IT Control Objectives for Sarbanes-Oxley

Presented by Doug Moore, Jefferson Wells International and Christine Chaney, Continental Airlines.
Presentation transcript:

IT Control Objectives for Sarbanes-Oxley
This presentation is focused on the IT Control Objectives for SOX published by the ITGI.
Background: This document is focused on Section 404 of the SOX Act, which requires management to assess the effectiveness of an organization’s internal controls over financial reporting and annually report on the results of that assessment. The PCAOB suggests that “IT controls have a pervasive effect on the achievement of many control objectives.” The PCAOB further provides guidance on the controls that should be considered in the assessment and requires companies to select and implement a suitable control framework. COSO has become the most commonly adopted framework. In general, SEC registrants and others have found that additional details regarding control considerations were needed beyond what has been provided in COSO. Insert COBIT. COBIT in its full perspective provides controls and objectives that address operational and compliance objectives; only those related directly to financial reporting were used to develop this document.

Managing Risk
“…many of the IT professionals being held accountable for the quality and integrity of information generated by their IT systems are not well versed in the intricacies of internal control. This is not to suggest that risk is not being managed by IT, but rather that it may not be formalized or structured in a way required by an organization’s management or its auditors.”
In my experience, this is the most difficult concept to convey to our IT management. While we find that IT management generally performs its due diligence in this area, most do not fully understand their role in internal control. Have any of you had similar experiences in your organization? Examples: architectural review committees; adding new equipment without full authorization. How about wireless access points?

IT Key Areas of Responsibility
Organizations need representation from the SOX teams to ensure that IT general controls and application controls support the objectives of compliance. According to the COBIT control objectives, key areas of responsibility include:
- Understanding the organization’s internal control program and financial reporting process
- Mapping the IT systems that support internal control and the financial reporting process to the financial statements
- Identifying risks related to these systems
- Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness
- Documenting and testing IT controls
Comments: How many of your organizations have someone within the IT department performing these functions? How many of your organizations have IA performing these functions, with the IT folks joining in for the documentation and testing of IT controls?

IT Key Areas of Responsibility
- Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or the financial reporting process
- Monitoring IT controls for effective operation over time
- Participation by IT in the Sarbanes-Oxley project management office
And the list goes on… If you really take a look at the responsibilities, these are activities that, as auditors, we perform every day. No need to reinvent the wheel. Most companies have IT controls in place, although they may not be formalized. In my personal experience, the greatest challenge is helping IT management to recognize the significance of effectively communicating and documenting the controls environment and, most importantly, taking ownership of the controls within their responsibilities. E.g. system development projects: IT teams rely on business units to specifically tell them how to code the “soft” controls. Example: the system built with no reporting. It is logging all activity, right? According to COBIT, organizations may be able to tailor existing IT control processes to comply with SOX. According to the ITGI, “Frequently, it is the consistency and quality of control documentation and evidential matter that is lacking, but the general process is often in place, only requiring some modification.” We would expect that IT enhancements will be in the areas of IT environment, computer operations, access to programs and data, program development and program changes.

ITGI Control Objectives
- IT Control Environment
- Computer Operations
- Access to Programs and Data
- Program Development and Program Change
IT Control Environment: “tone at the top.” The ITGI’s recent publication now includes a company-level IT management questionnaire to assess management’s attitude and actions towards internal controls. Question: How many companies have completed their entity-level reviews? Did these reviews include questions/comments/input from the CIO or IT senior management? We’ll go over each point in detail; this slide is to introduce the topics.

IT Control Environment
The PCAOB has indicated that an ineffective control environment should be regarded as at least a significant deficiency and as a strong indicator that a material weakness in internal control over financial reporting exists. That’s a pretty strong statement. What are the implications for IT? The next two slides will describe the IT control environment.

