Beginning Nov. 15, companies will have to include such attestations with their 2004 annual reports. Companies with market capitalization of less than $75 million and foreign companies listed on U.S. stock exchanges have until July 15, 2005, to comply.
The Public Company Accounting Oversight Board auditing standard identifies four major categories of IT control--program development, program changes, computer operations, and access to programs and data.
The oversight board has embraced recommendations issued by the Committee of Sponsoring Organizations, an umbrella group of accounting organizations; the recommendations, known as the COSO framework, are intended to improve the quality of financial reporting. Although many companies have adopted the COSO framework voluntarily, they've relied mostly on simple accounting tools such as spreadsheets. However, once Sarbanes-Oxley required CEOs and CFOs to state that their financial reporting controls are effective, the issue moved to the front burner and teams of legal, finance, and IT execs have been quickly assembled to formulate a compliance plan.