IT Controls Impact Sarbanes-Oxley Compliance Efforts

Source: Protiviti's KnowledgeLeader Internal Audit and Risk Management Community

Information technology (IT) is, incontrovertibly, a central business process element in most organizations today. To illustrate this point, consider that, as many organizations make the decision to outsource noncore business functions (such as human resources), a trend has emerged to include IT in these outsourcing initiatives so that the function will be viewed and treated in an integrated, comprehensive way.

In other words, leaving IT out of the picture is no longer an option.

The same can be said of the widespread initiatives businesses are undertaking related to Sarbanes-Oxley Act (SOA) compliance. The financial reporting process, as well as processes that accept, record, accumulate, summarize and report the transactions underlying financial reporting, are accomplished with computers, programs and other technology-related equipment and software. Therefore, the effectiveness of the controls around these applications and systems will directly impact the integrity of the financial reporting, including the data that is input into the process, as well as the information that ultimately becomes the output.

With this in mind, many organizations have come to understand the significant impact IT carries in SOA compliance, and they recognize that IT must be carefully considered when documenting, evaluating and attesting to the effectiveness of internal controls surrounding financial reporting.

The right approach to IT risk, control
There is an overall approach to use when evaluating IT risks and controls. In this approach, the initial step is to understand the IT organization and its structure, such as management, organization and strategy. The second step is to conduct IT entity-level control evaluations by looking at IT controls, risk assessments, communication and monitoring, and by identifying application and data owners. The third step is to perform IT process-level control evaluations covering general IT processes, application- and data-owner processes and application-specific processes.

In the realm of SOA testing and compliance, this basic structure can help organizations establish an effective, standardized methodology for reviewing and understanding the impact IT has on internal controls.

The scope of the IT environment that should be included in SOA compliance efforts includes:

  • Security administration
  • Application-change control
  • Data management and disaster recovery
  • Data center operations and problem management
  • Asset management

Mike Lynn is the senior vice president in charge of audit risk management at AXA Technology Services, a subsidiary of AXA Group Worldwide, the global financial services organization. As a foreign subsidiary, AXA will not be required to comply with Sarbanes-Oxley provisions until 2005. However, the organization is striving to achieve compliance within the current year by partnering with an external public accounting firm. "We have a working model of what Sarbanes-Oxley will look like from an IT operations standpoint," he says. "We are using that model to roll out to the rest of the group. We believe this is a more efficient way of approaching Sarbanes-Oxley compliance, rather than beginning from scratch."

Lynn believes that using a Sarbanes-Oxley approach based on an IT perspective is beneficial in many ways. "The range of IT process-related risks is not as broad as general operational risks," he says. "Therefore, IT standards are often approached in a more uniform manner. This helps us when it comes to rolling out risk and control standards."

According to Lynn, establishing Sarbanes-Oxley compliance forces an organization to conduct a widespread, cross-functional risk assessment. This helps the audit team truly understand its business operating environment and develop effective controls. "Sarbanes is essentially an audit, but one that is focused on financial reporting, not operational efficiencies," he says. "So by looking at the activities that are required by Sarbanes from an IT perspective, we will better understand the status of general controls in the IT services environment and how they impact the organization's financial viability. For example, if a particular IT system is the foundation for a financial application but is not properly controlled, the data in that application may be inaccessible or unreliable, and that has significant compliance implications."

Key areas to be considered
The three key areas to consider when evaluating IT controls are corporate governance, IT governance (the CIO organization) and application and data owner governance.

Corporate governance is a critical area to examine first simply because it sets the "tone at the top" as defined by leadership. With respect to IT governance, there are two areas that must be addressed: IT operations and the overall governance of processes impacting IT. This involves the CIO organization and examines the impact on general or pervasive controls.

Finally, the application and data owners are the business groups interfacing with business-process owners. The effectiveness of the application and data-process controls will ultimately affect the controls at the activity or process level, and therefore must be included in key areas to be considered in SOA compliance.

Both the CIO and IT management can assist the organization with SOA compliance. Tom Luick, Protiviti manager, who is currently involved on several Sarbanes-Oxley-related client projects, says, "It's important to focus compliance efforts on the IT controls that are critical to effectively mitigating the existing financial reporting risks, and consider whether the documented control framework will be manageable going forward." To accomplish this, Luick recommends the following guidelines:
  • Be wary of documenting so many controls that the effort to maintain the documentation becomes unreasonable.
  • Collaborate with the external auditor to validate that the documented controls are sufficient.
  • Work closely with the finance organization, and understand the financial processes and controls that are in scope for the compliance initiative.
  • Make sure that management and the external auditor consider the comprehensive control environment as they assess test results and potential weaknesses.
  • Do not underestimate the level of effort required to document, test and report on controls for SOA compliance.
  • Expect that several iterations of documenting and testing controls will be required to thoroughly prepare for the external audit process.
  • Allow sufficient time for the remediation and retesting of controls.

Ed Hill, Protiviti managing director, adds, "The best thing that the CIO and IT management can do is to begin viewing their departments using a process orientation. They must measure the processes and begin to mature them in accordance with ITIL (Information Technology Infrastructure Library) and CobiT (Control Objectives for IT) guidance. That should help them with all compliance initiatives, not just Sarbanes-Oxley initiatives."

This article was first published on the Protiviti KnowledgeLeader website.