December 17, 2012
Guide to the Sarbanes-Oxley Act: IT Risks and Controls FAQ: Table of Contents
Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley
- 1. Is there an overall approach to IT risk and control consideration that should be followed?
- 2. Why is it so important to consider IT when evaluating internal control over financial reporting?
- 3. How should Section 404 compliance teams define “IT risks and controls”?
- 4. How does management identify and prioritize IT risks?
- 5. What guidance does COSO provide with respect to IT controls?
- 6. What guidance is provided by the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework with respect to IT controls?
- 7. How do COSO and COBIT facilitate a Section 404 compliance effort?
- 8. If a Section 404 project strictly and only follows COBIT, will the project be compliant with the Section 404 compliance efforts?
- 9. Should management consider other IT control guidelines and standards, such as ISO/IEC 27000 series, ITIL and CMM?
- 10. If my company is compliant with Payment Card Industry (PCI) standards, are we compliant with IT SOX controls?
- 11. Is it possible to rely solely on manual controls, negating the need to evaluate IT risks and controls?
- 12. Overall, what are the key areas that must be considered when evaluating IT controls?
- 13. How does management get started using the approach outlined in Question 1?
- 14. When should IT controls be considered during the overall Section 404 project?
- 15. How does an ERP solution impact the evaluation of IT?
- 16. How does a shared-service center impact the assessment of internal control?
- 17. How does outsourcing (e.g., software as a service, data center services) of technology and IT activities impact a company’s control evaluation approach?
- 18. How does utilizing a software as a service (SaaS) application impact a company’s application control evaluation approach?
- 19. What are the different types of SSAE 16 reports, and how do they replace SAS 70 reports?
- 20. Do we need to address controls for business units that are outside the United States?
Activity/Process-Level Considerations – General Control Issues
- 21. What is the IT organization?
- 22. How does management consider the entity-level issues around IT risks and controls?
- 23. Are there separate “entities” that include just IT operations or processes?
- 24. What IT governance issues should be considered for purposes of complying with Sections 404 and 302 of Sarbanes-Oxley?
- 25. What differences does it make if management has strong entity-level IT-related controls?
- 26. How would management know if the entity-level controls provide a strong control environment?
- 27. What difference does it make if management has weak entity-level controls?
- 28. What are examples of a weak entity-level control environment?
Activity/Process-Level Considerations – The Role of Application and Data-Owner Processes
- 29. What are “general IT controls”?
- 30. What types of controls are “general IT controls”?
- 31. What technology stack layers (e.g., application, database management systems, operating systems) are required to be in scope for Section 404?
- 32. What does the Section 404 compliance project team look for when evaluating security administration?
- 33. What does the Section 404 compliance project team look for when evaluating application change controls?
- 34. What does the Section 404 compliance project team look for when evaluating data backup and recovery?
- 35. What systems development life cycle (SDLC) controls should be considered for technology implementation projects or significant system upgrades?
- 36. We outsource our financial applications; do we need to do anything to be SOX compliant?
- 37. Do we have to hire more IT resources to mitigate risks related to segregation of duties issues?
Activity/Process-Level Considerations – Application-Level Controls
- 38. Who are the application and data owners?
- 39. What are the roles and responsibilities of the application and data owners in relation to the IT organization?
- 40. What processes should the application and data owners have in place to facilitate compliance with Sections 404 and 302?
- 41. What processes should be in place with respect to establishing proper security and segregation of duties?
- 42. What processes should be in place with respect to periodic review and approval of access to critical and/or sensitive transactions and data?
- 43. What processes should be in place from an internal control standpoint with respect to the application change management around initiating, testing and approving changes before making production application changes?
- 44. If application and data-owner process controls are designed and operating effectively, what is the impact on the evaluation of internal control over financial reporting?
- 45. If application and data-owner process controls are not designed and operating effectively, what is the impact on the evaluation of internal control over financial reporting?
- 46. What are the application-level control considerations?
- 47. How is an appropriate application baseline established?
- 48. How does the Section 404 compliance team determine the critical applications for each key business process?
- 49. How should the Section 404 compliance team integrate the consideration of application-level controls with business-process controls at the activity/process level?
- 50. What should management do if the Section 404 compliance team finds weak application controls at the business-process level?
- 51. What should management do if the Section 404 compliance team finds weak application controls at the business-process level?
- 52. How can an organization decrease its reliance on spreadsheets?
- 53. What are some application control considerations for the order-to-cash cycle?
- 54. What are some application control considerations for the procure-to-pay cycle?
- 55. What are some application control considerations for the close-the-books/financial-reporting cycle?
- 56. How much documentation should the IT organization and the application and data owners have in place to evidence the controls and functioning of the applications?
- 57. How should the Section 404 compliance team document the IT controls at the entity level?
- 58. How should the Section 404 compliance team document the IT controls for the IT general controls at the activity/process level?
- 59. How should the Section 404 compliance team document the IT controls for the processes controlled by application and data owners for the specific application areas?
Addressing Deficiencies and Reporting
- 60. How are IT controls tested?
- 61. How should management address deficiencies and gaps in IT controls?
- 62. How will the external auditor view IT controls during the attestation process?