Monday, October 1, 2007

IT Governance

DISCUSSION DOCUMENT
THE IMPORTANCE OF IT
IN THE DESIGN, IMPLEMENTATION
AND SUSTAINABILITY OF INTERNAL
CONTROL OVER DISCLOSURE AND
FINANCIAL REPORTING
IT CONTROL OBJECTIVES
FOR SARBANES-OXLEY
ii IT Control Objectives for Sarbanes-Oxley
IT Governance InstituteR
The IT Governance Institute (ITGI) strives to assist enterprise leaders in
their responsibility to
make IT successful in supporting the enterprise's mission and goals. Its
goals are to raise
awareness and understanding among and provide guidance and tools to boards
of directors,
executive management and chief information officers (CIOs) such that they
are able to ensure
within their enterprises that IT meets and exceeds expectations, and its
risks are mitigated.
Information Systems Audit and Control AssociationR
The Information Systems Audit and Control Association (ISACAR) is an
international
professional, technical and educational organization dedicated to being a
recognized global
leader in IT governance, control and assurance. With members in more than
100 countries,
ISACA is uniquely positioned to fulfill the role of a central, harmonizing
source of IT control
practice standards the world over. Its strategic alliances with other
organizations in the
financial, accounting, auditing and IT professions ensure an unparalleled
level of integration
and commitment by business process owners.
Disclaimer
The IT Governance Institute, Information Systems Audit and Control
Association and the
authors of IT Control Objectives for Sarbanes-Oxley have designed this
publication primarily
as an educational resource for control professionals. The IT Governance
Institute, Information
Systems Audit and Control Association, authors and expert reviewers ("the
Development
Team") make no claim that use of this product will assure a successful
outcome. This
publication should not be considered inclusive of any proper procedures and
tests or exclusive
of other procedures and tests that are reasonably directed to obtaining the
same results. In
determining the propriety of any specific procedure or test, the controls
professional should
apply his/her own professional judgment to the specific control
circumstances presented by
the particular systems or information technology environment.
Readers should note that this document has not received endorsement from the
Securities and
Exchange Commission (SEC) or the Public Company Accounting Oversight Board
(PCAOB).
Accordingly, the Development Team makes no representation or warranties and
provides no
assurances that an organization's disclosure controls and procedures and the
internal controls
and procedures for financial reporting are compliant with the certification
requirement and
internal control reporting requirement of Sarbanes-Oxley, nor that an
organization's plans are
sufficient to address and correct any shortcomings that would prohibit the
organization from
making the required certification or reporting under Sarbanes-Oxley.
Additional
considerations are provided in the Preface of this publication.
Internal controls, no matter how well designed and operated, can provide
only reasonable
assurance of achieving an entity's control objectives. The likelihood of
achievement is
affected by limitations inherent to internal control. These include the
realities that human
judgment in decision-making can be faulty and that breakdowns in internal
control can occur
because of human failures such as simple errors or mistakes. Additionally,
controls, whether
manual or automated, can be circumvented by the collusion of two or more
people or
inappropriate management override of internal controls.
Disclosure
CopyrightC 2003 by the IT Governance Institute. Reproduction of selections
of this
publication for academic use is permitted and must include full attribution
of the material's
source. Reproduction or storage in any form for commercial purpose is not
permitted without
ITGI's prior written permission. No other right or permission is granted
with respect to this
work.
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491
Fax: +1.847.253.1443
E-mail: research@isaca.org
Web site: www.itgi.org and www.isaca.org
ISBN: 1-893209-67-9
Printed in the United States of America
Acknowledgements iii
Acknowledgements
The IT Governance Institute wishes to recognize:
The authors, for their thought leadership
Christopher Fox, CA, PricewaterhouseCoopers LLP, USA
Paul A. Zonneveld, CISA, CISSP, CA, Deloitte & Touche LLP, Canada
The expert reviewers, whose comments helped shape the final document
Neil Anderson, CISA, CA, MBA, Electrolux AB, USA
Sean Ballington, CISA, CA, PricewaterhouseCoopers LLP, USA
Don Caniglia, CISA, Crowe Chizek LLP, USA
Sally Chan, CMA, PAdm, ACIS, RBC Financial Group, Canada
Tom Church, Deloitte & Touche LLP, USA
Pamela A. Fredericks, CISM, CISSP, Forsythe Solutions, USA
John Gimpert, CPA, Deloitte & Touche LLP, USA
Gary Hardy, CISA, IT Winners Ltd., UK
Edward L. Hill, Protiviti Inc, USA
Audrey Katcher, CISA, CPA, PricewaterhouseCoopers LLP, USA
Pierre Lapointe, CA, Deloitte & Touche LLP, Canada
Jennifer Laudermilch, CISA, CPA, PricewaterhouseCoopers LLP, USA
Elsa Lee, CISA, MA, CSQA, Crowe Chizek LLP, USA
William Levant, Deloitte & Touche LLP, USA
William Malik, CISA, Waveset Technologies, USA
Tiffany McCann, Financial Executives Institute-Research Foundation (FERF),
USA
Todd McGowan, CISA, CPA, Deloitte & Touche LLP, USA
Therese E. Michael, PricewaterhouseCoopers LLP, USA
Robert G. Parker, CISA, FCA, CMC, Deloitte & Touche LLP, Canada
Hugh Parkes, CISA, FCA, The Q Alliance, Australia
Al Passori, META Group Inc., USA
Brian Reinke, FCA, Deloitte & Touche LLP, Canada
Robert S. Roussey, CPA, Leventhal School of Accounting, University of
Southern California, USA
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG LLP, Austria
Lily M. Shue, CISA, CCP, CITC, LMS Associates, USA
Hayward Walls, EnCana Corporation, Canada
Graham D. Ward, CISA, CA, ABCP, PricewaterhouseCoopers LLP, USA
The ITGI Board of Trustees, for its support of the project
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA,
International President
Abdul Hamid Bin Abdullah, CISA, CPA, Auditor General's Office, Singapore,
Vice President
Ricardo J. Bria, CISA, Argentina, Vice President
Everett C. Johnson, Jr., CPA, Deloitte & Touche LLP, USA, Vice President
Dean R.E. Kingsley, CISA, CISM, CA, Deloitte & Touche LLP, Australia, Vice
President
Ronald Saull, CSP, Great-West Life Assurance Company, Canada, Vice President
Eddy Schuermans, CISA, PricewaterhouseCoopers LLP, Belgium, Vice President
Robert S. Roussey, CPA, Leventhal School of Accounting, University of
Southern California, USA, Past
International President
Paul A. Williams, FCA, MBCS, Paul Williams Consulting, UK, Past
International President
Emil G. D'Angelo, CISA, Bank of Tokyo-Mitsubishi, USA, Trustee
Erik Guldentops, CISA , Advisor, IT Governance Institute.
The ITGI Research Board, for overseeing and guiding the project
Chairperson, Lily M. Shue, CISA, CCP, CITC, LMS Associates, USA
Jayant Ahuja, CISA, CPA, CMA, PricewaterhouseCoopers LLP, USA
Candi Carrera, CF 6 Luxembourg, Luxembourg
John Ho Chi, CFE, Ernst & Young LLP, Singapore
Avinash W. Kadam, CISA, CISSP, CBCP, GSEC, CQA, MIEL E-Security Pvt. Ltd.,
India
Elsa Lee, CISA, MA, CSQA, Crowe Chizek LLP, USA
Robert G. Parker, CISA, FCA, CMC, Deloitte & Touche LLP, Canada
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG LLP, Austria
Johann Tello Meryk, CISA, Banco del Istmo, Panama
Frank Vander Zwagg, CISA, Air New Zealand, New Zealand
Paul A. Zonneveld, CISA, CISSP, CA, Deloitte & Touche LLP, Canada
iv Table of Contents
Table of Contents
PREFACE.....................................................................
...............................v
A FOCUS ON INTERNAL
CONTROL...................................................1
SARBANES-OXLEY-ENHANCING CORPORATE
ACCOUNTABILITY
............................................................................
1
SPECIFIC REQUIREMENTS OF SARBANES-OXLEY ...................2
SECTION
302.........................................................................
..............3
AUDITOR EVALUATION RESPONSIBILITIES ...............................3
SECTION
404.........................................................................
..............4
AUDITOR ATTESTATION
..................................................................4
AUDIT
COMMITTEE...................................................................
.......5
FRAUD CONSIDERATIONS IN AN AUDIT OF INTERNAL
CONTROL OVER FINANCIAL REPORTING......................................6
THE FOUNDATION FOR RELIABLE FINANCIAL
REPORTING...................................................................
......................6
INFORMATION TECHNOLOGY CONTROLS-
A UNIQUE
CHALLENGE...................................................................
8
TURNING COMPLIANCE INTO COMPETITIVE
ADVANTAGE
............................................................................
...........9
INTERNATIONAL CONSIDERATIONS..........................................10
SETTING THE GROUND
RULES.........................................................11
COSO DEFINED
............................................................................
....11
ADOPTING A CONTROL FRAMEWORK......................................11
ASSESSING THE READINESS OF IT.............................................16
ESTABLISHING IT CONTROL GUIDELINES
FOR
SARBANES-OXLEY..............................................................
...17
CLOSING THE
GAP.........................................................................
......19
ROAD MAP FOR COMPLIANCE
....................................................19
HOW COMPLIANCE SHOULD BE DOCUMENTED....................28
LESSONS
LEARNED.....................................................................
...28
APPENDIX-IT CONTROL OBJECTIVES FOR
SARBANES-OXLEY..............................................................
..................31
1. GENERAL CONTROLS-PLAN AND ORGANIZE...................33
2. GENERAL CONTROLS-ACQUIRE AND IMPLEMENT.........39
3. GENERAL CONTROLS-DELIVER AND SUPPORT ...............42
4. GENERAL CONTROLS-MONITOR AND EVALUATE...........49
5. APPLICATION CONTROLS-BUSINESS CYCLES..................51
REFERENCES
............................................................................
.............57
Preface v
Preface
Despite all the publicity surrounding the Sarbanes-Oxley Act of 2002,
relatively little attention has focused specifically on the role of
information
technology (IT) in the financial reporting process. This is unfortunate,
given
that the accuracy and timeliness of financial reporting is, at most
companies,
heavily dependent on a well-controlled IT environment.
IT organizations need to become involved in Sarbanes-Oxley attestation
activities quickly. While the US Securities and Exchange Commission (SEC)
has extended the dates for compliance with Section 404 of the Act, this move
was only an acknowledgement that the original time frame was unrealistic
and more time was needed for companies to comply. It was not an invitation
to delay readiness and implementation work.
Accordingly, there is an urgent need for guidance material that specifically
addresses the information technology control environment. This document is
intended to help meet that need.
The Sarbanes-Oxley Act provides the foundation for new corporate
governance rules, regulations and standards issued by the SEC.
