Information technology controls
Information technology controls (IT controls) are specific activities, performed by people or by systems, that support, oversee and monitor business processes so that business objectives are met. IT controls generally include controls over the general IT environment, computer operations, access to programs and data, program development and program changes.
Passage of the Sarbanes-Oxley Act has brought these systems of control into prominence.
=What are IT Controls=
With the widespread use of Information Technology (IT) systems, from mainframes through client-server environments, it is paramount that controls are in place. The Sarbanes-Oxley Act makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal control over financial reporting. For most organizations, the role of IT will be crucial to achieving these objectives. Some of the key areas of responsibility for IT include:
*Understanding the organization's internal control program and its financial reporting process.
*Mapping the IT systems that support internal control and the financial reporting process to the financial statements.
*Identifying risks related to these IT systems.
*Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness.
*Documenting and testing IT controls.
*Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes.
*Monitoring IT controls for effective operation over time.
*Participation by IT in the Sarbanes-Oxley project management office.
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure completeness of transactions relate directly to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as databases, networks and operating systems; they are equally important, but do not align directly to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance focuses only on those that are associated with a significant account or related business process.
=The Role of IT in Financial Reporting=
In today's business environment, the financial reporting processes of most organizations are driven by Information Technology (IT) systems. Few companies manage their data manually; most have moved to electronic management of data, documents and key operational processes. Therefore, IT plays a vital role in internal control. As PCAOB Auditing Standard No. 2 (since superseded by Auditing Standard No. 5, now codified as AS 2201) states:
: The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting.
Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated into the initiating, authorizing, processing and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the sign-off of financial statements.
The importance of IT as it relates to the overall financial reporting process is highlighted by several sections in PCAOB Auditing Standard No. 2.
:*PCAOB Auditing Standard No. 2 discusses the relationship of IT and its importance in testing the design and operating effectiveness of internal control. An excerpt from the standard states:
: Controls should be tested, including controls over relevant assertions related to all significant accounts and disclosures in the financial statements. Generally, such controls include (among others):
:*Controls, including information technology general controls, on which other controls are dependent.
The standard further describes the process that auditors should follow in determining the appropriate assertions or objectives to support management's assessment:
: To identify relevant assertions, the auditor should determine the source of likely potential misstatements in each significant account. In determining whether a particular assertion is relevant to a significant account balance or disclosure, the auditor should evaluate [among others]:
:*The nature and complexity of the systems, including the use of information technology by which the company processes and controls information supporting the assertion.
The standard also specifically addresses information technology in period-end financial reporting:
: As part of understanding and evaluating the period-end financial reporting process, the auditor should evaluate [among others]:
:*The extent of information technology involvement in each period-end financial reporting process element.
=Sarbanes-Oxley and its impact on IT Controls=
Sarbanes-Oxley primarily affects public companies listed on U.S. exchanges; its Section 404 requirements took effect first for accelerated filers, those with a public float of $75 million or more. Sarbanes-Oxley is strictly focused on financial reporting and does not specifically address IT. However, IT affects the reliability and security of the systems in which companies keep their financial records. Several titles and sections of the Sarbanes-Oxley Act have a direct impact on internal controls (including IT controls). The four major sections are:
====General IT Controls====
Sarbanes-Oxley requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and requires public companies to establish adequate internal controls over financial reporting (Section 404). These sections cover internal controls that assure the secure, stable and reliable performance of the computer hardware, software and IT personnel connected to the financial systems.
====Application Controls====
Sections 302 and 404 also impact internal controls, including control points over the functions and logic of the financial applications that feed information into financial reports.
====Real-time disclosure====
Section 409 requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis. Companies need to determine whether their existing financial systems, such as enterprise resource planning (ERP) applications, are capable of providing data in real time, or whether the organization will need to add such capabilities or use specialty software to access the data. Companies must also account for changes that occur externally, such as changes by customers or business partners that could materially affect the company's own financial position (e.g. a key customer or supplier bankruptcy or default).
To comply with Section 409, organizations should assess their technological capabilities in the following categories:
:*Availability of internal and external portals - Portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure.
:*Breadth and adequacy of financial triggers and alerts - The organization sets the trip wires that will kick off a Section 409 disclosure event.
:*Adequacy of document repositories - Repositories play a critical role in event monitoring to assess disclosure needs and provide a mechanism to audit disclosure adequacy.
:*Capacity to be an early adopter of eXtensible Business Reporting Language (XBRL) - XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories.
====Records retention====
Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms to maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded. This includes electronic records created, sent or received in connection with an audit or review. As external auditors rely to a certain extent on the work of internal audit, this implies that internal audit records must also comply with Section 802.
In conjunction with document retention, another issue is the security of storage media and how well electronic documents are protected for both current and future use. The five-year retention requirement means that current technology must be able to read what was stored five years ago. Due to rapid changes in technology, some of today's media might be outdated in the next three to five years. Audit data retained today may then be irretrievable, not because of data degradation, but because of obsolete equipment and storage media.
Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management (RM) program: the comprehensiveness of RM (i.e. paper, electronic and transactional communications, including emails, instant messages and the spreadsheets used to analyze financial results), the adequacy of the retention life cycle, the immutability of RM practices, audit trails, and the accessibility and control of RM content.
Section 404 puts the onus on both the independent auditor and management to ensure that internal controls (including IT controls) are working.
*Independent auditors are required to attest to management's assessment of its internal control over financial reporting. Because of this requirement, cycle rotation to test controls is no longer acceptable in public company audits.
*Auditors also have to test preventive and detective controls in order to obtain a high level of assurance about the operating effectiveness of internal controls.
*Management, on the other hand, must provide their independent auditors with documentation, evidence of functioning controls and the documented results of testing procedures.
PCAOB Auditing Standard No. 2 specifically addresses financial reporting controls that should be in place for a period before the attestation date and controls that may operate after the attestation date. In relation to Section 302, the standard requires independent auditors to perform procedures to establish whether there have been material modifications to internal controls affecting financial reporting that need to be disclosed, so that the certifications required under Section 302 are accurate. The standard also requires auditors to assess whether the company has put in place controls (including IT controls) that not only detect errors, but also detect and deter fraud. Under Sarbanes-Oxley, auditors should audit key and general controls. Key controls are controls that are key to ensuring that the values on the balance sheet are accurate and reliable. Some of these key controls will be IT-based. An example might be a trigger on a database table that ensures that adding any entry into the accounts receivable table automatically creates an entry into the general ledger. When assessing general controls, it is crucial to look at the effects of those controls across all IT systems that are within the scope of the SOX audit. General controls usually incorporate at least the following types of controls:
:*Change management procedures
:*Source code/document version control procedures
:*Software development life cycle standards
:*Security policies, standards and processes
:*Incident management policies and procedures
:*Technical support policies and procedures
:*Hardware/software configuration, installation, testing, management standards, policies and procedures
:*Disaster recovery/backup and recovery procedures
One way to bring an IT department into compliance with Sarbanes-Oxley is to align its control objectives closely with the standards set up by COBIT. COBIT (Control Objectives for Information and Related Technology) is an IT governance framework that provides both company-level and activity-level objectives engineered to be closely aligned with the spirit of SOX. A company can use this framework to design a system of IT controls in compliance with Section 404. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring, illustrated in figure 2, that need to be in place to achieve financial reporting and disclosure objectives; COBIT provides similar detailed guidance for IT. The five COSO components can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT domains applying to each individually and in aggregate. The four COBIT domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
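As an added illustration of the database-trigger key control mentioned above (example code written for this page, not taken from any cited source, product or standard), the following Python script uses an in-memory SQLite database with constructed sample postings. The table and column names, the 'AR' and 'REVENUE' account codes and the trigger name `ar_to_gl` are assumptions chosen for the example. It also shows why the general controls listed above matter to the key control: a detective query reports any receivable that has no ledger entry, which is what an auditor would see if the trigger had been dropped through an uncontrolled change.

```python
import sqlite3

# Constructed schema for the example: a receivables sub-ledger, the general
# ledger, and the trigger that acts as the "key control" between them.
SCHEMA = """
CREATE TABLE accounts_receivable (
    ar_id     INTEGER PRIMARY KEY,
    customer  TEXT NOT NULL,
    amount    REAL NOT NULL CHECK (amount > 0),
    posted_by TEXT NOT NULL
);
CREATE TABLE general_ledger (
    gl_id     INTEGER PRIMARY KEY,
    source    TEXT    NOT NULL,   -- originating sub-ledger, e.g. 'AR'
    source_id INTEGER NOT NULL,   -- key of the originating record
    account   TEXT    NOT NULL,   -- 'AR' (asset) or 'REVENUE'
    debit     REAL    NOT NULL DEFAULT 0,
    credit    REAL    NOT NULL DEFAULT 0,
    CHECK (debit >= 0 AND credit >= 0 AND (debit = 0) != (credit = 0))
);
-- Key control: every new receivable produces a balanced journal entry
-- (debit AR, credit revenue) without relying on a second manual posting.
CREATE TRIGGER ar_to_gl AFTER INSERT ON accounts_receivable
BEGIN
    INSERT INTO general_ledger (source, source_id, account, debit, credit)
        VALUES ('AR', NEW.ar_id, 'AR', NEW.amount, 0);
    INSERT INTO general_ledger (source, source_id, account, debit, credit)
        VALUES ('AR', NEW.ar_id, 'REVENUE', 0, NEW.amount);
END;
"""


def open_ledger():
    """Create the in-memory database with the schema and trigger installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def post_receivable(conn, customer, amount, posted_by):
    """Insert one receivable; the trigger posts the GL side. Returns its id."""
    cur = conn.execute(
        "INSERT INTO accounts_receivable (customer, amount, posted_by) "
        "VALUES (?, ?, ?)",
        (customer, amount, posted_by),
    )
    conn.commit()
    return cur.lastrowid


def gl_entries_for(conn, ar_id):
    """Return (account, debit, credit) rows the trigger created for one receivable."""
    return conn.execute(
        "SELECT account, debit, credit FROM general_ledger "
        "WHERE source = 'AR' AND source_id = ? ORDER BY account",
        (ar_id,),
    ).fetchall()


def unposted_receivables(conn):
    """Detective control: receivables with no GL entry at all.

    Empty while the trigger is in place; non-empty if the trigger was
    dropped or disabled, which is exactly the kind of uncontrolled change
    that change management and version control exist to prevent, and that
    an auditor testing the key control would want evidence about.
    """
    rows = conn.execute(
        "SELECT ar.ar_id FROM accounts_receivable ar "
        "LEFT JOIN general_ledger gl "
        "  ON gl.source = 'AR' AND gl.source_id = ar.ar_id "
        "WHERE gl.gl_id IS NULL ORDER BY ar.ar_id"
    )
    return [r[0] for r in rows]


def trial_balance(conn):
    """Total debits and credits in the GL; equal when every entry is balanced."""
    debit, credit = conn.execute(
        "SELECT COALESCE(SUM(debit), 0), COALESCE(SUM(credit), 0) "
        "FROM general_ledger"
    ).fetchone()
    return debit, credit


if __name__ == "__main__":
    db = open_ledger()
    inv = post_receivable(db, "ACME Corp", 1250.0, "jsmith")  # constructed sample
    print("GL entries for AR", inv, gl_entries_for(db, inv))
    print("unposted:", unposted_receivables(db), "trial balance:", trial_balance(db))
    # Simulate an uncontrolled change: someone with DDL rights drops the trigger.
    db.execute("DROP TRIGGER ar_to_gl")
    late = post_receivable(db, "Globex", 300.0, "jsmith")
    print("after trigger dropped, unposted:", unposted_receivables(db))
```

The trigger is the preventive key control; `unposted_receivables` is the detective control an auditor can run against the sub-ledger and the general ledger, and `trial_balance` is the reconciliation that confirms each posting was balanced. Note that the trigger protects only inserts that go through the database engine: it does not stop a user with DDL rights from dropping it, which is why the general controls over change management, version control and privileged access are tested alongside the key control itself.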