The Sarbanes-Oxley Act of 2002 (formally known as the Public Company Accounting Reform and Investor Protection Act) was a response from the U.S. government to a rash of notorious corporate scandals that began with Enron and Arthur Andersen, followed closely by Tyco, Adelphia Communications, WorldCom, HealthSouth, and many others.
The Sarbanes-Oxley Act and the Public Company Accounting Oversight Board (PCAOB) were created to restore investor confidence in U.S. public markets. The primary goal was to enhance corporate responsibility, improve financial disclosures, and deter corporate and accounting fraud.
The monetary impact on corporations of complying with this legislation has brought much dissent and lobbying for less strict guidelines. Small companies are seeking exemption from the extensive documentation and reporting. Adjustments during 2005-2006 clarified the extent to which technology controls must be tested and which companies must assert adequate internal controls for all areas with any impact on financial transactions and reporting.
The Sarbanes-Oxley Act requires company executives to attest to the adequacy and effectiveness of their internal controls related to financial transactions and reporting, including information technology (IT) controls. These controls must be audited externally, and a statement of control must be included in the annual corporate report filed with the Securities and Exchange Commission (SEC). Consequently, corporate CEOs and CFOs are now being held accountable for the quality and integrity of information generated by their company's applications and communications, as well as the infrastructure that supports those applications.
As a result, information services managers (IS managers) who may not be keenly aware of the internal control measures necessary when dealing with the requirements of Sarbanes-Oxley are being asked to thoroughly examine the technology risks and test all controls. This means that many IS managers request guidelines or consulting assistance to ensure that they are in compliance with the new laws. Because of the different business cultures involved in global corporations and the number of international investors in U.S.-based corporations, it is essential that the global IT community is aware of the impact that financial audits have on the way information services departments operate.
The Sarbanes-Oxley Act has many provisions. Sections 101, 302, 404, 409, and 906 are the key sections with relevance and impact on information services departments.
In section 101, the PCAOB is established as the governing agency to create auditing standards and rules for public companies. In addition, the PCAOB is given the authority to regulate the accounting firms that audit public companies. The rules issued by the PCAOB and approved by the SEC are referred to as Auditing Standards.
The primary guidance from the PCAOB in regard to auditing internal controls is provided in Auditing Standard No. 2, effective June 17, 2004, entitled, "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements." We will explore Auditing Standard No. 2 later in this chapter.
Section 302 specifies the legal responsibilities of the company's CEO and CFO. According to the Sarbanes-Oxley Act, the CEO and CFO are responsible for all internal controls and for reporting quarterly on any significant changes to internal controls that could affect the company's financial statement. Basically, these two officers must personally certify that they are responsible for and knowledgeable about all financial statements submitted quarterly and annually. They also must certify that they have knowledge of the design and have evaluated the effectiveness of all internal controls and that these controls ensure that complete and accurate information is reported to them. Significant changes to disclosure controls and any deficiencies, weaknesses, or fraudulent acts that may compromise the accuracy of reporting must be disclosed.
Section 302 also defines the external auditor's role over financial reporting. The external auditor evaluates internal controls to determine if modifications need to be made for accuracy and compliance. The external auditor must attest that he or she has reviewed management's assessment of internal controls and has approved the process and evaluation of that assessment.
This section also requires that management specifically address any changes to internal controls over financial reporting that have occurred during the last quarter.
Under Section 404, the CEO and CFO attest that internal controls are in place, documented, and effective. Management assessment contains four parts. The first three parts cover the following:
Responsibility of management for the existence and rigidity of internal controls
Evaluation of the effectiveness of internal controls
Statement of the framework used to evaluate the effectiveness of controls
Management is prohibited from stating that internal controls are effective if there are one or more material weaknesses in the controls.
The fourth part concerns the external auditor. The company's external auditor must separately attest that management's statement concerning the effectiveness of internal controls is accurate.
The greatest difficulty most organizations have is furnishing the formal documentation of internal controls and the evidence of the effectiveness of internal controls.
PCAOB Auditing Standard No. 2
On 9 March 2004, the PCAOB approved Auditing Standard No. 2, entitled, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements." This audit standard establishes the requirements for performing an audit of internal control over financial reporting and provides some important directions on the scope and approach required of corporation management and external auditors. It also provides guidance on the controls that should be considered, including program development, program changes, computer operations, and access to programs and data. PCAOB Auditing Standard No. 2 specifically addresses the financial reporting controls that should be in place for a period before the attestation date and the controls that may operate after the attestation date.
Section 409 states that the CEO and CFO will ensure "rapid and current public disclosure" of any material event that could affect the company's financial or operational performance. Material events could include any type of company restructuring, changes in personage or duties of key personnel, budget overruns on IT projects, and stock sales by corporate officers. It may even be necessary to disclose a major new financial or operational application that is determined to "not work." "Rapid and current disclosure" essentially requires near-real-time reporting. This can be a huge nightmare for companies with a dependence on batch-oriented processing methods that tend to take longer to complete.
Section 906 consists of three parts. First is that every periodic report with financial information must be accompanied by a written statement by the CEO and CFO. The second part specifies that the content of this report fairly represent the financial condition of the company. The last section lays out the fines and imprisonment penalties for either knowingly or unknowingly submitting a false statement. It also sets criminal penalties for failure of corporate officers to certify the financial reports in a timely manner: 60 days after end of year in 2004, 45 days after end of year in 2005, and 30 days after end of year in 2006.
For most organizations, IT services are now a vital part of the financial reporting process. The applications and services support creation, storage, processing, and reporting of financial transactions. Therefore, Sarbanes-Oxley compliance also must include controls for the use of technology in data handling, processing, and reporting. General computing controls thus are critical to the overall financial reporting process in ensuring data integrity and secure operations. IT departments now must formally address the design, documentation, implementation, testing, monitoring, and maintenance of IT internal controls.
The CEOs and CFOs look to the information services department to ensure that the general and specific internal controls for all applications, data, networking, contracts, licenses, telecommunications, and physical environment are documented and effective. Overall risk and control considerations are assessed at the departmental level of information services and then at the entity level. Entity-level review may vary depending on the following questions:
How large is the organization?
Are key functions outsourced?
What is the division of process and responsibilities for geographically dispersed locations?
How are the control responsibilities split among user groups, IS functions, and third-party providers?
How is the strategy for IS (both application and infrastructure) developed, documented, and managed?
To date, audits have found that the primary weaknesses among corporations are consistency, documentation, and communication. A given group within IS may believe that its strategy, tactical procedures, and applications are well controlled. However, communication with other groups may be lacking to the point that no one group knows what the other is doing. One of the most common deficiencies in organizations is the lack of a comprehensive strategic plan concerning how IT can best serve the overall business objectives. Together, these omissions lead to weak security and an uncontrolled or inconsistent architecture.
Global organizations and non-U.S.-based companies should examine their business-unit technology operations to determine their significance to the organization as a whole. The assessment of an IS business unit depends on the materiality of transactions processed by that unit, the potential impact on financial reporting if the IS business unit fails, and other qualitative risk factors.
A few examples of these assessment considerations might include
A U.S. multinational organization that has a single business unit that does not transact enough volume to be financially material, but the IS department within it processes a large amount of information and/or consolidates financial statements for additional locations
A U.S.-based insurance company that outsources IS application development, technical support, or maintenance to an IT business unit based in India
Controls surrounding third-party services should ensure that roles and responsibilities of third parties are clearly defined, adhered to, and continue to satisfy requirements. Control measures are aimed at reviewing and monitoring existing contracts and procedures for their effectiveness and compliance with organization policy. The dissolution of a major contract could have significant impact on financial reporting. Thus it would fall within the guidelines for disclosure by the company officers.
During an audit, company organizations often will contend that they are not responsible for a given control because either the function is outsourced or the software was purchased from and maintained by a third party. According to legislative guidelines, a company can outsource service but not the responsibility for control of that service. It is next to impossible for a company to outsource problems and expect the problems to go away.
Documentation of the third-party controls is required for attestation by the independent auditor, so an assessment must determine the effectiveness and completeness of the service organization's internal controls. If SAS 70 or similar audit opinions do not include controls testing, results of the testing, and the third-party service auditor's opinion on control effectiveness, the reports are not sufficient for Sarbanes-Oxley compliance. Companies should be sure to note whether the specific environment, platforms, and applications used in fulfillment of the outsourced services are covered by the SAS 70 (or similar audit) reports.
Four functional objectives for auditing third-party services and outsourcing major portions of company activities that are relevant to companies, corporation subsidiaries, and multinationals are summarized as follows:
Policy statements regarding data integrity, availability, and confidentiality are determined by senior management and must be maintained and contractually supported by any outsource arrangement.
Asset-protection requirements should be clearly defined and understood by the principals in any outsourcing agreement.
Data and information custodial responsibilities should be well defined and complied with.
Service levels should be defined, measurable, and acceptable to both parties. Failure to meet service-level agreements should have some compensatory action. Billing and invoices should be accurate and costs within budgeted amounts.
To date, the PCAOB and external auditors reviewing compliance with Sarbanes-Oxley have been attentive primarily to security, change management, and problem management. A key focus for the audit is integrity of the technology infrastructure for processing, storage, and communication of financial data. This is especially true when financial reports are generated from a data warehouse fed by multiple accounting and business operation systems.
Ownership of IT controls may be unclear, especially for application controls. Therefore, the audit in each area must integrate automated and manual controls at the business-process level.
In general, the following IT controls must be documented and evaluated as effective in order to be in compliance with Sarbanes-Oxley requirements:
Security administration must have an effective, documented process for monitoring and enforcing the security policies dictated by management. These policies and processes must be communicated to all user groups. If "user group stewards" are used to spread the security administration workload, those stewards must follow the same policies and procedures as the IS support staff. They, too, must communicate thoroughly and effectively with the user community.
Who has access to the application and data? Who authorizes access? How often is access level reviewed? What is the authorization process? What happens when an authorized person leaves or changes jobs? Is data security enforced at the element level? Are passwords enforced and changed regularly?
Execution of financial transactions or transactions that lead to financial transactions must be limited to those individuals who have an authorized business reason to do so. Access to financial and "protected personal" data likewise must be limited to those individuals who have an authorized business reason for access.
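The access-review questions above can be turned into a repeatable control test. The following is an added example, not code from the chapter: it cross-checks a constructed application account export against a constructed HR roster and role-authorization log and flags leavers, movers, roles with no recorded authorization, authorizations past the review interval, and stale passwords. All names, roles, dates and thresholds are constructed for illustration.

```python
"""User access review for a financial application (constructed example)."""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # constructed policy: passwords rotate at least quarterly
REVIEW_INTERVAL_DAYS = 90    # constructed policy: each authorization is re-reviewed quarterly
REVIEW_DATE = date(2006, 6, 30)

# Constructed HR roster: current job and employment status per user id.
HR_ROSTER = {
    "alice": {"job": "AP Clerk", "status": "active"},
    "bob":   {"job": "Network Admin", "status": "active"},   # moved out of AP
    "carol": {"job": "Controller", "status": "terminated"},  # leaver
    "dave":  {"job": "AR Clerk", "status": "active"},
    "frank": {"job": "Payroll Clerk", "status": "active"},
}

# Constructed account export from the application: roles held and last password change.
ACCOUNTS = [
    {"user": "alice", "roles": {"AP_POST"},     "pw_changed": date(2006, 5, 1)},
    {"user": "bob",   "roles": {"AP_POST"},     "pw_changed": date(2006, 5, 20)},
    {"user": "carol", "roles": {"GL_CLOSE"},    "pw_changed": date(2006, 1, 3)},
    {"user": "dave",  "roles": {"AR_POST"},     "pw_changed": date(2006, 1, 3)},
    {"user": "erin",  "roles": {"AP_POST"},     "pw_changed": date(2006, 6, 1)},  # no HR record
    {"user": "frank", "roles": {"PAYROLL_RUN"}, "pw_changed": date(2006, 6, 1)},
]

# Constructed authorization log: (user, role) -> who approved it, for which job, and when.
AUTHORIZATIONS = {
    ("alice", "AP_POST"):     {"approver": "ap_manager", "job": "AP Clerk",      "date": date(2006, 4, 15)},
    ("bob",   "AP_POST"):     {"approver": "ap_manager", "job": "AP Clerk",      "date": date(2006, 4, 15)},
    ("carol", "GL_CLOSE"):    {"approver": "cfo",        "job": "Controller",    "date": date(2006, 4, 15)},
    ("dave",  "AR_POST"):     {"approver": "ar_manager", "job": "AR Clerk",      "date": date(2006, 4, 15)},
    ("frank", "PAYROLL_RUN"): {"approver": "hr_manager", "job": "Payroll Clerk", "date": date(2005, 6, 1)},
}


def review_access(review_date):
    """Return a list of (user, role, issue) findings for the reviewer to clear.

    Each finding corresponds to one of the review questions: access that should
    have been removed (leaver), access authorized for a previous job (mover),
    access with no authorization on file, authorizations overdue for re-review,
    and passwords that have not been changed within policy.
    """
    findings = []
    for acct in ACCOUNTS:
        user = acct["user"]
        person = HR_ROSTER.get(user)
        if person is None:
            findings.append((user, "*", "no HR record for account"))
            continue
        if person["status"] != "active":
            findings.append((user, "*", "leaver still has active account"))
            continue
        pw_age = (review_date - acct["pw_changed"]).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, "*", f"password not changed for {pw_age} days"))
        for role in sorted(acct["roles"]):
            auth = AUTHORIZATIONS.get((user, role))
            if auth is None:
                findings.append((user, role, "no recorded authorization"))
            elif auth["job"] != person["job"]:
                findings.append((user, role, f"mover: authorized as {auth['job']}, now {person['job']}"))
            elif (review_date - auth["date"]).days > REVIEW_INTERVAL_DAYS:
                findings.append((user, role, "authorization older than review interval"))
    return findings


if __name__ == "__main__":
    for user, role, issue in review_access(REVIEW_DATE):
        print(f"{user:6} {role:12} {issue}")
```

The findings list is the evidence an auditor asks for: each line names the account, the role, and the reason it needs removal or re-authorization.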
To ensure accuracy, completeness, and integrity of financial reporting, companies must have a documented, effective change-control process that includes changes to financial applications, all interface applications, operating systems that control the desktop and host server, productivity tools used to create summary analysis, database management systems, and networks. The change process must provide the following:
Points for management review
Migration of changed components
Communication of changes to the user community
Who can initiate a change? Who authorizes changes? Who can make changes? What testing should be done prior to making a change to production components? Who does the testing and validates the changes? How is testing documented? What process is used to promote development components into production?
Change control applies to applications, productivity tools, and operating system software. Communication of infrastructure changes traditionally has been weak. IS department personnel have long felt that users do not care what is changed or when as long as it works. But what if it doesn't? What if a seemingly unrelated change to an application or operating system causes a category of transactions to be unreported?
Financial application change control is an obvious concern when reviewing controls over financial reporting. Frequently, compliance auditors have not assessed the risks of inadequate change control for interface systems, database infrastructure, operating systems, network systems, or hardware configurations. Even internal IS groups may not realize the relevance of documented and enforced controls in these areas related to financial reporting activities. Recent analysis by risk-assessment experts has shown that inadequate change-control methods can lead to a loss of information integrity in financial applications and data systems. The potential risks include inaccurate reporting or incomplete reporting.
Data management encompasses both logical and physical data management as well as identification and protection of critical data, especially data related to financial processing and reporting.
Data Transfer between Systems
Timing and frequency of downloads from interface systems to a financial data warehouse or ERP system are audit review items. The response performance of data warehouse queries and reporting is not an issue for Sarbanes-Oxley but is critical for data warehouse functionality. The relevant issue is whether downloads are consistent, timely, and complete with validation routines. Errors found in the extract, transform, and download process should be segregated, reported, and cleared within a reasonable time frame to ensure accurate financial reporting.
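The completeness, timeliness and validation checks described for interface downloads can be made concrete. The following is an added example, not code from the chapter: it validates a constructed pipe-delimited batch from an interface system against the source's declared record count and control total, segregates invalid records into a suspense list with the reason, checks that the batch arrived within a delivery window, and reports whether the batch can be accepted. The record layout, chart of accounts, header fields and delivery window are all constructed for illustration.

```python
"""Interface-download validation for a financial data warehouse (constructed example)."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts the warehouse accepts postings to.
VALID_ACCOUNTS = {"1000", "2000", "4000", "5000"}
MAX_DELIVERY_LAG_DAYS = 2  # constructed policy: batch must arrive within 2 days of period end

# Constructed batch header from the source system: what it claims to have sent.
HEADER = {
    "batch_id": "AP-2006-06",
    "period_end": date(2006, 6, 30),
    "received": date(2006, 7, 1),
    "record_count": 5,
    "control_total": Decimal("950.00"),  # source's declared sum of all detail amounts
}

# Constructed detail records: reference|account|posting date|amount.
RECORDS = [
    "AP001|1000|2006-06-12|500.00",
    "AP002|2000|2006-06-15|-250.00",
    "AP003|9999|2006-06-20|300.00",  # account not in chart of accounts
    "AP004|4000|2006-07-02|400.00",  # posted after the period end
    "AP005|5000|2006-06-28|abc",     # amount not numeric
]


def parse_record(line, period_end):
    """Return (record, None) for a valid row or (None, reason) for one to segregate."""
    fields = line.split("|")
    if len(fields) != 4:
        return None, "wrong field count"
    ref, account, posted, amount = fields
    if account not in VALID_ACCOUNTS:
        return None, f"unknown account {account}"
    try:
        posted_on = date.fromisoformat(posted)
    except ValueError:
        return None, "bad posting date"
    if posted_on > period_end:
        return None, "posted after period end"
    try:
        value = Decimal(amount)
    except InvalidOperation:
        return None, "amount not numeric"
    return {"ref": ref, "account": account, "posted": posted_on, "amount": value}, None


def validate_batch(header, lines):
    """Validate every record, reconcile to the header, and report the batch status.

    The batch is 'complete' only when nothing is in suspense, the counts and
    control totals agree with the source header, and delivery was timely.
    """
    accepted, suspense = [], []
    for line in lines:
        record, reason = parse_record(line, header["period_end"])
        if record is None:
            suspense.append({"line": line, "reason": reason})
        else:
            accepted.append(record)
    loaded_total = sum((r["amount"] for r in accepted), Decimal("0"))
    exceptions = []
    if len(accepted) + len(suspense) != header["record_count"]:
        exceptions.append("record count does not match source header")
    if suspense:
        exceptions.append(f"{len(suspense)} record(s) segregated to suspense")
    if loaded_total != header["control_total"]:
        exceptions.append(f"loaded total {loaded_total} differs from control total {header['control_total']}")
    lag = (header["received"] - header["period_end"]).days
    if lag > MAX_DELIVERY_LAG_DAYS:
        exceptions.append(f"batch received {lag} days after period end")
    return {"batch_id": header["batch_id"], "loaded": len(accepted), "loaded_total": loaded_total,
            "suspense": suspense, "exceptions": exceptions, "complete": not exceptions}


if __name__ == "__main__":
    result = validate_batch(HEADER, RECORDS)
    print(result["batch_id"], "complete" if result["complete"] else "EXCEPTIONS", result["exceptions"])
    for item in result["suspense"]:
        print("  suspense:", item["line"], "->", item["reason"])
```

A batch with suspense items cannot reconcile to the source control total, so the report stays open until every segregated record is corrected or written off and the totals agree.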
Database Structures
Compatibility of database management systems used to store financial data is important. If the transactional data used for financial reporting are stored in different data structures, the integrity of summation, interpretation, and analysis can be jeopardized. If different data structures are necessary, then compensating controls must be in place to validate the final compilation of data.
Data-Element Consistency
Many companies run multiple accounting systems that use different terminology to represent the same information or the same terminology to represent different information. Therefore, metadata files and data dictionaries should be used to ensure consistent interpretation of key data elements.
Physical Control of Data
The physical control of data is crucial to the integrity of financial reporting as well. If the facilities where servers, workstations, and hard-copy reports are located are not secured, then unauthorized viewing or change may compromise transactions and/or data.
Data Backup
Timing and frequency of the backup process should be determined by the business need for short-term recovery of data in problem situations. Disaster recovery and business continuity plans are not an inherent part of the latest requirements for Sarbanes-Oxley compliance but are critical to business resiliency. See Chapter 4 for additional information about disaster recovery.
The PCAOB stated that ineffective IT control environments are a significant indication that material weaknesses in internal control over financial reporting exist. IT operations controls extend well beyond the obvious management of hardware and the data center. With respect to acquiring an IT environment, there are controls over the definition, acquisition, installation, configuration, integration, and maintenance of the IT infrastructure. Ongoing daily controls over operations include
Day-to-day service-level management
Management of third-party services
Configuration and systems management
Problem management and resolution
Operations management scheduling
The system software component of operations includes controls over acquisition, implementation, configuration, and maintenance of operating system software, database management systems, middleware software, network communications software, security software, and utilities. System software also includes the incident tracking, logging, and monitoring functions. Finally, a less obvious example of an IT operations control is detailed reporting on the use of utilities, which alerts management to unauthorized access to powerful data-altering functions.
Audit of the network operations and problem management includes a review of entry points to the wide area network (WAN) or local area network (LAN). Proper configuration of firewalls, routers, and modems is essential to avoid unauthorized access to and potential modification of the company financial applications and data. The complete network configuration diagram, including all servers, routers, and firewalls, must be included in the documentation provided to the auditors. Inbound modem and virtual private network (VPN) connections pose a particularly high risk of unauthorized access. All outside telecommunication connections (Internet or point-to-point) must be forced to go through the company network routers and firewalls. See Chapter 5 for more information about auditing network devices.
The current threat of hackers, viruses, worms, and other malicious behavior dictates that each server and workstation (especially portable computers) have antivirus software and the latest antivirus definitions. Potential risk for loss of critical financial data is high should companies not keep antivirus software up to date.
Any virus or worm problems encountered on a workstation or server in the company network should be fully documented. Such documentation should include the determined impact and resolution steps taken.
Audit of asset management deals mostly with authorization, financial expenditure, and appropriate depreciation and reporting. Have key assets (e.g., software, data, hardware, middleware, and facilities) been inventoried and their "company owners" identified? The following asset-management-related items are reviewed during a Sarbanes-Oxley audit:
Segregated responsibility for ordering
Receipt and disbursement
Change management of asset inventory
Overall understanding of asset procedures
As a result, records management is an indispensable part of the asset-management plan.
Within asset management, companies should consider facilities controls. Are data center facilities equipped with adequate environmental controls to maintain systems and data, for example, fire suppression, uninterruptible power supply (UPS), air conditioning, elevated floors, and documented emergency procedures? See Chapter 4 for more information pertaining to auditing facilities controls.
Costs for reviewing internal controls and complying with the Sarbanes-Oxley Act can be high, both in internal costs and in external services costs. Most of the internal IS personnel do not have the background, knowledge, or experience with controls to adequately assess whether the current environment meets Sarbanes-Oxley requirements. Individuals may not have the motivation to do thorough documentation or communication either. Therefore, specialized IT auditors often are brought into the company to do a gap analysis, that is, to determine what is deficient or unreliable. Companies may decide that implementation of automated documentation controls or new financial reporting software is necessary. The level of this commitment will determine the cost.
Despite the high cost of compliance, ineffective controls or noncompliance will result in a much higher cost. Should a company's external auditor find material weaknesses in controls, the competency and credibility of the company may be questioned, causing a drop in share price and capital availability. Investors now will be presented with a view of the risks associated with management structure and controls that may prompt them to divest. Foreign issuers may risk enforcement actions and personal liability that they have not encountered before.
In multinational corporations, auditors may be pressed to more closely question suspicious payments that have the earmarks of bribes. In the past, corporate executives did not have a duty to disclose questionable payments that were paid to receive offshore services. This may no longer be an option.
For more specific points to consider, illustrative controls, or tests of those controls, see http://www.isaca.org for the IT Control Objectives for Sarbanes-Oxley.