Sarbanes Oxley Section 404
Section 404 and Internal Controls
Section 404 of the Sarbanes-Oxley Act requires executives of public companies to include an assessment report of the effectiveness of internal controls over financial reporting, including IT controls, when submitting their annual reports to the SEC.
By establishing and documenting internal controls, companies can attest to the validity and integrity of financial information from the time such information enters the company to the completion of the annual report each year. The SEC also requires that each company's external auditors independently review management's assessment of internal controls and document any material weaknesses the audit firm discovers.
Impact of Section 404 on Information Technology
The "assessment of internal controls" report is designed to assure the SEC as well as investors that a company has the necessary procedures and controls in place to adequately ensure the integrity of financial data. When applied to technology, this implies that financial data must be accurately recorded and shared in appropriate ways and that the data must be secured from threats of unauthorized access, inappropriate changes and data corruption.
Additionally, this report places increased impetus on companies to select software providers that can be a partner to them in Sarbanes-Oxley compliance by providing information about software features that provide internal controls over financial data, as well as by ensuring that the development process for creating the software is well-controlled and in line with industry best practices.
Section 404 refers to internal controls as defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), although it does not require that a company use the COSO framework in order to crate the assessment of internal controls. Some IT organizations are choosing to adopt the Control Objectives for Information and Related Technology (COBIT) framework for guidance about how to approach assessment and testing of IT related internal controls. The Public Company Accounting Oversight Board (PCAOB) (established by the Sarbanes-Oxley Act) released guidelines for auditors that discuss IT internal controls in March 2004.
Whether a company approaches IT internal controls from the COSO or COBIT framework, it will be necessary for organizations to review their financial applications for:
- Data Security and Access Controls
- Integrity and Accuracy of Data
- Reliable Reporting Systems
- Disaster Recovery
In addition, organizations will want to review the development methodologies and change control processes used by their financial software vendors to ensure modifications to the software are made with proper authorization and are appropriately reviewed and tested.
FAS and Sarbanes-Oxley
FAS fixed asset management solutions address each of the key areas of internal control for financial software systems outlined above. Best/Sage Software has designed a paper (available below to download) to help our customers in public or private companies and nonprofit organizations to understand and document the internal controls over fixed asset management provided within our FAS solutions, as well as explain the control procedures in place at Best/Sage Software over development and testing of the software.
DOWNLOAD
OUR FIXED ASSET MANAGER'S GUIDE TO SARBANES-OXLEY
