IT Control Objectives for Sarbanes-Oxley
The Importance of IT in the Design, Implementation and Sustainability of
Internal Control Over Disclosure and Financial Reporting
Purpose of IT Control Objectives for Sarbanes-Oxley
This research is intended as a reference for executive management and IT control professionals, including IT management and assurance professionals, when evaluating an organization’s IT controls as required by the US Sarbanes-Oxley Act of 2002 (the “Act”). These appendices are being made available to ISACA members only, to facilitate their use. IT Control Objectives for Sarbanes-Oxley is available in print through the ISACA bookstore for US $5. It is also posted on the ISACA web site at www.isaca.org/research. Please be familiar with the guidance and practices discussed in the document before using these appendices.
IT Governance Institute
The IT Governance Institute (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology.
Effective IT governance helps ensure that IT supports business goals, optimizes business
investment in IT, and appropriately manages IT-related risks and opportunities. The IT
Governance Institute offers symposia, original research and case studies to assist enterprise
leaders and boards of directors in their IT governance responsibilities.
Information Systems Audit and Control Association
With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA) (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor® (CISA®) designation, earned by more than 35,000 professionals since inception, and the Certified Information Security Manager® (CISM®) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.
© Copyright IT Governance Institute 2004
Disclaimer
The IT Governance Institute, Information Systems Audit and Control Association and other
contributors make no claim that use of the materials will assure a successful outcome. This
material should not be considered inclusive of IT controls, procedures and tests, or exclusive of
other IT controls, procedures and tests that may be reasonably present in an effective internal
control system over financial reporting. In determining the propriety of any specific control,
procedure or test, SEC registrants should apply appropriate judgment to the specific control
circumstances presented by the particular systems or information technology environment.
Readers should note that this material has not received endorsement from the SEC, the PCAOB
or any other standard-setting body. The issues that are dealt with in this publication will evolve
over time. Accordingly, companies should seek counsel and appropriate advice from their risk
advisors and/or auditors. The contributors make no representation or warranties and provide no
assurances that an organization’s use of this document will result in disclosure controls and procedures and the internal controls and procedures for financial reporting that are compliant
with the requirements and the internal control reporting requirements of the Act, nor that an
organization’s plans will be sufficient to address and correct any shortcomings that would
prohibit the organization from making the required certification or reporting under the Act.
Internal controls, no matter how well designed and operated, can provide only reasonable
assurance of achieving an entity’s control objectives. The likelihood of achievement is affected
by limitations inherent to internal control. These include the realities that human judgment in
decision-making can be faulty and that breakdowns in internal control can occur because of
human failures such as simple errors or mistakes. Additionally, controls, whether manual or
automated, can be circumvented by the collusion of two or more people or inappropriate
management override of internal controls.
Copyright © 2004 by the IT Governance Institute. Reproduction of selections of this publication
for academic use is permitted and must include full attribution of the material’s source.
Reproduction or storage in any form for commercial purpose is not permitted without ITGI’s
prior written permission. No other right or permission is granted with respect to this work.
Table of Contents
APPENDIX A—IT CONTROL OBJECTIVES FOR SARBANES-OXLEY
APPENDIX B—COMPANY-LEVEL QUESTIONNAIRE
APPENDIX C—IT CONTROL OBJECTIVES
  IT GENERAL CONTROLS—PROGRAM DEVELOPMENT AND PROGRAM CHANGE
  IT GENERAL CONTROLS—COMPUTER OPERATIONS AND ACCESS TO PROGRAMS AND DATA
  APPLICATION CONTROLS—BUSINESS CYCLES
REFERENCES
Appendix A—IT Control Objectives for Sarbanes-Oxley
The stage has been set for the importance of IT in preparing for Sarbanes-Oxley compliance, so the
focus now turns to the specific control objectives that will form the basis of an IT control

Figure 10 illustrates the IT processes of COBIT and maps their relationship to the appropriate
COSO component. It is immediately evident that many COBIT IT processes have relationships
with more than one COSO component. This is expected given the nature of general IT controls
as they form the basis for achieving reliable information systems. This multiple relationship
attribute further demonstrates why IT controls are the basis for all others and are essential for a
reliable internal control program.
COBIT is a comprehensive framework for managing risk and control of IT, comprising four domains, 34 IT processes and 318 detailed control objectives. COBIT includes controls that
address operational and compliance objectives, but only those related to financial reporting have
been used to develop this document.
While focus has been provided on what is required for financial reporting, the control objectives
and considerations set forth in this document may exceed what is necessary for organizations
seeking to comply with the requirements of the Sarbanes-Oxley Act. The suggested internal
control framework (COSO) to be used for compliance with the Sarbanes-Oxley Act, as
recommended by the SEC, addresses the topic of IT controls, but does not dictate requirements
for such control objectives and related control activities. Similarly, PCAOB Auditing Standard
No. 2 states the importance of IT controls, but does not specify which in particular must be
included. Such decisions remain the discretion of each organization. Accordingly, organizations
should assess the nature and extent of IT controls necessary to support their internal control
program on a case-by-case basis.
