IT controls and the Sarbanes-Oxley Act (SOX)

IT controls and the Sarbanes-Oxley Act (SOX)

The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB^[1] and SEC^[2] state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statements on Auditing Standards No. 109 (SAS109)^[3] discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.

IT controls that typically fall under the scope of a SOX 404 assessment may include:

• 
  Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.
  
• 
  IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls;
  
• 
  IT operations controls, which ensure that problems with processing are identified and corrected.
  

• 
  Understanding the organization’s internal control program and its financial reporting processes.
  
• 
  Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;
  
• 
  Identifying the key controls that address specific financial risks;
  
• 
  Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness;
  
• 
  Documenting and testing IT controls;
  
• 
  Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and
  
• 
  Monitoring IT controls for effective operation over time.
  

Push services are often based on information preferences expressed in advance. This is called a publish/subscribe model. A client might "subscribe" to various information "channels". Whenever new content is available on one of those channels, the server would push that information out to the user.

Synchronous conferencing and instant messaging are typical examples of push services. Chat messages and sometimes files are pushed to the user as soon as they are received by the messaging service. Both decentralised peer-to-peer programs (such as WASTE) and centralised programs (such as IRC or XMPP) allow pushing files, which means the sender initiates the data transfer rather than the recipient.

Email is also a push system: the SMTP protocol on which it is based is a push protocol (see Push e-mail). However, the last step —from mail server to desktop computer— typically uses a pull protocol like POP3 or IMAP. Modern e-mail clients make this step seem instantaneous by repeatedly polling the mail server, frequently checking it for new mail. The IMAP protocol includes the IDLE command, which allows the server to tell the client when new messages arrive. The original BlackBerry was the first popular example of push technology for email in a wireless context.

Another popular type of Internet push technology was PointCast Network, which gained popularity in the 1990s. It delivered news and stock market data. Both Netscape and Microsoft integrated it into their software at the height of the browser wars, but it later faded away and was replaced in the 2000s with RSS (a pull technology).

Other uses are push enabled web applications including market data distribution (stock tickers), online chat/messaging systems (webchat), auctions, online betting and gaming, sport results, monitoring consoles and sensor network monitoring.

Push technology is used in Windows Update to push updates to a user's computer.

Record

A business record is a document that records a business dealing. Business records include meeting minutes, memorandums, employment contracts, and accounting source documents.

It must be retrievable at a later date so that the business dealings can be accurately reviewed as required. Since business is dependent upon confidence and trust, not only must the record be accurate and easily retrieved, the processes surrounding its creation and retrieval must be perceived by customers and the business community to consistently deliver a full and accurate record with no gaps or additions.

Most business records have specified retention periods based on legal requirements or internal company policies. This is important because in many countries (including the United States) documents are required by law be disclosed to government regulatory agencies or to the general public. Likewise, they may be discoverable if the business is sued. Under the business records exception in the Federal Rules of Evidence, certain types of business records, particularly those which are made and kept with regularity, may be considered admissible in court despite containing hearsay.

In computer science, a record (also called tuple or struct) is one of the simplest data structures, consisting of two or more values or variables stored in consecutive memory positions; so that each component (called a field or member of the record) can be accessed by applying different offsets to the starting address.

For example, a date may be stored as a record containing a 16-bit numeric field for the year, a three-letter field for the month, and an 8-bit numeric field for the day-of-month. As this example shows, the fields of a record need not all have the same size and encoding; therefore, in general one cannot easily obtain the field which has a run-time computed index in the field sequence, as one can do in an array.

A record type is a data type that describes such values and variables. Most modern computer languages allow the programmer to define new record types. The definition includes specifying the data type of each field, its position in the record, and an identifier (name or label) by which it can be accessed.

Records can exist in any storage medium, including main memory and mass storage devices such as magnetic tapes or hard disks. Records are a fundamental component of most data structures, especially linked data structures. Many computer files are organized as arrays of logical records, often grouped into larger physical records or blocks for efficiency.

A router^[1] is a networking device whose software and hardware are usually tailored to the tasks of routing and forwarding information. For example, on the Internet, information is directed to various paths by routers.

For the pure Internet Protocol (IP) forwarding function, router design tries to minimize the state information kept on individual packets. Once a packet is forwarded, the router should no longer retain statistical information about it. It is the sending and receiving endpoints that keeps information about such things as errored or missing packets.

Forwarding decisions can involve decisions at layers other than the IP internetwork layer or OSI layer 3. Again, the marketing term switch can be applied to devices that have these capabilities. A function that forwards based on data link layer, or OSI layer 2, information, is properly called a bridge. Marketing literature may call it a layer 2 switch, but a switch has no precise definition.

Among the most important forwarding decisions is deciding what to do when congestion occurs, i.e., packets arrive at the router at a rate higher than the router can process. Three policies commonly used in the Internet are Tail drop, Random early detection, and Weighted random early detection. Tail drop is the simplest and most easily implemented; the router simply drops packets once the length of the queue exceeds the size of the buffers in the router. Random early detection (RED) probabilistically drops datagrams early when the queue exceeds a configured size. Weighted random early detection requires a weighted average queue size to exceed the configured size, so that short bursts will not trigger random drops.

A router uses a routing table to decide where the packet should be sent so if the router can’t find the preferred address then it will look down the routing table and decide which is the next best address to send it to.

Another definition is provided by the APICS Dictionary when it defines SCM as the "design, planning, execution, control, and monitoring of supply chain activities with the objective of creating net value, building a competitive infrastructure, leveraging worldwide logistics, synchronizing supply with demand, and measuring performance globally."

Supply chain management encompasses the planning and management of all activities involved in sourcing, procurement, conversion, and logistics management. It also includes the crucial components of coordination and collaboration with channel partners, which can be suppliers, intermediaries, third-party service providers, and customers. In essence, supply chain management integrates supply and demand management within and across companies. More recently, the loosely coupled, self-organizing network of businesses that cooperate to provide product and service offerings has been called the Extended Enterprise.

Supply chain management can also refer to supply chain management software which includes tools or modules used to execute supply chain transactions, manage supplier relationships and control associated business processes.