The IT Governance Institute has released an updated second edition of its research guide, “IT Control Objectives for Sarbanes-Oxley.” The guide evaluates the use of IT controls in compliance with the Sarbanes-Oxley Act of 2002, whose provisions act to combat financial malfeasance.
Early this year, the institute sponsored a meeting attended by individuals from accounting and professional firms to discuss the guide’s strengths and weaknesses. Based on feedback from more than 100 respondents, the institute proceeded to amend, upgrade and update the guide.
“In some cases, the regulations had changed or had been further clarified,” said Paul Zonneveld, partner at Deloitte and one of the guide’s authors, who explained that the institute also examined ways to simplify the guide overall. “Some companies thought it was getting too big or too extensive.”
The second edition of the guide introduces advances in thinking about financial reporting and IT controls. According to the institute, the most significant point is the need to take a top-down approach to assessing risk.
“What it really means from an IT perspective is that all systems are not created equal,” Zonneveld said. “Some IT systems have a higher probability of causing failure in terms of financial reporting. And so you can’t treat all IT systems alike — you have to spend more time on the higher-risk areas and less time on the lower-risk areas.”
Zonneveld added that identifying high-risk areas requires closely determining the linkage between database systems and financial statements,…