INFORMATION
Published: Nov 07, 2005
Length: 16 pages
Type: White Paper

Overview:

Achieving and maintaining compliance with the general IT controls specified in Section 404 of Sarbox involves far more than just establishing rigid control over various processes and access to information. It requires merging people, processes and technology into a unified, enterprise-wide compliance effort. This white paper from BMC Software discusses these topics and how to use technology to help meet General IT Control Objectives. |

Related Categories: Compliance, Desktop Management, IT Management, Sarbanes Oxley Compliance, Service Management

404 Compliance: Prompted by the corporate financial scandals of recent years, the Sarbanes-Oxley Act of 2002, commonly known as "Sarbox", is one of the most significant revisions to U.S. federal securities laws. Deadlines for Sarbox compliance, and the subsequent company audits, are fast approaching. Publicly traded U.S.-based companies must now be prepared to address Sarbox requirements, including Sarbox-compliant IT control processes, which could alter the claims that corporations make in upcoming annual reports. Companies must ensure their financial processes comply with Sarbox legislation, and senior executives must attest to the adequacy and effectiveness of their internal control over these processes. Many companies, however, are not fully prepared for their audits. Without proper guidance, any employee could unwittingly violate Sarbox requirements, putting the company in jeopardy.
Achieving and maintaining compliance with the general IT controls specified in Section 404 of Sarbox involves far more than just establishing rigid control over various processes and access to information. It requires merging people, processes and technology into a unified, enterprise-wide compliance effort.
From a people perspective, compliance requires the philosophical adoption of the Sarbox legislation across the enterprise. This involves instilling a sense of ownership in every individual who has access to records that affect the company's ability to attest to and validate that the data it provides is accurate, whether or not an individual's access has been deemed significant.
With respect to processes, compliance with Section 404 requires companies to establish processes and controls that ensure requirements are met and that readily demonstrate compliance. The interpretation of Sarbox is somewhat open, providing the flexibility to create processes that maintain compliance while still allowing efficient and profitable operations.
Finally, supporting technology is required to implement and enforce standard processes and to monitor and report on compliance.
It is important to note that Sarbanes-Oxley Section 404 compliance involves continuous assessment and continuing education. Assessment helps ensure that compliance is maintained; education helps keep compliance firmly at the forefront of each employee's mind.
Because most corporate financial processes are supported by information technology (IT) systems and the business processes related to those systems, the IT staff plays a primary role in Sarbox compliance. This paper focuses on Sarbanes-Oxley Section 404 compliance from the perspective of the IT organization, although it also reviews some of the Sarbox-related responsibilities pertaining to general IT controls for people in other functional areas of the business. It presents guidelines for ensuring the awareness and adoption of the Sarbox philosophy by IT.
This paper also discusses the appropriate IT control framework for implementing processes to help achieve Sarbox compliance with general IT controls, and the criteria for selecting software solutions to implement the framework.
Section 404 of Sarbox has the greatest relevance and impact for IT. This section deals with the general IT controls that maintain the integrity of the processing and reporting of financial data. According to Section 404, a company must attest to the adequacy and effectiveness of its internal controls over financial reporting. As shown in Figure 1, external auditors review current process and control documentation against specific IT control objectives at three levels:
- Organization level: At this level, the auditor reviews control objectives related to the overall IT organization and structure. Discovering a lack of controls at this level may cause an auditor to dig deeper at the other levels.
- Entity level: At this level, the auditor looks at the corporate organizational structure and scopes the control requirements based on the division of processes and responsibilities within each business unit, the division of processes and responsibilities by geography, and an assessment of third-party service providers' processes and responsibilities.
- Process level: At this level, the auditor evaluates the process documentation that defines control objectives in three primary areas: application integration controls, application and data owner controls, and general IT controls.
This paper focuses on general IT controls because such controls can relieve a company of the need to prepare additional documentation and compensating controls for SOX 404 compliance.