Information technology controls (or IT controls) are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework (Control Objectives for Information Technology) is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:
IT application or program controls are fully automated (i.e., performed automatically by the systems) and designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:
An organization's Chief Information Officer or Chief Information Security Officer is typically responsible for the security, accuracy and the reliability of the systems that manage and report the company's data, including financial data.
COBIT is a widely utilized framework containing best practices for the governance and management of information and technology, aimed at the whole enterprise. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which are enabled by specific IT activities. COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system. COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels. [1]
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment , risk assessment , control activities, information and communication and monitoring, that need to be in place to achieve financial reporting and disclosure objectives; COBIT provides similar detailed guidance for IT, while the interrelated Val IT concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate. The four COBIT major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
SOX (part of United States federal law) requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and require public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX.
The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB [2] and SEC [3] state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statements on Auditing Standards No. 109 (SAS109) [4] discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.
IT controls that typically fall under the scope of a SOX 404 assessment may include:
Specific activities that may occur to support the assessment of the key controls above include:
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure the completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as databases, networks, and operating systems, which are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enables management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.
Section | Title | Description |
---|---|---|
302 | Corporate Responsibility for Financial Reports | Certifies that financial statement accuracy and operational activities have been documented and provided to the CEO and CFO for certification |
404 | Management Assessment of Internal Controls | Operational processes are documented and practiced demonstrating the origins of data within the balance sheet. SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. |
409 | Real-time Issuer Disclosures | Public companies must disclose changes in their financial condition or operations in real time to protect investors from delayed reporting of material events |
802 | Criminal Penalties for Altering Documents | Requires public companies and their public accounting firms to retain records, including electronic records that impact the company’s assets or performance. Fines and imprisonment for those who knowingly and willfully violates this section with respect to (1) destruction, alteration, or falsification of records in federal investigations and bankruptcy and (2) destruction of corporate audit records. |
Section 409 requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis. Companies need to determine whether their existing financial systems, such as enterprise resource management applications are capable of providing data in real-time, or if the organization will need to add such capabilities or use special software to access the data. Companies must also account for changes that occur externally, such as changes by customers or business partners that could materially impact their own financial positioning (e.g. key customer/supplier bankruptcy and default).
To comply with Section 409, organizations should assess their technological capabilities in the following categories:
The Sarbanes–Oxley Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations. The act, Pub. L. 107–204 (text)(PDF), 116 Stat. 745, enacted July 30, 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and more commonly called Sarbanes–Oxley, SOX or Sarbox, contains eleven sections that place requirements on all U.S. public company boards of directors and management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.
An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon." Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, roll forward prior year working papers, and evaluate the propositions in their auditing report.
Investor relations (IR) is a "strategic management responsibility that is capable of integrating finance, communication, marketing and securities law compliance to enable the most effective two-way communication between a company, the financial community, and other constituencies, which ultimately contributes to a company's securities achieving fair valuation." as defined by National Investor Relations Institute (NIRI). IR is also function to assess the impact of a company actions on the company's position in the capital markets.
An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.
The chief risk officer (CRO), chief risk management officer (CRMO), or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes–Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing might achieve this goal by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.
Data governance is a term used on both a macro and a micro level. The former is a political concept and forms part of international relations and Internet governance; the latter is a data management concept and forms part of corporate data governance.
Governance, risk management and compliance (GRC) is the term covering an organization's approach across these three practices: governance, risk management, and compliance.
The Financial Instruments and Exchange Act, is a Japanese law that is the main statute codifying securities law and regulating securities companies in Japan. It was promulgated on June 14, 2006.
Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.
In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Controls are put in place to address risks within these components. Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced – thus enhancing the organization's operational risk profile. Investors, governments, the public, and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.
Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes Oxley mandated that public companies have an independent Audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes Oxley Act was attempting to proactively deter financial misrepresentation (Fraud) in order to ensure more accurate financial reporting to increase investor confidence. This same concept is applied in the discussion of fraud deterrence.
An entity-level control is a control that helps to ensure that management directives pertaining to the entire entity are carried out. These controls are the second level to understanding the risks of an organization. Generally, entity refers to the entire company.
Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.
Control self-assessment is a technique developed in 1987 that is used by a range of organisations including corporations, charities and government departments, to assess the effectiveness of their risk management and control processes.
Certified Sarbanes-Oxley Professional (CSOXP) is a credential awarded by the governance, risk & compliance group. The CSOXP credential communicates that certified professionals have the knowledge listed below: