June 5, 2006
Guide to the Sarbanes-Oxley Act FAQ: Table of Contents
General Application Risk and Control Considerations for Complying with Sarbanes-Oxley
Application Control Considerations
- What does SOX Section 404 say about an organization’s reliance on critical business applications?
- What is a public company required to disclose regarding an ERP/application implementation?
- What are the typical application control types as they relate to SOX Section 404 compliance?
- Why is it so important to consider embedded system-based (e.g., ERP) controls for financial reporting and Sarbanes-Oxley compliance?
- How should the Section 404 compliance team determine the critical applications for each key business process?
- Should the evaluation of application controls be integrated within business processes or performed separately?
- How is an appropriate application baseline established?
- Is it possible to rely solely on manual controls, negating the need to consider and evaluate application controls?
- What are the benefits of control automation?
- What factors should an organization consider when determining which manual controls to automate?
- How can an organization decrease its reliance on spreadsheets?
Access Security Considerations
- What are configurable controls?
- How are key application controls identified for documentation and testing?
- What are some application control considerations for the Order to Cash cycle?
- What are some application control considerations for the Procure to Pay cycle?
- What are some application control considerations for the Close the Books/Financial Reporting cycle?
General IT Controls Related to Applications
- What are the principal risks related to access security?
- What should be considered when assessing user access rights and privileges for compliance?
- What processes should be in place with respect to establishing proper user access security and segregation of duties?
- What processes should be in place with respect to periodic review and approval of access to critical and/or sensitive transactions and data?
- What are the roles of the business and the IT organization in controlling user access processes and segregation of duties?
- How can an organization improve its ability to manage appropriate security without incurring excessive cost and time bottlenecks?
- What is the best method for organizing user access authorization rules?
- What other control elements should be considered regarding powerful authorities and systems administration duties?
- Does security maintenance have to go through the change management process?
- How does the organization assess ERP security structures for compliance exposures due to segregation of duties and sensitive access?
- What control principles should be considered during an assessment or a redesign of security in an ERP?
- How does management decide whether to remediate individual security and segregation of duties problems versus reengineer user access overall?
- What is an efficient way to document segregation of duties and sensitive access?
- Can automated tools be used to assess segregation of duties and sensitive access for compliance exposures and provide ongoing monitoring?
Implementation Controls and Considerations
- What does the Section 404 compliance team look for when evaluating application change controls?
- What elements of data management and disaster recovery should be evaluated by Section 404 compliance teams as they relate to applications?
- What elements should be considered with respect to the network, operating system and databases to support effective application control?
- What are interface risks and how are they managed?
- What are the primary risks of implementing a new application, and how are they managed?
- What are the primary risks relative to data conversions relating to an implementation, and how are they managed?
- What are the risks to functional testing when implementing a new application, and how are they managed?
- How should the Section 404 compliance team document the IT controls addressing the processes controlled by application and data owners for the specific application areas?
- How much documentation should the IT organization and the application and data owners have in place to evidence the controls and functioning of a critical application?
- Given the emphasis placed on the “Initiating, recording, processing and reporting” of transactions by the PCAOB, what is the best way to document transaction flows?
Addressing Deficiencies and Reporting
- How are IT controls tested?
- Who should test automated controls?
- How are application controls tested?
ERP Compliance Software and Automated Testing Tools
- How should management address deficiencies and gaps in application controls?
- How will the external auditor view application controls during the attestation process?
- What are some examples of SOX enablement software to consider?
- What questions should be addressed with respect to evaluating an application’s capability to support a SOX compliance effort?
- How does the Section 404 compliance team differentiate between SOX-relevant controls in the ERP (which require documentation and testing) and the SOX compliance functionality?