国外简约大气的PPT模板

TheImportanceofITControlsto

Sarbanes-OxleyCompliance.

1ImportanceofITControlstoSarbanes-OxleyProvideahigh-leveloverviewofSarbanes-OxleyandtheinternalcontrolcertificationrequirementsDiscusstheimportanceofinformationtechnologyininternalcontroloverfinancialreportingDescribehowtheSarbanes-Oxleysection404rulesimpactinformationtechnologyProvideanoverviewoftheCobitITcontrolframeworkProvideanexampleofareadinessprogramroadmapSummarizetheimportanceandimpactofITcontrolstoSarbanes-OxleycomplianceToday’sObjectives2ImportanceofITControlstoSarbanes-OxleySettingtheStage3ImportanceofITControlstoSarbanes-OxleySettingtheStageWhatisinternalcontrol?Internalcontrolisbroadlydefinedasaprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,designedtoprovidereasonableassuranceregardingtheachievementofobjectivesinthefollowingcategories:EffectivenessandefficiencyofoperationsReliabilityoffinancialreportingCompliancewithapplicablelawsandregulationsInternalcontrolisnowtheLawTheSarbanes-OxleyActof2002wascreatedtorestoreinvestorconfidenceinthepublicmarketsSection404oftheActrequiresmanagementtoestablishandmaintaininternalcontrol–andrequirestheindependentauditorstoevaluateCompliancedeadline:Year-endsonorafterNovember15,2004PreparingforSarbanes-OxleycomplianceisasignificantandchallengingtaskTherearemanyrequirements,includingtheidentificationofsignificantfinancialstatementaccounts,processesandsystemsthatsupportthemandthendocumentingandtestingthem4ImportanceofITControlstoSarbanes-OxleyOverviewofInternalControlCertificationRequirementsSection302CertificationOverview

CEOandCFOtomakespecificcertificationsasoftheendofeachquarterlyandannualreportingperiod,including:ReportcontainsnountruestatementsReportisfairlypresentedinallmaterialrespectsResponsibilityfordesignandmaintenanceofdisclosurecontrolsandproceduresaswellasinternalcontrolsoverfinancialreportingBecameeffectivein2002(amendedinJune2003)Section404CertificationOverview

CEOandCFOtocertifyasoftheendofeveryannualreportingperiod:TheirresponsibilityforestablishingandmaintainingeffectiveinternalcontrolsoverfinancialreportingTheirassessmentofinternalcontrols,accompaniedbytheindependentauditors’attestationreportEffectiveforannualperiodsendingafterNovember15,2004(smallbusinessandforeignfilersJuly15,2005).5ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoIT

6ImportanceofITControlstoSarbanes-OxleyUnderstandingtheRulesImpacttoITManagementisrequiredtoassessthedesignandeffectivenessofitsinternalcontroloverfinancialreportingandprovideanassertiontothateffectinthepublishedfinancialstatements.Thecompany’sexternalauditorsarerequiredtoexpressanopiniononmanagement’sassessmentaswelltheirownopiniononthecompany’sinternalcontrols.Auditormustperformawalkthroughofmajorclassesoftransactionsforsignificantprocessestounderstandprocessflows,andassessthedesignandeffectivenessofcontrolsincludingapplicationandITgeneralcontrols.EvaluatethedesigneffectivenessofITcontrolstodeterminewhethertheyareproperlydesignedtoachieverelevantassertions.PerformtestsoftheoperatingeffectivenessofITcontrolsthatarenecessarytoachieverelevantassertions.KeyComplianceRequirementsImpacttoITControls7ImportanceofITControlstoSarbanes-Oxley(paragraph47)

“Theauditorshouldobtainanunderstandingofthedesignofspecificcontrolsbyapplyingproceduresthatinclude…tracingtransactionsthroughtheinformationsystemrelevanttofinancialreporting”

(paragraph73)

“Mostprocessesinvolveaseriesoftaskssuchascapturinginputdata,sortingandmergingdata,makingcalculations,updatingtransactionsandmasterfiles,generatingtransactions,andsummarizinganddisplayingorreportingdata.Theprocessingproceduresrelevantfortheauditortounderstandtheflowoftransactionsgenerallyarethoseactivitiesrequiredtoinitiate,authorize,record,processandreporttransactions.”ThePCAOBrulesareclear-auditorsmustunderstandhowtransactionsflowthroughthesystem…notarounditUnderstandingtheRulesImpacttoITcont’d8ImportanceofITControlstoSarbanes-Oxley(paragraph69)

