– Effectiveness and efficiency of operations – Reliability of financial reporting – Compliance with applicable laws and regulations
• Internal control is now the Law
The Importance of IT Controls to Sarbanes-Oxley Compliance.
Today’s Objectives
• Provide a high-level overview of Sarbanes-Oxley and the internal control certification requirements
4
©2004 Deloitte & Touche LLP
Overview of Internal Control Certification Requirements
Section 302 Certification Overview • CEO and CFO to make specific certifications as of the end of each
• Discuss the importance of information technology in internal control over financial reporting
• Describe how the Sarbanes-Oxley section 404 rules impact information technology
– The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in the public markets
– Section 404 of the Act requires management to establish and maintain internal control – and requires the independent auditors to evaluate
– Compliance deadline: Year-ends on or after November 15, 2004
• Preparing for Sarbanes-Oxley compliance is a significant and challenging task
– There are many requirements, including the identification of significant financial statement accounts, processes and systems that support them and then documenting and testing them
quarterly and annual reporting period, including: – Report contains no untrue statements – Report is fairly presented in all material respects – Responsibility for design and maintenance of disclosure controls and procedures as well as internal controls over financial reporting
Oxley compliance
2
©2004 Deloitte & Touche LLP
Setting the Stage
3
©2003 Firm Name/Legal Entity
Setting the Stage
• What is internal control?
– Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Became effective in 2002 (amended in June 2003)
Section 404 Certification Overview • CEO and CFO to certify as of the end of every annual reporting period:
• Effec ending after November 15, 2004 (small business and foreign filers July15, 2005).
– Their responsibility for establishing and maintaining effective internal controls over financial reporting
– Their assessment of internal controls, accompanied by the independent auditors’ attestation report
• Provide an overview of the Cobit IT control framework • Provide an example of a readiness program roadmap • Summarize the importance and impact of IT controls to Sarbanes-