The reader may find the following materials particularly useful. This guide was not prepared to
suggest a one-size-fits-all approach; instead, it recommends that each organization tailor the
control objective template to fit its specific circumstances. For example, if systems development
is considered to be of low risk, an organization may choose to amend or delete some or all of the
suggested control objectives. An organization should also consult with its external auditors to
help ensure that all attestation-critical control objectives are addressed.
An important part of this publication is to provide guidance on the specific IT control objectives
that should be considered for compliance with COSO and, ultimately, the Sarbanes-Oxley Act.
Accordingly, the following section provides this information as well as a perspective on the
importance of the control segment and how it relates to COSO and financial disclosure controls.
As always, IT organizations should consider the nature and extent of their operations in
determining which of the control objectives, illustrative controls and tests of controls need to be
included in their internal control program.
Appendix B—Company-level Questionnaire
The following questionnaire provides a company-level assessment of an organization’s IT
control environment. This questionnaire includes COBIT control objectives found in the Plan and
Organize and Monitor and Evaluate domains and a few from the Deliver and Support domain. As
most organizations are using the COSO control framework for their internal control program,
this questionnaire has been structured in the same order as COSO.
Control Environment
The control environment creates the foundation for effective internal control, establishes the
“tone at the top,” and represents the apex of the corporate governance structure. The issues raised
in the control environment component apply throughout an IT organization.
Points to Consider (for each item, record a Yes/No response and comments)
IT Strategic Planning
(1) Has management prepared strategic plans for IT that align business objectives with IT strategies? Does the planning approach include mechanisms to solicit input from relevant internal and external stakeholders affected by the IT strategic plans?
(2) Does management obtain feedback from business process owners and users regarding the quality and usefulness of its IT plans for use in the ongoing risk assessment
(3) Does an IT planning or steering committee exist to oversee the IT function and its activities? Does committee membership include representatives from senior management, user management and the IT function?
(4) Are IT strategies and ongoing operations formally communicated to senior management and the board of directors, e.g., through periodic meetings of an IT
(5) Does the IT organization ensure that IT plans are communicated to business process owners and other relevant parties across the organization?
(6) Does IT management communicate its activities, challenges and risks on a regular basis with the CEO and CFO? Is this information also shared with the board of
(7) Does the IT organization monitor its progress against the strategic plan and react accordingly to meet established objectives?
IT Organization and Relationships
(8) Do IT managers have adequate knowledge and experience to fulfill their responsibilities?
(9) Have key systems and data been inventoried and their
(10) Are roles and responsibilities of the IT organization defined, documented and understood?
(11) Do IT personnel have sufficient authority to exercise the role and responsibility assigned to them?
(12) Do IT staff understand and accept their responsibility regarding internal control?
(13) Have data integrity ownership and responsibilities been communicated to appropriate data/business owners and have they accepted these responsibilities?
(14) Is the IT organizational structure sufficient to provide for necessary information flow to manage its activities?
(15) Has IT management implemented a division of roles and responsibilities (segregation of duties) that reasonably prevents a single individual from subverting a critical
(16) Are IT staff evaluations performed regularly (e.g., to ensure that the IT function has a sufficient number of competent IT staff necessary to achieve objectives)?
(17) Are contracted staff and other contract personnel subject to policies and procedures created to control their activities by the IT function, and to assure the protection of the organization’s information assets?
(18) Are significant IT events or failures, e.g., security breaches, major system failures or regulatory failures, reported to senior management or the board?
Management of Human Resources
(19) Are controls in place to support appropriate and timely responses to job changes and job terminations so that internal controls and security are not impaired by such
(20) Does the IT organization subscribe to a philosophy of continuous learning, providing necessary training and skill development to its members?
(21) Has the IT organization adopted and promoted the company’s culture of integrity management, including ethics, business practices and human resources
Educate and Train Users
(22) Has the entity established procedures for identifying and documenting the training needs of all personnel using information services in support of the long-range plan?
(23) Does IT management provide education and ongoing training programs that include ethical conduct, system security practices, confidentiality standards, integrity standards and security responsibilities of all staff?
Information and Communication
COSO states that information is needed at all levels of an organization to run the business and
achieve the company’s control objectives. However, the identification, management and
communication of relevant information represent an ever-increasing challenge to the IT
department. The determination of which information is required to achieve control objectives
and the communication of this information in a form and time frame that allow people to carry
out their duties support the other four components of the COSO framework.
Points to Consider (for each item, record a Yes/No response and comments)
Information Architecture
(24) Has IT management defined information capture, processing and reporting controls—including completeness, accuracy, validity and authorization—to support the quality and integrity of information used for financial and disclosure purposes?
(25) Has IT management defined information classification standards in accordance with corporate security and
(26) Has IT management defined, implemented and maintained security levels for each of the data classifications? Do these security levels represent the appropriate (minimum) set of security and control measures for each of the classifications? Are they reevaluated periodically and modified accordingly?