“Theauditorshouldidentifyeachsignificantprocessovereachmajorclassoftransactionsaffectingsignificantaccountsorgroupsofaccountsand…Understandtheflowoftransactions,includinghowtransactionsareinitiated,authorized,recorded,processed,andreported.Identifythepointswithintheprocessatwhichamisstatement–includingamisstatementduetofraud–relatedtoeachrelevantfinancialstatementassertioncouldarise.Identifythecontrolsthatmanagementhasimplementedtoaddressthesepotentialmisstatements.Identifythecontrolsthatmanagementhasimplementedoverthepreventionortimelydetectionofunauthorizedacquisition,use,ordispositionofthecompany'sassets.

PCAOBstatementsapplicabletoApplicationControls:UnderstandingtheRulesImpacttoITcont’d9ImportanceofITControlstoSarbanes-Oxley (paragraph40)

“Determiningwhichcontrolsshouldbetested…Generally,suchcontrolsinclude…informationtechnologygeneralcontrols,onwhichothercontrolsaredependent” (paragraph50)

“Somecontrolshaveapervasiveeffectontheachievementofmanyobjectives…forexample,informationtechnologygeneralcontrolsoverprogramdevelopment,programchanges,computeroperations,andaccesstoprogramsanddata”PCAOBstatementsapplicabletoITGeneralControls:UnderstandingtheRulesImpacttoITcont’d10ImportanceofITControlstoSarbanes-OxleyTheImportanceof

InformationTechnologyinInternalControloverFinancialReporting

11ImportanceofITControlstoSarbanes-OxleyFormostorganizations,ITispervasiveandcriticaltothefinancialreportingprocessFinancialandroutinebusinessapplicationsarecommonlyusedtoinitiate,authorize,record,processandreporttransactionsRelevantITcontrolsincludeapplicationcontrols-thosethatareembeddedinfinancialandbusinessapplicationsgeneralcomputercontrols–underlyinginfrastructurecomponentsthatsupporttheapplicationsStatementsmadebythePublicCompanyAccountingandOversightBoard(PCAOB)ontheimpactofIT(paragraph75):

“Thenatureandcharacteristicsofacompany'suseofinformationtechnologyinitsinformationsystemaffectthecompany'sinternalcontroloverfinancialreporting”TheImportanceofInformationTechnology(IT)inInternalControloverFinancialReporting12ImportanceofITControlstoSarbanes-OxleyApplicationControlsSoDDataintegrityCompletenessValidationGeneralComputingControlsInformationSecurityOperationsDatabaseImpl.&SupportNetworkSupportBusinessProcessClassesofTransactionsSalesReturnsWriteoffsSignificantAccountBalanceBalance

Sheet(A\R)Income

StatementG/LInventoryOtherA\RMgtProcessFCRPSalesProcessProcessStagesInitiateRecordProcessReportApplicationImpl.&Maint.SystemSoftwareSupportTheRoleofInformationTechnologyinInternalControloverFinancialReportingcont’d13ImportanceofITControlstoSarbanes-OxleyAccountbalance:TradeA\R,SalesClassesofTransactions:Invoices,SalesordersBusinessProcess:A\R,SalesOrderprocessesProcessStages:Initiate,record,processApplicationControls:AccesscontrolsBuiltinlimitsforcreditapprovalRestrictedaccesstopricingtableGCCControls:ProgramchangeOperationsNetwork&systemsecurityLinkAccountsandAssertionstoIT:AnExample

Customer

order

entry

AccountsReceivable

Invoicecontrols

SAP,Oracle,OtherApplicationsGeneralcomputingcontrolscoversecurityaccess,changemanagement,operations,systemsandnetworksupport,dataretention,etc.OrderProcessingOrder&suppliercontrolsSales

