ITControlObjectivesforSarbanes-Oxley.pptVIP

IT Control Objectives for Sarbanes-Oxley Presented by Doug Moore, Jefferson Wells International and Christine Chaney, Continental Airlines Managing Risk “…many of the IT professionals being held accountable for the quality and integrity of information generated by their IT systems are not well versed in the intricacies of internal control. This is not to suggest that risk is not being managed by IT, but rather that it may not be formalized or structured in a way required by an organization’s management or its auditors.” IT Key Areas of Responsibility Understanding the organization’s internal control program and financial reporting process Mapping the IT systems that support internal control and the financial reporting process to the financial statements Identifying risks related to these systems Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness Documenting and testing IT controls IT Key Areas of Responsibility Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting process Monitoring IT controls for effective operation over time Participation by IT in the Sarbanes-Oxley project management office ITGI Control Objectives IT Control Environment Computer Operations Access to Programs and Data Program Development and Program Change IT Control Environment The PCAOB has indicated that an ineffective control environment should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists What is the IT Control Environment? IT Governance Process IS Strategic Plan IT risk management process Compliance and Regulatory management IT policies, procedures and standards Monitoring and reporting are required to ensure that IT is aligned with business requirements. Computer Operations Computer operations should include controls over: E