On 7 October 2003, the Public Company Accounting Oversight Board
(PCAOB) issued both a briefing paper and a proposed auditing standard,
release no. 2003-17-"An Audit of Internal Control Over Financial
Reporting Performed in Conjunction with an Audit of Financial Statements."
While this guidance has provided further clarification on the nature and
extent of the work required to provide an audit opinion, there are
significant
rules and standards that have yet to be issued. Among others, these might
include detailed guidance on documentation requirements and further
clarification on the requirements for real-time disclosure. The issuance of
rules, standards and guidelines will be an ongoing process that will
continually adapt to the results of regulatory examinations and the changing
business and accounting environments. It is likely that there will never be
a
time when the rules for Sarbanes-Oxley will be "black and white"; many
areas will still require professional judgment and interpretation. The
development of industry standards and practices and the public debate over
what could be considered to be good practice should facilitate this process.
vi IT Control Objectives for Sarbanes-Oxley
Unlike previous event-driven control activities (e.g., Y2K), Sarbanes-Oxley
activity will continue as a routine part of doing business. This document
focuses on the aspects of Sarbanes-Oxley that will have the greatest impact
on an organization in the short to medium term, that is, compliance with
Section 302 and 404 of the act. The document deliberately does not focus
on operational and efficiency issues, as the first priority should be
demonstrating that strong IT controls over financial reporting are in place.
However, it is inevitable (and desirable) that operational and efficiency
issues
will be addressed over time and built into the structures and processes that
are developed. Once the ongoing cost of Sarbanes-Oxley compliance is
assessed, there will be pressure to replace existing manual controls and
processes with automated processes. In addition, there are other aspects of
Sarbanes-Oxley that may have considerable impact on IT, e.g., the potential
impact of real-time disclosure.
Readers may find the material in the appendix-IT Control Objectives for
Sarbanes-Oxley-particularly useful. COSO-Internal Control-Integrated
Framework was used as the overall framework upon which the
supplementary IT guidance was based. Control Objectives for Information
and related Technology (COBITR), established by the IT Governance Institute,
was used as the initial IT controls baseline to develop a control objective
template. While COBIT addresses control objectives that relate to
operational
and compliance issues, only those related to financial reporting have been
used to develop this document.
COBIT is a very rich and robust framework, comprising four domains, 34 IT
processes and 318 detailed control objectives. It is a comprehensive
approach for managing risk and control of information technology. As such,
the control objectives and considerations set forth in this document may
exceed, or be deficient in, what is necessary for organizations seeking to
comply with the requirements of Sarbanes-Oxley. The suggested internal
control framework (COSO) to be used for compliance with Sarbanes-Oxley,
as supported by the Securities and Exchange Commission (SEC), addresses
the topic of IT general controls, but does not dictate requirements for such
control objectives and related control activities. Similarly, the audit
standards
issued by the PCAOB on 7 October 2003 highlight the importance of IT
general controls, but do not specify which in particular must be included.
Such decisions remain the responsibility of an organization's management
and independent auditors for their respective purposes. Accordingly,
companies should assess the nature and extent of information technology
controls necessary to support their internal control program on a
case-bycase
basis. Additional considerations are provided in the disclaimer section
of this publication.
In developing this publication, the approach that was taken started with
reviewing the detailed COBIT control objectives, reconciling the objectives
to COSO, determining if the objectives related to financial reporting
objectives, extracting the IT general control objectives and rewriting
objectives, as appropriate, so that they focus on financial reporting
objectives-the requirement of Sarbanes-Oxley. The resulting general
control objectives framework has four domains, 27 IT processes and 136
detailed control objectives.
However, a "one size fits all" approach is not the way to proceed. Each
organization may want to tailor the control objective template to fit its
specific circumstances, e.g., if systems development is considered to be of
low risk, an organization may choose to amend or delete some of the
suggested detailed control objectives. It is further suggested that each
organization consult with its external auditors to ensure that all
attestationcritical
control objectives are addressed. An organization may then choose to
incorporate additional aspects of COBIT.
IT Governance Institute vii
viii IT Control Objectives for Sarbanes-Oxley
This page intentionally left blank.
A Focus on Internal Control 1
A Focus on Internal Control
Recent events have ushered in a new era in the history of business,
characterized by a firm resolve to increase corporate responsibility. The
Sarbanes-Oxley Act of 2002 was created to restore investor confidence in
US public markets, which were devastated by business scandals and lapses in
corporate governance. Although it has literally rewritten the rules for
accountability, disclosure and reporting, the Act's myriad pages of legalese
support a simple premise: good corporate governance and ethical business
practices are no longer optional niceties-they are the law.
With the future of the capital markets-a pillar of the economy-at stake,
the need to link sound corporate governance with effective internal control
has never been greater. Forward-thinking companies and executives will
seize the opportunity. Those who fail to act may pay a heavy price.
Sarbanes-Oxley-Enhancing Corporate Accountability
Some observers have described Sarbanes-Oxley as the most significant piece
of business legislation in the last half-century. Sarbanes-Oxley
fundamentally
changes the business and regulatory environment, and public companies
cannot afford to underestimate the task ahead. The clock is ticking on
compliance, and any delays in dealing with the issue may have serious
consequences. Immediate and decisive action is required.
Sarbanes-Oxley aims to enhance corporate governance through measures
that will strengthen internal checks and balances and, ultimately,
strengthen
corporate accountability. However, it is important to emphasize that Section
404 does not merely require companies to establish and maintain an
adequate internal control structure, but also to assess its effectiveness on
an
annual basis. This distinction is significant.
For those organizations that have begun the compliance process, it has
quickly become apparent that information technology plays a vital role in
internal control-supporting the systems, data and infrastructure components
that are critical to the financial reporting process. On 7 October 2003, the
PCAOB issued a proposed auditing standard that discusses the importance of
information technology in the context of internal control. In particular
it states:
70. The nature and characteristics of a company's use of information
technology in its information system affect the company's internal control
over financial reporting.
2 ITControl Objectives for Sarbanes-Oxley
To this end, IT professionals, especially those in executive positions, need
to
be well-versed in internal control theory and practice to meet the
requirements of the Act. CIOs must now take on the challenges of (1)
enhancing their knowledge of internal control, (2) understanding their
company's overall Sarbanes-Oxley compliance plan, (3) developing a
compliance plan to specifically address IT controls, and (4) integrating
this
plan into the overall Sarbanes-Oxley compliance plan.
Accordingly, the goal of this publication is to offer guidance to those
responsible for corporate IT systems on the following:
A. Assessing the current state of their IT control environment
B. Designing control improvements necessary to meet the directives of
Sarbanes-Oxley Section 404
C. Closing the gap between A and B
Specific Requirements of Sarbanes-Oxley
Much of the discussion surrounding Sarbanes-Oxley has focused on Sections
302 and 404. A brief primer can be found in figure 1.
302 404
Who Corporate management, Corporate management,
executives and financial officer executives and financial officer
What 1. Evaluate effectiveness of 1. Evaluate design and operating
disclosure controls (with effectiveness of internal
focus on changes since the controls over financial
most recent evaluation)* reporting
2. Evaluate changes in internal 2. Disclose all known controls,
control over financial significant deficiencies
reporting and material weaknesses
3. Disclose all known control 3. Disclose acts of fraud
deficiencies and weaknesses
4. Disclose acts of fraud
When Already in effect as of July 2002 Year-ends beginning on or after
June 2004**
How Quarterly assessment by Annual assessment by
often management management and independent
auditors
*Annual for foreign private issuers **Nonaccelerated filers (<US $75M) can
defer to 2005
Figure 1-Sarbanes-Oxley Requirements Primer
A Focus on Internal Control 3
Section 302
Under Section 302, the company's principal executive officer
and financial officer must personally certify-quarterly and
annually-that they:
. Are responsible for disclosure controls and procedures
. Have designed (or supervised the design of) disclosure
controls to ensure that material information is made known
to them
. Have evaluated the effectiveness of disclosure controls and
procedures and material changes in internal control over
financial reporting
. Have presented their conclusions regarding the effectiveness
of disclosure controls
. Have disclosed to their audit committee and the independent
auditors any significant control deficiencies, material
weaknesses and acts of fraud that involve management or
other employees who have a significant role in the company's
internal control
. Have indicated in the filing any significant changes to
disclosure controls
. Have disclosed in their quarterly reports any change that has
(or is likely to) materially affect internal control over
financial reporting
Auditor Evaluation Responsibilities
The draft audit standard issued by the PCAOB on 7 October
2003 discusses the external auditors responsibilities in regards
to Section 302 in paragraphs 185 through 189. In particular
it states:
185. The auditor's responsibility as it relates to
management's quarterly certifications on internal control
over financial reporting is different from the auditor's
responsibility as it relates to management's annual
assessment of internal control over financial reporting.
. The auditor should perform limited procedures quarterly to
provide a basis for determining whether he or she has
become aware of any material modifications that, in the
auditor's judgment, should be made to the disclosures
about changes in internal control over financial reporting
in order for the certifications to be accurate and to comply
with the requirements of Section 302.
Disclosure Controls and
Procedures
Disclosure controls and
procedures refer to the
processes in place designed
to ensure that all material
information is disclosed by an
organization in the reports it
files or submits to the SEC.
These controls also require
that disclosures are complete
and accurate and are
recorded, processed,
summarized and reported
within the time periods
specified in the SEC's rules
and forms. Deficiencies in
controls, as well as any
significant changes to
controls, must be
communicated to the
organization's audit
committee and auditors in a
timely manner. An
organization's principal
executive officer and financial
officer must certify the
existence of these controls on
a quarterly basis.
4 ITControl Objectives for Sarbanes-Oxley
186. To fulfill this responsibility, the auditor should perform,
on a quarterly basis, the following procedures:
. Inquire of management about significant changes in the
design or operation of internal control over financial
reporting as it relates to the preparation of annual as well
as interim financial information that could have occurred
subsequent to the preceding annual audit or prior review of
interim financial information, and
. Determine, through a combination of observation and
inquiry, whether significant changes in internal control
over financial reporting may introduce significant
deficiencies or material weaknesses in the design of
internal control over financial reporting.
Section 404
The directives of Sarbanes-Oxley Section 404 require that
management provide an annual report on its assessment of
internal control over financial reporting in the annual filing.
This assessment must contain the following elements:
. A statement that company management is responsible for
establishing and maintaining adequate internal control over
financial reporting
. A statement identifying the internal control framework (such
as COSO) used by management to evaluate the effectiveness
of the company's internal control over financial reporting
. An assessment of the design and effectiveness of the
company's internal control over financial reporting
. Disclosure of any material weaknesses in the company's
system of internal control over financial reporting
. The company's independent auditor's attestation report on
management's assessment of internal control over financial
reporting
Auditor Attestation
An added challenge is that Section 404 requires a company's
independent auditor to attest to management's assessment of its
internal control over financial reporting. Not only must
organizations ensure that appropriate controls (including IT
controls) are in place, they must also provide their independent
auditors with documentation supporting management's
assessment. This includes design documentation and the
documented results of testing procedures.
