SARBANES OXLEY SECTION 404 - PowerPoint PPT Presentation

Description: Information technology and SOX s.404. Internal control and its relationship with IT ... controls over financial reporting and obtain attestation from external auditors ...

Slides: 24
Provided by: web4Custo

Transcript and Presenter's Notes
1
SARBANES OXLEY SECTION 404
  • Information Technology
  • DnD 28/4-05
  • Arne.J.Helle_at_no.pwc.com

connectedthinking
2
Agenda
  • Introduction
  • Framework for internal control: COSO
  • International trends
  • Information technology and SOX s.404
  • Internal control and its relationship with
    the IT controls
  • CobiT
  • What is good enough to secure the business?
  • General Computer Controls
  • Automated Application Controls
  • Manual Application Controls
  • Examples
  • Experience from Telenor and others
  • Questions?

3
SARBANES OXLEY SECTION 404
  • Information Technology
  • Introduction

4
Management's Annual Requirements Under Section 404
  • Significant personal obligations for the CEO / CFO
    to ensure that financial information provided to
    the market is reliable
  • A documented assessment of the effectiveness of
    internal control over financial reporting as of
    31 December 200.. and annually thereafter
  • Sufficient evidence and documentation using
    suitable control criteria, including controls:
    • to prevent and detect fraud
    • over segregation of duties and safeguarding of
      assets

5
COSO Internal Control - Integrated Framework

6
Introduction
  • To comply with Sarbanes-Oxley Section 404,
    management needs to assess design and operating
    effectiveness of internal controls over financial
    reporting.
  • Relationship of IT to internal controls over
    financial reporting:
  • The key controls identified can be manual,
    automated or a combination of both
  • All key controls for all relevant assertions
    relating to significant accounts and disclosures
    need to be assessed.
  • As a result, IT needs to be considered for
    automated controls and where manual controls are
    supported by automated processes (sometimes also
    called semi-automated controls)

7
Introduction
  • Where these key controls are automated or a
    combination of both, the supporting underlying
    technology/infrastructure needs to be operating
    effectively for these key controls to work.
    As a result, companies need to assess the design
    and operating effectiveness of General Computer
    Controls for the application and its supporting
    infrastructure
  • This requires consideration of the impact of IT on
    internal controls over financial reporting.
  • It allows less extensive testing of automated
    controls (e.g. a test of one) if general computer
    controls are operating effectively.
  • General controls have a pervasive effect on
    internal controls over financial reporting: a
    deficiency in general computer controls would
    have an impact on the control environment (PCAOB
    FAQ 35).

8
Internal Controls
9
Introduction: Overview of SOX 404 and IT Controls
Legend
  • A: Key Business Controls (Owner: Business;
    Support: IT)
  • B: General Application Computer Controls (Owner:
    IT/Business)
  • C: General Computer Controls (Owner: IT; Support:
    Business)
10
SARBANES OXLEY SECTION 404
  • Information Technology
  • Scope of Coverage of
  • Information Technology under SOX s. 404
  • What is good enough?

11
Focus areas of GCC (SOA requirements)
  • IT Environment - Planning and Organisation
  • Documenting and monitoring all controls
  • Program Acquisition, Development and
    Implementation
  • Program Changes
  • Computer Operations - Delivery and Support
  • Ensure System Security - Access to Programs and
    Data
12
COBIT
Focus area General Computer Control
13
Methodology: CobiT example working program
  • CobiT IT processes
  • Plan and Organise (IT Environment / Company Level)
  • PO1 IT Strategic Planning
  • PO2 Information Architecture with focus on
    business critical information
  • PO4 IT Organization and Relationship
  • PO6 Communication of Management Aims and
    Directions
  • PO7 Management of Human Resources
  • PO8 Compliance With External Requirements
  • PO9 Assessment of Risks
  • PO11 Management of Quality
  • Acquire and implement (Program Development and
    Program Change)
  • AI2 Acquire or Develop Application Software
  • AI3 Acquire Technology Infrastructure
  • AI4 Develop and Maintain Policies and Procedures
  • AI5 Install and Test Application Software and
    Technology Infrastructure
  • AI6 Manage Changes
  • Deliver and Support (Computer Operations and
    Access to Programs and Data)
  • DS1 Define and manage service levels
  • DS2 Manage third-party services

