IT Audit and Control
provides for new corporate governance rules, regulations and standards for specified public companies including SEC registrants.
The US Securities and Exchange Commission (SEC) has mandated the use of a recognized internal control framework.
Section 404 requires the management of public companies specified by the Act to assess the effectiveness of the organizationís internal control over
financial reporting and annually report the result of that assessment.
Much has been written on the importance of the Act and internal controls in general; however, little exists on the significant role that information
technology plays in this area. Most would agree that the reliability of financial reporting is heavily dependent on a well-controlled IT environment.
Accordingly, there is a need for information for organizations to consider in addressing IT controls in a financial reporting context.
New Art Technologies, Inc. has decades of experience in all facets of IT development, audit and control. We review IT control processes completely and
holistically, focusing on the following framework of questions:
- Does the Sarbanes-Oxley steering committee understand the risks inherent in IT systems and their impact on compliance with section 404?
- Has IT management implemented suitable IT controls to meet these business requirements?
- Does the CIO have an advanced knowledge of the types of IT controls necessary to support reliable financial processing?
- Are policies governing security, availability and processing integrity established, documented and communicated to all members of the IT organization?
- Are the roles and responsibilities for all those involved in processing financial IT systems related to section 404 documented and understood by all members
of the department?
- Do members of the IT department and all those involved in processing financial IT systems understand their roles, do they possess the requisite skills
to perform their job responsibilities relating to internal control, and are they supported with appropriate skill development?
- Is the IT departmentís risk assessment process integrated with the companyís overall risk assessment process for financial reporting?
- Does the IT department document, evaluate and remediate IT controls related to financial reporting on an annual basis?
- Does the IT department have a formal process in place to identify and respond to IT control deficiencies?
- Is the effectiveness of IT controls monitored and followed up on a regular basis?