The Sarbanes-Oxley Act of 2002 (
The Sarbanes-Oxley Act and the Public Company Accounting Oversight Board (PCAOB) were created to restore investor confidence in U.S. public markets. The primary goal was to enhance corporate responsibility, improve financial disclosures, and
The
The Sarbanes-Oxley Act requires company executives to attest to the adequacy and effectiveness of their internal controls
As a result, information services managers (IS managers) who may not be keenly aware of the internal control measures necessary when dealing with the requirements of Sarbanes-Oxley are being asked to thoroughly examine the technology risks and test all controls. This means that many IS managers request guidelines or consulting assistance to ensure that they are in compliance with the new laws. Because of the different business cultures involved in global corporations and the number of international investors in U.S.-based corporations, it is essential that the global IT community is aware of the impact that financial
The Sarbanes-Oxley Act has many provisions. Sections 101, 302, 404, 409, and 906 are the key sections with relevance and impact on information services departments.
In section 101, the PCAOB is established as the
The primary guidance from the PCAOB in regard to auditing internal controls is provided in Auditing Standard No. 2, effective June 17, 2004, entitled, "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements." We will explore Auditing Standard No. 2 later in this chapter.
Section 302 specifies the legal responsibilities of the company's CEO and CFO. According to the Sarbanes-Oxley Act, the CEO and CFO are responsible for all internal controls and for reporting quarterly on any significant changes to internal controls that could affect the company's financial statement. Basically, these two officers must
Section 302 also defines the external auditor's role over financial reporting. The external
This section also requires that management specifically address any changes to internal controls over financial reporting that have occurred during the last quarter.
Under Section 404, the CEO and CFO attest that internal controls are in place, documented, and effective. Management assessment contains four parts. The first three
Responsibility of management for the existence and rigidity of internal controls
Evaluation of the effectiveness of internal controls
Statement of the framework used to evaluate the effectiveness of controls
Management is
The fourth part concerns the external auditor. The company's external auditor must separately attest that management's statement concerning the effectiveness of internal controls is accurate.
Note: The greatest difficulty most organizations have is
PCAOB Auditing Standard No. 2
On 9 March 2004, the PCAOB approved Auditing Standard No. 2, entitled, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements." This audit standard establishes the requirements for performing an audit of internal control over financial reporting and provides some important directions on the scope and approach required of corporation management and external
Section 409 states that the CEO and CFO will ensure "rapid and current public disclosure" of any material event that could affect the company's financial or operational performance. Material events could include any type of company restructuring, changes in personnel or
Section 906 consists of three parts. First is that every periodic report with financial information must be accompanied by a written statement by the CEO and CFO. The second part specifies that the content of this report
For most organizations, IT services are now a
The CEOs and CFOs look to the information services department to ensure that the general and specific internal controls for all applications, data, networking, contracts, licenses, telecommunications, and physical environment are documented and effective. Overall risk and control considerations are assessed at the departmental level of information services and then at the entity level. Entity-level review may vary depending on the following questions:
How large is the organization?
Are key functions outsourced?
What is the division of process and responsibilities for
How are the control responsibilities split among
How is the strategy for IS (both application and infrastructure) developed, documented, and managed?
To date, audits have found that the primary weaknesses among corporations are consistency, documentation, and communication. A given group within IS may believe that its strategy, tactical procedures, and applications are well controlled. However, communication with other groups may be lacking to the point that no one
Global organizations and non-U.S.-based companies should examine their business-unit technology operations to determine their significance to the organization as a whole. The assessment of an IS business unit depends on the materiality of transactions
A few examples of these assessment considerations might include
A U.S. multinational organization that has a single business unit that does not
A U.S.-based insurance company that outsources IS application development, technical support, or maintenance to an IT business unit based in India
Controls
During an audit, company organizations often will contend that they are not responsible for a given control because either the function is outsourced or the software was purchased from and
Documentation of the third-party controls is required for attestation by the independent auditor, so an assessment must determine the effectiveness and completeness of the service organization's internal controls. If SAS 70 or similar audit
Four functional objectives for auditing third-party services and outsourcing major portions of company activities that are relevant to companies, corporation subsidiaries, and multinationals are summarized as
Policy statements regarding data integrity, availability, and confidentiality are determined by senior management and must be maintained and contractually supported by any outsource arrangement.
Asset-protection requirements should be clearly defined and
Data and information
Service levels should be defined, measurable, and acceptable to both parties. Failure to meet service-level agreements should have some
To date, the PCAOB and external auditors reviewing compliance with Sarbanes-Oxley have been attentive primarily to security, change management, and problem management. A key focus for the audit is integrity of the technology infrastructure for processing, storage, and communication of financial data. This is
Ownership of IT controls may be unclear, especially for application controls. Therefore, the audit in each area must integrate automated and manual controls at the business-process level.
In general, the following IT controls must be documented and evaluated as effective in order to be in compliance with Sarbanes-Oxley requirements:
IT security
Change control
Data management
IT operations
Network operations
Asset management
Security administration must have an effective, documented process for monitoring and enforcing the security policies dictated by management. These policies and processes must be communicated to all user groups. If "user group stewards" are used to spread the security administration workload, those stewards must follow the same policies and procedures as the IS support staff. They, too, must communicate thoroughly and effectively with the user community.
Who has access to the application and data? Who authorizes access? How often is access level reviewed? What is the authorization process? What happens when an authorized person
Execution of financial transactions or transactions that lead to financial transactions must be limited to those individuals who have an authorized business reason to do so. Access to financial and "protected personal" data likewise must be limited to those individuals who have an authorized business reason for access.
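The access questions above (who has access, who authorized it, when it was last reviewed) and the limitation of transaction authority to people with a business reason are the kind of thing an auditor tests by pulling the application's user/entitlement export and comparing it with the approval register. The following script, added here as an illustration and not taken from the chapter, does that comparison: it flags segregation-of-duties conflicts, entitlements with no approval on record, and approvals older than the review period. The entitlement names, users, approval dates and conflict pairs are all constructed sample data; the conflict pairs are typical examples, not a prescribed list.

```python
"""Access review for a financial application (added example, constructed data)."""
from datetime import date

# Entitlement pairs that one person must not hold together: anyone who can
# both create and approve a transaction, or change vendor master data and
# release payments, can complete a fraudulent transaction alone.
# These pairs are illustrative, not a standard list.
SOD_CONFLICTS = (
    frozenset({"AP_CREATE_INVOICE", "AP_APPROVE_INVOICE"}),
    frozenset({"VENDOR_MASTER_EDIT", "AP_RELEASE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
)

# Constructed sample of the application's user -> entitlement export.
USER_ACCESS = {
    "alice": {"AP_CREATE_INVOICE", "AP_APPROVE_INVOICE"},
    "bob":   {"AP_CREATE_INVOICE"},
    "carol": {"VENDOR_MASTER_EDIT", "AP_RELEASE_PAYMENT"},
    "dave":  {"GL_POST_JOURNAL", "REPORT_VIEW"},
}

# Constructed sample of the approval register:
# (user, entitlement) -> date the business owner last authorized or re-certified it.
APPROVALS = {
    ("alice", "AP_CREATE_INVOICE"): date(2004, 1, 15),
    ("alice", "AP_APPROVE_INVOICE"): date(2004, 1, 15),
    ("bob", "AP_CREATE_INVOICE"): date(2004, 6, 1),
    ("carol", "VENDOR_MASTER_EDIT"): date(2003, 2, 1),
    ("carol", "AP_RELEASE_PAYMENT"): date(2004, 6, 1),
    # dave's GL_POST_JOURNAL and REPORT_VIEW have no approval record at all.
}


def sod_violations(access):
    """[(user, (ent_a, ent_b))] for every user holding both halves of a conflict pair."""
    out = []
    for user, ents in sorted(access.items()):
        for pair in SOD_CONFLICTS:
            if pair <= ents:
                out.append((user, tuple(sorted(pair))))
    return out


def unapproved_access(access, approvals):
    """Entitlements present in the application with no matching approval record."""
    return sorted((u, e) for u, ents in access.items() for e in ents
                  if (u, e) not in approvals)


def stale_approvals(approvals, as_of, max_age_days):
    """Approvals older than the review period: access due for re-certification."""
    return sorted((u, e) for (u, e), d in approvals.items()
                  if (as_of - d).days > max_age_days)


def review_report(access, approvals, as_of, max_age_days=180):
    """Everything an access reviewer would want to see, in one structure."""
    return {
        "sod": sod_violations(access),
        "unapproved": unapproved_access(access, approvals),
        "stale": stale_approvals(approvals, as_of, max_age_days),
    }


if __name__ == "__main__":
    for section, items in review_report(USER_ACCESS, APPROVALS, date(2004, 9, 30)).items():
        print(section)
        for item in items:
            print("   ", item)
```

The review period (180 days here) is an assumption; the point is that an entitlement without a dated, owner-signed approval cannot be shown to have an "authorized business reason," whatever the period chosen.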
To ensure accuracy, completeness, and integrity of financial reporting, companies must have a documented, effective change-control process that includes changes to financial applications, all interface applications, operating systems that control the desktop and host server, productivity tools used to create summary analysis, database management systems, and networks. The change process must provide the following:
Points for management review
Authorization
Migration of changed
Change scheduling
Management reporting
Communication of changes to the user community
Who can initiate a change? Who authorizes changes? Who can make changes? What testing should be done prior to making a change to production components? Who does the testing and
Change control applies to applications, productivity tools, and operating system software. Communication of infrastructure changes traditionally has been weak. IS department personnel have long felt that users do not care what is changed or when as long as it works. But what if it doesn't? What if a seemingly unrelated change to an application or operating system causes a category of transactions to be unreported?
Financial application change control is an obvious concern when reviewing controls over financial reporting. Frequently, compliance auditors have not assessed the risks of inadequate change control for interface systems, database infrastructure, operating systems, network systems, or hardware configurations. Even internal IS groups may not realize the relevance of documented and enforced controls in these areas related to financial reporting activities. Recent analysis by risk-assessment experts has shown that inadequate change-control methods can lead to a loss of information integrity in financial applications and data systems. The potential risks include inaccurate reporting or incomplete reporting.
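The change-control requirements listed above (authorization, testing before production, scheduling, and separation between who authorizes and who implements) are usually tested by reconciling what actually changed in production against the change tickets that approved it. The script below is an added illustration, not code from the chapter: it reads a constructed production change log and a constructed ticket register and reports every change that has no ticket, an unapproved or untested ticket, the same person as approver and implementer, a different component than the ticket names, or a timestamp outside the approved window. Field names and log format are assumptions; a real review would pull the log from the deployment tool, OS audit trail or file-integrity monitor.

```python
"""Change-control reconciliation (added example, constructed data)."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: tickets from the change-management system.
TICKETS = {
    "CHG-1001": {"component": "gl-app", "approver": "cfo_delegate", "implementer": "ops1",
                 "approved": True, "tested": True,
                 "window": ("2004-09-10 22:00", "2004-09-11 02:00")},
    "CHG-1002": {"component": "db-server", "approver": "ops2", "implementer": "ops2",
                 "approved": True, "tested": True,
                 "window": ("2004-09-12 22:00", "2004-09-13 02:00")},
    "CHG-1003": {"component": "ap-interface", "approver": "it_mgr", "implementer": "dev1",
                 "approved": False, "tested": False,
                 "window": ("2004-09-14 22:00", "2004-09-15 02:00")},
}

# Constructed sample: what actually changed in production.
# Format: timestamp|component|user|ticket (ticket may be empty)
PROD_LOG = """\
2004-09-10 23:15|gl-app|ops1|CHG-1001
2004-09-12 23:40|db-server|ops2|CHG-1002
2004-09-14 14:05|ap-interface|dev1|CHG-1003
2004-09-15 09:30|os-host|ops1|
2004-09-16 23:10|gl-app|ops1|CHG-1001
"""


def parse_log(text):
    """Turn the pipe-delimited log into dicts with a real datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, comp, user, ticket = line.split("|")
        rows.append({"ts": datetime.strptime(ts, FMT), "component": comp,
                     "user": user, "ticket": ticket or None})
    return rows


def check_change(row, tickets):
    """List of control exceptions for one production change; empty list means clean."""
    ticket = tickets.get(row["ticket"]) if row["ticket"] else None
    if ticket is None:
        return ["no change ticket"]
    findings = []
    if not ticket["approved"]:
        findings.append("ticket not approved")
    if not ticket["tested"]:
        findings.append("no test evidence")
    if ticket["component"] != row["component"]:
        findings.append("component differs from ticket")
    if row["user"] != ticket["implementer"]:
        findings.append("implemented by someone other than the assigned implementer")
    if ticket["approver"] == ticket["implementer"]:
        findings.append("approver and implementer are the same person")
    start, end = (datetime.strptime(x, FMT) for x in ticket["window"])
    if not (start <= row["ts"] <= end):
        findings.append("outside approved change window")
    return findings


def reconcile(log_text, tickets):
    """'timestamp component' -> findings, for every change with at least one exception."""
    result = {}
    for row in parse_log(log_text):
        findings = check_change(row, tickets)
        if findings:
            result[f"{row['ts'].strftime(FMT)} {row['component']}"] = findings
    return result


if __name__ == "__main__":
    for change, findings in reconcile(PROD_LOG, TICKETS).items():
        print(change, "->", "; ".join(findings))
```

The last log line is the case auditors care about most: a ticket that was valid once is reused to cover a second change days later. Matching on ticket number alone would pass it; matching on the approved window catches it.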
Data management encompasses both logical and physical data management as well as identification and protection of critical data, especially data related to financial processing and reporting.
Data Transfer between Systems
Timing and frequency of downloads from interface systems to a financial data warehouse or ERP system are audit review items. The response performance of data warehouse queries and reporting is not an issue for Sarbanes-Oxley but is critical for data warehouse functionality. The relevant issue is whether downloads are consistent, timely, and complete with validation routines. Errors found in the extract, transform, and download process should be segregated, reported, and cleared within a reasonable time frame to ensure accurate financial reporting.
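What "complete with validation routines" and "errors ... segregated, reported, and cleared" look like in practice is a load that checks itself against a control record and reconciles what landed in the warehouse with what was sent. The following is an added example, not code from the chapter: the batch id, control record, extract rows, loaded rows and column names are constructed, and the checks (row count, control total, rejected-row segregation, missing/duplicated/mismatched documents) are the generic ones any interface should carry.

```python
"""Interface-load validation and reconciliation (added example, constructed data)."""
import csv
import io
from collections import Counter
from decimal import Decimal, InvalidOperation

# Constructed: the control record the subsidiary ledger sent with the batch.
# The sender computed its total over five rows, including D4 at 1000.00.
EXTRACT_CONTROL = {"batch": "AP-20040930-01", "rows": 5, "total": Decimal("5612.50")}

# Constructed: detail rows of the extract (D4 arrives with a corrupt amount).
EXTRACT_CSV = """\
batch,doc_id,account,amount
AP-20040930-01,D1,2000,1200.00
AP-20040930-01,D2,2000,312.50
AP-20040930-01,D3,2010,1500.00
AP-20040930-01,D4,2010,abc
AP-20040930-01,D5,2020,1600.00
"""

# Constructed: what the warehouse load table holds for that batch
# (D3 never arrived, D2 was transposed, D5 was loaded twice).
LOADED_CSV = """\
batch,doc_id,account,amount
AP-20040930-01,D1,2000,1200.00
AP-20040930-01,D2,2000,321.50
AP-20040930-01,D5,2020,1600.00
AP-20040930-01,D5,2020,1600.00
"""


def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def validate_extract(rows, control):
    """Split the extract into (good, rejected) and check it against the control record.

    Rejected rows are kept, not dropped, so they can be reported and cleared
    before the batch is treated as loaded.
    """
    good, rejected = [], []
    for r in rows:
        try:
            r["amount"] = Decimal(r["amount"])
            good.append(r)
        except (InvalidOperation, ValueError):
            rejected.append({**r, "reason": "non-numeric amount"})
    issues = []
    if len(rows) != control["rows"]:
        issues.append(f"row count {len(rows)} != control {control['rows']}")
    total = sum((r["amount"] for r in good), Decimal("0"))
    if total != control["total"]:
        issues.append(f"control total {total} != {control['total']}")
    return good, rejected, issues


def reconcile_load(extract_rows, loaded_rows):
    """(missing, duplicated, amount-mismatched) document ids, extract vs. warehouse."""
    src = {r["doc_id"]: Decimal(r["amount"]) for r in extract_rows}
    dst = {r["doc_id"]: Decimal(r["amount"]) for r in loaded_rows}
    counts = Counter(r["doc_id"] for r in loaded_rows)
    missing = sorted(d for d in src if d not in dst)
    duplicated = sorted(d for d, n in counts.items() if n > 1)
    mismatched = sorted(d for d in src if d in dst and src[d] != dst[d])
    return missing, duplicated, mismatched


def run_checks():
    """Run both stages and return the exception report a reviewer would clear."""
    good, rejected, issues = validate_extract(read_rows(EXTRACT_CSV), EXTRACT_CONTROL)
    missing, duplicated, mismatched = reconcile_load(good, read_rows(LOADED_CSV))
    return {
        "rejected": [r["doc_id"] for r in rejected],
        "control_issues": issues,
        "missing_in_warehouse": missing,
        "duplicated_in_warehouse": duplicated,
        "amount_mismatch": mismatched,
    }


if __name__ == "__main__":
    for k, v in run_checks().items():
        print(f"{k}: {v}")
```

Amounts are handled as Decimal rather than float so that control totals compare exactly; a float sum that drifts by a fraction of a cent would either raise false exceptions or, worse, require a tolerance that hides real ones.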
Database Structures
Compatibility of database management systems used to store financial data is important. If the transactional data used for financial reporting are stored in different data structures, the integrity of summation, interpretation, and analysis can be jeopardized. If different data structures are necessary, then
Data-Element Consistency
Many companies run multiple accounting systems that use different terminology to represent the same information or the same terminology to represent different information. Therefore, metadata files and data dictionaries should be used to ensure consistent interpretation of key data elements.
Physical Control of Data
The physical control of data is crucial to the integrity of financial reporting as well. If the facilities where servers, workstations, and hard-copy reports are located are not secured, then unauthorized viewing or change may compromise transactions and/or data.
Data Backup
Timing and frequency of the backup process should be determined by the business need for short-
The PCAOB stated that
Day-to-day service-level management
Management of third-party services
System availability
Client services
Configuration and systems management
Problem management and resolution
Operations management scheduling
Facilities management
The system software component of operations includes controls over acquisition, implementation, configuration, and maintenance of operating system software, database management systems, middleware software, network communications software, security software, and utilities. System software also includes the incident tracking, logging, and monitoring functions. Finally, a less obvious example of an IT operations control is detailed reporting on the use of utilities, which alerts management to unauthorized access to powerful data-altering functions.
Audit of the network operations and problem management includes a review of entry points to the wide area network (WAN) or local area network (LAN). Proper configuration of firewalls, routers, and modems is essential to avoid unauthorized access to and potential modification of the company financial applications and data. The complete network configuration diagram, including all servers, routers, and firewalls, must be included in the documentation provided to the auditors. Inbound modem and virtual private network (VPN) connections pose a particularly high risk of unauthorized access. All outside telecommunication connections (Internet or point-to-point) must be forced to go through the company network routers and firewalls. See Chapter 5 for more information about auditing network devices.
The current threat of hackers, viruses, worms, and other malicious behavior dictates that each server and workstation (especially portable computers) have antivirus software and the latest antivirus definitions. Potential risk for loss of critical financial data is high should companies not keep antivirus software up to date.
Any virus or worm problems
Audit of asset management deals mostly with authorization, financial expenditure, and appropriate depreciation and reporting. Have key assets (e.g., software, data, hardware, middleware, and facilities) been inventoried and their "company
Fixed-asset recording
Purchase price
Delivery
Segregated responsibility for ordering
Purchase approval
Receipt and disbursement
Inventory
Depreciation
Asset disposal
Change management of asset inventory
Overall understanding of asset procedures
As a result, records management is an
Within asset management, companies should consider facilities controls. Are data center facilities equipped with adequate environmental controls to maintain systems and data, for example, fire suppression, uninterruptible power supply (UPS), air conditioning, elevated floors, and documented emergency procedures? See Chapter 4 for more information pertaining to auditing facilities controls.
Costs for reviewing internal controls and complying with the Sarbanes-Oxley Act can be high, both in internal costs and in external service costs. Most internal IS personnel do not have the background, knowledge, or experience with controls to adequately assess whether the current environment meets Sarbanes-Oxley requirements. Individuals may not have the motivation to do thorough documentation or communication either. Therefore, specialized IT auditors often are brought into the company to do a gap analysis, to determine what is
Despite the high cost of compliance, ineffective controls or
In multinational corporations, auditors may be pressed to more closely question suspicious payments that have the earmarks of bribes. In the past, corporate executives did not have a duty to disclose questionable payments that were paid to receive offshore services. This may no longer be an option.
For more specific points to consider,