國(guó)外簡(jiǎn)約大氣的PPT模板_第1頁(yè)
國(guó)外簡(jiǎn)約大氣的PPT模板_第2頁(yè)
國(guó)外簡(jiǎn)約大氣的PPT模板_第3頁(yè)
國(guó)外簡(jiǎn)約大氣的PPT模板_第4頁(yè)
國(guó)外簡(jiǎn)約大氣的PPT模板_第5頁(yè)
已閱讀5頁(yè),還剩33頁(yè)未讀, 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)

文檔簡(jiǎn)介

TheImportanceofITControlsto

Sarbanes-OxleyCompliance.

1ImportanceofITControlstoSarbanes-OxleyProvideahigh-leveloverviewofSarbanes-OxleyandtheinternalcontrolcertificationrequirementsDiscusstheimportanceofinformationtechnologyininternalcontroloverfinancialreportingDescribehowtheSarbanes-Oxleysection404rulesimpactinformationtechnologyProvideanoverviewoftheCobitITcontrolframeworkProvideanexampleofareadinessprogramroadmapSummarizetheimportanceandimpactofITcontrolstoSarbanes-OxleycomplianceToday’sObjectives2ImportanceofITControlstoSarbanes-OxleySettingtheStage3ImportanceofITControlstoSarbanes-OxleySettingtheStageWhatisinternalcontrol?Internalcontrolisbroadlydefinedasaprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesinthefollowingcategories:EffectivenessandefficiencyofoperationsReliabilityoffinancialreportingCompliancewithapplicablelawsandregulationsInternalcontrolisnowtheLawTheSarbanes-OxleyActof2002wascreatedtorestoreinvestorconfidenceinthepublicmarketsSection404oftheActrequiresmanagementtoestablishandmaintaininternalcontrol–andrequirestheindependentauditorstoevaluateCompliancedeadline:Year-endsonorafterNovember15,2004PreparingforSarbanes-OxleycomplianceisasignificantandchallengingtaskTherearemanyrequirements,includingtheidentificationofsignificantfinancialstatementaccounts,processesandsystemsthatsupportthemandthendocumentingandtestingthem4ImportanceofITControlstoSarbanes-OxleyOverviewofInternalControlCertificationRequirementsSection302CertificationOverview

CEOandCFOtomakespecificcertificationsasoftheendofeachquarterlyandannualreportingperiod,including:ReportcontainsnountruestatementsReportisfairlypresentedinallmaterialrespectsResponsibilityfordesignandmaintenanceofdisclosurecontrolsandproceduresaswellasinternalcontrolsoverfinancialreportingBecameeffectivein2002(amendedinJune2003)Section404CertificationOverview

CEOandCFOtocertifyasoftheendofeveryannualreportingperiod:TheirresponsibilityforestablishingandmaintainingeffectiveinternalcontrolsoverfinancialreportingTheirassessmentofinternalcontrols,accompaniedbytheindependentauditors’attestationreportEffectiveforannualperiodsendingafterNovember15,2004(smallbusinessandforeignfilersJuly15,2005).5ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoIT

6ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoITManagementisrequiredtoassessthedesignandeffectivenessofitsinternalcontroloverfinancialreportingandprovideanassertiontothateffectinthepublishedfinancialstatements.Thecompany’sexternalauditorsarerequiredtoexpressanopiniononmanagement’sassessmentaswelltheirownopiniononthecompany’sinternalcontrols.Auditormustperformawalkthroughofmajorclassesoftransactionsforsignificantprocessestounderstandprocessflows,andassessthedesignandeffectivenessofcontrolsincludingapplicationandITgeneralcontrols.EvaluatethedesigneffectivenessofITcontrolstodeterminewhethertheyareproperlydesignedtoachieverelevantassertions.PerformtestsoftheoperatingeffectivenessofITcontrolsthatarenecessarytoachieverelevantassertions.KeyComplianceRequirementsImpacttoITControls7ImportanceofITControlstoSarbanes-Oxley(paragraph47)

“Theauditorshouldobtainanunderstandingofthedesignofspecificcontrolsbyapplyingproceduresthatinclude…tracingtransactionsthroughtheinformationsystemrelevanttofinancialreporting”

(paragraph73)

“Mostprocessesinvolveaseriesoftaskssuchascapturinginputdata,sortingandmergingdata,makingcalculations,updatingtransactionsandmasterfiles,generatingtransactions,andsummarizinganddisplayingorreportingdata.Theprocessingproceduresrelevantfortheauditortounderstandtheflowoftransactionsgenerallyarethoseactivitiesrequiredtoinitiate,authorize,record,processandreporttransactions.”ThePCAOBrulesareclear-auditorsmustunderstandhowtransactionsflowthroughthesystem…notarounditUnderstandingtheRulesImpacttoITcont’d8ImportanceofITControlstoSarbanes-Oxley(paragraph69)

“Theauditorshouldidentifyeachsignificantprocessovereachmajorclassoftransactionsaffectingsignificantaccountsorgroupsofaccountsand…Understandtheflowoftransactions,includinghowtransactionsareinitiated,authorized,recorded,processed,andreported.Identifythepointswithintheprocessatwhichamisstatement–includingamisstatementduetofraud–relatedtoeachrelevantfinancialstatementassertioncouldarise.Identifythecontrolsthatmanagementhasimplementedtoaddressthesepotentialmisstatements.Identifythecontrolsthatmanagementhasimplementedoverthepreventionortimelydetectionofunauthorizedacquisition,use,ordispositionofthecompany'sassets.

PCAOBstatementsapplicabletoApplicationControls:UnderstandingtheRulesImpacttoITcont’d9ImportanceofITControlstoSarbanes-Oxley (paragraph40)

“Determiningwhichcontrolsshouldbetested…Generally,suchcontrolsinclude…informationtechnologygeneralcontrols,onwhichothercontrolsaredependent” (paragraph50)

“Somecontrolshaveapervasiveeffectontheachievementofmanyobjectives…forexample,informationtechnologygeneralcontrolsoverprogramdevelopment,programchanges,computeroperations,andaccesstoprogramsanddata”PCAOBstatementsapplicabletoITGeneralControls:UnderstandingtheRulesImpacttoITcont’d10ImportanceofITControlstoSarbanes-OxleyTheImportanceof

InformationTechnologyinInternalControloverFinancialReporting

11ImportanceofITControlstoSarbanes-OxleyFormostorganizations,ITispervasiveandcriticaltothefinancialreportingprocessFinancialandroutinebusinessapplicationsarecommonlyusedtoinitiate,authorize,record,processandreporttransactionsRelevantITcontrolsincludeapplicationcontrols-thosethatareembeddedinfinancialandbusinessapplicationsgeneralcomputercontrols–underlyinginfrastructurecomponentsthatsupporttheapplicationsStatementsmadebythePublicCompanyAccountingandOversightBoard(PCAOB)ontheimpactofIT(paragraph75):

“Thenatureandcharacteristicsofacompany'suseofinformationtechnologyinitsinformationsystemaffectthecompany'sinternalcontroloverfinancialreporting”TheImportanceofInformationTechnology(IT)inInternalControloverFinancialReporting12ImportanceofITControlstoSarbanes-OxleyApplicationControlsSoDDataintegrityCompletenessValidationGeneralComputingControlsInformationSecurityOperationsDatabaseImpl.&SupportNetworkSupportBusinessProcessClassesofTransactionsSalesReturnsWriteoffsSignificantAccountBalanceBalance

Sheet(A\R)Income

StatementG/LInventoryOtherA\RMgtProcessFCRPSalesProcessProcessStagesInitiateRecordProcessReportApplicationImpl.&Maint.SystemSoftwareSupportTheRoleofInformationTechnologyinInternalControloverFinancialReportingcont’d13ImportanceofITControlstoSarbanes-OxleyAccountbalance:TradeA\R,SalesClassesofTransactions:Invoices,SalesordersBusinessProcess:A\R,SalesOrderprocessesProcessStages:Initiate,record,processApplicationControls:AccesscontrolsBuiltinlimitsforcreditapprovalRestrictedaccesstopricingtableGCCControls:ProgramchangeOperationsNetwork&systemsecurityLinkAccountsandAssertionstoIT:AnExample

Customer

order

entry

AccountsReceivable

Invoicecontrols

SAP,Oracle,OtherApplicationsGeneralcomputingcontrolscoversecurityaccess,changemanagement,operations,systemsandnetworksupport,dataretention,etc.OrderProcessingOrder&suppliercontrolsSales

