IT Governance Institute

IT CONTROL OBJECTIVES FOR SARBANES-OXLEY

THE IMPORTANCE OF IT IN THE DESIGN, IMPLEMENTATION AND SUSTAINABILITY OF INTERNAL CONTROL OVER DISCLOSURE AND FINANCIAL REPORTING

How Compliance Should Be Documented

To date, most organizations have struggled with the question of how much documentation is necessary to support their internal control program, and in what form it should be retained. In responding to this query, it is important to consider the communications from the SEC and the PCAOB as well as those that will likely guide independent auditors in their certification efforts.

Documentation may take various forms, including entity policy manuals, IT policy and procedures, narratives, flowcharts, decision tables, procedural write-ups or completed questionnaires. No single particular form of documentation is mandated by Sarbanes-Oxley, and the extent of documentation may vary, depending upon the size and complexity of the organization.

For most organizations, documentation should be, at a minimum, prepared for the following:

Lessons Learned

Parallels can be drawn between the effect of the Sarbanes-Oxley Act of 2002 on public companies and the impact of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) on the banking industry.