
Impacts of Sarbanes-Oxley and the US Patriot Act on Information Technology

Society for Information Management (SIM). Impacts of Sarbanes-Oxley and the US Patriot Act on Information Technology. October 15, 2003. Agenda. Introduction Sarbanes-Oxley Act - Background and Overview - Section 404 - COSO - Audit Requirements - Impact on IT


Presentation Transcript


  1. Society for Information Management (SIM) Impacts of Sarbanes-Oxley and the US Patriot Act on Information Technology October 15, 2003

  2. Agenda
     • Introduction
     • Sarbanes-Oxley Act
       - Background and Overview
       - Section 404
       - COSO
       - Audit Requirements
       - Impact on IT
     • Assessment of IT Controls
       - Approach
       - Application Controls
       - General Controls
       - Challenges
     • Whistleblower Provision
     • US Patriot Act

  3. Introduction
     • George Graves
     • KPMG LLP
     • 503-205-6103

  4. Sarbanes-Oxley Act

  5. Background and Overview
     • Public Company Accounting Reform and Investor Protection Act of 2002
     • Sponsored by:
       - Sen. Paul Sarbanes (D-Md.), ex-Chairman of the Committee on Banking, Housing and Urban Affairs in the Senate
       - Rep. Michael Oxley (R-Ohio), current Financial Services Committee Chair in the House
     • Signed into law on July 30, 2002
     • Law signed as a result of past fraud events such as Enron and WorldCom
     • Intended to support efforts to increase public confidence in capital markets by seeking to improve corporate governance and audit quality

  6. Background and Overview (cont.)
     • Sarbanes-Oxley includes the following sections:
       - Public Company Accounting Oversight Board
       - Auditor Independence
       - Corporate Responsibility (Section 302: Corporate responsibility for financial reports)
       - Enhanced Financial Disclosures (Section 404: Management assessment of internal controls) (*)
       - Analyst Conflicts of Interest
       - Corporate and Criminal Fraud Accountability
       - White-Collar Crime Penalty Enhancements
       - Corporate Fraud and Accountability

  7. Section 404
     • Management’s assessment of internal controls
     • Annual report must contain a report from management on internal control that:
       - States management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting
       - Contains management’s assessment, as of the end of the fiscal year, of the effectiveness of internal control related to financial reporting
       - Is signed by the CEO and CFO
     • Effective date: issuers whose fiscal years end on or after June 15, 2004 (U.S. companies that have equity market capitalization over $75m and have filed an annual report with the SEC). All other issuers will be required to comply for their fiscal years ending on or after April 15, 2005.

  8. Section 404 (cont.)
     The SEC defined internal control over financial reporting as: “a process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
       (1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
       (2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
       (3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.”

  9. Section 404 (cont.)
     • The final rules require management's report to identify the framework used by management to assess the effectiveness of the company's internal control over financial reporting (ICFR)
     • Criteria for an acceptable framework:
       - Complete (relevant factors)
       - Free from bias
       - Permits consistent qualitative and quantitative measurements of ICFR
       - Relevant to an evaluation of ICFR
     • The adopting release recognized that the COSO framework satisfied the above criteria and could be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements

  10. COSO
     • Background: Committee of Sponsoring Organizations
     • COSO Framework defines 5 elements of Internal Control:
       - Control Environment: sets the tone of an organization, influencing the control consciousness of its people
       - Risk Assessment: every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
       - Control Activities: policies and procedures to help ensure management directives are carried out
       - Information and Communication: pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
       - Monitoring: internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time

  11. COSO (cont.)
     COSO encompasses internal control requirements for operations, financial reporting and compliance. However, section 404 only addresses internal controls as they relate to financial reporting.

  12. COSO (cont.)
     • Entity level assessment and activity level assessment of internal controls
     • Management’s assessment of control activities

  13. Audit Requirements
     • Current draft (10/03) will require that the organization’s external auditing firm express an annual opinion on the internal controls of the organization (in accordance with the framework selected).
     • Focus is on key business process controls and significant locations (specific significant risk, significant when aggregated, not significant).

