IT Management Attestations


Attestations
An attestation is management's internal assessment of, and statement of, its compliance with regulatory compliance certifications. Today only the CEO and CFO are required by law to sign an attestation, but more and more corporations are including the CIO in that requirement, primarily because IT now plays such a critical role in ensuring that the corporation's data is secured and properly managed so that accounting systems remain reliable.
 
Many CIOs become very uncomfortable signing a corporate-level attestation for their organization. How does the CIO know for sure that their direct staff are properly overseeing the IT components they manage? And how do those senior IT executives know that their directors and managers are giving proper attention and accountability to the processes they manage?
 
Because of this, many IT organizations are implementing an IT-management-wide attestation to their compliance standards. From the lowest-level manager up, these attestations define the responsibility of each manager to adhere to corporate standards and compliance regulations. Each one rolls up into a package for the next-level manager to review and certify by signing their own attestation, until finally all of IT's management has attested to the oversight of controls, and the CIO now feels that his or her back is covered.
 
Accountability
IT Managers, Directors and Vice Presidents
 
Policy
IT management staff are responsible for attesting, in good faith, to compliance with corporate policies, procedures, IT General Controls (key and non-key), and industry and SOX regulations on a quarterly or bi-annual basis. Some organizations implement a global attestation policy annually. My suggestion is that the larger the organization, the more frequently the IT attestations should be documented.
 
These attestations aren't just legal jargon that someone signs their name to. In the IT world, they also include exceptions to policies and standards. Exceptions to standards are just part of the business of IT. This isn't a one-size-fits-all world, so you must allow for exceptions to keep your business running and competitive. But that also means you must be aware of what those exceptions are, so you can better determine the overall risk to the company.
 
Whatever your cycle for requiring attestations, your IT compliance team should require all IT managers to review their IT General Controls and control processes, both key and non-key. Managers, Directors and Vice Presidents will be required to provide signed attestations of compliance for their assigned controls and to report any known exceptions. This process does not replace the corporate attestation process; it is in addition to it.
 
Sample Attestation Letter
From: Manager Name
 
To: IT Compliance
 
Date: __________
 
RE: Quarterly Management Attestation Letter
 
Attestation for group/department: __________________
 
"The Company" places a continuing responsibility on IT Management to diligently supervise its employees and agents in all aspects of regulatory compliance activities. Among other functions, I am responsible for:
[indicate responsibilities].
 
To the best of my knowledge, the aforementioned group/department has maintained and continues to maintain IT internal controls, following the processes and procedures defined for "The Company's" Information Technology systems, that properly support the integrity and reliability of the corporation's information and data security.
 
This group is administered as follows:
  • A listing of policies and procedures applicable to my organization is attached.
  • A listing of known compliance exceptions within my organization is attached.
  • A complete set of policies and procedures is prominently displayed on my organization's website at ____.
  • Periodic management oversight/audits are conducted to ensure compliance with company policies and procedures.
 
Included in this management oversight is an assurance of:
  • Protecting system security and following corporate security policies.
  • Adhering to change management and segregation of duties policies.
  • Adhering to the corporate SDLC policy and the implementation of [Project Methodology].
  • Oversight of compliance reviews as defined in this group's IT General Control procedures (i.e., quarterly, biannual and annual security, baseline and change management reviews).
 
There are inherent limitations in any control, including the possibility of human error and the circumvention or overriding of internal controls. Upon the occurrence of such events, I bring reportable compliance matters relating to my area of IT General Controls to the attention of the IT Compliance team.
 
During this reporting period, to my knowledge, my organization was in material compliance with all applicable federal and state laws and regulations.
 
 
__________________________
Name [Print name]
___________________________
Signature
________________
Date
 
A. Policies and Procedures
 
 
B. Control Exceptions