Sarbanes-Oxley
Welcome to the world of technology audit enthusiasts
This is the third biweekly issue of BetaWatch's Sarbanes-Oxley Primer. We understand the challenge you all face: keeping up with the stringency expected by stakeholders and the feds while maintaining a focus on your day-to-day operations. We hope you will find this free e-note to be a quick, informative read.
Why COSO?
Intended to provide a common understanding of, and standards for, internal control among stakeholders, and to help C-level executives exercise control over an enterprise, the COSO Framework evaluates hard controls, such as segregation of duties, as well as soft controls, such as the competence and professionalism of employees.
The consensus among auditors is that Sarbanes-Oxley section 404 assessments should use the COSO evaluation criteria, because COSO is a process that provides assurance regarding the effectiveness and efficiency of operations and compliance with applicable laws and regulations.
The COSO triangle illustrates the way an organization is best managed. Its components are the evaluation criteria used to measure internal control. Working from the base to the tip, the evaluation criteria are: 1) Control Environment, 2) Risk Assessment, 3) Control Activities, and 4) Monitoring. Wrap these principles with Information and Communication and you are ready for section 404 Sarbanes-Oxley internal controls attestation.
The first volume of this Primer explains COSO evaluation criteria.
Documenting + Testing = Controlling
Since the end of paper ledgers, business operations are effectively virtual unless they are documented, verified and validated. We have observed that most organizations do have some sort of documentation, albeit in a drawer, not modified since the last upgrade, or in an employee's mind. To achieve compliance, look to the foundation of internal controls and financial reporting -- that is, the systems and software run by IT departments.
COSO Control Activities
The third layer of the COSO evaluation criteria, above Risk Assessment, is Control Activities. IT runs the systems that manage internal controls and is responsible for providing consistent and formal documentation to auditors. Only when auditors know the control activities can they complete the risk assessment.
http://betawatch.com/sarbanes-oxley-primer/v1issue2.htm#cont
Auditors can begin with a Visio diagram of the IT systems that support internal control and financial reporting. Policies and procedures, as directed by management, are to be comprehensively written by IT and tested by a third-party auditor. For your reference, we have listed below some of the software- and system-related documentation and testing activities that are consistent with COSO Control Activities.
Sample Checklist (vital to mitigating risk)
1) Knowledge, Information, and Data Management Controls -- people, process, and system must be documented; the processes and systems include data center setup, scheduling, backup and recovery procedures, and disaster recovery.
2) Best Practice Technology, Product, Process and Service Controls -- implementation and maintenance of systems and software, database management, telecommunications, security utilities.
3) Security Controls -- separation of programmers and transactions, transaction authorization, VPN, firewall, encryption, authentication.
4) HTTP Controls -- thresholds and tolerances.
5) Reporting Controls -- forty-eight hour snapshot on knowledge dashboard.