Ten Steps to Sarbanes-Oxley Compliance
The 1997 movie Titanic resulted in such emotional outpouring from some viewers that cynics began wearing T-shirts saying "The boat sank, get over it." A comparable IT T-shirt might say "compliance is here to stay, get on with it." CIOs in banking, defense industries, and other highly regulated industries grew up with a compliance mind-set, but some firms, particularly those newly required to meet Sarbanes-Oxley (SOX) regulations, struggle to adjust. Regulatory compliance is one of the core governance disciplines. Let us use SOX as an example.
Anyone reading business magazines and newspapers comes away with the impression that Sarbanes-Oxley requirements are onerous. Section 404 requires that both the chief executive officer (CEO) and the chief financial officer (CFO) vouch for the adequacy of internal controls. The external auditors must then independently review management's assertion of adequate internal controls. If there are "material weaknesses" or too many "significant deficiencies," they will not certify compliance (see below for a description of these levels of control weakness).
One problem with the implementation of SOX is that it tends to set a standard for compliance that may be inadequate. Meeting SOX standards (i.e., passing 404) does not imply that a firm or an IT department has the processes in place required to manage its business. Nor does it mean that an optimal level of control exists, any more than having a pulse signifies good health. SOX compliance is the minimum standard, not an optimum standard.
Regardless of your firm's current maturity level, you will need to demonstrate SOX compliance efficiently and honestly. Following are typical steps required to pass section 404:
- Identify your framework. Most U.S. organizations use CobIT as a starting point for control objectives. The legislation does not specifically require CobIT, but it is accepted by all the major auditing firms.
- Using CobIT as a reference point, develop a list of controls that are "key" to the successful operation of information technology. These key controls support, ultimately, accurate financial statements.
- Split key controls into two categories: (a) general controls, which are pervasive across all or most platforms and applications, and (b) application controls.
- Review the list with your external auditor. In the first year of SOX compliance for accelerated filers, many firms, fearing the unknown, defined far too many controls as key. As a result, the quantity of testing and the consequent funds expended to support 404 compliance were excessive. If you define a control as key, it has to be tested, documented, remediated if found ineffective, and then tested again. At NCI, for example, we started with 165 general controls and as of this writing are down to 32.
- The external auditors will also be interested in "environmental" practices and organizational structures that strengthen the overall control environment. Unlike the general and application controls discussed earlier, these entity-level controls are typically measured in degrees of compliance and are often not precisely measurable. For example, it is easier to form an opinion on the question "Does your accounts payable system have a built-in check for duplicate payments?" than to state unequivocally that "the audit committee represents an informed, vigilant and effective overseer of the financial reporting process." If you feel your company is not at a passable degree of compliance, then you might want to look into invoice management software. Following is a partial list of representative entity-level questions:
- Are there appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and data files)?
- Are there defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs that are purchased or developed by information systems personnel or users?
- Are systems conversions well controlled (e.g., completed pursuant to written procedures or plans)?
- Are appropriate approvals from management required prior to allowing an individual access to specific applications and databases?
- Are IT personnel prohibited from having incompatible responsibilities or duties in user departments?
- Has management established procedures to prevent unauthorized access to, or destruction of, documents, records (including computer programs and data files), and assets?
- Is data-processing access to non-data-processing assets (e.g., blank checks) restricted?
- Is physical security over IT assets (both IT department and users) reasonable given the nature of the company's business?
- Is there a dedicated security officer function that monitors IT processing activities and are there periodic reports to the board of directors and audit committee on the current state of IT security at the company?
- Are there systems to monitor and respond to potential business interruptions due to incidents stemming from malicious intrusions, and to update security protocols to prevent them? Are security violations and other incidents automatically logged and reviewed?
- Does the company conduct periodic reviews or audits of IT security? If yes, are the results of the review or audit reported to the board of directors or audit committee?
- In order for the external auditors to acknowledge that your firm is in compliance with section 404 of Sarbanes-Oxley requirements, detailed testing of the controls is necessary. From their perspective, the value and reliability of IT controls testing falls into three tiers:
- Lowest reliance: Self-testing done by the IT group. This does not imply lack of professionalism or expertise in the testing. Indeed, IT self-testing is likely to be the most effective, because the team members have a strong level of systems knowledge. But the external auditors consider it to be the least independent, because IT is essentially auditing itself. An example of IT testing might be a review of change control compliance - out of ten programs with a compile date in the current year, how many have corresponding authorization and testing documented in the change management system?
- Medium reliance: Internal Audit performs a set of well-defined tests to show the compliance of each key control, both general and application. Standard workpaper format and adherence to statistical guidelines for sampling are expected. As a practical matter, the performance of Internal Audit's SOX testers can affect the cost of the external audit. If the workpapers are highly organized, well annotated and easy to review, then E&Y, PwC, KPMG, or other outside firms develop confidence in the results and minimize their own independent testing. In a review of NCI's SOX workpapers a few years ago, one of our external auditors jokingly remarked "we were tempted to use some of your work for our own but you used some annotation software that would give it away." Clearly, the big auditing firms hire bright and energetic people. Nonetheless, those same people are typically young, overworked, and rushed to get results out. Anything that can be done to make it easy for them works in the CIO's and the organization's favor.
- Highest reliance: The work performed by the external auditors is the most independent and therefore counts more than work performed by the client's management. For IT, focus areas are usually security, change management, and data integrity (including backup). If there is a significant variance between their testing and management's self-testing, two unpleasant consequences will occur: (1) the external auditors will significantly expand their testing - at their then current billing rates, and (2) the integrity of management will be brought into question.
- Sometimes key controls fail. When they do, a remediation plan is created and put in place, and the control is retested. For example, a key control may state that "periodic, formal restore testing is performed to ensure that backups are effective." During examination of this control, the auditor may find no evidence of systematic restore testing. Perhaps the individuals in IT operations responsible for restore testing thought that incidental restores that happen during the year, due to some random mishap, are sufficient. Unfortunately, such informal activities do not constitute formal restore testing, where systems and applications are methodically restored to ensure compliance across all critical applications. A simple remediation plan may state "Effective 6/30/08, a quarterly restore testing process will be initiated and documentation retained to demonstrate all critical applications can be restored on demand." After a "cure" period, the control is retested for effectiveness. Cure time is the duration required before the control can safely be considered effective. After the control has been in place for the specified number of days and the retest is successful, it has been remediated and will not result in a deficiency. Note that compliance with section 404 is at a "point in time." This means that if you get your IT control failures fixed early on, you can get a clean bill of health at the end of your fiscal year - at least from a SOX perspective. Figure 5 shows an example remediation work-paper entry.
Figure 5 Example remediation work-paper entry.
- Combining the results of their own work, Internal Audit's testing, and IT self-testing, the external auditors will assess the strength of IT controls and whether they are adequate to support management's contention that the system of internal controls supports accurate and timely financial statements. IT controls mesh with traditional financial and operational controls to create the combined control environment. In some cases, a weak IT control can be compensated for by a strong compensating manual control. For example, in organizations where receipt of goods is a significant part of the business, auditors typically look for the well-known "three way match" - that the purchase order, physical receipt, and invoice from the vendor all match before the invoice is paid. If an application does not include this control, a manual three-way match can compensate for the lack of computer control. When controls fail, the results are ranked at one of three levels:
- Deficiency. A control breakdown prevents management or employees from preventing or detecting financial misstatements within a reasonable time frame. This lowest level of failure will not preclude a successful 404 outcome. For example, a key control states that emergency program changes to applications are permitted if they are required to repair a "broken" production system (e.g., a critical batch process aborts at midnight); however, they must be approved by IT management in advance and by an appropriate user within 48 hours of the change. The requirement for user approval was not built into the change control system as an automated process. The auditor discovered emergency application changes approved by IT management but not by a user. The finding was noted as a deficiency and was remediated by automating the reminder for user approval - the e-mails continue and escalate until the user's electronic signature is obtained.
- Significant deficiency. An important control is not working and the organization's ability to initiate, record, process, or report financial data to the public is compromised. In addition, a significant deficiency may prevent compliance with generally accepted accounting principles (GAAP). A significant deficiency must be reported to the audit committee of the board of directors. A single significant deficiency may not cause a "404 failure," but multiple, unresolved, significant deficiencies could convince the external auditors that the system of internal controls is not adequate to support the financial statements. For example, a firm's enterprise resource planning (ERP) security system was configured to permit sales personnel to alter standard shipping terms on contracts. An auditor found three instances where revenue had been recorded in advance of shipment, thus slightly distorting both revenue and inventory in the period reviewed.
Because there was a manual review of variances after the period (compensating control) and the magnitude of the distortion was not "material" at the entity level, this control weakness was designated as a significant deficiency rather than a material weakness. The problem was remediated by restricting full contract modification capability to a limited number of individuals. A new transaction capability ("responsibility" in Oracle terms) was created to allow sales representatives to change some other terms, which are routinely modified as part of the sales cycle.
- Material weakness. One or more control failures at this level will result in a 404 failure. A material weakness represents, according to the AICPA, "more than a remote likelihood that a material misstatement of the financials will not be prevented or detected." The control failure must be reported to the audit committee of the board of directors as well as the investing public (via the 10K). Material weaknesses usually, but not always, arise from business practices rather than IT control failures. For example, auditors performed a test of change control authorization for one firm and found more than a dozen application program changes with no user approvals and testing documents. This same deficiency was noted in the previous year's review. The remediation plan that management had developed in the prior year had apparently not been implemented. Accordingly, the auditors concluded that the likelihood of financial misstatement was more than remote and management's inaction implied a lack of commitment to maintaining a strong system of internal controls.
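The change-control self-test described under "Lowest reliance" (programs compiled in the current fiscal year checked against the change management system) and the emergency-change rule from the deficiency example (IT approval in advance, user approval within 48 hours) can be expressed as one repeatable test. The following is an added illustration, not code from the book or from NCI; the record layout, the fiscal-year start date and the sample changes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed fiscal-year boundary for the sample; the 48-hour window is the one quoted in the text.
FISCAL_YEAR_START = datetime(2008, 1, 1)
USER_APPROVAL_WINDOW = timedelta(hours=48)


@dataclass
class Change:
    """One production program change, joined from the compile log and the change-management record."""
    program: str
    compiled: datetime                 # compile date of the production object
    emergency: bool                    # emergency repair of a broken production system
    it_approval: Optional[datetime]    # IT management approval, None if undocumented
    user_approval: Optional[datetime]  # business-user approval, None if undocumented
    test_evidence: bool                # test results attached to the change record


def exceptions_for(change: Change) -> List[str]:
    """Control exceptions for one change; an empty list means the control held."""
    issues = []
    if change.it_approval is None:
        issues.append("no IT authorization documented")
    elif change.emergency and change.it_approval > change.compiled:
        issues.append("emergency change not approved by IT in advance")
    if not change.test_evidence:
        issues.append("no testing documented")
    if change.user_approval is None:
        issues.append("no user approval documented")
    elif change.emergency and change.user_approval - change.compiled > USER_APPROVAL_WINDOW:
        issues.append("user approval later than 48 hours after emergency change")
    return issues


def change_control_self_test(changes: List[Change], fy_start: datetime = FISCAL_YEAR_START) -> Dict:
    """Sample every program compiled in the current fiscal year and report the exception rate."""
    sample = [c for c in changes if c.compiled >= fy_start]
    detail = {c.program: exceptions_for(c) for c in sample}
    failed = sum(1 for issues in detail.values() if issues)
    rate = failed / len(sample) if sample else 0.0
    return {"sample_size": len(sample), "exceptions": failed, "exception_rate": rate, "detail": detail}


# Constructed sample: one clean normal change, one clean emergency change, an emergency change with no
# user approval, a change with no authorization or test evidence, a prior-year change (out of sample),
# and an emergency change whose user approval arrived 80 hours later.
SAMPLE = [
    Change("AP_CHECK_RUN", datetime(2008, 3, 4, 9), False, datetime(2008, 3, 1, 10), datetime(2008, 2, 28, 15), True),
    Change("GL_POST", datetime(2008, 5, 10, 0, 30), True, datetime(2008, 5, 9, 23, 50), datetime(2008, 5, 11, 8), True),
    Change("INV_RECEIPT", datetime(2008, 6, 2, 1), True, datetime(2008, 6, 2, 0, 40), None, True),
    Change("PRICE_UPDATE", datetime(2008, 7, 15, 14), False, None, datetime(2008, 7, 14, 9), False),
    Change("PAYROLL_CALC", datetime(2007, 11, 20, 8), False, None, None, False),
    Change("SHIP_TERMS", datetime(2008, 8, 1, 2), True, datetime(2008, 8, 1, 1, 30), datetime(2008, 8, 4, 10), True),
]
```

Running `change_control_self_test(SAMPLE)` gives a workpaper-style result: five programs in scope, three with exceptions, and the per-program reasons that a remediation entry would cite.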
- Within a month or two of the close of the fiscal year, the external auditors will review their findings, discuss areas for control improvements (not necessarily related to key controls), and examine management's retest results. Because SOX testing typically takes place throughout the year, a selected subset needs to be retested at the end of the year in order to demonstrate that the control environment has not deteriorated. The external auditors will also review the results of remediation efforts and related tests.
- After the close of the fiscal year, the auditors will render an opinion. This will include an opinion on the accuracy of the financial statements and on management's assertion that its system of internal controls will properly identify and correct material financial inaccuracies. The following text is copied from NCI Building Systems' 2006 annual report:
We have evaluated the effectiveness of our internal control over financial reporting as of October 29, 2006. This evaluation was performed using the internal control evaluation framework developed by the Committee of Sponsoring Organizations of the Treadway Commission. Based on such evaluation, management has concluded that, as of such date, our internal control over financial reporting was effective.
Pursuant to Section 404 of the Sarbanes-Oxley Act of 2002, we included a report of management's assessment of the design and effectiveness of our internal controls as part of this Annual Report on Form 10-K for the fiscal year ended October 29, 2006. Ernst & Young, LLP, our independent registered public accounting firm, also attested to, and reported on, management's assessment of the effectiveness of internal control over financial reporting. Management's and Ernst & Young's reports are included in our 2006 Consolidated Financial Statements on pages 39 and 40 of our Form 10-K under the captions entitled "Management's Report on Internal Control Over Financial Reporting" and "Report of Independent Registered Public Accounting Firm on Internal Control Over Financial Reporting" and are incorporated herein by reference.
The corresponding text in the 10K is an example of the external auditor's opinion on both the system of internal controls and the financial statements:
In our opinion, management's assessment that the Company maintained effective internal control over financial reporting as of October 29, 2006, is fairly stated, in all material respects, based on the COSO criteria. Also, in our opinion, the Company maintained, in all material respects, effective internal control over financial reporting as of October 29, 2006, based on the COSO criteria.
We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the consolidated balance sheets of the Company as of October 29, 2006 and October 29, 2005, and the related consolidated statements of operations, stockholders' equity, cash flows and comprehensive income for each of the three years in the period ended October 29, 2006 and our report dated January 8, 2007 expressed an unqualified opinion thereon.
The above text is the formal equivalent of "Hurray! We passed 404!" Of course, IT is only one component, albeit an important one, of the system of internal controls.
For new CIOs, SOX can be a tense process. The CEO and CFO have to personally sign a statement that, to the best of their knowledge, the system of internal controls is adequate. IT is expected to pass with few deficiencies, no significant deficiencies, and certainly no material weaknesses. It reminds one of us of a past tenure as Enron Corp's Telecom Director - not once did anyone call to say "I just picked up the phone and it worked - gee thanks." SOX compliance is a baseline, expected part of your job. One bright spot is that it gets significantly easier over time. Key controls should not change much, except to get more streamlined.
Testing becomes routine. So long as the data, screen shots, and so forth originate from the current fiscal year, testing processes can be the same from year to year.