The Importance of IT Controls to Sarbanes-Oxley Compliance
2004 Deloitte & Touche LLP

Today's Objectives
- Provide a high-level overview of Sarbanes-Oxley and the internal control certification requirements
- Discuss the importance of information technology in internal control over financial reporting
- Describe how the Sarbanes-Oxley section 404 rules impact information technology
- Provide an overview of the Cobit IT control framework
- Provide an example of a readiness program roadmap
- Summarize the importance and impact of IT controls to Sarbanes-Oxley compliance

Setting the Stage

What is internal control?
Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

Internal control is now the law
- The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in the public markets
- Section 404 of the Act requires management to establish and maintain internal control and requires the independent auditors to evaluate it
- Compliance deadline: year-ends on or after November 15, 2004

Preparing for Sarbanes-Oxley compliance is a significant and challenging task
- There are many requirements, including the identification of significant financial statement accounts and the processes and systems that support them, and then documenting and testing them

Overview of Internal Control Certification Requirements

Section 302 Certification Overview
- CEO and CFO to make specific certifications as of the end of each quarterly and annual reporting period, including:
  - Report contains no untrue statements
  - Report is fairly presented in all material respects
  - Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting
- Became effective in 2002 (amended in June 2003)

Section 404 Certification Overview
- CEO and CFO to certify as of the end of every annual reporting period:
  - Their responsibility for establishing and maintaining effective internal controls over financial reporting
  - Their assessment of internal controls, accompanied by the independent auditor's attestation report
- Effective for annual periods ending after November 15, 2004 (small business and foreign filers: July 15, 2005)

Understanding the Rules' Impact to IT

Key Compliance Requirements
- Management is required to assess the design and effectiveness of its internal control over financial reporting and provide an assertion to that effect in the published financial statements.
- The company's external auditors are required to express an opinion on management's assessment as well as their own opinion on the company's internal controls.
- The auditor must perform a walkthrough of major classes of transactions for significant processes to understand process flows, and assess the design and effectiveness of controls, including application and IT general controls.

Impact to IT Controls
- Evaluate the design effectiveness of IT controls to determine whether they are properly designed to achieve relevant assertions.
- Perform tests of the operating effectiveness of IT controls that are necessary to achieve relevant assertions.

Understanding the Rules' Impact to IT, cont'd
(paragraph 47) “The auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting”
(paragraph 73) “Most processes involve a series of tasks such as capturing input data, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. The processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to initiate, authorize, record, process and report transactions.”
The PCAOB rules are clear - auditors must understand how transactions flow through the system, not around it.

PCAOB statements applicable to Application Controls
(paragraph 69) “The auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts and:
- Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported.
- Identify the points within the process at which a misstatement, including a misstatement due to fraud, related to each relevant financial statement assertion could arise.
- Identify the controls that management has implemented to address these potential misstatements.
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets.”

PCAOB statements applicable to IT General Controls
(paragraph 40) “Determining which controls should be tested. Generally, such controls include information technology general controls, on which other controls are dependent”
(paragraph 50) “Some controls have a pervasive effect on the achievement of many objectives, for example, information technology general controls over program development, program changes, computer operations, and access to programs and data”

The Importance of Information Technology in Internal Control over Financial Reporting
- For most organizations, IT is pervasive and critical to the financial reporting process
- Financial and routine business applications are commonly used to initiate, authorize, record, process and report transactions
- Relevant IT controls include:
  - application controls - those that are embedded in financial and business applications
  - general computer controls - the underlying infrastructure components that support the applications
- Statement made by the Public Company Accounting Oversight Board (PCAOB) on the impact of IT (paragraph 75): “The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting”

The Role of Information Technology in Internal Control over Financial Reporting, cont'd
[Diagram; its labels read:]
- Business Process: Sales Process, AR Mgt Process, FCRP
- Classes of Transactions: Sales, Returns, Write-offs
- Significant Account Balance: Balance Sheet (AR), Income Statement, G/L, Inventory, Other
- Process Stages: Initiate, Record, Process, Report
- Application Controls: SoD, Data integrity, Completeness, Validation
- General Computing Controls: Information Security, Operations, Database Impl. & Support, Network Support, Application Impl. & Maint., System Software Support

Link Accounts and Assertions to IT: An Example
- Account balance: Trade AR, Sales
- Classes of Transactions: Invoices, Sales orders
- Business Process: AR, Sales Order processes
- Process Stages: Initiate, record, process
- Application Controls: Access controls; Built-in limits for credit approval; Restricted access to pricing table
- GCC Controls: Program change; Operations; Network & system security
[Diagram; its labels read:] Customer order entry, Invoice, Accounts Receivable; Sales sub-process: Order Processing, Customer controls, Order & supplier controls, Invoice controls; SAP, Oracle, Other Applications; IT Infrastructure: Networks, System Software, Databases and Information Security
General computing controls cover security access, change management, operations, systems and network support, data retention, etc.
Application controls cover authorized changes, segregation of duties, validity, completeness and timeliness of reporting of financial information.

Cobit IT Control Framework Overview

COBIT: A Model for General Computer Controls
- The IT Governance Institute has recently published “revised” guidance for IT professionals on how to address Sarbanes-Oxley from an IT perspective
- April 2004: “Sarbanes-Oxley; The importance of information technology in the design, implementation and sustainability of internal control”
- The publication is the result of a joint effort of industry and auditors, with leadership from Deloitte and others
- The ITGI is a recognized global leader in IT governance, control and assurance with members in more than 100 countries

- PCAOB designates COSO as the prescribed standard control framework, and it has become the control framework of choice for SOX compliance
- All 5 layers must be considered when evaluating internal control
- However, COSO does not provide specific guidance around IT control
- CobiT is a widely accepted IT control framework (ITGI)
- CobiT provides 4 domains of IT control
- CobiT controls address the 5 layers of COSO
- With the development of this approach, organizations can be confident that they are taking an approach that reflects COSO requirements
[Diagram: the COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) set against the CobiT objectives (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring), with Section 302 and Section 404 spanning both]
- Information Technology controls should consider the overall governance framework to support the quality and integrity of information
- Competency in all 5 layers of COSO's framework is necessary to achieve an integrated control program
- Controls in Information Technology are relevant to both the Financial Reporting and Disclosure requirements of Sarbanes-Oxley

COBIT: A Model for General Computer Controls, cont'd
- The ITGI publication provides guidance to IT professionals on how to meet the Sarbanes-Oxley challenge
- Detailed control objectives are provided for each CobiT domain and mapped to their respective COSO component
- Other control guidelines were reviewed and reconciled to this approach during the development process, including ISO17799, Common Criteria, ITIL, and SysTrust
- Organizations should assess their requirements on an individual basis and tailor their approach accordingly

[Table: CobiT control objectives mapped against the COSO components Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring; only the row headings survive, listed here by CobiT domain]
Planning & Organization
- Define a strategic IT plan
- Define the information architecture
- Determine technological direction
- Define the IT organization and relationships
- Manage the IT investment
- Communicate management aims and direction
- Manage human resources
- Ensure compliance with external requirements
- Assess risks
- Manage projects
- Manage quality
Acquisition & Implementation
- Identify automated solutions
- Acquire and maintain application software
- Acquire and maintain technology infrastructure
- Develop and maintain procedures
- Install and accredit systems
- Manage changes
Delivery & Support
- Define and manage service levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and allocate costs
- Educate and train users
- Assist and advise customers
- Manage the configuration
- Manage problems and incidents
- Manage data
- Manage facilities
- Manage operations
Monitoring
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide for independent audit

COBIT: A Model for General Computer Controls, cont'd
- The CobiT SOA framework identified a sub-set of these areas for the purpose of focusing on SOA requirements

Company level: Planning & Organizing / Monitoring
- Planning & Organization: IT strategic planning; IT organization and relationships; Management of human resources; Educate and train users; Information architecture; Communication of mgmt aims and direction; Assessment of risks; Manage the IT investment; Manage projects; Compliance with external requirements; Management of quality; Ensure continuous service; Performance and capacity
- Monitoring: Adequacy of internal controls; Independent assurance; Internal audit

Activity level: Acquisition and Implementation / Delivery and Support
- Program Development (SDLC)
- Program Changes
- Computer Operations (scheduling, backup, problem management)
- Access to programs and data (applications, database, operating system, network)

Top 5 List: 404 IT Controls Requirements

Security
- Application and platform based
- Focused on applications that may impact financials and supporting infrastructure
- Requires secure operating systems, database, network, firewalls and infrastructure
- Auditors will look for excessive access, lack of segregation of duties and inadequate approval of access; they will be testing key processes to determine that they are effective

Change Control
- Need to ensure that procedures are in place to control and ensure proper approval of changes to production
- Technical controls must tightly limit and control developer access to production

Disaster Recovery
- Focus will be on basic backup and recoverability of financial data

IT Governance
- Focus will be on determining if there are clear policies, procedures, and communications within IT
- Is there clear segregation of duties? Is there the appropriate “tone at the top” of the IT organization?

Development and Implementation Activities
- Proper controls need to be built in before a new system or system changes go into the production environment
- Auditors may evaluate new financial systems; data conversion and testing are critical

Most Common IT Control Gaps To Remediate
- Change control processes not fully in place (especially in distributed or web based environments)
- Security procedures, strategies, and pro not documented for critical applications
- Organizational security policies, procedures, and roles and responsibility gaps
- Security administration procedures lack appropriate controls or consistency
- Inadequate controls to delete or change access when an individual leaves or changes job responsibilities (especially contractors)
- Inadequate approval of access changes
- Access levels not regularly reviewed and approved by management
- Excessive access to systems
- Privileged access to operating system, database, and application environment
- Inadequate segregation of duties
- Application developers and DBAs have access to production
- Infrastructure supporting applications is not secure (network, operating system, database)
- IT controls not integrated into key business processes (e.g. SDLC, change control, compliance, testing and data conversion procedures)
- Lack of a regular process to verify that controls continue to be adequate and effective (at least quarterly)
- No long term strategy to evaluate and address risks
The areas that will get hit hardest are security and change control.

IT Control Readiness Roadmap
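Several of the access gaps the deck lists (leavers who keep their accounts, access granted with no approved request, privileged accounts, developers holding production access, access lists not reviewed at least quarterly) can be checked mechanically as part of a periodic user-access review. The Python script below is an added example and not part of the Deloitte presentation; every person, system name (erp-prod, erp-dev, db-prod), approval record and review date in it is constructed sample data, and the checks are one plausible implementation rather than any prescribed procedure.

```python
"""Quarterly user-access review: mechanical checks for the access and
segregation-of-duties gaps listed above. Added example, not from the
original deck; every person, system, date and approval below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    user_id: str
    department: str                     # e.g. "development", "finance"
    status: str                         # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str                         # hypothetical system name
    role: str
    privileged: bool                    # OS/DB/application administrator rights


# Constructed HR roster.
HR_ROSTER: Dict[str, Person] = {
    "alice": Person("alice", "finance", "active"),
    "bob": Person("bob", "development", "active"),
    "carol": Person("carol", "finance", "terminated", date(2004, 2, 10)),
    "dave": Person("dave", "it-operations", "active"),
    "erin": Person("erin", "finance", "active"),
}

# Constructed access extract from the financial systems.
ACCOUNTS: List[Account] = [
    Account("alice", "erp-prod", "ar_clerk", False),
    Account("bob", "erp-dev", "developer", False),
    Account("bob", "erp-prod", "developer", False),    # developer in production
    Account("carol", "erp-prod", "ar_clerk", False),   # owner left in February
    Account("dave", "db-prod", "dba", True),           # privileged, but approved
    Account("erin", "erp-prod", "ar_clerk", False),    # no approved request on file
    Account("ghost", "db-prod", "app_service", True),  # no HR owner at all
]

# Constructed log of approved access requests: (user, system, role).
APPROVED_REQUESTS: Set[Tuple[str, str, str]] = {
    ("alice", "erp-prod", "ar_clerk"), ("bob", "erp-dev", "developer"),
    ("bob", "erp-prod", "developer"), ("carol", "erp-prod", "ar_clerk"),
    ("dave", "db-prod", "dba"),
}
PRODUCTION_SYSTEMS = {"erp-prod", "db-prod"}

# Constructed dates of the last management review of each system's access list.
LAST_ACCESS_REVIEW: Dict[str, date] = {
    "erp-prod": date(2004, 1, 15), "erp-dev": date(2003, 9, 1), "db-prod": date(2004, 3, 1),
}
REVIEW_DATE = date(2004, 3, 31)
REVIEW_INTERVAL = timedelta(days=90)    # "at least quarterly"


def find_orphaned_accounts(accounts, roster):
    """Accounts whose owner is terminated or unknown to HR (leaver deprovisioning gap)."""
    findings = []
    for acct in accounts:
        person = roster.get(acct.user_id)
        if person is None:
            findings.append((acct, "no HR record"))
        elif person.status == "terminated":
            findings.append((acct, f"terminated on {person.termination_date}"))
    return findings


def find_unapproved_access(accounts, approvals):
    """Accounts with no matching approved access request."""
    return [a for a in accounts if (a.user_id, a.system, a.role) not in approvals]


def find_developer_production_access(accounts, roster, production_systems):
    """Segregation-of-duties conflict: development staff holding production access."""
    return [a for a in accounts if a.system in production_systems
            and a.user_id in roster and roster[a.user_id].department == "development"]


def find_privileged_accounts(accounts):
    """Privileged accounts; each one needs a documented business justification."""
    return [a for a in accounts if a.privileged]


def find_overdue_reviews(last_review, review_date, interval=REVIEW_INTERVAL):
    """Systems whose access list was not reviewed within the interval."""
    return sorted(s for s, d in last_review.items() if review_date - d > interval)


def run_access_review(review_date=REVIEW_DATE, accounts=ACCOUNTS, roster=HR_ROSTER,
                      approvals=APPROVED_REQUESTS, last_review=LAST_ACCESS_REVIEW):
    """Run every check; returns sorted 'user@system' findings keyed by control gap."""
    def tag(a):
        return f"{a.user_id}@{a.system}"
    return {
        "orphaned": sorted(tag(a) for a, _ in find_orphaned_accounts(accounts, roster)),
        "unapproved": sorted(tag(a) for a in find_unapproved_access(accounts, approvals)),
        "dev_in_prod": sorted(tag(a) for a in find_developer_production_access(
            accounts, roster, PRODUCTION_SYSTEMS)),
        "privileged": sorted(tag(a) for a in find_privileged_accounts(accounts)),
        "overdue_reviews": find_overdue_reviews(last_review, review_date),
    }


if __name__ == "__main__":
    for gap, items in run_access_review().items():
        print(f"{gap}: {items}")
```

In practice the roster, account extract and approval log would be loaded from HR and system exports rather than embedded, and the resulting finding lists, together with the sign-off that each one was dispositioned, become the evidence that the "Document Process & Results" step of the roadmap asks for.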
SOA Readiness Roadmap
- Preparing for SOX 404 requires a structured and measured approach, otherwise you will find yourself doing “too much” or “too little”
- The current PCAOB rules require auditors to attest on the “management assessment process”
- As such, the readiness roadmap that many organizations are following demonstrates the assessment process through a series of steps and activities that align to the PCAOB rules

SOA Readiness Roadmap (Business Value / Sarbanes-Oxley IT Compliance)
1. Plan & Scope: Financial reporting process; Supporting systems
2. Perform Risk Assessment: Probability & impact to business; Size / complexity
3. Identify Significant Controls: Application controls - over initiating, recording, processing & reporting; IT General Controls
4. Document Controls: Policy manuals; Procedures; Narratives; Flowcharts; Configurations; Assessment questionnaires
5. Evaluate Control Design: Mitigates control risk to an acceptable level; Understood by users
6. Evaluate Operational Effectiveness: Internal audit; Technical testing; Self assessment; Inquiry +; All locations and controls (annual)
7. Identify & Remediate Deficiencies: Significant deficiencies; Material weakness; Remediation
8. Document Process & Results: Coordination with auditors; Internal sign-off (302, 404); Independent sign-off (404)
9. Build Sustainability: Internal evaluation; External evaluation

A Readiness Roadmap: Plan & Scope
- Key Considerations: In-scope vs out-of-scope systems; Opportunities for improvement; Prevention, identification and detection of fraud
- Key Components: Financial reporting processes (Initiating, Recording, Processing, Reporting); Classes of transactions (Non-routine and systematic)
Understand the financial reporting process and identify the information systems and related resources that are used.

A Roadmap for Compliance: Perform Risk Assessment
- Key Components: IT risks (Quality and integrity failure; Security failure; Availability failure); Risk assessment (Probability of failure; Impact to the business)
- Key Considerations: Specific risk areas (Data validation; Data conversion; Interfaces; Management reports; Complex or critical calculations; Spreadsheets)
Identify risks associated with the information systems and related IT resources (i.e. what could go wrong?)

A Roadmap for Compliance: Identify Significant Controls
- Key Components: Application controls (Embedded within business processes; Directly support financial assertions); General controls (Program development; Program changes; Program operations; Access control)
- Key Considerations: Control framework - CobiT™, revised April 2004*; 12 primary control objectives at the process level; Control environment questionnaire