IT CONTROL OBJECTIVES FOR SARBANES-OXLEY, 2nd EDITION

THE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER FINANCIAL REPORTING AND DISCLOSURE

Exposure Draft—30 April 2006

IT Governance Institute®

The IT Governance Institute (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The ITGI offers electronic resources, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Disclosure

Copyright © 2006 IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorization of the IT Governance Institute. Reproduction of selections of this publication for internal and noncommercial or academic use only is permitted and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: research@itgi.org
Web site: www.itgi.org

IT Control Objectives for Sarbanes-Oxley, 2nd Edition
Printed in the United States of America

Disclaimer

The IT Governance Institute, ISACA and other contributors make no claim that use of this document will assure a successful outcome.
This publication should not be considered inclusive of IT controls, procedures and tests, or exclusive of other IT controls, procedures and tests that may be reasonably present in an effective internal control system over financial reporting. In determining the propriety of any specific control, procedure or test, US Securities and Exchange Commission (SEC) registrants should apply appropriate judgment to the specific control circumstances presented by the particular systems or information technology environment.

Readers should note that this document has not received endorsement from the SEC, which is responsible for regulating public companies, or the US Public Company Accounting Oversight Board (PCAOB), which is responsible for regulating the public accounting profession. The issues that are dealt with in this publication will evolve over time. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and/or auditors. The contributors make no representation or warranties and provide no assurances that an organization's use of this document will result in disclosure controls and procedures and the internal controls and procedures for financial reporting that are compliant with the requirements and the internal control reporting requirements of the Sarbanes-Oxley Act (the Act), nor that an organization's plans will be sufficient to address and correct any shortcomings that would prohibit the organization from making the required certification or reporting under the Act.

Internal controls, no matter how well designed and operated, can provide only reasonable assurance of achieving an entity's control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes.
Additionally, controls, whether manual or automated, can be circumvented by the collusion of two or more people or inappropriate management override of internal controls.

Acknowledgments

From the publisher

The IT Governance Institute wishes to recognize:

The principal contributors, for their tireless efforts in the development of the document
Christopher Fox, ACA
Paul Zonneveld, CISA, CA

The focus group, for their guidance and ideas
Gordon Bloom, CISA, RSM McGladrey Inc., USA
Michael Cangemi, CISA, CPA, Cangemi Company LLC, USA
Nancy Cohen, CPA, AICPA, USA
Roger Debreceny, Ph.D., FCPA, University of Hawaii, USA
Robert Frelinger, CISA, Sun Microsystems Inc., USA
Kenneth S. Gabriel, CPA, KPMG LLP, USA
Michael Garber, CIA, CPA, Motorola Inc., USA
John Gimpert, CPA, Deloitte & Touche LLP, USA
John Hainaut, Jefferson Wells, USA
Hussain Hasan, CISM, CISSP, RSM McGladrey Inc., USA
Edward Hill, CIA, CPA, Protiviti, USA
Tara Janos, BP Amoco, USA
Peter Koltun, Jefferson Wells, USA
Phillip Lageschulte, CPA, KPMG LLP, USA
Elsa Lee, CISA, CSQA, Crowe Chizek LLP, USA
Anthony Noble, CISA, CCP, Viacom Inc., USA
Heroit Prentice, MILA, FIIA, QiCA, The Institute of Internal Auditors, USA
Debbie Sanneman, Motorola, USA
Sheryl Skolnik, CISA, CISM, CPA, BDO Seidman LLP, USA
Tracy Stewart, CISA, CISSP, CCP, CIA, Allstate Insurance Company, USA
Doug Underwood, CPA, McGladrey & Pullen, USA
Mickey Vaja, CISA, CCNA, CISSP, Grant Thornton LLP, USA
Kenneth Vander Wal, CISA, CPA, CSP, Ernst & Young LLP, USA
Timothy Van Ryzin, CISA, CISM, Harley-Davidson, USA
Jeffrey Ward, CISA, CPA, CITP, Stone Carlie & Company, USA
Margaret Yocher, United Technologies-Carrier, USA
Paul Zonneveld, CISA, CA, Deloitte & Touche LLP, Canada

The ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General's Office, Singapore, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Bent Poulsen, CISA, CISM, VP Securities Services, Denmark, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FIIKCS, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Emil G. D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi, USA, Trustee
Ronald Saull, CSP, The Great-West Life and IGM Financial, Canada, Trustee
Erik Guldentops, CISA, CISM, Belgium, Advisor

ISACA chapters
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance
ISACA
Solvay Business School
University of Antwerp Management School
Bindview
CA
Hewlett-Packard
IBM
Phoenix Business and Systems Process Inc.
