SARBANES-OXLEY ACT
|
IT financial controls pertaining to the availability, integrity, non-repudiation, and confidentiality of financial information must be demonstrated. This means that once the IT financial controls have been implemented, the proof that the controls are monitored, measured, and documented must be available to the firm that will be conducting the independent audit.
IT hardware and software that processes, stores, or transmits financial information must be documented with a baseline of current configurations, patches, etc. This documentation must also record the schedule on which the baseline is reviewed and validated, along with the results of each review. For servers, the Trusted Facility Manual template can be used to document the configuration of each server operating system along with the business applications that reside on that server. This methodology is called "Secure Infrastructure" and has been used successfully by TESS since 2000. In addition, processes must be developed to assure auditors that compliance with security policies regarding financial information is implemented through repeatable and measurable processes that protect financial information and enforce separation of duties. The IT financial controls for security cover all the areas shown in the following diagram.
PCAOB Release No. 2005-009, May 16, 2005 stated the following: "The Top-down Approach and Role of Risk Assessment - Auditing Standard No. 2 was designed to be applied from the top down. That is, the standard focuses the auditor first on company-level controls and then on significant accounts, which lead the auditor to significant processes and, finally, individual controls at the process, transaction, or application levels. Knowledge obtained at each step guides the auditor toward the higher risk areas within the next succeeding level of controls. By approaching the task in this way, the auditor is naturally steered toward higher risk areas and away from those with less potential to have a material impact on the financials. This approach also provides a road map through the control system to ensure that the individual controls selected for testing are, in fact, relevant to internal control over financial reporting." The following document is one example of a CobIT/COSO objective that TESS has in its template library - CobIT/COSO Objective - Backup of Programs and Data PDF.
Most Board members and senior executives understand IT Governance, CobIT, COSO, and the Sarbanes-Oxley Act, but few have knowledge or understanding of the importance that Information Security will play in implementing this Act. Very few Information Technology Departments have documented IT financial controls or understand the need to do so, which will lead to significant corporate expenditures. Do it right the first time - hire TESS consultants to act as your Sarbanes-Oxley Compliance Project Manager to ensure that your Company will pass an independent audit.