IT component of Sarbanes Oxley 90





  • Hi Michelle,
    I have to admit that it is a little bit irritating. But I try to make it a little more transparent. In parts both of you have the right view.

    1. IT is not in a SOX scope. That’s because IT itself is not a financial reporting process.
    2. Parts of the IT environment, especially those directly involved in supporting the financial reporting systems, are involved.
    3. There is a thing called general IT controls on which all the other/application controls rely (e.g. user authorization, access controls, archiving and so on). These are also within the SOX scope. You may refer to www.itgi.org; there is a document available called IT Control Objectives for SOX.
      Enjoy…


  • Thanks for your take on things… however, my client could go out of business overnight if there were just a few hours of downtime of their IT systems, so shouldn’t I evaluate the viability of their systems as part of the SOX audit, as they are so key to the financial viability of the company?



  • Your concerns are reasonable. As far as Sarbanes is concerned, all key internal controls are part of the scope for 404 compliance.
    More obvious key controls are finance related. However, other key controls are sometimes operational and sometimes IT related.

    1. As long as your IT system contributes to Origination, Accuracy and Completeness of the Financial Reporting, those systems and related processes are under the scope of the Sarbanes audit.
    2. COSO is an endorsed standard for Sarbanes. As part of Risk Assessments within COSO guidelines, your critical systems and processes need to be audited, evaluating the risk, exposure and the impact on the company’s ability to operate normally.
      I am an Internal Auditor with a large CPA firm and understand both sides, IT and Financials.
      Let me know if I can be of further help.
      Madhav Vedula
      audit_pro_at_yahoo.com


  • Still - the downtime of an IT system, even if it is essential to the business, represents ‘only’ a so-called operational risk.
    The company can be bankrupt, as long as it is stated correctly in the financial records.
    But - for example, if the IT system represents or is collecting data essential for the billing process and you’re losing billing data while the IT system is down, you’ll have a SOX topic. That’s because if this is the case you’ll show your accounts receivable incorrectly.
    That’s why both of you are somewhat right… ;o)



  • General IT controls are definitely in scope for Sarbanes-Oxley compliance. The application controls that business processes depend on are, in turn, dependent on general IT controls around software development, access controls for both applications and data, and operational controls around proper functioning of the applications, including the numerous interfaces that typically make up an application portfolio.
    I recommend you get ‘IT Control Objectives for Sarbanes-Oxley’ from the IT Governance Institute at isaca.org.
    I am trying to put together a collaborative project on Sarbanes-Oxley compliance and would be happy to send you our project proposal.



  • Very interesting topic. Actually I have the same dilemma about the IT part in SOX compliance.



  • I’m not saying that IT general controls are not in scope.
    What I was trying to get across is that you only have to document IT general controls as far as they are related to IT systems which carry the risk of a financial misstatement.



  • Hello.
    I agree with the other posters that the IT processes that are in scope only relate to financial reporting.
    If it can adversely affect financial reporting, then it’s in scope.
    There is a huge grey area of general IT controls: UPS, firewalls, IDS, etc.
    If you are using a COBIT or COSO framework for evaluation, I think you will find these to be in scope for SOX, but ONLY for those systems that deal with financial controls.
    Because time is so limited, a firm handle on scoping is extremely important. Beware scope creep.
    However, document any weak spots you come across during your assessments and bring them to IT management’s attention.
    Some we have decided to fix because the fixes go along with code changes that are in scope for SOX, etc… Some we put on our post-SOX-compliance to-do list.

