IT Control Objectives for Sarbanes-Oxley: Question

By Jacqueline Nelson, 2014-07-16 07:27

IT Control Objectives for Sarbanes-Oxley

The Importance of IT in the Design, Implementation and Sustainability of Internal Control Over Disclosure and Financial Reporting

Company-level Questionnaire

IT Control Objectives

Purpose of IT Control Objectives for Sarbanes-Oxley

This research is intended as a reference for executive management and IT control professionals, including IT management and assurance professionals, when evaluating an organization’s IT controls as required by the US Sarbanes-Oxley Act of 2002 (the “Act”). These appendices are being made available to ISACA members only, to facilitate their use. IT Control Objectives for Sarbanes-Oxley is available in print through the ISACA bookstore for US $5. It is also posted on the ISACA web site. Please be familiar with the guidance and practices discussed in the document before using these appendices.

IT Governance Institute

The IT Governance Institute was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.

Information Systems Audit and Control Association

With more than 35,000 members in more than 100 countries, the Information Systems Audit and Control Association (ISACA) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal®, develops international information systems auditing and control standards, and administers the globally respected Certified Information Systems Auditor® (CISA) designation, earned by more than 35,000 professionals since inception, and the Certified Information Security Manager® (CISM®) designation, a groundbreaking credential earned by 5,000 professionals in its first two years.

© Copyright IT Governance Institute 2004

Disclaimer

The IT Governance Institute, Information Systems Audit and Control Association and other contributors make no claim that use of the materials will assure a successful outcome. This material should not be considered inclusive of IT controls, procedures and tests, or exclusive of other IT controls, procedures and tests that may be reasonably present in an effective internal control system over financial reporting. In determining the propriety of any specific control, procedure or test, SEC registrants should apply appropriate judgment to the specific control circumstances presented by the particular systems or information technology environment.

Readers should note that this material has not received endorsement from the SEC, the PCAOB or any other standard-setting body. The issues that are dealt with in this publication will evolve over time. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and/or auditors. The contributors make no representation or warranties and provide no assurances that an organization’s use of this document will result in disclosure controls and procedures and the internal controls and procedures for financial reporting that are compliant with the requirements and the internal control reporting requirements of the Act, nor that an organization’s plans will be sufficient to address and correct any shortcomings that would prohibit the organization from making the required certification or reporting under the Act.

Internal controls, no matter how well designed and operated, can provide only reasonable assurance of achieving an entity’s control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes. Additionally, controls, whether manual or automated, can be circumvented by the collusion of two or more people or inappropriate management override of internal controls.


Copyright © 2004 by the IT Governance Institute. Reproduction of selections of this publication for academic use is permitted and must include full attribution of the material’s source. Reproduction or storage in any form for commercial purpose is not permitted without ITGI’s prior written permission. No other right or permission is granted with respect to this work.


Appendix A: IT Control Objectives for Sarbanes-Oxley

The stage has been set for the importance of IT to prepare for Sarbanes-Oxley compliance, so the focus now turns to the specific control objectives that will form the basis of an IT control

Figure 10 illustrates the IT processes of COBIT and maps their relationship to the appropriate COSO component. It is immediately evident that many COBIT IT processes have relationships with more than one COSO component. This is expected given the nature of general IT controls, as they form the basis for achieving reliable information systems. This multiple-relationship attribute further demonstrates why IT controls are the basis for all others and are essential for a reliable internal control program.

COBIT is a comprehensive framework for managing risk and control of IT, comprising four domains, 34 IT processes and 318 detailed control objectives. COBIT includes controls that address operational and compliance objectives, but only those related to financial reporting have been used to develop this document.

While focus has been provided on what is required for financial reporting, the control objectives and considerations set forth in this document may exceed what is necessary for organizations seeking to comply with the requirements of the Sarbanes-Oxley Act. The suggested internal control framework (COSO) to be used for compliance with the Sarbanes-Oxley Act, as recommended by the SEC, addresses the topic of IT controls, but does not dictate requirements for such control objectives and related control activities. Similarly, PCAOB Auditing Standard No. 2 states the importance of IT controls, but does not specify which in particular must be included. Such decisions remain at the discretion of each organization. Accordingly, organizations should assess the nature and extent of IT controls necessary to support their internal control program on a case-by-case basis.

The reader may find the following materials particularly useful. This guide was not prepared to suggest a one-size-fits-all approach; instead, it recommends that each organization tailor the control objective template to fit its specific circumstances. For example, if systems development is considered to be of low risk, an organization may choose to amend or delete some or all of the suggested control objectives. An organization should also consult with its external auditors to help ensure that all attestation-critical control objectives are addressed.

An important part of this publication is to provide guidance on the specific IT control objectives that should be considered for compliance with COSO and, ultimately, the Sarbanes-Oxley Act. Accordingly, the following section provides this information as well as a perspective on the importance of the control segment and how it relates to COSO and financial disclosure controls.

