IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function.
Categories of IT application controls may include:
An organization's Chief Information Officer or Chief Information Security Officer is typically responsible for the security, accuracy, and reliability of the systems that manage and report the company's data, including financial data.
The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT objective domains applying to each individually and in aggregate.
IT controls that typically fall under the scope of a SOX 404 assessment may include:
Specific activities that may occur to support the assessment of the key controls above include:
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part.
While there are many IT systems operating within an organization, Sarbanes-Oxley compliance focuses only on those that are associated with a significant account or related business process and that mitigate specific material financial risks.
This focus on risk enables management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.
Section 409 requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis.
Companies must also account for changes that occur externally, such as changes by customers or business partners that could materially impact their own financial positioning (e.g. key customer/supplier bankruptcy and default).