  14. Impact on IT
     • As financial data is most likely originated, captured, processed, stored, distributed, and reported from one or multiple information system(s), the requirements of section 404 will impact the IT organization.
     • The impact on the organization and management of information technology will depend upon the level of automation (sophistication) and inherent reliance placed on information systems as part of the company’s system of internal control over financial reporting.
     • The extent to which an IT organization is impacted may also depend on the maturity level of the environment (defined policies, formalized processes and active monitoring).
     • Outsourced operations which process financial transactions may require 3rd party assurance (e.g. SAS 70 report).

  15. Assessment of IT Controls

  16. Approach
     • COSO has limited guidance with respect to Information Technology, but does distinguish between application controls and general computer controls.
     • Most organizations are including application controls in the identification and evaluation of controls in the respective business process.
     • General computer controls that support those information systems (application controls) utilized in the business process are generally being addressed as part of an information management process.
     • COBIT (Control Objectives for Information Technology) is being considered by some as the framework for the evaluation of general Information Technology controls. The Information Systems and Control Association (ISACA) has developed guidance to bridge the gap between COSO and COBIT.
     • However, COBIT’s four domains are broader than internal controls over financial reporting (focus is overall IT Governance) and will not be the framework selected by management as its basis for assessment under section 404.

  17. Approach (cont.)
     1 Plan & Scope the Evaluation: Establish internal control evaluation process. Determine significant controls and locations/business units to be included. Define project approach, milestones, timeline, and resources. Launch project.
     2 Document Controls: Document design of significant controls for all significant locations and business units.
     3 Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting and document results of evaluation.
     4 Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
     5 Report on Internal Control: Prepare management’s written assertion on the effectiveness of internal control over financial reporting.
     6 Independent Audit of Internal Control: Prepare for independent auditor to conduct the internal control audit.

  18. Application Controls
     • Application controls are generally being identified and evaluated as part of a given business process (sales, purchasing, inventory mgmt, etc.). They may include the following control types:
       - Authorization control
       - Configuration / account mapping control
       - Exception / edit report control
       - Interface / conversion control
       - Key performance indicator
       - System access control (segregation of duties)

  19. General Controls
     • Some organizations are utilizing the control objectives generally described for general computer controls in a SAS 70 audit (examples provided by the AICPA). Examples of these include:
       - System Development and Program Change Management
       - User Administration and Logical Security
       - Operations Management and Organization
       - Vital Records Management
       - Problem Management
       - Physical and Environmental Security
       - Network Security
       - Virus Protection
     • Similar control objectives are described in COBIT.

  20. Challenges
     • The impact of Sarbanes-Oxley on IT presents many challenges including:
       - Control identification and documentation
       - Audit trails and control testing
       - Time and resource constraints
       - Terminology
       - Coordination of Finance and IT organizations
       - Change in culture (policies and procedures, testing, monitoring)

  21. Whistle-blower Provision

  22. Whistle-blower provision
     • Provision applies to both public and private companies
     • Requires that employees must be given the means to anonymously notify federal regulators or corporate audit committees of any potential wrongdoing within their companies
     • No major impact on IT, beyond the need to provide confidential methods of communication

  23. US Patriot Act

  24. Patriot Act
     • Signed into law by President Bush in October 2001.
     • Requires financial services companies to develop improved capabilities to identify customers and flag suspicious transactions, including:
       - Increasing the amount of filings of suspicious activity reports (SARs)
       - Requiring companies that must report cash transactions greater than $10,000 to file SARs
       - Prohibiting financial institutions from maintaining correspondent accounts with foreign shell banks
       - Preventing customers from concealing their financial activities and increasing the minimum standards for customer identification at account opening
       - Establishing identification standards to verify the identity of foreign customers
       - Maintaining anti-money laundering programs including internal policies, training, and an independent audit feature
       - Providing anti-money laundering records upon request from federal agencies

  25. Patriot Act (cont.)
     • Any comprehensive response to new regulatory requirements will require CIOs to be heavily involved in implementing any recommendations coming from a compliance office
     • Data collected needs to be provided to the regulators in a single format
     • Key to success: gaining familiarity with the company’s technology infrastructure. Understand which applications create data, where data is stored, and the most efficient way to access that data

  26. Questions