Sub-processCustomercontrolsITInfrastructureNetworksSystemSoftwareDatabasesandInformationSecurityApplicationcontrolscoverauthorizedchanges,segregationofduties,validity,completenessandtimelinessofreportingoffinancialinformation.14ImportanceofITControlstoSarbanes-OxleyCobitITControlFrameworkOverview15ImportanceofITControlstoSarbanes-OxleyCOBIT–AModelforGeneralComputerControlsTheITGovernanceInstitute(www.ITGI.org)hasrecentlypublished“revised”guidanceforITprofessionalsonhowtoaddressSarbanes-OxleyfromanITperspective–April2004“Sarbanes-Oxley;Theimportanceofinformation

technologyinthedesign,implementationand

sustainabilityofinternalcontrol”Thepublicationistheresultofa

jointeffortofindustryandauditors,

withleadershipfromDeloitteandothersTheITGIisarecognizedgloballeaderinITgovernance,controlandassurancewithmembersinmorethan100countries16ImportanceofITControlstoSarbanes-OxleyPCAOBdesignatesCOSOastheprescribedstandardcontrolframeworkandhasbecomethecontrolframeworkofchoiceforSOXcomplianceAll5layersmustbeconsideredwhenevaluatinginternalcontrolHowever,COSOdoesnotprovidespecificguidancearoundITcontrol.CobiTisawidelyacceptedITcontrolframework(ITGI)CobiTprovides4domainsofITcontrolCobiTcontrolsaddressthe5layersofCOSOWiththedevelopmentofthisapproach,organizationscanbeconfidentthattheyaretakinganapproachthatreflectsCOSOrequirementsCOBIT–AModelforGeneralComputerControlscont’d17ImportanceofITControlstoSarbanes-OxleyTheITGIpublicationprovidesguidancetoITprofessionalsonhowtomeettheSarbanes-OxleychallengeDetailedcontrolobjectivesareprovidedforeachCobiTdomainandmappedtotheirrespectiveCOSOcomponentOthercontrolguidelineswerereviewedandreconciledtothisapproachduringthedevelopmentprocess,includingISO17799,CommonCriteria,ITIL,andSysTrustOrganizationsshouldassesstheirrequirementsonanindividualbasisandtailortheirapproachaccordinglyCOSOComponentsCobiT

ObjectivesCOBIT–AModelforGeneralComputerControlscont’d18ImportanceofITControlstoSarbanes-OxleyTheCobiTSOAframeworkidentifiedasub-setoftheseareasforthepurposeoffocusingonSOArequirementsCompanylevel:Planning&Organizing/MonitoringCOBIT–AModelforGeneralComputerControlscont’dPlanning&OrganizationITStrategicPlanningITorganizationandrelationshipsManagementofhumanresourcesEducateandtrainusersInformationarchitectureCommunicationofmgmtaimsanddirectionAssessmentofrisksManagetheITinvestmentManageprojectsMonitoringCompliancewithexternalrequirementsManagementofqualityEnsurecontinuousservicePerformanceandcapacityMonitoringAdequacyofinternalcontrolsIndependentassuranceInternalauditActivitylevel:AcquisitionandImplementation/DeliveryandSupportProgramDevelopment(SDLC)ProgramChangesComputerOperations(scheduling,backup,problemmanagement)Accesstoprogramsanddata(applications,database,operatingsystem,network)19ImportanceofITControlstoSarbanes-OxleyTop5List–404ITControlsRequirementsSecurityApplicationandplatformbasedFocusedonapplicationsthatmayimpactfinancialsandsupportinginfrastructureRequiressecureoperatingsystems,database,network,firewallsandinfrastructureAuditorswilllookforexcessiveaccess;lackofsegregationofduties;inadequateapprovalofaccess;theywillbetestingkeyprocessestodeterminethattheyareeffectiveChangeControlNeedtoensurethatproceduresareinplacetocontrolandensureproperapprovalofchangestoproductionTechnicalcontrolsmusttightlylimitandcontroldeveloperaccesstoproductionDisasterRecoveryFocuswillbeonbasicbackupandrecoverabilityoffinancialdataITGovernanceFocuswillbeondeterminingofthereareclearpolicies,procedures,andcommunicationswithinITArethereclearsegregationofduties?Istheretheappropriate“toneatthetop”oftheITorganization?DevelopmentAndImplementationActivitiesPropercontrolsneedtobebuiltinbeforeanewsystemorsystemchangesgointheproductionenvironmentAuditorsmayevaluatenewfinancialsystems;dataconversionandtestingarecritical20ImportanceofITControlstoSarbanes-OxleyMostCommonITControlGapsToRemediateChangecontrolprocessesnotfullyinplace(especiallyindistributedorwebbasedenvironments)Securityprocedures,strategies,andprofilestructuresnotdocumentedforcriticalapplications.Organizationalsecuritypolicies,procedures,androlesandresponsibilitygaps.SecurityadministrationprocedureslackappropriatecontrolsorconsistencyInadequatecontrolstodeleteorchangeaccesswhenindividualleavesofchangesjobresponsibilities(especiallycontractors)InadequateapprovalofaccesschangesAccesslevelsnotregularlyreviewedandapprovedbymanagementExcessiveaccesstosystemsPrivilegedaccesstooperatingsystem,database,andapplicationenvironmentInadequatesegregationofdutiesApplicationdevelopersandDBAshaveaccesstoproductionInfrastructuresupportingapplicationsisnotsecure(network,operatingsystem,database)ITcontrolsnotintegratedintokeybusinessprocesses(e.g.SDLC,changecontrol,compliance,testinganddataconversionprocedures)Lackofaregularprocesstoverifythatcontrolscontinuetobeadequateandeffective(atleastquarterly)NolongtermstrategytoevaluateandaddressrisksTheareasthatwillgethithardestaresecurityandchangecontrol21ImportanceofITControlstoSarbanes-OxleyITControlReadinessRoadmap

22ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapPreparingforSOX404requiresastructuredandmeasuredapproach,otherwiseyouwillfindyourselfdoing“toomuch”or“toolittle”ThecurrentPCAOBrulesrequireauditorstoatteston“managementassessmentprocess”Assuch,thereadinessroadmapthatmanyorganizationsarefollowingdemonstratestheassessmentprocessthroughaseriesofstepsandactivitiesthataligntothePCAOBrules23ImportanceofITControlstoSarbanes-OxleySOAReadinessRoadmapBusinessValueSarbanes-OxleyITCompliance1.Plan&ScopeFinancialreportingprocessSupportingsystems3.IdentifySignificantControlsApplicationcontrols-overinitiating,recording,processing&reportingITGeneralControls5.EvaluateControlDesignMitigatescontrolrisktoanacceptablelevelUnderstoodbyusers8.DocumentProcess&ResultsCoordinationwithAuditorsInternalsign-off(302,404)Independent

sign-off(404)7.Identify&RemediateDeficienciesSignificantdeficienciesMaterialweaknessRemediation6.EvaluateOperationalEffectivenessInternalauditTechnicaltestingSelfassessmentInquiry+Alllocationsandcontrols(annual)4.DocumentControlsPolicymanualsProceduresNarrativesFlowchartsConfigurationsAssessmentquestionnaires2.PerformRiskAssessmentProbability&ImpacttobusinessSize/complexity9.BuildSustainabilityInternalevaluationExternalevaluation24ImportanceofITControlstoSarbanes-OxleyAReadinessRoadmap

Plan&ScopeKeyConsiderationsIn-scopevsout-of-scopesystemsOpportunitiesforimprovementPrevention,identificationanddetectionoffraudKeyComponentsFinancialreportingprocessesInitiatingRecordingProcessingReportingClassesoftransactionsNon-routineandsystematicUnderstandthefinancialreportingprocessandidentifytheinformationsystemsandrelatedresourcesthatareused.25ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

PerformRiskAssessmentKeyComponentsITRisksQualityandIntegrityfailureSecurityfailureAvailabilityfailureRiskassessmentProbabilityoffailureImpacttothebusinessKeyConsiderationsSpecificriskareasDatavalidationDataconversionInterfacesManagementreportsComplexorcriticalcalculationsSpreadsheetsIdentifyrisksassociatedtheinformationsystemsandrelatedITresources(ie.whatcouldgowrong?)26ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