Internal Control Over
Financial Reporting
Internal control over financial
reporting is defined by the
SEC as:
"a process designed by, or
under the supervision of, the
registrant's principal executive
and principal financial officers,
or persons performing similar
functions, and effected by the
registrant's board of directors,
management and other
personnel, to provide
reasonable assurance
regarding the reliability of
financial reporting and the
preparation of financial
statements for external
purposes in accordance with
generally accepted accounting
principles and includes those
policies and procedures that:
(1) Pertain to the maintenance
of records that in
reasonable detail accurately
and fairly reflect the
transactions and
dispositions of the assets of
the registrant;
(2) Provide reasonable
assurance that transactions
are recorded as necessary
to permit preparation of
financial statements in
accordance with generally
accepted accounting
principles, and that receipts
and expenditures of the
registrant are being made
only in accordance with
authorizations of
management and directors
of the registrant; and
(3) Provide reasonable
assurance regarding
prevention or timely
detection of unauthorized
acquisition, use or
disposition of the
registrant's assets that
could have a material effect
on the financial
statements."
Under the Sarbanes-Oxley Act, standards for the auditor's attestation are
now
the responsibility of the PCAOB. While the 404 attestation is "as of " a
specific date the draft PCAOB standard issued on 7 October 2003
specifically addresses financial reporting controls that should be in place
for
a period before the attestation date and controls that may operate after the
attestation date. It states:
95. The auditor's testing of the operating effectiveness of such controls
should occur at the time the controls are operating. Controls "as of" a
specific date encompass controls that are relevant to the company's
internal control over financial reporting "as of" that specific date, even
though such controls might not operate until after that specific date.
151. Management might be able to accurately represent that internal
control over financial reporting, as of the end of the company's most
recent fiscal year, is effective even if one or more material weaknesses
existed during the period. To make this representation, management must
have changed the internal control over financial reporting to eliminate the
material weaknesses sufficiently in advance of the "as of" date and have
satisfactorily tested the effectiveness over a period of time that is
adequate
for it to determine whether, as of the end of the fiscal year, the design
and
operation of internal control over financial reporting is effective.
Management should meet with their external auditors to determine the
period of time a control is required to be operating before the attestation
date.
Audit Committee
The draft audit standard of 7 October 2003 specifically addresses the
external auditor's evaluation of the audit committee in paragraphs 56
through
59. In particular it states:
56. Evaluating the Effectiveness of the Audit Committee's Oversight of the
Company's External Financial Reporting and Internal Control Over
Financial Reporting. The company's audit committee plays an important
role within the control environment and monitoring components of internal
control over financial reporting. Within the control environment, the
existence of an effective audit committee is essential to setting a positive
tone at the top. Within the monitoring component, an effective audit
committee is crucial to challenging the company's activities in the
financial arena.
As a result, it would be advisable if the audit committee is aware of any
significant activities impacting the IT environment as it relates to
financial
reporting.
A Focus on Internal Control 5
6 ITControl Objectives for Sarbanes-Oxley
Fraud Considerations in an Audit of Internal Control
Over Financial Reporting
In the introduction to PCAOB draft audit standard of 7 October 2003, the
board makes specific reference to fraud considerations:
Strong internal controls provide better opportunities to detect and deter
fraud. For example, many frauds resulting in financial statement
restatement relied upon the ability of management to exploit weaknesses in
internal control. To the extent that the internal control reporting required
by Section 404 can help restore investor confidence by improving the
effectiveness of internal controls (and reducing the incidence of fraud),
the
auditing standard on performing the audit of internal control over
financial reporting should emphasize controls that prevent or detect errors
as well as fraud. For this reason, the proposed standard specifically
addresses and emphasizes the importance of controls over possible fraud
and requires the auditor to test controls specifically intended to prevent
or
detect fraud that is reasonably likely to result in material misstatement of
the financial statements.
Paragraphs 24 through 26 of the draft audit standard of 7 October 2003
address fraud considerations. In particular paragraph 25 states:
Part of management's responsibility when designing a company's internal
control over financial reporting is to design and implement programs and
controls to prevent, deter, and detect fraud.
The Foundation for Reliable Financial Reporting
Information technology professionals understand the critical role that IT
plays in the operations of a company. Indeed, it is difficult to imagine a
successful company existing in the 21st century without some level of
reliance on IT systems.
In today's environment, financial reporting processes are driven by IT
systems. Such systems, whether ERP or otherwise, are deeply integrated in
the initiation, recording, processing and reporting of financial
transactions.
As such, they are inextricably linked to the overall financial reporting
process and need to be assessed, along with other important processes, for
compliance with Sarbanes-Oxley.
To emphasize this point, the PCAOB draft audit standard of 7 October 2003
discusses the relationship of information technology and its importance in
testing the design and operational effectiveness of internal control. In
particular paragraph 41 states:
.controls should be tested, including controls over relevant assertions
related to all significant accounts and disclosures in the financial
statements. Generally, such controls include [among others]:
. Controls, including information technology general controls, on which
other controls are dependent.
Enterprise
Management
IT Services
OS/Data/Telecom/Continuity/Networks
Business Process
Finance
Business Process
Manufacturing
Business Process
Logistics
Business Process
Etc.
Application
Controls
Controls embedded in business
process applications, designed
to achieve completeness,
accuracy, validity and
recording assertions, are
commonly referred to as
application controls.
Examples include:
. Authorizations
. Approvals
. Tolerance levels
. Reconciliations
. Input edits
General Controls
Controls embedded in shared
services form general controls.
Examples include:
. Systems maintenance
. Disaster recovery
. Physical and logical security
. Data management
. Incident response
Company-
Level
Controls
Company-level
controls set
the tone for the
organization.
Examples include:
. Systems
planning
. Operating style
. Enterprise
policies
. Governance
. Collaboration
. Information
sharing
. Codes of
conduct
. Fraud
prevention
A Focus on Internal Control 7
The draft audit standard continues in paragraph 67 by describing the process
that auditors should follow in determining the appropriate assertions or
objectives to support management's assessment:
To identify relevant assertions, the auditor should determine the source of
likely potential misstatements in each significant account. In determining
whether a particular assertion is relevant to a significant account balance
or disclosure, the auditor should evaluate[among others]:
. The nature and complexity of the systems, including the use of
information technology by which the company processes and controls
information supporting the assertion.
At least three common elements exist within all organizations-enterprise
management, business process and shared services.
Enterprise Management Business Process Shared Services
Enterprise management is the
manner in which strategy is
established and incorporated
into business activities. At
the company level, business
objectives are set, policies are
established, and decisions are
made on how to deploy and
manage the resources of the
organization. From an IT
perspective, policies and
other enterprisewide
guidelines are set and
communicated throughout
the organization.
Business processes are the
organization's mechanism of
creating and delivering value
to its stakeholders. Inputs,
processing and outputs are
functions of strategic
business processes.
Increasingly, business
processes are being
automated and integrated
with complex and highly
efficient IT systems.
Shared services are those that
are required by more than one
department or process and
are often delivered as a
common service. From an IT
perspective, services such as
security, telecommunications
and storage are necessary
services for any department or
business unit, and are often
managed by a central
IT function.
Figure 2-Common Elements of Organizations
8 ITControl Objectives for Sarbanes-Oxley
Figure 2 demonstrates how IT controls are embedded within each element
of business. For instance, consider the following areas where IT enables the
controls sought for reliable financial reporting:
. Information management and data classification
. Role-based user management (authentication, initiation and authorization
of transactions)
. Real-time reporting
. Transaction thresholds and tolerance levels
. Data processing integrity and validation
More and more, IT systems are automating business process activities and
providing functionality that enables as much or as little control as
necessary.
As such, compliance programs need to include system-based controls to
keep up-to-date with contemporary financial systems.
Information Technology Controls-A Unique Challenge
Sarbanes-Oxley makes corporate executives explicitly responsible for
establishing, evaluating and monitoring the effectiveness of internal
control
over financial reporting. For most organizations, the role of information
technology will be crucial to achieving this objective. Whether through a
unified enterprise resource planning system or a disparate collection of
operational and financial management software applications, IT is the
foundation of an effective system of internal control over financial
reporting.
Yet, this situation creates a unique challenge: many of the IT professionals
being held accountable for the quality and integrity of information
generated
by their IT systems are not well versed in the intricacies of internal
control.
This is not to suggest that risk is not being managed by IT, but rather that
it
may not be formalized or structured in a way required by an organization's
management or its auditors.
Organizations will need representation from IT on their Sarbanes-Oxley
teams to ensure that IT general controls and application controls exist and
support the objectives of the compliance effort. Some of the key areas of
responsibility for IT will include:
. Understanding the organization's internal control program and its
financial
reporting process
. Mapping the IT systems that support internal control and the financial
reporting process to the financial statements
. Identifying risks related to these IT systems
. Designing and implementing controls designed to mitigate the identified
risks, and monitoring them for continued effectiveness
. Documenting and testing IT controls
. Ensuring that IT controls are updated and changed, as necessary, to
correspond with changes in internal control or financial reporting processes
. Monitoring IT controls for effective operation over time
The SEC regulations that affect Sarbanes-Oxley are undeniably complicated,
and implementation will be both time-consuming and costly. In proceeding
with an IT control program, there are two important considerations that
should be taken into account:
1. There is no need to reinvent the wheel; virtually all public companies
have
some semblance of IT control. While they may be informal and lacking
sufficient documentation, IT controls generally exist in areas such as
security and availability.
2. Many companies will be able to tailor existing IT control processes to
comply with the provisions of Sarbanes-Oxley. Frequently, it is the
consistency and quality of control documentation and evidential matter
that is lacking, but the general process is often in place, only requiring
some modification.
Performing a thorough review of IT control processes and documenting them
as the enterprise moves forward will be a time-consuming task. Without
appropriate knowledge and guidance, organizations will run the risk of doing
too much or too little. This risk is amplified when those responsible are
not
experienced in the design and assessment of IT controls or lack the
necessary skill or management structure to identify and focus on the areas
of
most significant risk.
While some industries, such as financial services, are familiar with
stringent
regulatory and compliance requirements of public market environments,
most are not. To meet the demands of Sarbanes-Oxley, most organizations
will require a change in culture. More likely than not, enhancements to IT
systems and processes will be required, most notably in the design,
documentation and evaluation of IT controls. Because the cost of
noncompliance can be devastating to an organization, it is crucial to adopt
a
proactive approach and take on the challenge early.
Turning Compliance into Competitive Advantage
There is no such thing as a risk-free environment, and compliance with
Sarbanes-Oxley does not create such an environment. However, the process
that most organizations will follow to enhance their system of internal
control to conform to the Act will undoubtedly provide lasting benefits. In
particular, IT organizations can seize this opportunity to turn compliance
into competitive advantage.
