An academic information system is very important to an institution for the administration of lectures. A system security audit is therefore needed so that the administration runs without obstacles. This audit can be carried out using the COBIT 5 framework. In this research, an information security audit was carried out on academic information security by focusing on the APO12 (Manage Risk), APO13 (Manage Risk), and DSS05 (Manage Security Service) domains. The stages in this research are initiation, planning the assessment, data collection, data validation, process attribute level, and reporting the result. The results of this research show that the capability level of APO12 is at level 1, APO13 at level 2, and DSS05 at level 2, which means that the institution has carried out and implemented the information technology process and achieved its objectives. To reach level 3, some recommendations are given to cover the gaps that have been determined in the APO12, APO13, and DSS05 processes.
In 2002, Sarbanes-Oxley was named after bill sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH). As a result, to be "SOX compliant," top management must individually certify the accuracy of financial information. In addition, penalties for fraudulent financial activity are much more severe. The act increased the oversight role of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements.[2]
A significant body of academic research and opinion exists regarding the costs and benefits of SOX compliance, with significant differences in conclusions.[18] This is due in part to the difficulty of isolating the impact of SOX from other variables affecting the stock market and corporate earnings.[19][20] Section 404 of the act, which requires management and the external auditor to report on the adequacy of a company's internal control on financial reporting, is often singled out for analysis.
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared". 15 U.S.C. 7241(a)(4). The officers must "have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date". Id.
External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.
A Lord & Benoit report, titled Bridging the Sarbanes-Oxley Disclosure Control Gap, was filed with the SEC Subcommittee on internal controls. It reported that for those companies with ineffective internal controls, the expected rate of full and accurate disclosure under Section 302 will range between 8 and 15 percent. A full 9 out of every 10 companies with ineffective Section 404 controls self-reported effective Section 302 controls in the same period end that an adverse Section 404 was reported, 90% inaccurate without a Section 404 audit.
The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.[46]
The 2007 FEI study and research by the Institute of Internal Auditors (IIA) also indicate SOX has improved investor confidence in financial reporting, a primary objective of the legislation. The IIA study also indicated improvements in board, audit committee, and senior management engagement in financial reporting and improvements in financial controls.[76][77]