R The Challenges and Myths of Sarbanes-Oxley Compliance Meeting the requirements of regulatory legislation on the iseries. SOX-001 REV1b FEBRUARY 2005 Bytware, Inc. All Rights Reserved.
Auditor General s Office Governance and Management of City Computer Software Needs Improvement Transmittal Report Audit Report Management s Response Jeffrey Griffiths, C.A., C.F.E Auditor General, City
COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,
Sarbanes-Oxley Compliance for Cloud Applications What Is Sarbanes-Oxley? Sarbanes-Oxley Act (SOX) aims to protect investors and the general public from accounting errors and fraudulent practices. For this
Fraud and Role of Information Technology September 2008 Agenda IT Value Proposition Slide 2 Prior Interpretations of Internal Control Structure Have Addressed Three Separate Parts Which Were Audited Somewhat
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:
Internal Audit Audit Report Audit of NSERC Award Management Information System TABLE OF CONTENTS 1. EXECUTIVE SUMMARY... 2 2. INTRODUCTION... 3 3. AUDIT FINDINGS- BUSINESS PROCESS CONTROLS... 5 4. AUDIT
1 Introduction The Information Technology Infrastructure Library (ITIL) aims to improve the management of IT services within the organization, for lowered costs, improved efficiency and productivity. But
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
Using Assurance Models in IT Audit Engagements Adrian Baldwin, Yolanta Beres, Simon Shiu Trusted Systems Laboratory HP Laboratories Bristol HPL-2006-148R1 January 29, 2008* audit, assurance, compliance,
Using SIEM for Compliance Adrian Lane Security Strategist Securosis.com Overview SIM/SEM Introduction Compliance Initiatives Implementation Examples Tips Other Considerations Evolution of Terminology SIM
COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)
CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Audit of Information Technology Services Department Project No. AU10-012 September 1, 2011 Audit of Information Technology Services Department Executive Summary
Audit Report Financial Management Information System Centralized Operations March 2003 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested
Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government