The work required to meet the requirements of Sarbanes-Oxley should not
be regarded as a compliance process, but rather as an opportunity to
establish strong governance models designed to ensure accountability and
responsiveness to business requirements. Building a strong internal control
program within IT can help to:
. Enhance overall IT governance
. Enhance the understanding of IT among executives
A Focus on Internal Control 9
10 IT Control Objectives for Sarbanes-Oxley
. Make better business decisions with higher-quality, more timely
information
. Align project initiatives with business requirements
. Prevent loss of intellectual assets and the possibility of system breach
. Contribute to the compliance of other regulatory requirements, such
as privacy
. Gain competitive advantage through more efficient and effective operations
. Optimize operations with an integrated approach to security, availability
and processing integrity
. Enhance risk management competencies and prioritization of initiatives
International Considerations
Among the many factors that must be considered in complying with Sarbanes-
Oxley, there are some that will uniquely impact international organizations.
Specifically, global organizations, or non-US-based companies that are
required to comply with Sarbanes-Oxley, need to examine their IT operations
and determine if they are significant to the organization as a whole.
Significant business units can include financial business units or IT
business
units. The assessment of whether an IT business unit is significant can be
impacted by the materiality of transactions processed by the IT business
unit,
the potential impact on financial reporting if an IT business unit fails and
other qualitative risk factors. The issue is that there are financial
materiality
and significant risk considerations, quantitative and qualitative, and both
aspects provide focus.
Examples of international IT assessment considerations include:
. Where the financial business units within a country are not significant
individually, but IT processing occurs in a central location, then the IT
business unit may be significant, e.g., a US multinational's British
financial
business units that are not individually significant (although they would be
significant on a consolidated basis) and most financial reporting IT
processing performed by a single IT business unit
. Where the financial business unit is not significant in a particular
country,
but the local IT business unit is responsible for regional IT processing,
e.g.
an IT business unit in Singapore that is responsible for IT processing
throughout Asia and the Pacific
. Where there is no financial business unit in a particular country, but
USbased
IT responsibilities have been outsourced to that country, e.g., a US
insurance company that outsources IT processing and maintenance to an IT
business unit based in India
Setting the Ground Rules
Until recently, assertions on control by an organization were mostly
voluntary and based on a wide variety of internal control frameworks. To
improve consistency and quality, the SEC has mandated the use of a
recognized internal control framework that is established by a body or group
that has followed due-process procedures, including the broad distribution
of
the framework for public comment. In its final rules, specific reference is
made to the recommendations of the Committee of Sponsoring
Organizations of the Treadway Commission, otherwise known as COSO.1
COSO Defined
COSO is a voluntary, private sector organization dedicated to improving the
quality of financial reporting through business ethics, effective internal
control and corporate governance. It was originally formed in 1985 to
sponsor the National Commission on Fraudulent Financial Reporting, an
independent private sector organization often referred to as the Treadway
Commission. The sponsoring organizations include the AICPA, American
Accounting Association (AAA), Financial Executives International
(FEI), Institute of Internal Auditors (IIA) and Institute of Management
Accountants (IMA).
The sections that follow provide further insight into COSO as well as its
implications for IT.
Adopting a Control Framework
For years, IT has played an important role in the operation of strategic and
managerial information systems. Today, these systems are inseparable from
an organization's ability to meet the demands of customers, suppliers and
other important stakeholders. With widespread reliance on IT for financial
and operational management systems, controls have long been recognized as
necessary, particularly for significant information systems.
In the draft audit standard of 7 October 2003, the PCAOB states:
Because of the frequency with which management of public companies is
expected to use COSO as the framework for the assessment, the directions
in the proposed standard are based on the COSO framework. Other
suitable frameworks have been published in other countries and likely will
be published in the future. Although different frameworks may not contain
exactly the same elements as COSO, they should have elements that
encompass all of COSO's general themes.
It will be important to demonstrate how IT controls support the COSO
integrated framework. An organization should have IT control competency
in all COSO components.
Setting the Ground Rules 11
1 www.coso.org
12 IT Control Objectives for Sarbanes-Oxley
COSO identifies five essential components of effective internal control.
The following is a description of each component and its relationship to IT.
Detailed IT control objectives have been included at the end of this
document to provide considerations for Sarbanes-Oxley compliance.
1. Control Environment
Control environment creates the foundation for effective internal control,
establishes the "tone at the top," and represents the apex of the corporate
governance structure. The issues raised in the control environment
component apply throughout an organization.
The control environment primarily addresses the company level.
However, IT frequently has characteristics that may require additional
emphasis on business alignment, roles and responsibilities, policies and
procedures, and technical competence. The following list describes some
considerations related to the control environment and IT:
. IT is often mistakenly regarded as a separate organization of the business
and thus a separate control environment.
. IT is complex, not only with regard to its technical components but also
as
to how those components integrate into the company's overall system of
internal control.
. IT can introduce additional or increased risks that require new or
enhanced
control activities to mitigate successfully.
. IT requires specialized skills that may be in short supply.
. IT may require reliance on third parties where significant processes or IT
components are outsourced.
. The ownership of IT controls may be unclear.
2. Risk Assessment
Risk assessment involves the identification and analysis by management of
relevant risks to achieve predetermined objectives, which form the basis for
determining control activities. It is likely that internal control risks
could be
more pervasive in the IT organization than in other areas of the company.
Risk assessment may occur at the company level (for the overall
organization) or at the activity level (for a specific process or business
unit).
At the company level, the following may be expected:
. An IT planning subcommittee of the company's overall Sarbanes-Oxley
steering committee. Its responsibilities may include the following:
- Oversight of the development of the IT internal control strategic plan,
its
effective and timely execution/implementation, and its integration with
the overall Sarbanes-Oxley compliance plan
- Assessment of IT risks, e.g., data security, availability and performance
analysis
At the activity level, the following may be expected:
. Formal risk assessments built throughout the systems development
methodology
. Risk assessments built into the infrastructure operation and change
process
. Risk assessments built into the program change process
3. Control Activities
Control activities are the policies, procedures and practices that are put
into
place to ensure that business objectives are achieved and risk mitigation
strategies are carried out. Control activities are developed to specifically
address each control objective to mitigate the risks identified.
Control activities primarily address the activity level.
Without reliable information systems and effective IT control activities,
public companies would not be able to generate accurate financial reports.
COSO recognizes this relationship and identifies two broad groupings of
information system control activities: general controls and application
controls.
General controls, which are designed to ensure that the financial
information
generated from a company's application systems can be relied upon, include
the following types:
. Data center operation controls-Controls such as job setup and scheduling,
operator actions, backup and recovery procedures, and contingency or
disaster recovery planning
. System software controls-Controls over the effective acquisition,
implementation and maintenance of system software, database
management, telecommunications software, security software and utilities
. Access security controls-Controls that prevent inappropriate and
unauthorized use of the system
. Application system development and maintenance controls-Controls over
the development methodology, which include system design and
implementation, outlining specific phases, documentation requirements,
approvals, and checkpoints to control the development or maintenance of
the project
The draft audit standard of 7 October 2003 from the PCAOB specifically
precludes the external auditor from using the results of certain information
technology general controls testing performed by management and others as
well as any work related to companywide antifraud programs. The previously
mentioned controls are those on which the operating effectiveness of other
controls depend.
Setting the Ground Rules 13
14 IT Control Objectives for Sarbanes-Oxley
Application controls are embedded within software programs to prevent or
detect unauthorized transactions. When combined with other controls, as
necessary, application controls ensure the completeness, accuracy,
authorization and validity of processing transactions. Some examples of
application controls include:
. Balancing control activities-These controls detect data entry errors by
reconciling amounts captured either manually or automatically to a control
total. For example, a company automatically balances the total number of
transactions processed and passed from its online order entry system to the
number of transactions received in its billing system.
. Check digits-Calculations to validate data. A company's part numbers
contain a check digit to detect and correct inaccurate ordering from its
suppliers. Universal product codes include a check digit to verify the
product and the vendor.
. Predefined data listings-Provide the user with predefined lists of
acceptable data. For example, a company's intranet site might include
dropdown
lists of products available for purchase.
. Data reasonableness tests-Compare data captured to a present or learned
pattern of reasonableness. For example, an order to a supplier by a home
renovation retail store for an unusually large number of board feet of
lumber may trigger a review.
. Logic tests-Include the use of range limits or value/alphanumeric tests.
For example, credit card numbers have a predefined format.
General controls are needed to support the functioning of application
controls, and both are needed to ensure accurate information processing and
the integrity of the resulting information used to manage, govern and report
on the organization. As application controls increasingly replace manual
controls, general controls are becoming more important.
4. Information and Communication
COSO states that information is needed at all levels of an organization to
run
the business and achieve the entity's control objectives. However, the
identification, management and communication of relevant information
represents an ever-increasing challenge to the IT department. The
determination of which information is required to achieve control
objectives,
and the communication of this information in a form and time frame that
allows people to carry out their duties, supports the other four components
of the COSO framework.
The IT organization processes most financial reporting information. However,
its scope is usually much broader. For example, the IT department may also
assist in implementing mechanisms to identify and communicate significant
events, such as e-mail systems or executive decision support systems.
COSO also notes that the quality of information includes ascertaining
whether the information is:
. Appropriate-Is it the right information?
. Timely-Is it available when required and reported in the right period
of time?
. Current-Is it the latest available?
. Accurate-Are the data correct?
. Accessible-Can authorized individuals gain access to it as necessary?
At the company level, the following may be expected:
. Development and communication of corporate policies
. Development and communication of reporting requirements, including
deadlines, reconciliations, and the format and content of monthly, quarterly
and annual management reports
. Consolidation and communication of financial information
At the activity level, the following may be expected:
. Development and communication of standards to achieve corporate
policy objectives
. Identification and timely communication of information to assist in
achieving business objectives
. Identification and timely reporting of security violations
5. Monitoring
Monitoring, which covers the oversight of internal control by management
through continuous and point-in-time assessment processes, is becoming
increasingly important to IT management. There are two types of monitoring
activities: continuous monitoring and separate evaluations.
IT performance and effectiveness are increasingly monitored using
performance measures that indicate if an underlying control is operating
effectively. Consider the following examples:
. Defect identification and management-Establishing metrics and analyzing
the trends of actual results against metrics can provide a basis for
understanding the underlying reasons for processing failures. Correcting
these causes can improve system accuracy, completeness of processing and
system availability.
. Security monitoring-Building an effective IT security infrastructure
reduces the risk of unauthorized access. Improving security can reduce the
risk of processing unauthorized transactions and generating inaccurate
reports, and can ensure a reduction of the availability of key systems if
applications and IT infrastructure components have been compromised.
