
Post Sarbanes Oxley, the focus for corporations is more on compliance and security.

Sarbanes Oxley has had a major impact on the organizations using SAP R/3 as their ERP. Some of the changes seen in the corporate landscape include identifying and documenting processes, implementing controls and safeguards, documenting user access approvals etc. In short, there has been a cultural shift in organizations post Sarbanes Oxley. Below, I have listed 7 major pointers which can help organizations towards better SAP security in the Sarbanes Oxley era.

1. Provide users access on a need to know and need to do basis.
2. Adequately secure programs, transactions and tables.
3. All user accesses to SAP R/3 are properly authorized and approved.
4. Segregation of duties is maintained for all sensitive business transactions.
5. All controls and business processes are documented.
6. Anti-fraud preventive controls are in place to prevent and detect fraud before an audit.
7. User profiles and roles in SAP are secured and designed to meet business requirements.

Sarbanes Oxley - Identifying Company Level Controls

Controls to oversee the control environment and risk assessment processes at the overall corporate level are called company level controls. Thus company level controls are used to monitor operations. These controls help the management in monitoring and maintaining a sound system of internal control. They thus have a pervasive impact on the control process, application controls and transaction processing. I have listed down some examples of company level controls below. Guys, note that this is just an illustrative list. Some company level controls which I have identified are:

- Risk assessment process
- Centralized processing and controlling of major activities
- Monitoring the performance of operations
- Period end financial reporting process
- Tone at the top, i.e. the control environment in place at the company
- Policies and procedures approved by the board of directors
- Risk management practices and monitoring business processes

Apart from the above, a company might have many other company level controls which are specific to that company.

Sarbanes Oxley Basics - Four Steps in Designing Internal Controls

Internal control design is a step by step process. If correctly understood, one can easily design internal controls for any process irrespective of the company. I am today discussing the brief steps for designing efficient and effective internal controls. The steps below are intended to just give an overview. I would be discussing the entire internal control design process in detail later on.

Four Steps in Designing Effective Internal Controls

1. Understand the Risk - The first step in designing internal controls is to understand the risk that you are trying to mitigate. Without a clear understanding of the risk, it's unlikely that you would be able to design good internal controls.
2. Identify Control Activity - Once you have identified the risk, identify the control activity which would reduce the identified risk to an acceptable level.
3. Benefit Vs. Costs - In any controls design process it is very important to compare the cost of controls with the benefits to be derived. Controls no doubt have a cost; however, the cost of controls should not outweigh the benefits. There is no point protecting an asset worth a couple of hundred dollars with a biometric control costing thousands.
4. Establish Internal Control - Having accomplished the above three steps, the last step is establishing the identified activity as an internal control.

Sarbanes Oxley Report Under Section 404 - Content of Internal Control Report

The Sarbanes Oxley Act lays down several reporting requirements. The act is very clear on the items which have to be included in the internal control report. Once a company is through with evaluating its internal controls under Section 404, a report is to be submitted by the management to the SEC. I have listed below the items which have to be included in the internal control report.

1. The internal control report should include a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting. There has to be an express statement from the company's management which mentions management's responsibility clearly.
2. The second important thing required in the internal control report is management's assessment of the effectiveness of internal controls.
3. Third, the internal control report should have a statement which identifies the internal control framework used by the management to evaluate the effectiveness of internal controls.
4. Finally, all of the above have to be attested by a CPA firm. More precisely, the CPA firm which has audited the company's financial statements will have to issue a statement attesting to the internal controls as assessed by the management.
