In the aftermath of several widely publicized cases of corporate fraud, the US government introduced legislation designed to enforce compliance and financial-reporting standards. The most notable of these laws is the Sarbanes-Oxley Act (SOX) of 2002. The primary goal of SOX is to bring a higher level of transparency into organizations' business processes, financial transactions, and accounting methods, to ensure that generally accepted accounting principles are practiced.
In this new SOX era, the issue of compliance spans several industries, attempting to harmonize evolving standards across both public and private sector organizations. The requirement of continuous reporting of financial information now forces organizations that had previously been less transparent to tighten and maintain their audit and control practices on an ongoing basis.
Traditional Audit and Compliance Standards Prior to SOX
Pre-SOX standards were designed to ensure a degree of corporate governance by focusing on the areas outlined by the Committee of Sponsoring Organizations (COSO) and on an IT systems process framework. This framework was provided by the Control Objectives for Information and Related Technology (COBIT) IT process standard, which was developed in 1992 by the Information Systems Audit and Control Association (ISACA). COBIT was to provide adequate control levels for organizational structure, ethical standards, and board and audit committee review. It was the earliest set of audit standards accepted for dealing with IT processes and audit procedures. COBIT focused on application controls, general control of information systems, and security issues.
Reporting standards used prior to SOX remain in place today. Of these, the most notable are the EU's adopted version of the International Financial Reporting Standards (IFRS) and the US's Generally Accepted Accounting Principles (GAAP). In 2002, an agreement known in financial industry circles as the Norwalk Agreement was struck. This agreement states that US-based companies' financial-reporting procedures are to be harmonized with the European standard by the end of 2008. The implementation of SOX for firms that import into and export out of the United States is yet another layer of compliance standards recently introduced. Table 1 lists several other audit control standards, both pre- and post-SOX.
Segregation of Duties
Within SOX is a provision entitled Section 404. This section is a detailed account of the standard internal controls organizations must have in place to be deemed SOX-compliant. The account targets application internal controls and highlights areas where fraudulent reporting is likely to occur, whether intended or not. Among the key provisions in this section is segregation of duties (SOD). SOD aims to close loopholes that would otherwise permit questionable accounting practices; one of its key attributes is that it allows the monitoring of processes and cross-verification of transactions processed in real time.
In simplified terms, SOD is based on the concept of having more than one person in an organization who is able and authorized to complete a task. SOD is a security principle whose main goals are the prevention of fraud and errors. These two objectives are achieved through the review of business processes and the distribution of tasks and associated authorizations among several levels of hierarchy. Such actions serve as validation—in other words, they are a series of checks and balances.
One way to illustrate the key tenets of SOD is to consider an accounting department in any small to medium business (SMB). Here, some of the daily activities include the receipt of checks as invoice payments, approval of employee time cards, processing of payroll checks, and reconciliation of bank statements. Within these activities a form of SOD is already in place—usually the issuing of checks requires different levels of approval and more than one signature. In essence, more than one person validates a process or activity.
In terms of IT, SOD issues are not as clearly defined, and in many instances individuals in an SMB hold multiple levels of responsibility, which can bring the stated goals of SOX and SOD into conflict.
Following are five circumstances in which IT processes can conflict with the goals of SOD:
1. Improper account provisioning for change, meaning access rights to applications are not changed (revoked) when employees leave the organization or a department.
2. Insufficient control of change management, meaning a change is made to a financial application or process without an accurate record, for quality assurance purposes, of the date the change occurred, the nature of the change, and which people in the organization are affected by it.
3. IT departments lack an understanding of key system configuration workflow processes.
4. No audit logs are used to document unusual system or application occurrences.
5. No root cause analysis is performed to determine what caused an unusual event.
Twin Pillars of Protection
In any organization, IT serves as both the guardian and the distribution point for information. Financial reporting serves as the means to support an IT infrastructure. Insofar as systems infrastructure and financial reporting are linked, there is a requirement to ensure that the integrity of the system and the processes that support it are in compliance with accepted standards and practices. Within these twin pillars of protection are principles that must be adhered to in order to ensure the integrity of the system, the public's confidence in the system, and that all key requirements of SOX Section 404 are met. Figure 1 depicts the basic steps to take to meet these requirements.
Figure 1. Key elements to support SOX and SOD.
1. Study business control processes.
Below are three of the primary business control processes essential to support SOX compliance:
1. Controls found within most ERP systems—these controls include orders processed only within assigned customer credit limits. All goods shipped have an associated invoice.
2. General IT controls—these grant authorized individuals access to order management and receivables applications. This process ensures that system upgrades and fixes are documented.
3. Manual controls—these controls ensure that only authorized individuals can modify or cancel a customer order.
2. Develop and automate internal testing to support the system.
Most organizations typically run financial reports on a regular, periodic basis, reporting the organization's performance in terms of inventory and projected sales. To ensure compliance with SOX-SOD requirements, these two procedures are essential:
1. Using internal documents to ensure that no sales or financial records can be modified without being identified, logged, and approved by three levels of authorization.
2. Reviewing examples of where individuals violate SOD requirements (e.g., people who perform purchasing activities cannot also be involved in the receiving of inventory and the posting of accounts payable).
The purpose of this exercise is to demonstrate that an internal, documented process exists to segregate responsibilities and prevent any ability to modify or destroy financial-related data.
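The two procedures above can be automated as a periodic control test. The script below is an added example, not code from the original article: it flags users who hold conflicting duties (the purchasing / receiving / accounts-payable conflict described above) and changes to financial records that lack three independent approvers. The conflict matrix, the user-to-duty assignments, the change log and all names are constructed sample data.

```python
# Segregation-of-duties (SOD) checks over an ERP role export and a change log.
# Added example, not from the original article; all data below is constructed
# for illustration (hypothetical names and duty labels).
from itertools import combinations

# Pairs of duties one person must never hold together, modelled on the
# article's purchasing / receiving / accounts-payable-posting conflict.
CONFLICTING_DUTIES = {
    frozenset({"purchasing", "receiving"}),
    frozenset({"purchasing", "ap_posting"}),
    frozenset({"receiving", "ap_posting"}),
    frozenset({"payroll_processing", "timecard_approval"}),
}

# Constructed user -> duties export from an ERP role report.
ASSIGNMENTS = {
    "alice": {"purchasing"},
    "bob": {"receiving", "ap_posting"},           # holds a conflicting pair
    "carol": {"payroll_processing"},
    "dave": {"timecard_approval", "purchasing"},  # two duties, no conflict
}

def sod_violations(assignments, conflicts=CONFLICTING_DUTIES):
    """Return {user: [[duty_a, duty_b], ...]} for every user holding two
    duties that the conflict matrix says must be segregated."""
    found = {}
    for user, duties in assignments.items():
        pairs = [list(p) for p in combinations(sorted(duties), 2)
                 if frozenset(p) in conflicts]
        if pairs:
            found[user] = pairs
    return found

# Constructed change log for financial records. The article requires three
# levels of authorization per change; read here as three distinct approvers,
# none of whom is the person who made the change.
CHANGE_LOG = [
    {"id": "CHG-1", "author": "alice", "approvers": ["bob", "carol", "dave"]},
    {"id": "CHG-2", "author": "bob", "approvers": ["bob", "carol", "dave"]},
    {"id": "CHG-3", "author": "carol", "approvers": ["alice", "bob"]},
]

def unauthorized_changes(change_log, required_levels=3):
    """Return ids of changes with fewer than required_levels distinct approvers
    other than the author (self-approval does not count as a level)."""
    bad = []
    for change in change_log:
        independent = {a for a in change["approvers"] if a != change["author"]}
        if len(independent) < required_levels:
            bad.append(change["id"])
    return bad

if __name__ == "__main__":
    print("SOD violations:", sod_violations(ASSIGNMENTS))
    print("Changes lacking 3 independent approvers:", unauthorized_changes(CHANGE_LOG))
```

Run against a real role export, the conflict matrix is the part an auditor signs off on; the code only enforces it.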
3. Compare test results with accepted compliance standards (e.g., COBIT, COSO).
When organizations are in the process of selecting enterprise software applications (e.g., an ERP system), due diligence is advised as part of the request for proposal (RFP) process to ensure that the proposed vendor's solution adheres to the accepted financial-reporting and compliance standards of its industry. When interfacing a new solution with a legacy application or with an internally developed system, the COBIT and SOX models should be the fundamental criteria for assessing whether the new system meets your organization's compliance and financial-reporting requirements. Following are some additional points to consider:
* Data revision management—changes to financial-reporting data should be carefully managed, ensuring that all modifications are authorized and documented.
* Contracts—all IT vendor contracts and service level agreements (SLAs), including their financial implications, must be clearly defined.
* Third-party equipment—third-party software must abide by accepted and established standards. License and user requirements must be defined in vendors' contracts, as these requirements are also subject to the accepted performance criteria indicated in the vendor SLA at the time of software purchase.
* Access control—ensure users have an identifiable security password and user code, which track access and transactions performed.
* Security—the system must be in compliance with ISO 17799 and designed in a way that limits exposure or access to unauthorized parties.
* Incident management—the system must record all incidents of failure or loss of data, and must support Information Technology Infrastructure Library (ITIL) guidelines. Corrective action to be taken must be documented so that it can be retrieved, and the work performed by another person.