An IT organization also has many different types of separate
evaluations, including:
. Internal audits
. External audits
Setting the Ground Rules 15
16 IT Control Objectives for Sarbanes-Oxley
. Regulatory examinations
. Attack and penetration studies
. Independent performance and capacity analyses
. IT effectiveness reviews
. Control self-assessments
. Independent security reviews
. Project implementation reviews
At the company level, the following may be expected:
. Centralized continuous monitoring of computer operations
. Centralized monitoring of security
. IT internal audit reviews (While the audit may occur at the activity
level,
the reporting of audit results to the audit committee will be at the company
level.)
At the activity level, the following may be expected:
. Defect identification and management
. Local monitoring of computer operations or security
. Supervision of local IT personnel
Assessing the Readiness of IT
Sarbanes-Oxley now requires all qualifying SEC-registered organizations to
document, evaluate, monitor and report on internal control over financial
reporting and disclosure controls and procedures, which include IT controls.
The first step in this process will be to assess the overall strength of IT
control in the organization by considering the questions illustrated in
figure 3.
Figure 3-Sarbanes-Oxley IT Diagnostic Questions
1. Does the Sarbanes-Oxley steering committee understand the risks inherent
in IT
systems and their impact on compliance with Section 404?
2. Does IT management understand the financial reporting process and its
supporting systems?
3. Does the CIO have an advanced knowledge of the types of IT controls
necessary
to support reliable financial processing?
4. Are policies governing security, availability and processing integrity
established,
documented and communicated to all members of the IT organization?
5. Are the IT department's roles and responsibilities related to Section 404
documented and understood by all members of the department?
6. Do members of the IT department understand their roles, do they possess
the
requisite skills to perform their job responsibilities relating to internal
control, and
are they supported with appropriate skill development?
7. Is the IT department's risk assessment process integrated with the
company's
overall risk assessment process for financial reporting?
8. Does the IT department document, evaluate and remediate IT controls
related to
financial reporting on an annual basis?
9. Does the IT department have a formal process in place to identify and
respond to
IT control deficiencies?
10. Is the effectiveness of IT controls monitored and followed up on a
regular basis?
The responses to these questions will help determine (1) if the IT
department
is integrated with the overall Sarbanes-Oxley Section 404 implementation
plan, (2) if the IT department has documented and evaluated IT controls and
(3) if executive management, including the CIO, appreciates the impact that
the IT department has on Sarbanes-Oxley Section 404 compliance.
Establishing IT Control Guidelines for Sarbanes-Oxley
While the importance of IT controls is embedded in the COSO internal
control framework, IT management requires more examples to help identify,
document and evaluate IT controls.
Several IT internal control frameworks exist. However, the IT control
objectives known as COBIT are considered particularly useful, and are an
open
framework, which aligns with the spirit of the Sarbanes-Oxley requirement
that any framework used be open and generally acceptable. COBIT is an IT
governance model that provides both company-level and activity-level
objectives along with associated controls. Using the COBIT framework, a
company can design a system of IT controls to comply with Section 404.
Before deciding to use COBIT as the basis for developing the IT control
objectives considered in this research, consideration was also given to
other
IT control guidelines-including ISO17799, the Information Technology
Infrastructure Library (ITIL) and the Common Criteria-to ensure that
important general and application controls necessary to satisfy Sarbanes-
Oxley were addressed.
In the development of this IT control template, each control objective was
challenged to ensure its relevance and importance to the requirements of
Sarbanes-Oxley. This process of evaluation resulted in some COBIT control
objectives being excluded or combined into a single objective, for
simplicity
purposes. Furthermore, each IT control objective has been reconciled to
COSO, to support alignment with an organization's overall Sarbanes-Oxley
program.
While COSO identifies five components of internal control (as illustrated in
figure 4) that need to be in place and integrated to achieve financial
reporting and disclosure objectives, COBIT provides similar guidance for IT.
The five components of COSO-beginning with identifying the control
environment and culminating in the monitoring of internal controls-can be
visualized as the horizontal layers of a three-dimensional cube with the
COBIT objective domains-from Plan/Organize through Monitor/Evaluate-
applying to each individually and in aggregate.
Setting the Ground Rules 17
18 IT Control Objectives for Sarbanes-Oxley
COSO Components
COBIT Objectives
Plan and
Organize
Seeccttiioonn 330022
Seeccttiioonn 440044
Deliver and
Support
Monitor and
Evaluate
Acquire and
Implement
IT controls should consider the overall governance framework
to support the quality and integrity of information.
Competency in all five layers of COSO's framework are
necessary to achieve an integrated control program.
Controls in IT are relevant to both financial reporting
and disclosure requirements of Sarbanes-Oxley.
Risk Assessment
Monitoring
Information and Communication
Control Activities
Control Environment
Figure 4-Internal Control Components
Closing the Gap
The following section provides a compliance road map that is tailored to the
specific objectives and responsibilities of IT departments.
Road Map for Compliance
Understanding how Sarbanes-Oxley applies to a company-based on its
business characteristics-can aid in the development of the internal control
program. Many factors come into play, and larger companies will face
challenges distinct from those of smaller enterprises. Also, the extent to
which a strong internal control framework is already in place will have
significant bearing on activities.
The compliance road map, illustrated in figure 5, provides direction for IT
professionals on meeting the challenges of Sarbanes-Oxley.
1. Plan and Scope
Scoping the project is, without question, one of the most important
activities
in the entire program. While it is true that general controls cut across
geographies and business processes, not all IT processes are relevant.
In this project initiating phase, organizations should form an IT control
subcommittee that is integrated into and reports to the overall Sarbanes-
Oxley steering committee. Smaller organizations may be able to redeploy, on
a part-time basis, existing staff; however, larger organizations may need
dedicated full-time personnel.
Closing the Gap 19
Business Value
Sarbanes-Oxley Compliance
1. Plan
and
Scope
. Financial
reporting
process
. Supporting
systems
8. Document
Results
. Coordination with auditors
. Internal sign-off (302, 404)
. Independent
sign-off (404)
9. Build
Sustainability
. Internal evaluation
. External evaluation
7. Determine
Material
Weaknesses
. Significant deficiency
. Material weakness
. Remediation
6. Evaluate
Operational
Effectiveness
. Internal audit
. Technical testing
. Self assessment
. Inquiry
. All locations and controls
(annual)
5. Evaluate
Control
Design
. Mitigate control
risk to an
acceptable level
. Understood by
users
3. Identify
Significant
Accounts/Controls
. Application controls
over initiating,
recording, processing
and reporting
. IT general controls
2. Perform
Risk
Assessment
. Probability and
impact to
business
. Size/complexity
4. Document Control Design
. Policy manuals
. Procedures
. Narratives
. Flowcharts
. Configurations
. Assessment questionnaires
Figure 5-Compliance Road Map
20 IT Control Objectives for Sarbanes-Oxley
As a critical first step, organizations must understand how the financial
reporting process works and identify where technology is critical in the
support of this process. This will identify key systems and subsystems that
need to be included in the scope of the project. Typically, systems will be
considered in scope, if they participate in the initiation, recording,
processing
and reporting of financial information.
As defined in paragraph 43 of the draft audit standard of 7 October 2003
from the PCAOB, processes and controls to be included in the scope of the
program generally include:
. Controls over initiating, recording, processing, and reporting significant
accounts and disclosures and related assertions embodied in the financial
statements.
. Controls over the selection and application of accounting policies that
are
in conformity with generally accepted accounting principles.
. Antifraud programs and controls.
. Controls, including information technology general controls, on which
other controls are dependent.
. Controls over significant nonroutine and nonsystematic transactions, such
as accounts involving judgments and estimates.
. Controls over the period-end financial reporting process, including
controls over procedures used to enter transaction totals into the general
ledger; to initiate, record, and process journal entries in the general
ledger;
and to record recurring and nonrecurring adjustments to the financial
statements (e.g., consolidating adjustments, report combinations, and
reclassifications).
2. Perform Risk Assessment
Risk assessment enables organizations to understand how events can inhibit
the achievement of business objectives. Risk assessment requires two
perspectives: likelihood and impact. Likelihood reflects the potential for
events to occur, while impact reflects the effect of such events.
In the context of the IT compliance program, a risk assessment must be
performed for systems supporting the financial reporting process. Examples
of risks that could undermine financial reporting include failures of:
. The quality and integrity of information managed by IT systems
. Access controls over IT systems and related applications
. Authorizations designed and automated into application systems
. The availability and timeliness of information
. The confidentiality of information disclosure
. Recoverability controls designed to support continued reporting
Consideration must also be given to the relative financial and operational
significance of various IT processing locations or business units. In some
cases, the outsourcing or centralization of general IT controls may be
significant to the business. In this way, compliance teams should understand
the probability and impact of failures at each significant location and
their
potential impact to the overall organization.
Although a location or business unit may not be significant from a financial
standpoint, it may still be an important location. For example, a business
unit
could be responsible for critical online processing, and from an IT
perspective, be dependent on local systems for continuous operation. The
nature of these operations could have a material impact on the organization
and potentially expose it to a risk of material misstatement, even though
the
relative financial significance is not great. In such an event,
consideration of
IT controls at this location would be appropriate.
When determining which locations or business units to include in the scope
of the Sarbanes-Oxley program, organizations should consider the following:
. The extent of dependence on IT at the various locations or business units
. The degree of consistency in process and procedures with other locations
or business units. Where processes and procedures are unique,
organizations may need to consider these locations separately and ensure
that overall control objectives are met.
. The organization's assessment of risk related to the location or business
unit
3. Identify Significant Accounts/Controls
COSO identifies two broad groupings of information system control
activities:
. Application controls, which apply to the business processes they support,
and are designed within the application to prevent/detect unauthorized
transactions. When combined with manual controls, as necessary,
application controls ensure completeness, accuracy, authorization and
validity of processing transactions.
. General controls, which apply to all information systems and support
secure and continuous operation
For application controls, organizations should first identify significant
accounts that could have a material impact on the financial reporting and
disclosure process. Once the significant accounts have been identified,
application controls relevant to such accounts should be identified and
documented.
For information technology general controls, organizations should assess
those controls that support the quality and integrity of information, and
that
are designed to mitigate the identified risks.
Closing the Gap 21
22 IT Control Objectives for Sarbanes-Oxley
The appendix of IT Control Objectives for Sarbanes-Oxley, provides details
on the specific control objectives that should be considered for both
general
and application controls. Since company-level controls are primarily related
to the control environment and risk assessment components of COSO, and
their existence sets the tone for the effectiveness of all other controls,
assessing company-level controls is a key objective for this phase. It
includes
such elements as:
. Tone from the top
. Integrity, ethical values and competence
. IT management's philosophy and operating style
. Delegation of authority and responsibility for IT management
. IT policies and procedures
. The quality and skill of people involved with the organization
. The direction provided by senior management
4. Document Control Design
Documentation is a unique aspect to the Sarbanes-Oxley compliance process
that will likely pose a significant challenge for organizations. While most
companies have controls in place, few have documentation to provide
sufficient evidence of their design and operation.