Communication of Management Aims and Directions
(27) Has IT management formulated, developed and documented policies and procedures governing the IT
(28) Has IT management communicated policies and procedures governing the IT organization’s activities?
(29) Does IT management periodically review its policies, procedures and standards to reflect changing business
(30) Does IT management have processes in place to investigate compliance deviations and introduce remedial
(31) Does IT management have a process in place to assess compliance with its policies, procedures and standards?
(32) Does IT management understand its roles and responsibilities related to the Sarbanes-Oxley Act?
Risk Assessment
Risk assessment involves the identification and analysis by management of relevant risks to
achieve predetermined objectives, which form the basis for determining control activities. It is
likely that internal control risks could be more pervasive in the IT organization than in other
areas of the company. Risk assessment may occur at the company level (for the overall
organization) or at the activity level (for a specific process or business unit).
Points to Consider (for each item, record a Yes/No response and comments)
Assessment of Risks
(33) Does the IT organization have an entity- and activity-level risk assessment framework that is used periodically to assess information risk to achieving business objectives? Does it consider the probability and likelihood of threats?
(34) Does the IT organization’s risk assessment framework measure the impact of risks according to qualitative and quantitative criteria, using inputs from different areas including, but not limited to, management brainstorming, strategic planning, past audits and other assessments?
(35) Is the IT organization’s risk assessment framework designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance?
(36) Is a comprehensive security assessment performed for critical systems and locations based on their relative priority and importance to the organization?
(37) Where risks are considered acceptable, is there formal documentation and acceptance of residual risk with related offsets, including adequate insurance coverage, contractually negotiated liabilities and self-insurance?
(38) Is the IT organization committed to active and continuous risk assessment processes as an important tool in providing information on the design and implementation of internal controls, in the definition of the IT strategic plan, and in the monitoring and evaluation mechanisms?
(39) Is access to the data center restricted to authorized personnel, requiring appropriate identification and
(40) Has a business impact assessment been performed that considers the impact of systems failure on the financial
(41) Are data center facilities equipped with adequate environmental controls to maintain systems and data, including fire suppression, uninterruptible power supply (UPS), air conditioning and elevated floors?
Monitoring
Monitoring, which covers the oversight of internal control by management through continuous
and point-in-time assessment processes, is becoming increasingly important to IT management.
There are two types of monitoring activities: continuous monitoring and separate evaluations.
Points to Consider (for each item, record a Yes/No response and comments)
Compliance With External Requirements
(42) Does the organization monitor changes in legal, regulatory or other external requirements related to IT practices and controls?
(43) Are control activities in place and followed to ensure compliance with external requirements, such as regulatory and legal rules?
(44) Are internal events considered in a timely manner to support continuous compliance with legal and regulatory
Management of Quality
(45) Is documentation created and maintained for all significant IT processes, controls and activities?
(46) Does a plan exist to maintain the overall quality assurance of IT activities based on the organizational and IT plans?
(47) Are documentation standards in place, have they been communicated to all IT staff, and are they supported with
(48) Does a quality plan exist for significant IT functions (e.g., system development and deployment) and does it provide a consistent approach to address both general and project-specific quality assurance activities?
(49) Does the quality plan prescribe the type(s) of quality assurance activities (such as reviews, audits, inspections) to be performed to achieve the objectives of the quality
(50) Does the quality assurance process include a review of adherence to IT policies, procedures and standards?
(51) Have data integrity ownership and responsibilities been communicated to the appropriate data owners and have they accepted these responsibilities?
Manage Performance and Capacity
(52) Does IT management monitor the performance and capacity levels of the systems and network?
(53) Does IT management have a process in place to respond to suboptimal performance and capacity measures in a
(54) Is performance and capacity planning included in system design and implementation activities?
(55) Have performance indicators (e.g., benchmarks) from both internal and external sources been defined, and are data being collected and reported regarding achievement of these benchmarks?
(56) Has IT management established appropriate metrics to effectively manage the day-to-day activities of the IT
(57) Does IT management monitor IT’s delivery of services to identify shortfalls and does IT respond with actionable plans to improve?
Adequacy of Internal Control
(58) Does IT management monitor the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons and benchmarks?
(59) Are serious deviations in the operation of internal control, including major security, availability and processing integrity events, reported to senior management?
(60) Are internal control assessments performed periodically, using self-assessments or independent audits, to examine whether or not internal controls are operating
(61) Does IT management obtain independent reviews prior to implementing significant IT systems that are directly linked to the organization’s financial reporting
(62) Does IT management obtain independent internal control reviews of third-party service providers (e.g., by obtaining and reviewing copies of SAS 70, SysTrust or other independent audit reports)?
(63) Is documentation retained in a manner that can be used by the independent auditor or examiner as a basis for
(64) Does the organization have an IT internal audit department that is responsible for reviewing IT activities
(65) Is the audit plan based upon a risk assessment that includes IT? Does it cover the full range of IT audits, e.g., general and application controls, systems development
(66) Are procedures in place to follow up on IT control issues in a timely manner?