Comparative Analysis of IT Control Frameworks in the
Context of SOX
By: Malik Datardina, CA, CISA
University of Waterloo
Introduction
• SOX average cost: $5 million per company
• Impact on the way of business
• Increased focus on IT:
"The Sarbanes-Oxley legislation has created a greater need for businesses to have IT controls in place" (Bill Levant, Partner, Deloitte)
Goal
• Some fundamental questions:
– How does the SOX legislation result in the implementation of IT controls?
– What IT controls are expected to be in place?
Agenda
• Basic issues to be covered:
Part I – SOX Basics:
• What does SOX actually mandate?
• What does the PCAOB require?
• What does COSO require? Are there alternatives?
Part II – The Frameworks:
• How are COBIT, ITCG, ISO 17799, and SysTrust relevant to SOX and analysis?
Part III – Discussion and Suggestions for Further Research
Overview diagram (Public Company → SOX → PCAOB → IT controls):
• SOX: Sec 101 – Establishment of the PCAOB; Sec 302 – Responsibility for financial reporting; Sec 404 – Management assessment of internal control; Sec 409 – Real-time issuer disclosures
• Minimum standard: Auditing Standard No. 2, Audit of Internal Control over Financial Reporting
• IT controls: General controls (operations controls, SDLC, access management) and Application controls
• Additional guidance – Information quality: timely, current, accurate, accessible, etc.
What does SOX actually mandate?
• Sec 101: Establishes the PCAOB
• Sec 302: CEO and CFO responsibility for the financial statements
– Designed effectively
– Operating effectively within the last 90 days
– Disclosure of material weaknesses
– Disclosure of frauds, material and otherwise
• Sec 404: Management's assessment of controls
– Management is responsible
– Management assesses operating effectiveness
– Auditors must also provide an independent assessment of operating effectiveness
• Sec 409: Real-time disclosure of material changes
What does the PCAOB require?
PCAOB guidance (Auditing Standard No. 2) on IT general controls:
• Program development / program changes
• Computer operations
• Access to programs and data
• Processing integrity controls
COSO
OBJECTIVES:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with the applicable laws and regulations
KEY COMPONENTS:
• Control environment (e.g. tone at the top)
• Risk assessment
• Control activities
• Information and communication (e.g. information management)
• Monitoring

CoCo
OBJECTIVES:
• Effectiveness and efficiency of operations
• Reliability of internal and external financial reporting requirements
• Compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
• Purpose
• Commitment
• Capability
• Monitoring and learning

Turnbull (UK)
OBJECTIVES:
• Facilitate its effective and efficient operation
• Ensure the quality of internal and external reporting
• Ensure compliance with applicable laws, regulations, and internal policies
KEY COMPONENTS:
• Maintaining a sound system of internal control
• Reviewing the effectiveness of internal control
• The board's statement on internal control
• Internal audit

Differences
"…tighter, easier to grasp model of internal control than the somewhat complex COSO framework." (Robert Moeller on CoCo, former Audit Director of Sears)
• CoCo: 20 auditable control objectives
Similarities
• Similar objectives between all three standards
Other Considerations
• Consider cost-benefit in terms of familiarity with auditors, regulators, etc.
What does the COSO require?
COSO guidance on IT general controls:
• Data center operation controls
• System software controls
• Application system development and maintenance controls
• Access security controls
What does the COSO require?
Category            | PCAOB                                | COSO
Systems development | Program development; Program changes | System software controls; Application system development and maintenance controls
Operations          | Computer operations                  | Data center operation controls
Security            | Access to programs and data          | Access security controls
What does the COSO require?
INFORMATION QUALITY
• Information is timely
• Information is current
• Information is accurate
• Information is accessible
OTHER COMPONENTS
• Control environment (e.g. budget and IT)
• Risk assessment
• Monitoring
PART II: The IT Control Framework
COBIT
• Structure: 4 domains, 34 high-level control objectives, 318 detailed control objectives
• Example – PO2.1 Information Architecture Model
CONTROL OBJECTIVE: Information should be kept consistent with needs and should be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities effectively and on a timely basis. Accordingly, the IT function should create and regularly update an information architecture model, encompassing the corporate data model and the associated information systems. The information architecture model should be kept consistent with the IT long-range plan.
• "PO" (Planning & Organization) is one of the 4 domains
• PO2 is the high-level control objective
• "PO2.1 Information Architecture Model" is the detailed control objective; the text that follows it explains what is required of this objective
ISO 17799
• Structure: 11 security control clauses, 39 main security categories, 135 controls
• Each control includes the following information:
– Description of control
– Implementation guidance
– Other information
ITCG
• Structure: 7 control issues, 31 control objectives, 162 minimum control standards, 744 control techniques
SysTrust – control layers by principle
Control layer | Security | Availability | Processing Integrity | On-Line Privacy | Confidentiality
Policy        | 3        | 3            | 3                    | 3               | 3
Communication | 5        | 5            | 5                    | 10              | 5
Procedures    | 12       | 15           | 19                   | 18              | 15
Monitoring    | 3        | 3            | 3                    | 3               | 3
Totals        | 23       | 26           | 30                   | 24              | 26
Fit with PCAOB/COSO
                     | COBIT | ISO 17799 | ITCG | SysTrust
General controls     | X     | X         | X    | X
Application controls | X     | X         | X    | X (specific category)
Analysis: Suitable Criteria
Characteristics of suitable criteria | COBIT  | ISO 17799 | ITCG | SysTrust
Relevance                            | High   | Medium    | High | High
Understandability                    | Medium | High      | High | High
Completeness                         | High   | Medium    | High | High
Conciseness                          | Medium | High      | High | High
Discussion and Suggestions for Further Research
• Ultimate goal: aid management in stewardship
• SysTrust: Processing Integrity principle
• Overlap between SysTrust, COBIT, ITCG
• Other frameworks: ITIL, ISO 9000-3, CMM, etc.
• Outsourcing: SAS 70, Sec. 5970
• Other SOX sections: Sec. 409, Sec. 802