14
How Much Is Enough?
  • All procedures and controls must be documented,
    maintained, kept up to date and easy to find
    (processes related to financial reporting)
  • Need to map and document all controls (GCC,
    automated and manual application controls)
  • Need to focus on Key Controls and document all
    changes
  • Management needs to test the Key Controls in
    order to confirm internal control; this will
    require good documentation
  • The external auditor needs to test internal
    control and will test all documentation

15
How Much Is Enough? Automated Application Controls
  • Which part of the application to cover?
  • Are the automated and manual controls clearly
    identified?
  • Involvement of IT personnel in documentation and
    testing of automated controls
  • The control owner/application owner is
    responsible for documentation
  • How to perform the testing?
  • Similar to the testing of control activities by
    the business: are they documented?
  • The types of testing techniques used depend on the
    nature of the automated application control. If
    it is documented, testing will be easy
  • Judgement is always required.

16
SARBANES OXLEY SECTION 404
  • Information Technology
  • Examples?

17
Organisation overview of SOA 404
  • Audit Committee
  • Steering Committee (Torstein Moland)
  • Project director (Halvor Bru)
  • Project Support Office (PSO)
  • External Auditor (EY)
Business areas: Mobile; Fixed/others; Group; Norway
cross process
  • Telenor Mobil
  • Sonofon
  • Pannon
  • DiGi
  • Kyivstar
  • GrameenPhone
  • Telenor Pakistan
  • Fixed Norway
  • Part of Telenor AB
  • Telenor Eiendom
  • EDB IT Drift
  • Canal Digital Norge
  • Company level controls
  • General Computer Controls (GCC)
  • Financial reporting
  • Treasury
  • Tax
  • Shared Service Center
  • Payroll/pensions

incl. Bedriftskommunikasjon, Telenor Internett and Telenor Global Services incl. Holding companies category 3
18
GCC Process in Business Spots (High level)
Process diagram; swimlanes: Business Unit, BU SPOT,
GCC, PSO
  • Business Unit: Remediation; Documentation / Risk
    Evaluation; Testing; Document Key Controls;
    Document Deficiency or Material Weakness
  • BU SPOT: Suggest Remediation; Summary; Remediation
    clarifications / BU Commitment
  • GCC: Coordinate / QA / Support; Methodology
  • PSO
Timeline: 01.nn.04, 01.nn.05, 01.nn.05, 31.nn.yy
(Batch 2, Batch 3)
19
When a Deficiency or Material Weakness is detected
Process diagram; swimlanes: Business Unit, BU SPOT,
GCC, PSO
Phases: Initial Mapping; Planning; Organisation;
Documentation; Analyses; Walkthrough; Design
Activities (as they appear in the diagram):
  • Sign-off / Commitment
  • Remediation
  • Feedback from Interview
  • Interview
  • Design Remediation; Test of Remediation
  • Design new / Adjust existing Key-Controls
  • Deficiency or Material Weakness
  • Document Key-Controls
  • CobiT Summary / Evaluation
  • Consulting / QA
  • Coordinate / QA Remediation
  • Coordinate / QA Key-Controls
  • Information
20
SARBANES OXLEY SECTION 404
  • Information Technology
  • QUESTIONS?

21
SARBANES OXLEY SECTION 404
  • Information Technology
  • Appendix

22
Key Sarbanes-Oxley Requirements
23
Internal Controls Maturity Model
When necessary controls are missing, or are
classified as Unreliable or Informal, this should
lead to remediation