Answers frequently asked questions about IT issues related to Section 404 compliance
Menlo Park, CA — March 25, 2004 — Protiviti Inc., an internal audit and business and technology risk consulting firm, today announced the release of its new publication, "Guide to the Sarbanes-Oxley Act: IT Risks and Controls."
The book contains responses to more than 50 "frequently asked questions" regarding technology risks and controls as they relate to compliance with Section 404 of Sarbanes-Oxley, Protiviti said, adding that it provides information for organizations in the process of establishing internal control over financial reporting, as required by Section 404.
Edward Hill, Protiviti's managing director leading the firm's information technology audit services practice, said, "Complying with Section 404 creates unique challenges for IT departments that are relied upon to implement and monitor numerous systems. On many occasions they have to develop new processes under tight deadlines to control and monitor these systems. Our hope is that this resource guide will serve as a helpful roadmap for professionals involved with building internal controls within the IT environment."
Protiviti said that "Guide to the Sarbanes-Oxley Act: IT Risks and Controls" offers information on the numerous risk and control issues — at both the entity and business-process levels — that must be addressed by IT departments and professionals as part of Section 404 compliance efforts.
The guide also reviews required documentation, testing and remediation matters that impact the IT organization as a whole. One of the specific subjects covered is risk and control considerations in complying with Sarbanes-Oxley.
"Many IT departments are just now coming to understand the requirements and what is involved not only in achieving compliance but in maintaining it," noted O'Donnell. The guide reviews current IT control guidelines and standards, such as those provided by COSO and the Information Systems Audit and Control Association's (ISACA) Control Objectives for Information and Related Technologies (CobiT).
The guide also delves into applying IT control considerations to business-process controls, assessing the impact of entity-level controls surrounding IT, identifying and assessing general control considerations at the activity/process level, the roles and responsibilities of application and data owners in facilitating Sarbanes-Oxley compliance, and the importance of documentation and testing in evaluating internal control over financial reporting.
With more than 30 offices in North America, Europe and Asia, Protiviti is an international provider of independent outsourced and co-sourced internal audit and business and technology risk consulting services.