Resource question.


  • SOX requires that a company has control over their financial statements, their disclosures and the processes related to those. Therefore you need a functioning control environment. SOX suggests that you implement COSO and for IT purposes a reduced CoBIT. There is a PDF on ISACA’s / ITGI’s website called IT Control Objectives for Sarbanes-Oxley which I suggest you should read. Please don’t underestimate the effort for documenting and testing the IT Controls. You should also get in contact with the IT Auditors of your ext. Audit Firm.



  • Holger --
    Thanks …
    That is the main title of the one I read, why I did not type that rather than the mess of stuff I did is beyond me. :oops:
    The more I read on this, the more confused I am getting. I just hope I am going down the right path. Our company set up a list of risks and from what I gather I just have to ‘answer’ how we are approaching them. However, I am not 100% sure how much documentation we need both electronic and hard copy. We are also questioning what we need in the way of Program change documentation.
    Thanks again…
    angi



  • The logic for determining the work required on IT controls is (VERY briefly) as follows:

    1. The project needs to look at the Company’s financial statements and how those are built up and go through a process to determine SIGNIFICANT ACCOUNTS, based on materiality and risk, such as Turnover, Inventory and Accounts Payable.
    2. It then needs to consider the BUSINESS PROCESSES that affect those significant accounts, e.g. purchase to pay, inventory valuation.
    3. In evaluating business processes (using a framework such as COSO) a number of FINANCIAL STATEMENT ASSERTIONS will be made and CONTROLS need to be identified to address those assertions. Those controls will have a variety of characteristics including whether they are AUTOMATED or MANUAL. Additionally, there should be identified a subset of controls which need to be tested; these are KEY CONTROLS.
    4. Where KEY CONTROLS are AUTOMATED then the IT systems on which those controls are dependent need to have GENERAL COMPUTER CONTROLS evaluated; these are evaluated using a framework such as COBIT, which is where the paper that you refer to comes in.

    It is probably only step 4 that you need to be concerned with to ‘do the IT side’ but steps 1-3 also determine the scope of your work. As a starting point I would look for the following from your project team:

    5. A list of automated key controls identified within the business processes and the systems on which they are dependent, and thus
    6. Agreement on the specific systems that are in scope for IT review.

    If a system has a small number of key controls depending on it you may want to have a discussion on whether it is more effective to find alternative manual controls than to test the system.


  • OK, now I feel like I am about to ask a dumb question. (‘The only dumb question is the one not asked.’ Right?) :oops:
    COBIT and COSO - are they ‘software’ packages that need to be installed? I thought they were strategies or guidelines to follow. (See how unprepared I am.)
    Is the ‘IT control objectives for Sarbanes-Oxley’ from the IT Governance Institute only going to help if we use one of these?
    Are both CobiT and COSO for the IT side? We are all split into groups doing our own thing. I am waiting for a Template that one of the IT managers from another site is to give me to follow, but that has been coming since before I got involved last week.
    I AM SO CONFUSED… 😞



  • You are right that the only dumb question is the one you don’t ask. 😉
    COSO and COBIT are not software packages and they are something more than guidelines.
    COSO is an organisation, coso.org, which has produced a framework (i.e. methodology) on internal control that has been in existence for approx. 20 years. This framework is specifically referenced by the SOX rules - it basically says that a Company in evaluating its system of internal control should use a suitable framework, such as COSO - hence COSO is the de facto standard.
    COBIT isaca.org/Template.cfm?Section=COBIT6-and-Template=/TaggedPage/TaggedPageDisplay.cfm-and-TPLID=55-and-ContentID=7981 is a framework for evaluating IT Controls.
    The paper ‘IT Control Objectives for Sarbanes-Oxley’ maps COBIT control objectives to COSO - facilitating the use of COBIT for the IT component of SOX.
    Bottom line is that COSO is the standard for evaluating controls overall and COBIT is the standard for evaluating IT controls.



  • Not that this will make you feel better, but I’ve been working on the Sarbanes documentation and changes to our internal IT processes for several months, and I still don’t feel like I’ve got a handle on everything that is likely to come up during the audit. And we’ve had some advice from consultants to help us.
    I’m not sure how a single person with a month or two of time can produce all the needed documentation of processes, even if you already understood what was required and had perfect processes in place (and if you did, they’d probably already be documented…)
    My point is, you should probably tell your management you need more guidance and more help.
    We have a pretty small IT department (20 people total), and we’re struggling to cope with the demands of the Sarbanes process. We’re applying all the resources we can to deal with it, between documenting our processes and coming up with new, better controlled, processes that will pass an audit.



  • Thank you SOO much.
    I am sure I will have more questions as I get more into this web known as SOX.
    I am so happy I found this forum.
    😄
    angi



  • You’re welcome and good luck



  • You should be aware that there won’t be a ready-to-use checklist. SOX requires you to aim at the Controls within your financial statements environment. How you will accomplish that is up to you. They only point out some helpful frameworks.
    As to your list of risks: I would look closely at them and measure if they really impact the financial statements. If so, I would add assertions to those risks, to show that you made a link to COSO. After that you go to the process documentation. That’s to enable you to show what your key controls in the process are and where they reside within the process. Then you go back to your risk template and add the key controls to the identified risks to show that you meet all of your assertions.
    After that the Testing starts.
    Have fun…



  • Hi there,
    What you need to do is to look at SoX from a business perspective. You do not need to be an IT guru to implement COBIT.
    Regards