Sub-processCustomercontrolsITInfrastructureNetworksSystemSoftwareDatabasesandInformationSecurityApplicationcontrolscoverauthorizedchanges,segregationofduties,validity,completenessandtimelinessofreportingoffinancialinformation.14ImportanceofITControlstoSarbanes-OxleyCobitITControlFrameworkOverview15ImportanceofITControlstoSarbanes-OxleyCOBIT–AModelforGeneralComputerControlsTheITGovernanceInstitute(www.ITGI.org)hasrecentlypublished“revised”guidanceforITprofessionalsonhowtoaddressSarbanes-OxleyfromanITperspective–April2004“Sarbanes-Oxley;Theimportanceofinformation

technologyinthedesign,implementationand

sustainabilityofinternalcontrol”Thepublicationistheresultofa

jointeffortofindustryandauditors,

withleadershipfromDeloitteandothersTheITGIisarecognizedgloballeaderinITgovernance,controlandassurancewithmembersinmorethan100countries16ImportanceofITControlstoSarbanes-OxleyPCAOBdesignatesCOSOastheprescribedstandardcontrolframeworkandhasbecomethecontrolframeworkofchoiceforSOXcomplianceAll5layersmustbeconsideredwhenevaluatinginternalcontrolHowever,COSOdoesnotprovidespecificguidancearoundITcontrol.CobiTisawidelyacceptedITcontrolframework(ITGI)CobiTprovides4domainsofITcontrolCobiTcontrolsaddressthe5layersofCOSOWiththedevelopmentofthisapproach,organizationscanbeconfidentthattheyaretakinganapproachthatreflectsCOSOrequirementsCOBIT–AModelforGeneralComputerControlscont’d17ImportanceofITControlstoSarbanes-OxleyTheITGIpublicationprovidesguidancetoITprofessionalsonhowtomeettheSarbanes-OxleychallengeDetailedcontrolobjectivesareprovidedforeachCobiTdomainandmappedtotheirrespectiveCOSOcomponentOthercontrolguidelineswerereviewedandreconciledtothisapproachduringthedevelopmentprocess,includingISO17799,CommonCriteria,ITIL,andSysTrustOrganizationsshouldassesstheirrequirementsonanindividualbasisandtailortheirapproachaccordinglyCOSOComponentsCobiT

ObjectivesCOBIT–AModelforGeneralComputerControlscont’d18ImportanceofITControlstoSarbanes-OxleyTheCobiTSOAframeworkidentifiedasub-setoftheseareasforthepurposeoffocusingonSOArequirementsCompanylevel:Planning&Organizing/MonitoringCOBIT–AModelforGeneralComputerControlscont’dPlanning&OrganizationITStrategicPlanningITorganizationandrelationshipsManagementofhumanresourcesEducateandtrainusersInformationarchitectureCommunicationofmgmtaimsanddirectionAssessmentofrisksManagetheITinvestmentManageprojectsMonitoringCompliancewithexternalrequirementsManagementofqualityEnsurecontinuousservicePerformanceandcapacityMonitoringAdequacyofinternalcontrolsIndependentassuranceInternalauditActivitylevel:AcquisitionandImplementation/DeliveryandSupportProgramDevelopment(SDLC)ProgramChangesComputerOperations(scheduling,backup,problemmanagement)Accesstoprogramsanddata(applications,database,operatingsystem,network)19ImportanceofITControlstoSarbanes-OxleyTop5List–404ITControlsRequirementsSecurityApplicationandplatformbasedFocusedonapplicationsthatmayimpactfinancialsandsupportinginfrastructureRequiressecureoperatingsystems,database,network,firewallsandinfrastructureAuditorswilllookforexcessiveaccess;lackofsegregationofduties;inadequateapprovalofaccess;theywillbetestingkeyprocessestodeterminethattheyareeffectiveChangeControlNeedtoensurethatproceduresareinplacetocontrolandensureproperapprovalofchangestoproductionTechnicalcontrolsmusttightlylimitandcontroldeveloperaccesstoproductionDisasterRecoveryFocuswillbeonbasicbackupandrecoverabilityoffinancialdataITGovernanceFocuswillbeondeterminingofthereareclearpolicies,procedures,andcommunicationswithinITArethereclearsegregationofduties?Istheretheappropriate“toneatthetop”oftheITorganization?DevelopmentAndImplementationActivitiesPropercontrolsneedtobebuiltinbeforeanewsystemorsystemchangesgointheproductionenvironmentAuditorsmayevaluatenewfinancialsystems;dataconversionandtestingarecritical20ImportanceofITControlstoSarbanes-OxleyMostCommonITControlGapsToRemediateChangecontrolprocessesnotfullyinplace(especiallyindistributedorwebbasedenvironments)Securityprocedures,strategies,andprofilestructuresnotdocumentedforcriticalapplications.Organizationalsecuritypolicies,procedures,androlesandresponsibilitygaps.SecurityadministrationprocedureslackappropriatecontrolsorconsistencyInadequatecontrolstodeleteorchangeaccesswhenindividualleavesofchangesjobresponsibilities(especiallycontractors)InadequateapprovalofaccesschangesAccesslevelsnotregularlyreviewedandapprovedbymanagementExcessiveaccesstosystemsPrivilegedaccesstooperatingsystem,database,andapplicationenvironmentInadequatesegregationofdutiesApplicationdevelopersandDBAshaveaccesstoproductionInfrastructuresupportingapplicationsisnotsecure(network,operatingsystem,database)ITcontrolsnotintegratedintokeybusinessprocesses(e.g.SDLC,changecontrol,compliance,testinganddataconversionprocedures)Lackofaregularprocesstoverifythatcontrolscontinuetobeadequateandeffective(atleastquarterly)NolongtermstrategytoevaluateandaddressrisksTheareasthatwillgethithardestaresecurityandchangecontrol21ImportanceofITControlstoSarbanes-OxleyITControlReadinessRoadmap

22ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapPreparingforSOX404requiresastructuredandmeasuredapproach,otherwiseyouwillfindyourselfdoing“toomuch”or“toolittle”ThecurrentPCAOBrulesrequireauditorstoatteston“managementassessmentprocess”Assuch,thereadinessroadmapthatmanyorganizationsarefollowingdemonstratestheassessmentprocessthroughaseriesofstepsandactivitiesthataligntothePCAOBrules23ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapBusinessValueSarbanes-OxleyITCompliance1.Plan&ScopeFinancialreportingprocessSupportingsystems3.IdentifySignificantControlsApplicationcontrols-overinitiating,recording,processing&reportingITGeneralControls5.EvaluateControlDesignMitigatescontrolrisktoanacceptablelevelUnderstoodbyusers8.DocumentProcess&ResultsCoordinationwithAuditorsInternalsign-off(302,404)Independent

sign-off(404)7.Identify&RemediateDeficienciesSignificantdeficienciesMaterialweaknessRemediation6.EvaluateOperationalEffectivenessInternalauditTechnicaltestingSelfassessmentInquiry+Alllocationsandcontrols(annual)4.DocumentControlsPolicymanualsProceduresNarrativesFlowchartsConfigurationsAssessmentquestionnaires2.PerformRiskAssessmentProbability&ImpacttobusinessSize/complexity9.BuildSustainabilityInternalevaluationExternalevaluation24ImportanceofITControlstoSarbanes-OxleyAReadinessRoadmap

Plan&ScopeKeyConsiderationsIn-scopevsout-of-scopesystemsOpportunitiesforimprovementPrevention,identificationanddetectionoffraudKeyComponentsFinancialreportingprocessesInitiatingRecordingProcessingReportingClassesoftransactionsNon-routineandsystematicUnderstandthefinancialreportingprocessandidentifytheinformationsystemsandrelatedresourcesthatareused.25ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

PerformRiskAssessmentKeyComponentsITRisksQualityandIntegrityfailureSecurityfailureAvailabilityfailureRiskassessmentProbabilityoffailureImpacttothebusinessKeyConsiderationsSpecificriskareasDatavalidationDataconversionInterfacesManagementreportsComplexorcriticalcalculationsSpreadsheetsIdentifyrisksassociatedtheinformationsystemsandrelatedITresources(ie.whatcouldgowrong?)26ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

IdentifySignificantControlsKeyComponentsApplicationcontrolsEmbeddedwithinbusinessprocessesDirectlysupportfinancialassertionsGeneralcontrolsProgramdevelopmentProgramchangesProgramoperationsAccesscontrolKeyConsiderationsControlframework-CobiTTMRevised–April2004***12primarycontrolobjectivesattheprocesslevelControlenvironmentquestionnaireforentitylevelIdentifyapplicationandgeneralcontrols27ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