While the PCAOB has not given detailed guidance on documentation
requirements, it states in the draft standard that documentation should be
sufficient for the external auditor to review the design and test the
effectiveness of a control.
The draft standard addresses documentation in paragraphs 43 through 47. In
addition to stating that documentation should include the five components of
internal control over financial reporting, the draft standard states:
44. Documentation might take many forms of presentation and can include
a variety of information, including policy manuals, process models,
flowcharts, job descriptions, documents, and forms. No one form of
documentation is required, and the extent of documentation will vary
depending on the size, nature, and complexity of the company.
45. Documentation of the design of controls over relevant assertions
related to significant accounts and disclosures is evidence that controls
related to management's assessment about the effectiveness of internal
control over financial reporting, including changes to those controls, have
been identified, are capable of being communicated to those responsible
for their performance, and are capable of being monitored by the
company. Such documentation also provides the foundation for
appropriate communication concerning responsibilities for performing
controls and for the company's evaluation of and monitoring of the
effective operation of controls.
46. Inadequate documentation of the design of controls over relevant
assertions related to significant accounts and disclosures is a deficiency
in
the company's internal control over financial reporting.
Management should discuss the proposed extent and detail of their control
documentation with their external auditors early in the process to reduce
the
risk that the external auditor will consider their control documentation
deficient.
Understanding control theory and the concepts that define "IT control
design" will be an important competency of IT organizations in the future.
Put simply, IT control design defines the approach an organization follows
to
reduce IT risk-the risk that IT prevents the business from achieving
its objectives-to an acceptable level. Once the control is properly
designed,
its implementation and continued effectiveness become the focus. The
existence of controls and their effectiveness are discussed in subsequent
phases.
Equally important in this phase is the documentation that supports an
organization's control program. Documentation should be prepared-both at
the company level as well as the activity level-of the objectives that the
controls are designed to achieve to support the organization's internal
control
over financial reporting and disclosure controls and procedures.
It is advisable that an organization document its approach to IT control,
including the assignment of authority and responsibility for IT controls as
well as their design and operation.
5. Evaluate Control Design
In this phase, an IT organization must step back and evaluate the ability of
its control program to reduce IT risk to an acceptable level and to ensure
it is
understood by users. The PCAOB draft audit standard of 7 October 2003
discusses the factors that might contribute to controls not operating
effectively. In particular paragraph 74 states:
Factors that affect whether the control might not be operating effectively
include the following:
. The degree to which the control relies on the effectiveness of other
controls (for example, the control environment or information technology
general controls)
To help in this process, consider the IT control design and effectiveness
model in figure 6. Depending on how the organization measures up, it may
be necessary to spend some time enhancing the design and effectiveness of
the control program.
Closing the Gap 23
24 IT Control Objectives for Sarbanes-Oxley
Figure 6 demonstrates the stages of control reliability that may exist
within
organizations. For the purposes of establishing internal control, some
organizations may be willing to accept IT controls that fall somewhere short
of stage 3. However, given the Act's requirements for independent
attestation
of controls by external audit, controls will more than likely require the
attributes and characteristics of stage 3 or higher for key control
activities.
The table presented in figure 7 provides insight into the various
characteristics of each stage as well as the related implications. IT
organizations must realize that there is little definition or guidance
regarding
the attributes or characteristics necessary to comply with the Act. The SEC
has indicated that no particular form of documentation is approved or
required, and the extent of documentation may vary, depending upon the size
and complexity of the organization.
6. Evaluate Operational Effectiveness
Once control design has been assessed, as appropriate, its implementation
and continuing effectiveness must be confirmed. During this stage, initial
and ongoing tests-conducted by individuals responsible for the controls and
the internal control program management team-should be performed to
check on the operating effectiveness of the control activities.
Design and Operating Effectiveness
Extent of Documentation, Awareness and Monitoring
Stage 0
Non-existent
Stage 1
Initial/Ad Hoc
Stage 2
Repeatable but Intuitive
Stage 3
Defined Process
Stage 4
Managed and Measurable
Stage 5
Optimized
Figure 6-Stages of Control Reliability
Closing the Gap 25
Figure 7-Control Quality
At this level, there
is a complete lack
of any recognizable
control process or
the existence of
any related
procedures. The
organization has
not even
acknowledged
there is an issue to
be addressed and
therefore no
communication
about the issue is
generated.
There is some
evidence the
organization
recognizes that
controls and
related procedures
are important and
that they need to
be addressed.
However, controls
and related
policies and
procedures are
not in place and
documented.
An event and
disclosure process
does not exist.
Employees are not
aware of their
responsibility for
control activities.
The operating
effectiveness of
control activities is
not evaluated on a
regular basis.
Control
deficiencies are
not identified.
Controls and
related policies
and procedures
are in place but
not always fully
documented.
An event and
disclosure
process is in place
but not
documented.
Employees may
not be aware of
their responsibility
for control
activities.
The operating
effectiveness of
control activities
is not adequately
evaluated on a
regular basis and
the process is not
documented.
Control
deficiencies may
be identified but
are not remedied
in a timely
manner.
Controls and
related policies
and procedures
are in place and
adequately
documented.
An event and
disclosure process
is in place and
adequately
documented.
Employees are
aware of their
responsibility for
control activities.
The operating
effectiveness of
control activities is
evaluated on a
periodic basis
(e.g., quarterly),
however the
process is not
fully documented.
Control
deficiencies are
identified and
remedied in a
timely manner.
Controls and
related policies
and procedures
are in place,
adequately
documented, and
employees are
aware of their
responsibility for
control activities.
An event and
disclosure process
is in place,
adequately
documented and
monitored, but not
always reevaluated
to reflect
major process or
organizational
changes.
The operating
effectiveness of
control activities is
evaluated on a
periodic basis
(e.g., weekly) and
the process is
adequately
documented.
There is limited,
primarily tactical,
use of technology
to document
processes, control
objectives and
activities.
Stage 5 meets all
of the
characteristics of
stage 4.
An enterprisewide
control and risk
management
program exists
such that controls
and procedures
are well
documented and
continuously
reevaluated to
reflect major
process or
organizational
changes.
A self-assessment
process is used to
evaluate the design
and effectiveness
of controls.
Technology is
leveraged to its
fullest extent to
document
processes, control
objectives and
activities, identify
gaps, and evaluate
the effectiveness
of controls.
The organization
has a total
inability to be in
compliance at
even the minimum
level.
Insufficient
controls, policies,
procedures and
documentation
exist to even
support
management's
assertion.
The level of effort
to document, test
and remedy
controls is very
significant.
Although controls,
policies and
procedures are in
place, insufficient
documentation
exists to support
management's
certification and
assertion.
The level of effort
to document, test
and remedy
controls is
significant.
Sufficient
documentation
exists to support
management's
certification and
assertion.
The level of effort
to document, test
and remedy
controls may be
significant
depending on the
organization's
circumstances.
Sufficient
documentation
exists to support
management's
certification and
assertion.
The level of effort
to document, test
and remedy
controls may be
less significant
depending on the
organization's
circumstances
Implications of
stage 4 remain.
Improved
decision-making is
enabled because of
high-quality, timely
information.
Internal resources
are used effectively
and efficiently.
Information is
timely and reliable.
Implications Characteristics
Stage 0-
Non-existent
Stage 1-
Initial/Ad Hoc
Stage 2-
Repeatable but
Intuitive
Stage 3-
Defined
Process
Stage 4-
Managed and
Measurable
Stage 5-
Optimized
26 IT Control Objectives for Sarbanes-Oxley
Ordinarily, organizations should test more extensively and with higher
frequency those controls on which other significant controls depend (for
example, general controls as opposed to application controls). In making a
judgment about the extent of testing that is appropriate, organizations
should consider how the IT control impacts financial and disclosure
reporting processes.
The PCAOB draft audit standard of 7 October 2003 specifically addresses
service auditor's reports in paragraphs B29 through B34. In particular:
There are a number of areas in which the auditor should not use the
results of testing performed by management and others, including [among
others]:
. Controls that have a pervasive effect on the financial statements, such as
certain information technology general controls on which the operating
effectiveness of other controls depend.
Some organizations use external service organizations to perform outsourced
services. These services are still part of an organization's overall
operations
and responsibility and, consequently, need to be considered in the overall
IT
internal control program.
Furthermore, the PCAOB draft audit standard of 7 October 2003 states:
B25. The use of a service organization does not reduce management's
responsibility to maintain effective internal control over financial
reporting. Rather, management should evaluate controls at the service
organization, as well as related controls at the company, when making its
assessment about internal control over financial reporting.
In such circumstances, organizations should review the activities of the
service organization in arriving at a conclusion on the reliability of its
internal control. Documentation of service organization control activities
will
be required for the attestation activities of the independent auditor, so an
assessment is required of the service organization to determine the
sufficiency and appropriateness of evidence supporting these controls.
Traditionally, audit opinions commonly known as SAS70 reports (Section
5900 in Canada) have been performed for service organizations. If these
audit reports do not include tests of controls, results of the tests and the
service auditor's opinion on operating effectiveness, they may not be deemed
sufficient for purposes of Sarbanes-Oxley compliance. In such cases,
organizations may wish to consult with their external auditors and
understand the specific requirements.
7. Determine Material Weaknesses
Deficiencies in an entity's internal control range from
inconsequential shortcomings to material weaknesses
(see sidebar, What Is the Difference Between a
Deficiency and a Weakness?). Determining whether a
deficiency is significant or material requires professional
judgment and the consideration of various factors.
In making the judgment as to which IT control
deficiencies are significant, independent auditors will
consider various factors such as the size of operations,
complexity and diversity of activities, organizational
structure, and the likelihood that the IT control
deficiency could result in a misstatement of the
organization's financial records.
To prepare, IT organizations should engage individuals
with experience performing IT control audits to identify
the weaknesses in IT internal control programs. Once a
reliable control state has been reached, a sustainability
model should be implemented to ensure its operating
effectiveness over time.
8. Document Results
During the evaluation phase, results of tests performed
should be recorded, as they will form the basis for
management assertion and auditor attestation. Again,
there is no prescribed format; the goal is to provide a
comprehensive, easily understood summary of control
effectiveness that is inclusive of all testing activities
performed. This documentation should culminate in a
management report that can be shared with senior
executives and demonstrates the overall reliability,
quality and integrity of IT systems. Doing so will help
facilitate the CEO's and CFO's enterprisewide
certifications of control.
9. Build Sustainability
The final phase ensures that internal controls are
sustainable. At this point, IT management should be in
a position to sign off on the IT internal control program
effectiveness and the effectiveness may then be
approved through an external evaluation. Control
assessment and management competencies must
become part of the IT department's organization and
culture, and sustain themselves over the long term.
Control is not an event; it is a process that requires
continuous support and evaluation to stay current.
Closing the Gap 27
What Is the Difference Between a Deficiency
and a Weakness?