As always, IT organizations should consider the nature and extent of their operations in determining which of the control objectives, illustrative controls and tests of controls need to be included in their internal control program.


Appendix B: Company-level Questionnaire

The following questionnaire provides a company-level assessment of an organization’s IT control environment. This questionnaire includes COBIT control objectives found in the Plan and Organize and Monitor and Evaluate domains and a few from the Deliver and Support domain. As most organizations are using the COSO control framework for their internal control program, this questionnaire has been structured in the same order as COSO.

Control Environment

The control environment creates the foundation for effective internal control, establishes the “tone at the top,” and represents the apex of the corporate governance structure. The issues raised in the control environment component apply throughout an IT organization.

Points to Consider (each point is answered Yes / No, with Comments)

IT Strategic Planning

(1) Has management prepared strategic plans for IT that align business objectives with IT strategies? Does the planning approach include mechanisms to solicit input from relevant internal and external stakeholders affected by the IT strategic plans?

(2) Does management obtain feedback from business process owners and users regarding the quality and usefulness of its IT plans for use in the ongoing risk assessment

(3) Does an IT planning or steering committee exist to oversee the IT function and its activities? Does committee membership include representatives from senior management, user management and the IT function?

(4) Are IT strategies and ongoing operations formally communicated to senior management and the board of directors, e.g., through periodic meetings of an IT steering committee?

(5) Does the IT organization ensure that IT plans are communicated to business process owners and other relevant parties across the organization?

(6) Does IT management communicate its activities, challenges and risks on a regular basis with the CEO and CFO? Is this information also shared with the board of

(7) Does the IT organization monitor its progress against the strategic plan and react accordingly to meet established objectives?

IT Organization and Relationships

(8) Do IT managers have adequate knowledge and experience to fulfill their responsibilities?

(9) Have key systems and data been inventoried and their owners identified?

(10) Are roles and responsibilities of the IT organization defined, documented and understood?

(11) Do IT personnel have sufficient authority to exercise the role and responsibility assigned to them?

(12) Do IT staff understand and accept their responsibility regarding internal control?

(13) Have data integrity ownership and responsibilities been communicated to appropriate data/business owners and have they accepted these responsibilities?

(14) Is the IT organizational structure sufficient to provide for necessary information flow to manage its activities?

(15) Has IT management implemented a division of roles and responsibilities (segregation of duties) that reasonably prevents a single individual from subverting a critical

(16) Are IT staff evaluations performed regularly (e.g., to ensure that the IT function has a sufficient number of competent IT staff necessary to achieve objectives)?

(17) Are contracted staff and other contract personnel subject to policies and procedures created to control their activities by the IT function, and to assure the protection of the organization’s information assets?

(18) Are significant IT events or failures, e.g., security breaches, major system failures or regulatory failures, reported to senior management or the board?

Management of Human Resources

(19) Are controls in place to support appropriate and timely responses to job changes and job terminations so that internal controls and security are not impaired by such

(20) Does the IT organization subscribe to a philosophy of continuous learning, providing necessary training and skill development to its members?

(21) Has the IT organization adopted and promoted the company’s culture of integrity management, including ethics, business practices and human resources

Educate and Train Users

(22) Has the entity established procedures for identifying and documenting the training needs of all personnel using information services in support of the long-range plan?

(23) Does IT management provide education and ongoing training programs that include ethical conduct, system security practices, confidentiality standards, integrity standards and security responsibilities of all staff?

Information and Communication

COSO states that information is needed at all levels of an organization to run the business and achieve the company’s control objectives. However, the identification, management and communication of relevant information represents an ever-increasing challenge to the IT department. The determination of which information is required to achieve control objectives, and the communication of this information in a form and time frame that allow people to carry out their duties, support the other four components of the COSO framework.

Points to Consider (each point is answered Yes / No, with Comments)

Information Architecture

(24) Has IT management defined information capture, processing and reporting controls, including completeness, accuracy, validity and authorization, to support the quality and integrity of information used for financial and disclosure purposes?

(25) Has IT management defined information classification standards in accordance with corporate security and privacy policies?

(26) Has IT management defined, implemented and maintained security levels for each of the data classifications? Do these security levels represent the appropriate (minimum) set of security and control measures for each of the classifications? Are they reevaluated periodically and modified accordingly?

Communication of Management Aims and Directions

(27) Has IT management formulated, developed and documented policies and procedures governing the IT organization’s activities?

(28) Has IT management communicated policies and procedures governing the IT organization’s activities?

(29) Does IT management periodically review its policies, procedures and standards to reflect changing business

(30) Does IT management have processes in place to investigate compliance deviations and introduce remedial

(31) Does IT management have a process in place to assess compliance with its policies, procedures and standards?

