According to the PCAOB, the number of publicly traded companies reporting
material weaknesses in internal control over financial reporting directly
as a result of the Sarbanes-Oxley (SOX) Act will significantly rise in 2005.
CPA firms are under pressure to maintain higher standards as their role
changes from consultant to examiner. Public companies have a limited window
of time to grasp the imposing requirements and to implement the necessary
changes to comply with the regulations.
MindSource provides the critical resources and the IT, regulatory, and
enterprise security expertise to meet business compliance objectives.
Our suite of compliance services includes Sarbanes-Oxley 404/IT External
Audits, Sarbanes-Oxley 404/IT Internal Readiness, SAS 70 Audit Services,
and Gramm-Leach-Bliley (GLB) compliance services.
SOX 404/IT External Audit
SOX Section 404 establishes rules to ensure that members of senior management
of all publicly traded companies address their responsibility for implementing
internal controls over financial reporting. Each company must assess the
effectiveness of its controls and annually report the results to the SEC.
Because the reliability of financial reporting is heavily dependent on
a well-controlled IT environment, IT management is a vital component of
SOX 404 conformance.
MindSource collaborates with accounting firms to provide external audit
services. We utilize our deep IT expertise and the COBIT framework to
conduct the required 404/IT audit for external attestation. Our team evaluates
and tests IT general and application controls to determine whether or
not we can attest to management’s assertion as to the design and
operating effectiveness of internal controls over the financial reporting
process.
SOX 404/IT Internal Readiness
Complying with SOX is a time-consuming and documentation-intensive task,
requiring substantial planning. Underestimating the requirements for this
effort can lead to misallocation of financial and human resources and
increased risk of noncompliance.
MindSource leverages significant external audit experience to deliver
404/IT Internal Readiness services. Our process includes the application
of accepted standards, best practices, and control frameworks, including
COBIT, ITIL, ISO 17799, and COSO to achieve effective, efficient, and
compliant internal controls. A typical 404/IT engagement begins with Project
Scoping and continues with the iterative audit and controls testing process.
Project Scoping and Gap Analysis
Project Scoping is critical to SOX compliance efforts; planning saves
time, effort, and money. A high-level analysis identifies compliance gaps
and sets forth plans for implementing internal controls and remediating
deficiencies. The steps include the following:
- Discovering internal control programs and financial reporting processes
and performing a risk analysis to determine the key controls
- Mapping IT systems that support internal controls and the financial
reporting process from data capture to final statement publication
- Identifying and documenting areas of deficiency in control design
and operating effectiveness of key control domains
- Developing remediation strategies
SOX 404/IT Internal Audit/Controls Testing
Because SOX requires management to assess the effectiveness of internal
controls on an annual basis, the internal audit function is critical to
achieving compliance. MindSource leverages deep knowledge of compliance
and the COBIT IT control framework to evaluate and test IT controls. This
process includes:
- Taking a risk analysis-based approach to identify the key IT general
controls
- Assessing the control design and enumerating gaps, closely monitoring
documentation deficiencies
- Testing the operating effectiveness of key IT controls, noting all
exceptions, significant deficiencies, and material weaknesses
Documentation
Using a trusted third party to manage and perform documentation can
reduce the cost of compliance and take pressure off internal resources.
According to AMR Research, documentation is among the top 2005 SOX spending
priorities. Creating, modifying, and storing documents typically occupy
more man-hours than all other compliance activities.
Our experts collaborate with your team to identify and create documentation
of systems, policies, and procedures to meet compliance requirements
and to optimize IT planning and implementation. Areas of documentation
focus include:
- Corporate governance, as it relates to the IT function
- IT and security policies
- Detailed operating and control procedures
- Standard forms for all IT general control domains, including access
control, program development, program change control and computer operations
- Network maps and process diagrams