An internal control deficiency may consist
of a design or operating deficiency. A design
deficiency exists when a necessary control is
missing or an existing control is not properly
designed, so that even when the control is
operating as designed the control objective is
not always met. An operating deficiency exists
when a properly designed control either is not
operating as designed or the person
performing a control does not possess the
necessary authority or qualifications to
perform the control effectively. Internal control
deficiencies relevant to internal control over
financial reporting could adversely affect the
entity's ability to initiate, record, process and
report financial data consistent with the
assertions of management in the financial
statements. Internal control deficiencies
relevant to financial reporting range from
inconsequential internal control deficiencies to
material weaknesses in internal control.
A significant deficiency is an internal control
deficiency in a significant control or an
aggregation of such deficiencies that could
result in a misstatement of the financial
statements that is more than inconsequential.
A material weakness is a significant deficiency
or an aggregation of significant deficiencies
that precludes the entity's internal control
from providing reasonable assurance that
material misstatements in the financial
statements will be prevented or detected on a
timely basis by employees in the normal
course of performing their assigned functions.
The inability to provide such reasonable
assurance results from one or more significant
deficiencies. The design or operation of one or
more of the internal control components does
not reduce to a relatively low level the risk that
misstatements caused by errors or fraud in
amounts that would be material in relation to
the financial statements may occur and may
not be detected within a timely period by
employees in the normal course of performing
their assigned functions. Therefore, the
existence of a material weakness precludes
the responsible party from concluding that
internal control is effective and the practitioner
from issuing an unqualified opinion that
internal control is effective.
Note that management is not permitted to
conclude that the company's internal control
over financial reporting is effective, if there are
one or more material weaknesses in the
company's internal control over financial
reporting.
28 IT Control Objectives for Sarbanes-Oxley
How Compliance Should Be Documented
To date, most organizations have struggled with the question of how much
documentation is necessary to support their internal control program, and in
what form it should be retained. In responding to this query, it is
important
to consider the communications from the SEC and the PCAOB as well as
those that will likely guide independent auditors in their certification
efforts.
Documentation may take various forms, including entity policy manuals, IT
policy and procedures, narratives, flowcharts, decision tables, procedural
write-ups or completed questionnaires. No single particular form of
documentation is mandated by Sarbanes-Oxley, and the extent of
documentation may vary, depending upon the size and complexity of the
organization.
For most organizations, documentation should be, at a minimum, prepared
for the following:
. Company level
- Statement of control and approach to confirming its existence and
continued effectiveness over time
. Activity level
- Description of the processes and related subprocesses (may be in
narrative form; however, it may be more effective to illustrate as
a flowchart)
- Description of the risk associated with the process or subprocess,
including an analysis of its impact and probability of occurrence.
Consideration should be given to the size and complexity of the
process or subprocess and its impact on the organization's financial
reporting process.
- Statement of the control objective designed to reduce the risk of the
process or subprocess to an acceptable level and a description of its
alignment to the COSO framework
- Description of the control activity(ies) designed and performed to satisfy
the control objective related to the process or subprocess
- Description of the approach followed to confirm (test) the existence and
operational effectiveness of the control activities
- Conclusions reached about the effectiveness of controls, as a result
of testing
Lessons Learned
Parallels can be drawn between the affect of the Sarbanes-Oxley Act of 2002
on public companies and the impact of the Federal Deposit Insurance
Corporation Improvement Act of 1991 (FDICIA) on the banking industry.
Closing the Gap 29
Both statutes introduced regulations to remedy perceived market failures,
and each enacted significant new reporting requirements. There are several
lessons public companies can learn from the FDICIA example:
. Accept that the environment has changed profoundly. Companies must
recognize that they operate in a new environment-one that demands more
effort and accountability.
. Promote understanding of internal control within the organization.
Companies may be tempted to show superficial compliance with Sarbanes-
Oxley, but such an approach may backfire if controls fail because form was
stressed over substance.
. Factor into the business model the cost of developing an internal control
program. Good internal control is not a one-time expense; rather, it
fundamentally changes the cost of doing business.
Past events ushered in a new era in the history of business, characterized
by
a firm resolve to increase corporate responsibility. Sarbanes-Oxley was
created to restore investor confidence in public markets, which have been
devastated by business scandals and lapses in corporate governance.
Although it has literally rewritten the rules for accountability, disclosure
and
reporting, good corporate governance and ethical business practices are no
longer optional niceties-they are the law.
To this end, IT professionals, especially those in executive positions, need
to
be well versed in internal control theory and practice to meet the
requirements of the Act. CIOs must now take on the challenges of (1)
enhancing their knowledge of internal control, (2) understanding their
company's overall Sarbanes-Oxley compliance plan, (3) developing a
compliance plan to specifically address IT controls and (4) integrating this
plan into the overall Sarbanes-Oxley compliance plan. Unlike previous
event-driven control activities (e.g., Y2K), Sarbanes-Oxley activity will
continue as a routine part of doing business. IT is very important to
internal
control over financial reporting. Management's assessment as required by
Section 404 of Sarbanes-Oxley is a complex and time-consuming project.
Organizations need to develop an ongoing process to monitor compliance, as
the full impact of Sarbanes-Oxley will not be known for several years.
30 IT Control Objectives for Sarbanes-Oxley
This page intentionally left blank.
Appendix-IT Control Objectives for Sarbanes-Oxley
Having set the stage for the importance of IT in preparing for Sarbanes-
Oxley compliance, the specific control objectives that will form the basis
of
the IT control program must be addressed.
The table in figure 8 illustrates the segments of COBIT and maps their
relationship to the appropriate COSO component. In reviewing this material,
readers may notice that not all COBIT control objectives are mapped to the
COSO framework; for instance, "identify automated solutions." In such
cases, the COBIT objective has not been mapped since it has more to do with
operational efficiencies than financial reporting or disclosure controls. It
is
immediately evident that many COBIT segment elements have relationships
with more than one COSO component. This is expected, given the nature of
general IT controls, as they form the basis for achieving reliable
information
systems. This multirelationship attribute further demonstrates why IT
controls are the basis for all others and are essential for a reliable
internal
control program.
COBIT is a very rich and robust framework, comprising four domains,
34 IT processes and 318 detailed control objectives. It is a comprehensive
approach for managing risk and control of information technology. As such,
the control objectives and considerations set forth in this document may
exceed, or be deficient in, what is necessary for organizations seeking to
comply with the requirements of Sarbanes-Oxley. The suggested internal
control framework (COSO) to be used for compliance with Sarbanes-Oxley,
as supported by the Securities and Exchange Commission (SEC), addresses
the topic of IT general controls, but does not dictate requirements for such
control objectives and related control activities. Similarly, the audit
standards
issued by the PCAOB on 7 October 2003 highlight the importance of IT
general controls, but do not specify which in particular must be included.
Such decisions remain the responsibility of an organization's management
and independent auditors for their respective purposes. Accordingly,
companies should assess the nature and extent of information technology
controls necessary to support their internal control program on a
case-bycase
basis. Additional considerations are provided in the disclaimer section
of this publication.
The reader may find the following materials particularly useful. Preparing
this guide is not to suggest a "one size fits all" approach; instead it
recommends that each organization tailor the control objective template
to fit its specific circumstances. For example, if systems development is
considered to be of low risk, an organization may choose to amend or delete
some of the suggested detailed control objectives. An organization may also
consult with its external auditors to ensure that all attestation-critical
control
objectives are addressed.
Appendix-IT Control Objectives for Sarbanes-Oxley 31
32 IT Control Objectives for Sarbanes-Oxley
COSO Component
COBIT Control Objectives
Control
Environment
Risk
Assessment
Control
Activities
Information and
Communication
Monitoring
Define a strategic IT plan.
Define the information architecture.
Determine technological direction.
Define the IT organization and relationships.
Manage the IT investment.
Communicate management aims and direction.
Manage human resources.
Ensure compliance with external requirements.
Assess risks.
Manage projects.
Manage quality.
Acquire and Implement
Identify automated solutions.
Acquire and maintain application software.
Acquire and maintain technology infrastructure.
Develop and maintain procedures.
Install and accredit systems.
Manage changes.
Plan and Organize
. .
.. .
.
.
..
.
.
.
.
.
. .
.
.....
.
.
.
.
.
.
.
..
.
.
.
. .
...
.
.
. .
...
.
. .
.
..
.
..
..
.
...
Deliver and Support
Define and manage service levels.
Manage third-party services.
Manage performance and capacity.
Ensure continuous service.
Ensure systems security.
Identify and allocate costs.
Educate and train users.
Assist and advise customers.
Manage the configuration.
Manage problems and incidents.
Manage data.
Manage facilities.
Manage operations.
Monitor and Evaluate
Monitor the processes.
Assess internal control adequacy.
Obtain independent assurance.
Provide for independent audit.
Figure 8-COBIT Relationship to COSO
An important objective of this publication is to provide IT professionals
with
guidance on the specific control objectives that should be considered for
compliance with COSO and, ultimately, Sarbanes-Oxley. Accordingly, the
following section provides this information as well as a perspective on the
importance of the control segment and how it relates to COSO and financial
and disclosure controls.
The control objectives that follow are based on the guidance provided in
COBIT. Those familiar with COBIT will recognize that the control objectives
in this publication are not presented exactly as they are in COBIT. The end
result is a series of IT controls, designed specifically for COSO and
Sarbanes-Oxley.
As always, IT organizations should consider the nature and extent of their
operations in determining which, if not all, of the control objectives need
to
be included in their internal control program.
1. General Controls-Plan and Organize
This domain addresses strategy and tactics, and focuses on identifying the
way IT can best contribute to the achievement of the business objectives.
Furthermore, the realization of the strategic vision needs to be planned,
communicated and managed for different perspectives.
COBIT control processes that should be considered for COSO internal
control models include:
. Define a strategic plan.
. Define the information architecture.
. Define the IT organization and relationships.
. Communicate management aims and direction.
. Manage human resources.
. Ensure compliance with external requirements.
. Assess risks.
. Manage quality.
Each of these control processes is outlined in figures 9 through 16.
Appendix-IT Control Objectives for Sarbanes-Oxley 33
34 IT Control Objectives for Sarbanes-Oxley
Figure 10-Define the Information Architecture
Control Objective COSO Component
Information should be identified, captured and communicated in a form and
time frame that
enables the business to carry out its responsibilities effectively and on a
timely basis. As
processing deadlines become tighter and availability requirements become
more important, an
organization will place increasing reliance on automated, rather than
manual, systems and related
controls. Accordingly, the increasing demands on systems require appropriate
planning and
design to support these business requirements. Activities performed in this
area align with the
control activities and information and communication components of COSO. If
information
architecture is not defined or consistently applied, there is increased risk
that the information
required to prepare financial statements will not be available in a timely
manner.
IT management has defined information capture, processing Information and
and reporting controls-including completeness, accuracy, communication
validity and authorization-to support the quality and integrity
of information used for financial and disclosure purposes.
IT management has defined information classification Control activities
standards in accordance with corporate security and privacy
policies.
