Recent events have ushered in a new era in the history of business, characterised by a firm resolve to increase corporate responsibility. The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in US public markets, which were devastated by business scandals and lapses in corporate governance. The responses to these events include a much stronger focus on internal controls. The expectations in SA are not much different.
At most companies relatively little attention was given to the role of information technology in the financial reporting process. This is unfortunate, as most companies are heavily dependent on well-controlled IT environments.
IT professionals, especially those in executive positions, now need to be well-versed in internal control theory and practice to meet the requirements of good governance. CIOs must now take on the challenges of enhancing their knowledge of internal control, understanding their company's overall corporate governance compliance plan, developing a compliance plan to specifically address IT controls, and integrating this plan into the overall corporate governance compliance plan.
COSO (Committee of Sponsoring Organisations) is the suggested internal control framework to be used for compliance with corporate governance. It addresses the topic of IT general controls, but does not dictate requirements for such control objectives and related control activities. Similarly, the audit standards issued in the US by the PCAOB on 7 October 2003 highlight the importance of IT general controls, but do not specify which in particular must be included.
Such decisions remain the responsibility of an enterprise's management and independent auditors for their respective purposes. Accordingly, enterprises should assess the nature and extent of information technology controls necessary to support their internal control program on a case-by-case basis.
As always, IT organisations should consider the nature and extent of their operations in determining which, if not all, of the control objectives need to be included in their internal control program.
Not only must organisations ensure that appropriate controls (including IT controls) are in place, they must also provide their independent auditors with documentation supporting management's assessment. This includes design documentation and the documented results of testing procedures.
For more information, visit www.infosecafrica.co.za.