
Sarbanes-Oxley Act

The Sarbanes-Oxley Act of 2002, also known as the 'Public Company Accounting Reform and Investor Protection Act' and the 'Corporate and Auditing Accountability and Responsibility Act', and more commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms. As a result of SOX, top management must now individually certify the accuracy of financial information. In addition, penalties for fraudulent financial activity are much more severe. The bill was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom.

Enron - mark-to-market accounting: a measure of the fair value of accounts that can change over time, such as liabilities and assets. This accounting practice enables companies to record the price or value of a security, portfolio or account based on its current market value rather than its book value.

Tyco International - Top executives (the former CEO and CFO) were accused of theft of more than $150 million, which they claimed had been approved by the board of directors as compensation.

SAS 70
SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor's report. SAS 70 also provides guidance to auditors of the financial statements of an entity that uses one or more service organizations. There are two types of service auditor's report:
1. A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of the controls that have been placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives.
2. A Type II service auditor's report includes the information contained in a Type I report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.

Euro SOX
Euro SOX is considered the equivalent of US SOX. It is a collection of several directives:
- The European Union's Financial Services Action Plan (FSAP)
- The 4th Directive: annual accounts of specific types of companies
- The 7th Directive: consolidated accounts
- The 8th Company Law Directive
- The Transparency Directive
- The Market Abuse Directive
- The EU Data Protection Directive

Differences
1. Euro SOX quality assurance (Title 5): all auditors and audit firms are reviewed by a quality assurance system. The task of the quality assurance system is to test selected audit files and review compliance with auditing standards and independence requirements. For auditors and audit firms carrying out audits of public-interest companies, a quality assurance review has to take place at least every three years, and the overall results of the quality assurance system should be published annually. The quality assurance ensures that the audits undertaken are genuine. US SOX does not provide for quality assurance in this form.
2. US SOX restricts audit firms from providing non-audit services (e.g. consulting) to the same client. This is not the case with Euro SOX.
3. Euro SOX compels audit firms to publish annual transparency reports describing their legal structure and ownership, when the last quality assurance review took place, and a list of the public-interest companies the audit firm has audited in the preceding financial year.
4. US SOX imposes a five-year audit partner rotation.

Question 1 - Why does Sarbanes-Oxley impact IS/IT directly?
The main focus of SOX is to ensure the accuracy of financial reporting and of the systems that support the underlying data. The corporate responsibility provisions of the Act require the CEO and CFO of public companies to certify the accuracy of the financial report and the quality of the internal controls over financial reporting. This certification holds the executives accountable in case of an investigation. Within public companies all employees are affected by the Act, even though most of the burden may seem to fall on management, internal auditors and the audit committee. With the enforcement of SOX, documentation, and being able to prove who did what, when, where and how, is an important part of compliance. This has had a major impact on the information systems of many companies, because it is those systems that must record and retain that evidence.

Before the passage of Sarbanes-Oxley, in a case of financial fraud management could claim they did not know or understand what was going on. Sarbanes-Oxley has put a stop to that: management has to certify the effectiveness of the internal controls, which means they need to know what is going on or be subject to the penalties defined in the Act. This of course puts pressure on management and on any other certifying employee.

Question 2 - How do auditors approach the audit of IS/IT?
An IS/IT audit is an examination of the controls within an entity's IT infrastructure. These reviews may be performed in conjunction with a financial statement audit or an internal audit. It is the process of collecting and evaluating evidence of an organisation's information systems, practices and operations. Evaluating the obtained evidence can determine whether the organisation's information systems safeguard assets, maintain data integrity, and are operating effectively and efficiently to achieve the organisation's goals and objectives.

IS Audit Methodology
This audit methodology has been developed in accordance with international IS audit standards.

Phase 1: Audit planning. In this phase the auditor plans the information system coverage to comply with the audit objectives specified by the client and to ensure compliance with all laws and professional standards.

Phase 2: Risk assessment and business process analysis. Risk assessment is the process of quantifying risk. To perform an effective risk assessment, we need to understand the client's business environment and operations. Usually the first step in carrying out a risk-based IS audit is to obtain an understanding of the audit universe. In understanding the audit universe we:
- Identify areas where the risk is unacceptably high
- Identify critical control systems that address high inherent risks
- Assess the uncertainty that exists in relation to the critical control systems
In carrying out the business process analysis we:
- Obtain an understanding of the client's business processes
- Map the internal control environment
- Identify areas of control weakness

Phase 3: Performance of audit work. In the performance of audit work, the information systems audit standards require us to provide supervision, gather audit evidence and document our audit work. Based on our risk assessment and the identification of the risky areas, we develop an audit plan and an audit program. The audit plan details the nature, objectives, timing and extent of the resources required in the audit. Based on the compliance testing carried out in the prior phase, we develop an audit program detailing the nature, timing and extent of the audit procedures. Within the audit plan, various control tests and reviews can be done. They include:
1. General/pervasive controls: evaluate the controls in accordance with the COBIT framework
2. Specific controls: application control reviews, operating system control reviews, network control reviews