IT management has defined, implemented and maintained Control activities
security levels for each of the data classifications. These
security levels represent the appropriate (minimum) set of
security and control measures for each of the classifications
and are reevaluated periodically and modified accordingly.
Figure 9-Define a Strategic IT Plan
Control Objective COSO Component
The strategic planning process is a fundamental control for IT because it
provides the direction
and mandate for helping the business achieve its objectives. The plan
identifies what IT must do
to support the business, the related risks that need to be considered by the
business, the
investments required to meet these objectives and sustain them over time, as
well as senior
management's support of the overall IT mandate. Activities performed in this
area align with the
risk assessment, information and communication, and monitoring components of
COSO.
Without appropriate IT planning, over time, the business will struggle to
achieve its objectives
and, the risk of noncompliance with financial reporting and disclosure
requirements will increase.
Management prepares strategic plans for IT that align Risk assessment
business objectives with IT strategies. The planning approach
includes mechanisms to solicit input from relevant internal
and external stakeholders impacted by the IT strategic plans.
Management obtains feedback from business process owners Risk assessment
and users regarding the quality and usefulness of its IT plans
for use in the ongoing risk assessment process.
An IT planning or steering committee exists to oversee the IT Risk
assessment
function and its activities. Committee membership includes
representatives from senior management, user management
and the IT function.
The IT organization ensures that IT plans are communicated to Information
and
business process owners and other relevant parties across communication
the organization.
IT management communicates its activities, challenges and Information and
risks on a regular basis with the CEO and CFO. This communication
information is also shared with the board of directors.
The IT organization monitors its progress against the strategic Monitoring
plan and reacts accordingly to meet established objectives.
Appendix-IT Control Objectives for Sarbanes-Oxley 35
Figure 11-Define the IT Organization and Relationships
Control Objective COSO Component
The IT organization is responsible for managing all aspects of the system
environment. Ensuring
the employment of appropriate people with the necessary skills to meet the
mandate of IT, and
ultimately the business, is critical to its overall effectiveness.
Furthermore, the definition of roles
and responsibilities is necessary to establish accountability over systems
and data. Activities in
this area align to the control environment and information and communication
components of
COSO. Without appropriate skills and the definition of roles and
responsibilities, there is
increased risk that systems and data will not be reliable and will, thereby,
compromise the
business' ability to comply with legal and regulatory requirements.
IT managers have adequate knowledge and experience to fulfill Control
environment
their responsibilities.
Key systems and data have been inventoried and their owners Control
environment
identified.
Roles and responsibilities of the IT organization are defined, Control
environment
documented and understood.
IT personnel have sufficient authority to exercise the role and Control
environment
responsibility assigned to them.
The IT organizational structure is sufficient to provide for Control
environment
necessary information flow to manage its activities.
IT management has implemented a division of roles and Control environment
responsibilities (segregation of duties) that reasonably
prevents a single individual from subverting a critical process.
IT management has ensured that personnel are performing Control environment
only those duties stipulated in their respective jobs and
position descriptions.
IT staff evaluations are performed regularly (e.g., to ensure Control
environment
that the IT function has a sufficient number of competent IT
staff necessary to achieve their objectives).
Contracted staff and other contract personnel are subject to Control
environment
policies and procedures, created to control their activities by
the IT function, to assure the protection of the organization's
information assets.
IT staff understand and accept their responsibility regarding Control
environment
internal control.
IT strategies and ongoing operations are formally defined and Information
and
communicated to senior management and the board of communication
directors, e.g., through periodic meetings of an IT steering
committee.
Significant IT events or failures, e.g., security breaches, major
Information and
system failures or regulatory failures, are reported to senior communication
management or the board.
36 IT Control Objectives for Sarbanes-Oxley
Figure 13-Manage Human Resources
Control Objective COSO Component
Education and training of IT staff address how an organization supports its
people to perform
their job responsibilities in a reliable and controlled manner. Actions
performed in this area align
with the control environment and information and communication components of
COSO. The
ability, or lack thereof, to cross-train, learn and continually enhance
skill levels will directly
impact the enterprise's ability to meet new challenges and demands of the
business.
Controls are in place to support appropriate and timely Control environment
responses to job changes and job terminations so that
internal controls and security are not impaired by such
occurrences.
The IT organization subscribes to a philosophy of continuous Information and
learning, providing necessary training and skill development communication
to its members.
The IT organization adopts and promotes the entity's culture Control
environment
of integrity management, including ethics, business practices
and human resource evaluations, to ensure compliance.
Figure 12-Communicate Management Aims and Direction
Control Objective COSO Component
Establishing a reliable system requires participation from all members of
the IT organization. To
accomplish this, members of the IT organization should be informed and
committed to the
direction of IT and its ability to meet the objectives outlined in the
strategic plan. Activities in this
area align to the control environment and information and communications,
and monitoring
components of COSO. Without communicating its direction, IT organizations
may be unable to
obtain the commitment of their members and, ultimately, achieve their goals.
IT management has formulated, developed and documented Control environment
policies and procedures governing the IT organization's
activities.
IT management has communicated policies and procedures Information and
governing the IT organization's activities. communication
IT management periodically reviews its policies, procedures Monitoring
and standards to reflect changing business conditions.
IT management has processes in place to investigate Monitoring
compliance deviations and introduce remedial action.
IT management has a process in place to assess compliance Monitoring
with its policies, procedures and standards.
Appendix-IT Control Objectives for Sarbanes-Oxley 37
Figure 14-Ensure Compliance with External Requirements
Control Objective COSO Component
The organization should establish and maintain procedures to ensure
compliance with
Sarbanes-Oxley, the SEC and other external regulatory requirements. The
compliance function
should identify and communicate requirements that could potentially impact
the IT organization.
The IT organization should establish a framework of control to ensure that
external requirements
are understood and managed. If external requirements that could impact
financial reporting are
not addressed, then this could jeopardize accurate reporting of financial
results. Activities in this
area are aligned with the control activities, information and communication,
and monitoring
components of COSO.
The organization monitors changes in external requirements Monitoring
for legal, regulatory or other external requirements related to
IT practices and controls.
Control activities are in place and followed to ensure Control activities
compliance with external requirements, such as regulatory
and legal rules.
Internal events are considered in a timely manner to support Information and
continuous compliance with legal and regulatory requirements. communication
Figure 15-Assess Risks
Control Objective COSO Component
Risk assessment is defined as "the identification and analysis of relevant
risks to achievement of
the objectives." Risk assessment is usually pervasive in the IT
organization. Activities in this area
align with the risk assessment component of COSO. Without adequate risk
assessments, there is
an increased risk that an appropriate framework of internal controls will
not be implemented. An
inadequate framework of internal control would jeopardize the Section 302
and 404 management
assertions.
The IT organization has an entity- and activity-level risk Risk assessment
assessment framework, which is used periodically to assess
information risk to achieving business objectives.
Management's risk assessment framework focuses on the Risk assessment
examination of the essential elements of risk and the cause/
effect relationship among them, including risks related to
achieving business objectives, regulatory compliance, legal
compliance, technology reliability, information integrity and
human resources.
A risk assessment framework exists and considers the Risk assessment
probability and likelihood of threats.
The IT organization's risk assessment framework measures Risk assessment
the impact of risks according to qualitative and quantitative
criteria, using inputs from different areas including, but not
limited to, management brainstorming, strategic planning,
past audits and other assessments.
The IT organization's risk assessment framework is designed Risk assessment
to support cost-effective controls to mitigate exposure to risks
on a continuing basis, including risk avoidance, mitigation
or acceptance.
A comprehensive security assessment is performed for critical Risk
assessment
systems and locations based on their relative priority and
importance to the organization.
38 IT Control Objectives for Sarbanes-Oxley
Figure 16-Manage Quality
Control Objective COSO Component
Quality programs address both general and project-specific quality assurance
activities and
should prescribe the type(s) of quality assurance activities (such as
reviews, audits, inspections,
etc.) to be performed to achieve the objectives of the general quality plan.
Activities in this area
align with all components of the COSO framework. Without quality assurance,
the organization
may not be able to rely on its systems of control, and thereby, management's
302 and 404
assertions may be jeopardized.
Documentation is created and maintained for all significant IT Control
environment
processes and activities.
A plan exists to maintain the overall quality assurance of IT Control
environment
activities based on the organizational and IT plans.
Documentation standards are in place, have been Control environment
communicated to all IT staff and are supported with training.
A quality plan exists for significant IT functions (e.g., system Control
environment
development and deployment) and provides a consistent
approach to address both general and project-specific quality
assurance activities.
The quality plan prescribes the type(s) of quality assurance Control
environment
activities (such as reviews, audits, inspections, etc.) to be
performed to achieve the objectives of the quality plan.
The quality assurance process includes a review of the Control environment
adherence to IT policies, procedures and standards.
Data integrity ownership and responsibilities have been Information and
communicated to the appropriate data owners and they communication
have accepted these responsibilities.
Figure 15-Assess Risks (cont.)
Control Objective COSO Component
Where risks are considered acceptable, there are formal Risk assessment
documentation and acceptance of residual risk with related
offsets, including adequate insurance coverage, contractually
negotiated liabilities and self-insurance.
The IT organization is committed to active and continuous risk Risk
assessment
assessment processes as an important tool in providing
information on the design and implementation of internal
controls, in the definition of the IT strategic plan, and in the
monitoring and evaluation mechanisms.
Appendix-IT Control Objectives for Sarbanes-Oxley 39
2. General Controls-Acquire and Implement
This domain includes changes in and maintenance of existing systems to
make sure that the life cycle is continued for these systems. To realize the
IT
strategy, IT solutions need to be identified, developed or acquired, as well
as
implemented and integrated into the business process.
COBIT control processes that should be considered for COSO internal
control models include:
. Acquire and maintain application software.
. Acquire and maintain technology infrastructure.
. Develop and maintain procedures.
. Install and accredit systems.
. Manage changes.
Each of these control processes is outlined in figures 17 through 21.
Figure 17-Acquire and Maintain Application Software
Control Objective COSO Component
Acquiring and maintaining application software include the design,
acquisition/building and
deployment of systems that support the achievement of business objectives.
Actions performed
in this area align with the control activities component of COSO. This is
also where controls are
designed and implemented to support the initiating, recording, processing
and reporting of
financial information and disclosure. Deficiencies in this area may have a
significant impact on
financial reporting and disclosure. For instance, without sufficient
controls over application
interfaces, financial information may not be complete or accurate.
Activities in this area align
with the control activities component of COSO.
The organization has a system development life cycle Control activities
methodology that considers security, availability and
processing integrity requirements of the organization.
The system development life cycle methodology ensures Control activities
that information systems are designed to include application
controls that support complete, accurate, authorized and
valid transaction processing.
The organization has an acquisition and planning process Control activities
that aligns with its overall strategic direction.
The organization acquires software in accordance with its Control