IdentifySignificantControlsKeyComponentsApplicationcontrolsEmbeddedwithinbusinessprocessesDirectlysupportfinancialassertionsGeneralcontrolsProgramdevelopmentProgramchangesProgramoperationsAccesscontrolKeyConsiderationsControlframework-CobiTTMRevised–April2004***12primarycontrolobjectivesattheprocesslevelControlenvironmentquestionnaireforentitylevelIdentifyapplicationandgeneralcontrols27ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

DocumentControlsKeyComponentsProcessdescriptionRiskassessmentControlobjectiveControlactivityTestofthecontrolConclusionsandremediationplansKeyConsiderationsIncludecompensatingcontrolsImpactonoverallSOAtestingprogramReportgapsindocumentationSufficienttosupportmanagementassertionDocumentcontrolprocessestosupportmanagement’sassessment28ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

EvaluateControlDesignKeyComponentsSufficienttodemonstrate:ControldesignedtopreventordetectmaterialerrorsConclusionthattestswereappropriatelyconductedResultsoftestsappropriatelyevaluatedKeyConsiderationsPreventativevs.detectiveAutomatedvs.manualPeople,processandtechnologyControlmaturitylevel–controlsaredefined,managed,measuredandrepeatableControlsshouldbedesignedtoreducetheriskoferrortoanacceptablelevel29ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

EvaluateOperationalEffectivenessKeyComponentsApplicationcontrolsandgeneralcontrolsReliabilityPerformedbyknowledgeablepersonPerformedconsistentlyAppropriatelymonitoredProblemsfolloweduponatimelybasisKeyConsiderationsPeriodoftimevs.pointintimeAuditevidence–inquiryaloneisnotenoughSamplesizes–mustbeadequategivenfrequencyofcontroloperationServiceorganizations–SAS70Testcontrolstoensuretheyareareoperatingasdesignedandconsistentlyoveraperiodoftime30ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

Identify&RemediateDeficienciesKeyComponentsImpacttothefinancialstatementsIsitmorethaninconsequential?LikelihoodofoccurrenceIstheremorethanaremotelikelihoodofoccurrence?CompensatingcontrolsKeyConsiderationsIsolated/manualerrorsvs.systematicerrorsPeriodofeffectiveoperationHasimpactassessmentbeenperformedtodeterminetheimportancetothefinancialreportingprocess?MayneedtorevisitcontroldesignoroperationifdeficienciesareobservedIdentifyweaknessesandremediate/retestpriortocompliancedeadline31ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

DocumentProcess&ResultsKeyComponentsOverallassessmentprocessConsiderriskassessmentresultsDiscloseallknowncontroldeficienciesandweaknessesIncludeassessmentofcontroldesigneffectivenessKeyConsiderationsShow-stoppersMaterialweaknessesSignificantdeficienciesMaintainsufficientevidencetosupportmanagementassessmentprocess32ImportanceofITControlstoSarbanes-OxleyARoadmapforCompliance

BuildSustainabilityKeyComponentsContinuouseffectivenessofinternalcontrolMonitoringactivitiesChangemanagementKnowledgecaptureandsharingKeyConsiderationsContinuousimprovementprocessRules,approachesandbestpracticesareevolving–staytunedEstablisha‘CenterofExcellence’modeltosupportongoingSOAcompliance33ImportanceofITControlstoSarbanes-OxleyInSummary34ImportanceofITControlstoSarbanes-OxleyInSummaryWiththedependenceonITforreliablefinancialreportingprocesses,ITplaysakeyroleincompliancewithSection404ofSarbanes-OxleyFormanyorganizationsSarbanes-Oxleyissimplyacodificationofexistingresponsibilities.TheseITcontrolresponsibilitiesalreadyexist;however,Sarbanes-Oxleymayrequireadditionalformalizationandsignificanteffortstodocumentandtest.CompaniesshouldensureIThasanactiveroleinSarbanes-Oxleyefforts:ParticipateonthecompliancesteeringcommitteeUnderstandthefinancialreportingprocessandcommunicatethedependencyonIT(applications,infrastructure,security,etc.)EstablishIT’sroleinensuringadequatecontrolsoverthefinancialreportingprocessDocumentITrisksandcontrolsrelatedtothefinancialreportingprocessRegularlytestcontrolsandremediatesignificantweaknessesEstablishmonitoringactivitie