A survival guide
White paper
documentation that Section 404 of Sarbanes-Oxley requires, and they can also lower the cost of
compliance in years to come.
The effect of Sarbanes-Oxley: Legal liability for the CEO and CFO
The goal of the Sarbanes-Oxley Act is to restore confidence in the public markets, following a series
of high-profile accounting scandals. Sarbanes-Oxley does this by:
Requiring that a documented system of checks and balances is in place
Requiring that a company's CEO and CFO formally attest to the accuracy of financial statements
and the systems and processes that underlie them
Mandating complete transparency in corporate governance
Simply put, Sarbanes-Oxley is designed to make company executives legally responsible for the
accuracy of the financial statements in their annual reports. In addition, Section 404 of
Sarbanes-Oxley says that the annual report must contain an internal control report, which documents the
company's control structure and procedures for financial reporting and assesses the effectiveness of
those controls and procedures.
It is Section 404 of Sarbanes-Oxley that has the most relevance for the IT professional.
Independent auditors evaluate both preventive and detective types of controls in order to validate
that there are no control deficiencies that present more than a remote likelihood that a material
weakness exists. Preventive controls are those designed to keep errors and omissions from happening,
while detective controls are designed to find and correct errors and omissions after they happen.
Implementing a process for forwarding significant infrastructure changes to the internal Change
Advisory Board for review and further documentation
IT asset management
A fully-implemented IT asset management practice helps safeguard IT assets that can have a material
effect on financial statements while also representing the financial value of those assets more
accurately. Because IT asset management addresses the full lifecycle of technology assets from both
an operational and financial point of view, asset value can be updated based on key events:
Acquisition
Deployment (particularly in the area of software licensing)
Disposal
General ledger reconciliation
IT asset management provides complete visibility into an enterprise asset portfolio at all times:
location, ownership, status and balance sheet value. IT asset management also provides control over
software compliance, making it easy to eliminate the purchase of unnecessary licenses and to spot rogue
applications that pose significant risks to IT operations.
It is important to note that ERP systems typically do not provide the level of operational and financial
granularity required to maintain an accurate view of current asset value. By implementing an IT asset
management practice, IT information and processes can be integrated with existing ERP processes,
creating direct links to fixed assets, procurement and human resources. This integration provides the
detailed financial information and documented processes critical to financial managers.
IT asset management can also help in risk assessment and control activities required by PCAOB. As
such, IT professionals should leverage the capabilities of IT asset management for proper
Sarbanes-Oxley 404 compliance.
3. Control activities. These are the policies, processes and procedures that address control
weaknesses and mitigate the identified risks.
4. Information and communication. Data gathered by the control activities must be processed
and communicated across the enterprise so that reports can be prepared, individuals can
properly discharge their responsibilities, and the tone at the top can be reinforced.
5. Monitoring. Internal control systems must be monitored and evaluated continuously for
maximum effectiveness. Such monitoring should be an integral part of how these control
systems are designed.
The COSO framework is mentioned extensively in the PCAOB's auditing guidelines. In fact, in many
cases the PCAOB simply refers to it as "the framework," an indication of its perceived importance.
Given the PCAOB's attitude toward COSO, chances are that an auditor will use the framework.
Therefore, IT professionals should be aware of COSO and the framework.
The following table shows some of the specific tasks required for using change management and IT
asset management practices to support the five components of the COSO framework.
COSO Component | Activity
Asset Library) and ISO 17779 generally refer to Control Activities (COSO component #3): they help
define the controls that are in place and identify control weaknesses.
These control frameworks are not designed to be alternatives to COSO; rather, they work within the
COSO framework for compliance in their specific areas. COBIT deals with overall IT processes, ITIL
covers IT service and software asset management and ISO 17779 addresses security.
For instance, ITIL processes are well-known and accepted, so the implementation of a set of change
management controls specified by ITIL would likely satisfy an auditor checking for Sarbanes-Oxley
404 compliance relating to control activities.
The following table shows the specific objectives, risks and activities involved in implementing
COSO-related controls and documentation using IT asset management.
Owner of control | VP, IT Asset Management | VP, IT Asset Management | VP, IT Asset Management
Illustrative objective | IT assets are procured using corporate guidelines and are accounted for accurately | Copies of software are procured using corporate guidelines; software licenses are accounted for accurately | IT assets are disposed of using corporate guidelines
Information and communication | Communicate the resulting data and documentation to everyone concerned | Communicate the resulting data and documentation to everyone concerned | Communicate the resulting data and documentation to everyone concerned
Monitoring | Monitor performance and make necessary adjustments | Monitor performance and make necessary adjustments | Monitor performance and make necessary adjustments
Summary
For CIOs and other IT professionals, taking a "wait and see" attitude about Sarbanes-Oxley
compliance is no longer an option. The time to act is now. Section 404 compliance, as defined by
the PCAOB auditing standards, is the most critical Sarbanes-Oxley issue facing large companies and
their IT organizations.
In order to meet the PCAOB's compliance standards, companies must:
Exhibit controls over the IT components that make up financial reporting systems
Safeguard IT assets, particularly if those assets make up a significant percentage of total capital
assets
Sarbanes-Oxley and the PCAOB standards clearly justify implementing strong general IT controls,
such as change management and IT asset management. Implementing these controls delivers benefits
that go far beyond simply surviving a Sarbanes-Oxley audit. They provide opportunities for improving
processes and reducing costs, redundancies, complexity and waste.
As a blueprint for implementing these controls, the PCAOB has virtually mandated using the COSO
framework. Through COSO, companies can establish a comprehensive and interrelated set of
controls that are fully integrated into the management process and monitor the effectiveness of
business operations.
The COSO framework's five basic components are:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
Other frameworks, such as COBIT, ITIL and ISO 17779, can work in conjunction with COSO to
demonstrate control activities.
Finally, meeting the Sarbanes-Oxley 404 compliance standards is the most likely way to avoid
auditing issues. But it's also important to follow the spirit of the law: the government wants to see
proper controls and wants to see that companies are adopting the PCAOB standards as a part of their
culture. This is most clearly reflected by the "tone at the top," management's consistent communication
of its commitment to the process.