Dot.com Compliance
According to SEC regulations, an outsourced business process is no different from one handled internally. If a regulatory filer depends on a system or process that affects financials, security or controls, the filer is responsible for ensuring that the company providing the outsourced process and licensed technology is managed accordingly.

The corollary, of course, is that service providers who have publicly registered companies as customers must prepare for requests for information concerning their "management of internal controls." If the system, process and responsible people fall under Control Environment and Risk Assessment (the first two components of the SEC's de facto COSO framework), then a risk audit is required.
Here is a sample list of activities for which regulatory filers must be accountable:
- Cash Management;
- Processing Accounts Receivable/Payable;
- Payroll;
- Capital Expenditure Processing;
- Fixed Asset Management;
- Purchasing;
- Inventory Management;
- Technology Management;
- Safety;
- Marketing & Sales;
- Financial Reporting.
Regulatory filers may want to visit their technology providers to test controls, see an audit report or review a recent SAS 70 (Type 2) report, which documents the design and operating effectiveness of the internal controls over financial reporting. Some regulatory filers may require a proper Section 404 evaluation, with an accompanying CEO and CFO attestation.

If you are a technology provider to a regulatory filer, consider the following:
Q. When must the written risk audit report be completed?

A. This depends on your customers' fiscal year end.

Q. If we have a recent SAS 70 (Type 2) audit, is the scope adequate to meet the needs of customers' auditors?

A. Seek an opinion from an independent technology risk auditor.

Q. Our customer wants to conduct an evaluation. How do we prepare?

A. Become experts in COSO, the de facto framework for evaluating management of internal controls. Or hire an independent technology risk auditor who is an expert in COSO.

Q. We have never heard of an SAS 70 audit or a Section 404 evaluation of management of internal controls. What should we do?

A. First ascertain whether your company has the resources to handle the additional requests that result from these regulations. If not, assign the task to an independent technology risk auditor.
Team ßetaWatch International offers management of internal controls services, which provide assurance regarding the achievement of effective and efficient operations and compliance with applicable laws and regulations. BetaWatch has expert knowledge of the International Organization for Standardization's ISO 9126, a worldwide standard for software-product evaluation and quality, and is expert in COSO and SEC-mandated evaluation criteria. http://betawatch.com/Sarbanes-Oxley-Primer

BetaWatch provides a technology risk audit service that allows stakeholders to gain control over the risk-management process. This enables the board of directors and the audit committee to comply with higher standards of governance and to identify appropriate accountability measures.