IT Control Objectives For Sarbanes-Oxley
Sarbanes-Oxley
Managing Risk
Many of the IT professionals being held accountable for the quality and integrity of information generated by their IT systems are not well versed in the intricacies of internal control. This is not to suggest that risk is not being managed by IT, but rather that it may not be formalized or structured in a way required by an organization's management or its auditors.
IT Control Environment
Computer Operations
Access to Programs and Data
Program Development and Program Change
IT Control Environment
The PCAOB has indicated that an ineffective control environment should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists.
IS Strategic Plan
IT risk management process
Compliance and Regulatory management
IT policies, procedures and standards
Computer Operations
Computer operations should include controls over:
Effective acquisition
Implementation
Configuration and maintenance
Ongoing controls over operations address the day-to-day delivery of information services, service level management, management of third-party services, etc.
Multi-location Considerations
Significant business units
Potential financial materiality and significant risk considerations, both quantitative and qualitative; both aspects provide focus
Open Discussion