Correlating ICFR Risk Factors

The schematic presented below is a high-level overview of the SOX Internal Control over Financial Reporting (ICFR) regulatory model. This model takes a “black box” view of information technology, but we have decided to color it blue in this version.

This level of abstraction can be useful for conversing with stakeholders about the ICFR risk factors associated with the end-to-end business and operational processes comprising the enterprise value chains.  This provides a context to further correlate risks that are applicable at the ERP layer(s) (i.e., the transaction and application controls, along with the software engineering, security, and infrastructure control processes that provide for their reliability).