next three or five years. Audit data retained today may not be retrievable, not because of data degradation, but because of obsolete equipment and storage media.

Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management (RM) program: the comprehensiveness of RM (i.e. paper, electronic and transactional communications, which includes emails, instant messages, and spreadsheets that are used to analyze financial results), the adequacy of the retention life cycle, the immutability of RM practices, audit trails, and the accessibility and control of RM content.

End-user application / Spreadsheet controls

PC-based spreadsheets or databases are often used to provide critical data or calculations related to financial risk areas within the scope of a SOX 404 assessment. Financial spreadsheets are often categorized as end-user computing (EUC) tools that have historically been absent from traditional IT controls. They can support complex calculations and provide significant flexibility. However, with flexibility and power comes the risk of errors, an increased potential for fraud, and misuse for critical spreadsheets not following the software development lifecycle (e.g. design, develop, test, validate, deploy). To remediate and control spreadsheets, public organizations may implement controls such as:

- Inventory and risk-rank spreadsheets that are related to critical financial risks identified as in-scope for the SOX 404 assessment. These typically relate to the key estimates and judgments of the enterprise, where sophisticated calculations and assumptions are involved. Spreadsheets used merely to download and upload data are less of a concern.
- Perform a risk-based analysis to identify spreadsheet logic errors. Automated tools exist for this purpose.
- Ensure the spreadsheet calculations are functioning as intended (i.e., "baseline" them).
- Ensure changes to key calculations are properly approved.

Responsibility for control over spreadsheets is shared between the business users and IT. The IT organization is typically concerned with providing a secure shared drive for storage of the spreadsheets and data backup. The business personnel are responsible for the remainder.

A side note on "inherent risk": it is defined as the risk that an error exists that could be material or significant when combined with other errors encountered during the audit, assuming there are no related compensating controls. As an example, complex database updates are more likely to be miswritten than simple ones, and thumb drives are more likely to be stolen (misappropriated) than blade servers in a server cabinet. Inherent risks exist independent of the audit and can occur because of the nature of the business.
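The inventory, baseline and change-approval controls above can be mechanised. The following is an added example, not part of the original document or of any SOX tooling it mentions: it reads the formula cells straight out of an .xlsx workbook (a zip archive of SpreadsheetML XML) using only the Python standard library, records a SHA-256 baseline of every formula, assigns a crude risk rank to the workbook for the inventory, and reports which key calculations changed since the baseline so that each change can be matched against an approval record. The workbooks, the approval log and the risk-rank thresholds are constructed assumptions for the example.

```python
"""Baseline and change-detect formula cells in in-scope financial spreadsheets.

Added example; not from the original document. Standard library only.
"""
import hashlib
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SpreadsheetML namespace used inside xl/worksheets/*.xml of a real workbook.
NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_xlsx(formulas: dict) -> bytes:
    """Construct a minimal single-sheet .xlsx in memory from {cell: formula}.
    Test fixture only: a workbook written by Excel carries many more parts."""
    by_row = {}
    for ref, formula in formulas.items():
        row = int(re.sub(r"[A-Z]+", "", ref))          # "B10" -> 10
        by_row.setdefault(row, []).append(
            f'<c r="{ref}"><f>{escape(formula)}</f></c>')
    rows = "".join(f'<row r="{r}">{"".join(cs)}</row>'
                   for r, cs in sorted(by_row.items()))
    sheet = f'<worksheet xmlns="{NS["s"]}"><sheetData>{rows}</sheetData></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{NS["s"]}"/>')
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def extract_formulas(xlsx_bytes: bytes) -> dict:
    """Return {"<sheet part>!<cell>": formula} for every formula cell.
    Dependent cells of a shared formula carry an empty <f/> and are skipped."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            part = name.rsplit("/", 1)[-1]
            for c in root.iterfind(".//s:c", NS):
                f = c.find("s:f", NS)
                if f is not None and f.text:
                    found[f"{part}!{c.get('r')}"] = f.text
    return found


def baseline(formulas: dict) -> str:
    """Stable fingerprint of the calculation logic (cell order does not matter)."""
    canonical = json.dumps(sorted(formulas.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def risk_rank(formulas: dict) -> str:
    """Inventory heuristic: external-workbook links or many formulas rank
    higher. The thresholds are assumptions chosen for this example."""
    external = any("[" in f for f in formulas.values())   # "[Book.xlsx]Sheet!A1"
    if external or len(formulas) > 50:
        return "high"
    return "medium" if len(formulas) > 10 else "low"


def detect_changes(base: dict, current: dict) -> dict:
    """Diff current formula cells against the baselined ones."""
    return {
        "changed": {k: (base[k], current[k]) for k in base
                    if k in current and base[k] != current[k]},
        "added": {k: v for k, v in current.items() if k not in base},
        "removed": {k: v for k, v in base.items() if k not in current},
    }


def unapproved_changes(changes: dict, approvals) -> list:
    """Every touched key calculation must be covered by an approval record."""
    touched = set(changes["changed"]) | set(changes["added"]) | set(changes["removed"])
    return sorted(touched - set(approvals))


# Constructed sample: a tax-estimate workbook at baseline time and later.
BASELINE_WB = build_xlsx({
    "B10": "SUM(B2:B9)",
    "C10": "B10*0.21",
    "D2": "VLOOKUP(A2,[FX.xlsx]Rates!A:B,2,FALSE)",
})
CURRENT_WB = build_xlsx({
    "B10": "SUM(B2:B9)",
    "C10": "B10*0.19",            # tax rate changed
    "D2": "VLOOKUP(A2,[FX.xlsx]Rates!A:B,2,FALSE)",
    "E2": "D2*1.5",               # new calculation, no approval on file
})
APPROVALS = ["sheet1.xml!C10"]    # constructed approval log


def audit() -> dict:
    base, cur = extract_formulas(BASELINE_WB), extract_formulas(CURRENT_WB)
    changes = detect_changes(base, cur)
    return {
        "risk_rank": risk_rank(cur),
        "baseline_hash": baseline(base),
        "current_hash": baseline(cur),
        "changes": changes,
        "unapproved": unapproved_changes(changes, APPROVALS),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

The report lists the rate change to C10 as approved and flags the new E2 calculation as unapproved; in practice the baseline hash would be stored with the inventory entry and the check re-run on each version landed on the shared drive.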