An analysis of the role of IT controls in the forthcoming “Japanese SOX”
“J-SOX” is the unofficial name for the Japanese regulation on financial controls management incorporated in the legislative draft entitled Financial Instruments and Exchange Law, published on June 7, 2006 by the Japanese regulatory authority, the Financial Services Agency.
J-SOX will be effective for fiscal years beginning on or after April 1, 2008: all Japanese companies and their consolidated subsidiaries and affiliates all over the world will need to comply with J-SOX requirements. The Japanese requirements are similar to those addressed by US Sarbanes-Oxley Act (SOX) Sections 302 (Corporate Responsibility for Financial Reports) and 404 (Management Evaluation and Report on Internal Controls): they include an evaluation by management based on an internal control framework, introduce audit requirements in addition to management’s evaluation, and are based on an approach that begins with an evaluation of company-wide internal controls followed by an assessment of process-level controls.
On November 21, 2006, the Japanese Financial Services Agency provided guidance for management (Exposure Draft of Implementation Standards for Evaluation and Audit of Internal Control over Financial Reporting) to help them comply with J-SOX requirements. The document consists of three main sections:
1. Internal control basic framework
2. Evaluation and reporting of internal control over management’s financial reporting
3. Audit of internal control over financial reporting
This paper analyses the role of IT controls in achieving J-SOX compliance by presenting the IT control matters addressed in each of the three above-mentioned sections.
Internal control basic framework
“Response to IT” was included as one of the components of the internal control framework, clearly indicating the importance of IT controls in an overall approach to corporate governance. In order to achieve the IT control objectives related to financial reporting reliability, both IT General Controls (hereafter “ITGC”) and IT Application Controls (hereafter “ITAC”) should be considered.
ITGC are the controls that indirectly maintain an environment for the effective execution of ITAC: organizations must have reasonable ITGC in place before they can rely on their ITAC. For example, a malicious attacker could exploit a weakness in the ITGC framework (e.g. a weak password policy on the ERP system) in order to gain access to an application system (e.g. the ERP system), thus causing damage to the whole organization. Management should therefore implement an effective ITGC framework in order to protect the entire information system landscape from potential threats.
ITGC apply to the entire IT infrastructure of the organization, including but not limited to:
* IT organization and strategy - IT resources management, roles and responsibilities in IT function, information systems strategies, long and short term plans and budgets, training programs provided to IT personnel, …
* IT operations - backup and restore procedures, batch and on line job scheduling on application systems, help desk function provided by IT, …
* Management of information systems outsourcers - IT vendor selection procedures, audit procedures performed on services provided by IT vendors in order to assess service level agreements, KPIs, …
* Logical and physical security - user access management with respect to identification and authentication techniques, asset protection from viruses and malicious software, physical access management to Data Center, …
* Change management over operating systems, application systems, database management software, network software - change management procedures, patch management, …
* Disaster recovery planning or business continuity planning - plans defining how to respond to incidents that impair company’s operations and assigning employees specific procedures to follow in the event of a disaster, …
* Network security - network security architecture including but not limited to firewall, router, proxy, DMZ, …
* Hardware management - procedures for procuring computer hardware consistent with the company’s information systems plans.
ITAC are unique to each application that the organization uses to run its business, and they are embedded in financial applications. In this respect, ITAC are the IT components that enforce process- or business-level controls and help to minimize mistakes and prevent or detect malicious actions, such as fraud. Because ITAC are so closely tied to the business processes their applications support, these controls are often considered business controls implemented by information technology.
ITAC focus on:
* Data preparation procedures to minimize errors and omissions;
* Accuracy, completeness and authorization checks to ensure change control and validation for input data as close to its point of origin as possible;
* Data processing integrity ensured via segregation of duties and proper authorization process;
* Output checks to verify that the processing performed inside application systems was accurate, complete and without errors.
The following figure illustrates the relationships of the various types of controls.
Figure 1. Relationship between IT controls and business cycles controls.
As shown in Figure 1, ITGC are the foundation on which ITAC are built; together, ITGC and ITAC form the infrastructure on which business or process controls are built.
