Computer Forensics, Business Intelligence and Sox 494



  • Yes, we are focused on documenting internal controls, trying to meet the compliance deadlines.
    Sox has also some important specific provisions that require companies to establish an internal investigation infrastructure. Very important consideration: The recovery and analysis of computer data. Companies must have the ability to acquire, analyze and preserve electronic data related to whistleblower complaints and other internal investigations.
    So, we need computer forensics tools to help identify potential cases of financial fraud and track how data is used and modified. We also need business intelligence tools to monitor ERP and e-mail systems for evidence of potential wrongdoing.
    What do you think about that?



  • So, we need computer forensics tools to help identify potential cases of financial fraud and track how data is used and modified. We also need business intelligence tools to monitor ERP and e-mail systems for evidence of potential wrongdoing.
    What do you think about that?
    This is above and beyond.



  • Well, we have SOX in place to avoid all these bad things… but:
    Internal auditors and consultants search for shredders… at the same time, sensitive information travels to the competitor in a number of ways…
    Do we just need compliance paperwork or results? :roll:



  • This is completely off the track… and has absolutely nothing to do with sox.



  • Holger, I agree with you. You are absolutely right. I just want to share with you some of my thoughts. I don’t like just to ‘work’ but I need to see results. 😉
    This is completely off the track… Yes.
    But, has it to do with SOX?
    Section 404 – Management Assessment of Internal Controls
    Requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business processes.
    It’s too much… I know that, but next Enron will not do exactly what the previous one did.
    A last word
    ‘Moreover, if companies view the new laws as opportunities to improve internal controls, improve the performance of the board, and improve their public reporting they will ultimately be better run, more transparent, and therefore more attractive to investors.’
    William Donaldson, SEC Chairman
    Is there any hope?



  • Section 404 – Management Assessment of Internal Controls
    Requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business processes.
    Hang on a second George. That’s not what Section 404 says, that’s an interpretation. Furthermore, I would interpret what you’ve put there as a requirement to assess IT General Controls.
    What you are saying is interesting and has value, but let’s be clear that this is not SOX. There is confusion enough out there without adding to it.
    For the record, this is the entirety of section 404
    SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
    (a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall–
    (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
    (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
    (b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.



  • Yes, Denis, there is confusion enough out there. I have no intention to add to it.
    But, when I read (404)

    1. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
      it is not clear, and it is not easy to interpret it and be sure that you did what was needed.
