8.5.3
Sarbanes-Oxley: An Audit and Assessment Example
In deference to space considerations, the following example is very brief and is in
essence a reflection of the assessment and audit details above. The Sarbanes-Oxley
Act of 2002 (SOX) is intended to protect investors by improving the accuracy and
reliability of corporate financial disclosure; IA audits under SOX cover the security
controls of financial systems. One approach, by no means the only approach, is to
perform an internal audit prior to the external audit. The assessment that precedes
the internal audit identifies the scope of the target systems. The internal audit
prepares employees for the audit process, flushes out the obvious noncompliance
issues, and provides feedback and an opportunity to remediate noncompliance
before the external auditors arrive.
The SOX compliance assessment process (CAP) includes:
- Obtain executive backing.
- Define scope.
- Assemble the SOX CAP team.
- Assign tasks to team members.
- Execute the SOX CAP:
  - Current controls
    - Identify and document.
    - Verify.
  - Gap analysis
  - Produce and publish results:
    - Findings
    - Remediation plan (gap closure)
  - Assess roadblocks and resolutions.
  - Lessons learned
8.5.4
Commentary
A preliminary internal audit is expensive but has many positive effects, including
discreetly identifying and fixing obvious noncompliance issues, and preparing inter-
nal personnel to participate in an audit. Expect the unexpected: do not be surprised
if an audit that sets out to discover X instead turns up issues Y, Z, A, B, and three
or four variations of C. For example, one organization had such a diverse collection
of financial applications that some data center managers were completely unaware
that financial applications resided on servers under their care. This was a critical
finding of the internal audit, to be rectified immediately… awareness before
understanding.
Sarbanes-Oxley compliance and compliance management are likely to affect
many aspects of the financial accounting support infrastructure. For example, con-
solidation of accounting applications will both reduce the number of applications
and reduce the number of data centers housing financial applications; the benefit is