The IT Governance Institute has released an updated second edition of its research guide, “IT Control Objectives for Sarbanes-Oxley.” The guide evaluates the use of IT controls in compliance with the Sarbanes-Oxley Act of 2002, whose provisions are intended to combat financial malfeasance.
Early this year, the institute sponsored a meeting attended by individuals from accounting and professional firms to discuss the guide’s strengths and weaknesses. Based on feedback from more than 100 respondents, the institute proceeded to amend, upgrade and update the guide.
“In some cases, the regulations had changed or had been further clarified,” said Paul Zonneveld, partner at Deloitte and one of the guide’s authors, who explained that the institute also examined ways to simplify the guide overall. “Some companies thought it was getting too big or too extensive.”
The second edition of the guide introduces advances in thinking about financial reporting and IT controls. According to the institute, the most significant point is the need to take a top-down approach to assessing risk.
“What it really means from an IT perspective is that all systems are not created equal,” Zonneveld said. “Some IT systems have a higher probability of causing failure in terms of financial reporting. And so you can’t treat all IT systems alike — you have to spend more time on the higher-risk areas and less time on the lower-risk areas.”
Zonneveld added that identifying high-risk areas requires closely determining the linkage between database systems and financial statements, looking at where the data is held, who uses it, how they could manipulate it and what access restrictions need to be in place so unauthorized people can’t change it. He identified access controls as an example of a high-risk area and backup, recovery and physical security as examples of low-risk areas.
Beyond a stronger focus on risk assessment, the second edition of the guide adds a simplified readiness road map and a cross-reference to CobiT 4.0 processes.
According to the institute, the guide has been downloaded more than 250,000 times since it was first made available in 2004 (it’s available for download at www.itgi.org). The institute has seen an increase in international registrants using the guide to address Sarbanes-Oxley, principally because international regulations are starting to require it.