Evaluation and reporting of internal control over management’s financial reporting
One of the points requiring the most attention with respect to the evaluation and reporting of Internal Control over Financial Reporting (ICFR) is the evaluation of IT controls.
In order to correctly assess the effectiveness of IT controls, the guidance suggests that management:
1. understand the relationships between business cycles and the application systems used to process business data
2. obtain an understanding of the IT infrastructure underlying the identified applications
3. identify evaluation units for ITGC
In order to address point 1, the following techniques are useful:
* interview key users of all business cycles (e.g. the Purchasing Manager for the Purchasing process or the Chief Financial Officer for the Financial Closing and Reporting process) in order to understand the company’s business and identify the information systems used to process business and financial data
* list all identified relevant application systems supporting company business cycles
* with the aid of Information Technology Management, understand the features and role of the different applications in every business cycle
* identify all data flows between the different application systems and map them in a flow chart
In order to address point 2, it is necessary to understand the following:
* IT department organization
* IT policies and procedures in place, with a focus on information security matters (e.g. information security policy, password and account policy, …)
* Hardware and software used in the organization, including operating systems and Database Management Systems (DBMS)
* Possible relationships with outsourced IT vendors, in order to understand which kind of service they provide
* Network infrastructure and topology, with a focus on network security aspects (e.g. firewall, Intrusion Prevention/Detection Systems, proxy servers, DMZ, RAS and VPN accesses, …)
After that, it is necessary to evaluate the ITGC (point 3) in order to assess whether there are control deficiencies that prevent the related control objectives from being fully addressed and, consequently, the related risks from being mitigated.
It can be very hard to evaluate whether a deficiency in an ITGC could result in a material weakness, that is, a deficiency, or combination of deficiencies, that could result in a material misstatement of the financial statements; in any case, what management should try to do is evaluate whether a deficient ITGC could have an impact on the ITAC built upon it.
When dealing with IT controls, the evaluation should be done from two points of view:
1. design and implementation - it is necessary to understand whether an IT control activity addresses the related control objective in such a way as to reduce the potential risk to an acceptable level; this can be done by adopting a risk management methodology (risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions), mapping all relevant IT risks (or control objectives) that may affect information systems (risk assessment) and then evaluating the control activities in place to mitigate (risk mitigation) or transfer (risk transfer) those risks
2. operating effectiveness - management should determine whether the company’s IT controls are operating effectively to demonstrate effective internal control over financial reporting. This requires testing the controls over all relevant assertions for all significant accounts and disclosures at each individually important location and over the specific risk areas at other locations. The company must retain evidence of this testing to support management’s assessment of internal control over financial reporting.
Audit of Internal Controls over Financial Reporting
This section explains the approach to the law that an independent accounting firm should follow.
With regard to IT controls, one of the objectives of the audit of ICFR performed by external auditors is to assess the effectiveness of the IT controls framework by:
* understanding which IT controls are in place
* evaluating whether company management properly evaluated the effectiveness of the IT controls put in place (rather than issuing an opinion on the effectiveness of ICFR, and consequently of IT controls, as US SOX Section 404 requires)
* evaluating ITGC and ITAC, on both the design and implementation side and the operating effectiveness side, through corroborative inquiries with key users supported by examination of documentation, reperformance, observation or independent testing.
In light of the above considerations, J-SOX should be treated as part of a broader governance, risk and compliance strategy. IT controls will be one of the most important components of the entire law, and companies should pay attention to them in order to address the overall legislative requirements and comply with them.
Top management must ensure that the organization has the capabilities needed to accomplish its mission. Under J-SOX, these mission owners must determine the capabilities that their IT systems must have to provide the desired level of compliance and mission support. A well-structured IT controls framework, when used effectively, can help management achieve not only legal compliance but also the enterprise’s goals, adding value while balancing risk and return over IT and its processes.
The author is Fabio Bonanni, Senior Consultant, CISSP, Milan, Italy. You can reach him at fabiobonanni@libero.it