(32) Does IT management understand its roles and responsibilities related to the Sarbanes-Oxley Act?

Risk Assessment

Risk assessment involves the identification and analysis by management of relevant risks to achieving predetermined objectives, which form the basis for determining control activities. It is likely that internal control risks could be more pervasive in the IT organization than in other areas of the company. Risk assessment may occur at the company level (for the overall organization) or at the activity level (for a specific process or business unit).

Points to Consider (each point is answered Yes / No, with Comments)

Assessment of Risks

(33) Does the IT organization have an entity- and activity-level risk assessment framework that is used periodically to assess information risk to achieving business objectives? Does it consider the probability and likelihood of threats?

(34) Does the IT organization’s risk assessment framework measure the impact of risks according to qualitative and quantitative criteria, using inputs from different areas including, but not limited to, management brainstorming, strategic planning, past audits and other assessments?

(35) Is the IT organization’s risk assessment framework designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance?

(36) Is a comprehensive security assessment performed for critical systems and locations based on their relative priority and importance to the organization?

(37) Where risks are considered acceptable, is there formal documentation and acceptance of residual risk with related offsets, including adequate insurance coverage, contractually negotiated liabilities and self-insurance?

(38) Is the IT organization committed to active and continuous risk assessment processes as an important tool in providing information on the design and implementation of internal controls, in the definition of the IT strategic plan, and in the monitoring and evaluation mechanisms?

(39) Is access to the data center restricted to authorized personnel, requiring appropriate identification and

(40) Has a business impact assessment been performed that considers the impact of systems failure on the financial reporting process?

Manage Facilities

(41) Are data center facilities equipped with adequate environmental controls to maintain systems and data, including fire suppression, uninterrupted power service (UPS), air conditioning and elevated floors?

Monitoring

Monitoring, which covers the oversight of internal control by management through continuous and point-in-time assessment processes, is becoming increasingly important to IT management. There are two types of monitoring activities: continuous monitoring and separate evaluations.

Points to Consider (each point is answered Yes / No, with Comments)

Compliance With External Requirements

(42) Does the organization monitor changes in external requirements for legal, regulatory or other external requirements related to IT practices and controls?

(43) Are control activities in place and followed to ensure compliance with external requirements, such as regulatory and legal rules?

(44) Are internal events considered in a timely manner to support continuous compliance with legal and regulatory

Management of Quality

(45) Is documentation created and maintained for all significant IT processes, controls and activities?

(46) Does a plan exist to maintain the overall quality assurance of IT activities based on the organizational and IT plans?

(47) Are documentation standards in place, have they been communicated to all IT staff, and are they supported with

(48) Does a quality plan exist for significant IT functions (e.g., system development and deployment) and does it provide a consistent approach to address both general and project-specific quality assurance activities?

(49) Does the quality plan prescribe the type(s) of quality assurance activities (such as reviews, audits, inspections) to be performed to achieve the objectives of the quality

(50) Does the quality assurance process include a review of adherence to IT policies, procedures and standards?

(51) Have data integrity ownership and responsibilities been communicated to the appropriate data owners and have they accepted these responsibilities?

Manage Performance and Capacity

(52) Does IT management monitor the performance and capacity levels of the systems and network?

(53) Does IT management have a process in place to respond to suboptimal performance and capacity measures in a timely manner?

(54) Is performance and capacity planning included in system design and implementation activities?

(55) Have performance indicators (e.g., benchmarks) from both internal and external sources been defined, and are data being collected and reported regarding achievement of these benchmarks?

(56) Has IT management established appropriate metrics to effectively manage the day-to-day activities of the IT

(57) Does IT management monitor IT’s delivery of services to identify shortfalls and does IT respond with actionable plans to improve?

Adequacy of Internal Control

(58) Does IT management monitor the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons and benchmarks?

(59) Are serious deviations in the operation of internal control, including major security, availability and processing integrity events, reported to senior management?

(60) Are internal control assessments performed periodically, using self-assessments or independent audits, to examine whether or not internal controls are operating

Independent Assurance

(61) Does IT management obtain independent reviews prior to implementing significant IT systems that are directly linked to the organization’s financial reporting

(62) Does IT management obtain independent internal control reviews of third-party service providers (e.g., by obtaining and reviewing copies of SAS 70, SysTrust or other independent audit reports)?

(63) Is documentation retained in a manner that can be used by the independent auditor or examiner as a basis for

Internal Audit

(64) Does the organization have an IT internal audit department that is responsible for reviewing IT activities and controls?

(65) Is the audit plan based upon a risk assessment that includes IT? Does it cover the full range of IT audits, e.g., general and application controls, systems development life cycle?

(66) Are procedures in place to follow up on IT control issues in a timely manner?
