SOX LITE - PowerPoint PPT Presentation

About This Presentation
Title:

SOX LITE

Description:

Public companies that have to comply with SOX are encouraged to use a framework ... AI7 Install and accredit solutions and changes. 3. Delivery and Support (DS) ... – PowerPoint PPT presentation

Slides: 31
Provided by: isacaa

Transcript and Presenter's Notes

1
SOX LITE
  • COBIT for Small- and Mid-Size Businesses
  • David Parker, CISA, CPA, CIA, CFE

2
BACKGROUND: What is COBIT?
  • Control OBjectives for Information and Related
    Technology

3
What is the Relationship Between COBIT and SOX?
  • Public companies that have to comply with SOX are
    encouraged to use a recognized framework to manage
    their internal control environment
  • The SEC identifies the COSO Internal Control
    Integrated Framework as a suitable framework; COBIT
    is the framework most commonly used to cover the IT
    controls within it

4
What is the difference between COBIT and COSO?
  • The two frameworks target different audiences
  • COSO: 1) targets management controls, 2) is useful
    for management at large, 3) consists of 5 control
    components
  • COBIT: 1) targets IT controls specifically, 2) is
    useful for IT management, users, and auditors, 3)
    consists of 4 objective domains

5
COSO Internal Control Integrated Framework
  • States that internal control is a process
  • Effected by an entity's board of directors,
    management and other personnel
  • Designed to provide reasonable assurance
    regarding the achievement of stated objectives

6
COSO Internal Control Integrated Framework
  • Focuses on three categories of objectives:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

7
COBIT
  • Approaches IT controls by looking at information
    (NOT just financial information) that is needed to
    support business requirements
  • And at the IT resources and processes associated
    with that information

8
Relationship between COSO/COBIT and SOX
  • SEC suggests that companies follow the COSO
    framework in general
  • Many companies choose to follow the COBIT
    framework specific to their IT controls

9
COBIT and Small Companies
  • Before 2009, small public companies (sales <
    200,000) did not have to comply with the SOX
    internal control requirements
  • Starting in 2009, they have to start complying
  • This affects approximately 5,000 companies
  • The SOX internal control requirements are called
    SOX 404 because they pertain to Section 404 of
    the Sarbanes-Oxley Act of 2002

10
Why is SOX Lite Needed?
  • SOX work has a high fixed cost and therefore
    disproportionately affects smaller firms
  • During 2004, U.S. companies with revenues
    exceeding $5 billion spent 0.06% of their revenue
    on SOX compliance
  • Companies with less than $100 million in revenue
    spent 2.55% of their revenue

11
Therefore, Today's Objective
  • Evaluate the COBIT framework in light of the
    needs and capacities of small- and medium-size
    public companies subject to SOX 404 work

12
So what does SOX 404 work entail?
  • Executive management of a public company:
  • Is responsible for establishing and maintaining
    an adequate internal control structure and
    procedures for financial reporting
  • Must report on the effectiveness of that internal
    control structure and those procedures

13
The Problem
  • Section 404 makes no specific mention of what IT
    needs to do to comply with SOX
  • How can I comply with something without knowing
    what I need to do to comply?
  • In response, the majority of auditors have
    adopted COBIT, largely because the COBIT control
    objectives are platform independent

14
BACKGROUND: What exactly is the COBIT Framework?

15
4 Domains of COBIT
  • Plan and Organize (PO)
  • Acquire and Implement (AI)
  • Delivery and Support (DS)
  • Monitor and Evaluate (ME)

16
1. Plan and Organize (PO)
  • Are IT and the business strategy aligned?
  • Is the enterprise achieving optimum use of its
    resources?
  • Does everyone in the organization understand the
    IT objectives?
  • Are IT risks understood and being managed?
  • Is the quality of IT systems appropriate for
    business needs?

17
PO Objectives
  • PO1 Define a strategic IT plan
  • PO2 Define the information architecture
  • PO3 Determine technological direction
  • PO4 Define the IT processes, organization and
    relationships
  • PO5 Manage the IT investment

18
PO Objectives (Cont'd)
  • PO6 Communicate management aims and directions
  • PO7 Manage IT human resources
  • PO8 Manage quality
  • PO9 Assess and manage IT risks
  • PO10 Manage projects

19
2. Acquire and Implement (AI)
  • Are new projects likely to deliver solutions
    that meet business needs?
  • Are new projects likely to be delivered on time
    and within budget?
  • Will the new systems work properly when
    implemented?
  • Will changes be made without upsetting current
    business operations?

20
AI Objectives
  • AI1 Identify automated solutions
  • AI2 Acquire and maintain application software
  • AI3 Acquire and maintain technology
    infrastructure
  • AI4 Enable operation and use

21
AI Objectives (Cont'd)
  • AI5 Procure IT resources
  • AI6 Manage changes
  • AI7 Install and accredit solutions and changes

22
3. Delivery and Support (DS)
  • Are IT services being delivered in line with
    business priorities?
  • Are IT costs optimized?
  • Is the workforce able to use the IT systems
    productively and safely?
  • Are adequate confidentiality, integrity and
    availability in place for information security?

23
DS Objectives
  • DS1 Define and manage service levels
  • DS2 Manage third-party services
  • DS3 Manage performance and capacity
  • DS4 Ensure continuous service
  • DS5 Ensure systems security

24
DS Objectives (Cont'd)
  • DS6 Identify and allocate costs
  • DS7 Educate and train users
  • DS8 Manage service desk and incidents
  • DS9 Manage the configuration
  • DS10 Manage problems

25
DS Objectives (Cont'd)
  • DS11 Manage data
  • DS12 Manage the physical environment
  • DS13 Manage operations

26
4. Monitor and Evaluate (ME)
  • Is IT's performance measured so that problems are
    detected before it is too late?
  • Does management ensure that internal controls are
    effective and efficient?
  • Can IT performance be linked back to business
    goals?
  • Are adequate confidentiality, integrity and
    availability controls in place for information
    security?

27
ME Objectives
  • ME1 Monitor and evaluate IT performance
  • ME2 Monitor and evaluate internal control
  • ME3 Ensure compliance with external
    requirements
  • ME4 Provide IT governance

28
Prioritizing the COBIT Framework
  • For these 4 domains, ask yourself:
  • Which controls are appropriate for your
    environment?
  • Of the appropriate controls, which will maximize
    your results?

29
Prioritizing the COBIT Framework (Cont'd)
  • For small companies, the framework can be
    overwhelming
  • Solution: use a matrix that maps each control
    objective to its control activities, the control
    tests performed, and the test results

30
Prioritizing Remediation Efforts
  • 1. Network security
  • 2. Virus protection
  • 3. Backup procedures
  • 4. File access privilege controls
  • 5. IT as part of the organization's long- and
    short-term plan
  • 6. IT continuity and recovery plan
  • 7. Identification and authentication procedures
  • 8. Management support/buy-in
  • 9. Risk evaluation program
  • 10. General employee IT security training program
  • 11. Data input controls