国外简约大气的模板.ppt

The Importance of IT Controls to Sarbanes-Oxley Compliance.,.,2,Provide a high-level overview of Sarbanes-Oxley and the internal control certification requirements Discuss the importance of information technology in internal control over financial reporting Describe how the Sarbanes-Oxley section 404 rules impact information technology Provide an overview of the Cobit IT control framework Provide an example of a readiness program roadmap Summarize the importance and impact of IT controls to Sarbanes-Oxley compliance,Todays Objectives,.,3,Setting the Stage,.,4,Setting the Stage,What is internal control? Internal control is broadly defined as a process, effected by an entitys board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations Internal control is now the Law The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in the public markets Section 404 of the Act requires management to establish and maintain internal control and requires the independent auditors to evaluate Compliance deadline: Year-ends on or after November 15, 2004 Preparing for Sarbanes-Oxley compliance is a significant and challenging task There are many requirements, including the identification of significant financial statement accounts, processes and systems that support them and then documenting and testing them,.,5,Overview of Internal Control Certification Requirements,Section 302 Certification Overview CEO and CFO to make specific certifications as of the end of each quarterly and annual reporting period, including: Report contains no untrue statements Report is fairly presented in all material respects Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting Became effective in 2002 (amended in June 2003),Section 404 Certification Overview CEO and CFO to certify as of the end of every annual reporting period: Their responsibility for establishing and maintaining effective internal controls over financial reporting Their assessment of internal controls, accompanied by the independent auditors attestation report Effective for annual periods ending after November 15, 2004 (small business and foreign filers July15, 2005).,.,6,Understanding the Rules Impact to IT,.,7,Understanding the Rules Impact to IT,Management is required to assess the design and effectiveness of its internal control over financial reporting and provide an assertion to that effect in the published financial statements. The companys external auditors are required to express an opinion on managements assessment as well their own opinion on the companys internal controls.,Auditor must perform a walkthrough of major classes of transactions for significant processes to understand process flows, and assess the design and effectiveness of controls including application and IT general controls. Evaluate the design effectiveness of IT controls to determine whether they are properly designed to achieve relevant assertions. Perform tests of the operating effectiveness of IT controls that are necessary to achieve relevant assertions.,Key Compliance Requirements,Impact to IT Controls,.,8,(paragraph 47) “The auditor should obtain an understanding of the design of specific controls by applying procedures that include tracing transactions through the information system relevant to financial reporting” (paragraph 73) “Most processes involve a series of tasks such as capturing input data, sorting and merging data, making calculations, updating transactions and master files, generating transactions, and summarizing and displaying or reporting data. The processing procedures relevant for the auditor to understand the flow of transactions generally are those activities required to initiate, authorize, record, process and report transactions.”,The PCAOB rules are clear - auditors must understand how transactions flow through the system not around it,Understanding the Rules Impact to IT contd,.,9,(paragraph 69) “The auditor should identify each significant process over each major class of transactions affecting significant accounts or groups of accounts and Understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed, and reported. Identify the points within the process at which a misstatement including a misstatement due to fraud related to each relevant financial statement assertion could arise. Identify the controls that management has implemented to address these potential misstatements. Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use, or disposition of the companys assets.,PCAOB statements applicable to Application Controls:,Understandi。