Sarbanes-Oxley
Welcome to the world of technology audit enthusiasts
This is the fourth biweekly issue of BetaWatch's Sarbanes-Oxley
Primer. We understand the challenge that you all have to keep up
with -- the stringency expected by stakeholders and the feds --
while maintaining a focus on your day-to-day operations. We hope you
will find this free e-note to be a quick, informative read.
COSO
Conventional wisdom holds the framework set out in the COSO
Report to be the best guidance for compliance with section 404 of the
Sarbanes-Oxley Act. COSO provides universal definitions of risk and
internal control.
The COSO triangle illustrates the way an organization is best
managed. Its components are the evaluation criteria used to
measure internal control. Working from the base to the tip, the
evaluation criteria are:
1. Control Environment,
2. Risk Assessment,
3. Control Activities, and
4. Monitoring.
Wrap these
principles with Information and Communication, and you are ready
for section 404 Sarbanes-Oxley internal controls attestation.
The first volume of this Primer explains COSO evaluation criteria.
This issue describes COSO Monitoring.
MONITORING
Performance monitoring is the only process that lets management
assess the quality of a department's performance over time. COSO
monitoring combines ongoing supervision with separate evaluations,
in which the auditor assesses the monitoring effort itself and
initiates correction of the deficiencies it finds. Its key components
are the following evaluations, with the context and an example for each:
| Evaluation | Context | Example |
| System | Effectiveness of the internal control systems, processes and procedures | Supporting documentation and follow-up to fill the gap |
| Processes | Risk Assessment procedures (see Sarbanes-Oxley Primer, v1.2) | Written risk policies |
| People | Effectiveness assessment of the organization structure | Who needs what information from whom to do their jobs |
To comply with COSO monitoring, you will need a system to record
continuous monitoring activities and an analysis tool. Microsoft
Access and other SQL-based relational databases are the traditional
choice for recording and querying control monitoring data.
PHASES OF SYSTEM MONITORING
1. Define goals and performance measurement indicators.
2. Ongoing monitoring, a continuous supervisory function.
3. Periodically review system-related risks and opportunities.
4. Corrective actions: minimization of adverse effects, refinement of goals and measures, refinement of policies and standards.
5. Reporting of all phases of the monitoring process, including subsequent actions, is an essential part of the control cycle.
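As an added illustration of the recording system and analysis tool called for above, and of phases 4 and 5 of the cycle, the following SQL sketches a minimal control monitoring log and two queries over it. This is not part of the Primer and not a BetaWatch or COSO-prescribed schema: the table names, column names, control identifiers and dates are assumptions, and the sample rows are constructed.

```sql
-- Added example: a minimal control-monitoring log. Table and column
-- names are assumptions, not a BetaWatch or COSO-prescribed schema.
CREATE TABLE control_test (
    test_id          INTEGER PRIMARY KEY,
    control_id       TEXT NOT NULL,   -- e.g. 'AP-03' (assumed identifier scheme)
    control_owner    TEXT NOT NULL,
    tested_on        DATE NOT NULL,
    tester           TEXT NOT NULL,   -- who produced the evidence (dictum 3: verifiable)
    evidence_ref     TEXT NOT NULL,   -- pointer to supporting documentation
    result           TEXT NOT NULL CHECK (result IN ('effective', 'deficient')),
    deficiency_note  TEXT
);

CREATE TABLE corrective_action (
    action_id   INTEGER PRIMARY KEY,
    test_id     INTEGER NOT NULL REFERENCES control_test(test_id),
    action      TEXT NOT NULL,
    owner       TEXT NOT NULL,
    due_on      DATE NOT NULL,
    closed_on   DATE                  -- NULL while the action is still open
);

-- Constructed sample data.
INSERT INTO control_test VALUES
  (1, 'AP-03', 'A. Payables', '2004-03-01', 'J. Auditor', 'WP-0310', 'effective', NULL),
  (2, 'GL-07', 'B. Ledger',   '2004-03-02', 'J. Auditor', 'WP-0311', 'deficient',
      'Journal entries posted without second approval'),
  (3, 'IT-12', 'C. Sysadmin', '2004-03-05', 'K. Auditor', 'WP-0312', 'deficient',
      'Terminated user accounts still enabled');

INSERT INTO corrective_action VALUES
  (1, 2, 'Enforce dual approval in GL posting workflow', 'B. Ledger', '2004-03-20', '2004-03-18'),
  (2, 3, 'Reconcile user list against HR terminations',  'C. Sysadmin', '2004-03-15', NULL);

-- Phase 4 (corrective action): deficiencies whose action is still open
-- past its due date as of the reporting date. Returns the IT-12 row only.
SELECT t.control_id, t.deficiency_note, a.action, a.owner, a.due_on
FROM control_test t
JOIN corrective_action a ON a.test_id = t.test_id
WHERE t.result = 'deficient'
  AND a.closed_on IS NULL
  AND a.due_on < '2004-03-31';        -- reporting date; parameterise in practice

-- Phase 5 (reporting): per-control status for the period, showing tests
-- run, deficiencies found and corrective actions closed.
SELECT t.control_id,
       COUNT(DISTINCT t.test_id)                                   AS tests,
       SUM(CASE WHEN t.result = 'deficient' THEN 1 ELSE 0 END)     AS deficiencies,
       SUM(CASE WHEN a.closed_on IS NOT NULL THEN 1 ELSE 0 END)    AS closed_actions
FROM control_test t
LEFT JOIN corrective_action a ON a.test_id = t.test_id
WHERE t.tested_on BETWEEN '2004-01-01' AND '2004-03-31'
GROUP BY t.control_id;
```

Keeping the evidence reference and tester on every row is what makes the monitoring record verifiable; keeping the corrective action in its own table, with an explicit due and closed date, is what turns a finding into something the status report can track to closure.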
BETAWATCH'S COSO
MONITORING DICTUMS
1. Audit must be acceptable to those being monitored.
2. Audit cannot interrupt daily work.
3. Information from the monitoring process must be accurate and verifiable.
4. Monitoring findings must enable corrective action.
5. Monitoring must be adaptable, so that it provides accurate and relevant information in a changing environment.
STATUS REPORTS
There also must be regular status reports on the extent to which
planned objectives have been achieved, performance targets met and
risks mitigated. This is a great opportunity to strengthen systems
and processes. System monitoring is the process of observing what
is happening and comparing it to a previously set standard.
In this biweekly, we have only described the details of system
monitoring. For more information and help in Sarbanes-Oxley
section 404 compliance, please call Temi Grafstein at
1.866.638.2382 or write to tgrafstein@betawatch.com