DocumentControlsKeyComponentsProcessdescriptionRiskassessmentControlobjectiveControlactivityTestofthecontrolConclusionsandremediationplansKeyConsiderationsIncludecompensatingcontrolsImpactonoverallSOAtestingprogramReportgapsindocumentationSufficienttosupportmanagementassertionDocumentcontrolprocessestosupportmanagement’sassessment28ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

EvaluateControlDesignKeyComponentsSufficienttodemonstrate:ControldesignedtopreventordetectmaterialerrorsConclusionthattestswereappropriatelyconductedResultsoftestsappropriatelyevaluatedKeyConsiderationsPreventativevs.detectiveAutomatedvs.manualPeople,processandtechnologyControlmaturitylevel–controlsaredefined,managed,measuredandrepeatableControlsshouldbedesignedtoreducetheriskoferrortoanacceptablelevel29ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

EvaluateOperationalEffectivenessKeyComponentsApplicationcontrolsandgeneralcontrolsReliabilityPerformedbyknowledgeablepersonPerformedconsistentlyAppropriatelymonitoredProblemsfolloweduponatimelybasisKeyConsiderationsPeriodoftimevs.pointintimeAuditevidence–inquiryaloneisnotenoughSamplesizes–mustbeadequategivenfrequencyofcontroloperationServiceorganizations–SAS70Testcontrolstoensuretheyareareoperatingasdesignedandconsistentlyoveraperiodoftime30ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

Identify&RemediateDeficienciesKeyComponentsImpacttothefinancialstatementsIsitmorethaninconsequential?LikelihoodofoccurrenceIstheremorethanaremotelikelihoodofoccurrence?CompensatingcontrolsKeyConsiderationsIsolated/manualerrorsvs.systematicerrorsPeriodofeffectiveoperationHasimpactassessmentbeenperformedtodeterminetheimportancetothefinancialreportingprocess?MayneedtorevisitcontroldesignoroperationifdeficienciesareobservedIdentifyweaknessesandremediate/retestpriortocompliancedeadline31ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

DocumentProcess&ResultsKeyComponentsOverallassessmentprocessConsiderriskassessmentresultsDiscloseallknowncontroldeficienciesandweaknessesIncludeassessmentofcontroldesigneffectivenessKeyConsiderationsShow-stoppersMaterialweaknessesSignificantdeficienciesMaintainsufficientevidencetosupportmanagementassessmentprocess32ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

BuildSustainabilityKeyComponentsContinuouseffectivenessofinternalcontrolMonitoringactivitiesChangemanagementKnowledgecaptureandsharingKeyConsiderationsContinuousimprovementprocessRules,approachesandbestpracticesareevolving–staytunedEstablisha‘CenterofExcellence’modeltosupportongoingSOAcompliance33ImportanceofITControlstoSarbanes-OxleyInSummary34ImportanceofITControlstoSarbanes-OxleyInSummaryWiththedependenceonITforreliablefinancialreportingprocesses,ITplaysakeyroleincompliancewithSection404ofSarbanes-OxleyFormanyorganizationsSarbanes-Oxleyissimplyacodificationofexistingresponsibilities.TheseITcontrolresponsibilitiesalreadyexist;however,Sarbanes-Oxleymayrequireadditionalformalizationandsignificanteffortstodocumentandtest.CompaniesshouldensureIThasanactiveroleinSarbanes-Oxleyefforts:ParticipateonthecompliancesteeringcommitteeUnderstandthefinancialreportingprocessandcommunicatethedependencyonIT(applications,infrastructure,security,etc.)EstablishIT’sroleinensuringadequatecontrolsoverthefinancialreportingprocessDocumentITrisksandcontrolsrelatedtothefinancialreportingprocessRegularlytestcontrolsandremediatesignificantweaknessesEstablishmonitoringactivitie

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請(qǐng)下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請(qǐng)聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁(yè)內(nèi)容里面會(huì)有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫(kù)網(wǎng)僅提供信息存儲(chǔ)空間,僅對(duì)用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對(duì)用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對(duì)任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請(qǐng)與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對(duì)自己和他人造成任何形式的傷害或損失。

評(píng)論

0/150

提交評(píng)論