What is the IT Control Environment?
- IT governance process
- IS strategic plan
- IT risk management process
- Compliance and regulatory management
- IT policies, procedures and standards
Monitoring and reporting are required to ensure that IT is aligned with business requirements. How many of your IT organizations have these types of plans/processes standardized? Do they use a formalized control framework? If so, which one?

Computer Operations
Computer operations should include controls over:
- Effective acquisition
- Implementation
- Configuration and maintenance
Ongoing controls over operation address the day-to-day delivery of information services, service level management, management of third-party services, etc.
Effective acquisition: Third-party software: Was there a bid process and formal evaluation? Does the expenditure have to be approved? If so, by whom? Hardware: Is there a policy and procedure for the acquisition and installation of new hardware? Is a third party responsible for acquiring and installing the hardware? Example: At CAL, EDS sometimes acquires the hardware and sets up the OS and database. In this instance they would also harden the box. Any other examples?
Implementation: How does your company introduce new software/hardware to the environment? What are the security protocols? What are the testing procedures?
Configuration and maintenance: Extracting data from a legacy system into the new one. New software could require a process change; who reviews, who approves? Are users getting useful reporting from the new system? Include CAL test procedures for management of third-party services.

Access to Programs and Data
The overall goal of access controls is to prevent “the unauthorized use of, and changes to, the system, and the entity protects its data and program integrity.” Sounds simple enough…
- How does this change when you add in remote users?
- How does this change when you add in wireless access?
- How does this change when you add in vendors/customers with web access to needed systems or information?
- How about contract or temporary workers?
- How about third-party vendors that require limited access to your systems?

Program Development and Program Change
What are the acquisition and implementation risks of new applications and/or systems? What are the risks of not having a good change management program?
With regard to Program Development and Program Change, COBIT focuses on two areas: the acquisition and implementation of new applications and the maintenance of existing applications.
What are the risks of acquiring/implementing new systems?
- Poor project management
- Unrealistic completion dates/project goals
- Overspent budgets or mismanagement of budgets
- Not all affected departments are included in discussions/sign-off process
- Affected departmental needs are not met, i.e. reporting requirements
How do we mitigate these risks? What are your strategies for managing these risks?
What are the risks of not having a good change management program?
- Unauthorized changes
- Unmanaged changes
- Changes implemented without proper testing
What constitutes a good change management program?
- Change requests only come from authorized individuals
- Change requests are logged and weighed in priority
- Change requests are properly tested
- Change requests are properly documented, both in the change management tool and in the code
- Change requests receive proper sign-off

Multi-location Considerations
Significant business units: potential financial materiality and significant risk considerations, quantitative and qualitative; both aspects provide focus. Significant business units can include financial business units or IT business units. The assessment of significance can be impacted by the materiality of transactions processed by the business unit, the potential impact on financial reporting if an IT business unit fails, and other potential risk factors. What are some examples of your organization’s multi-location considerations?

What is SOX?
SOX provides the foundation for new corporate governance rules, regulations and standards issued by the Securities and Exchange Commission. It covers a range of topics from criminal penalties to corporate board responsibilities. SOX also covers issues such as independent auditing requirements, corporate governance, internal control assessment, and enhanced financial disclosure. CEOs of publicly traded companies will be held accountable for the quality of the controls established which enable accurate financial reporting (including IT processes, systems and roles).

Penalties
Section 802(a) of SOX states: “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”

What prompted SOX?
Sarbanes-Oxley was passed in the wake of a number of notable corporate accounting scandals, including Enron and WorldCom.

A hint on policies
Bear in mind that you will be held to the letter of all policies your company develops related to SOX, even if they exceed federal requirements. This is very important to remember when drafting policies. Policies should ensure that corporate behavior is consistent, controlled, and can be proven. Remember: 3 parts carrot, 1 part stick.

A word on Frameworks
There are many frameworks out there to assist you with SOX compliance. The key is to find a framework that works for your team, commit to it, train on it, and use it to your best possible advantage.

Examples of COBIT Controls
Network Security – Firewalls, secure network configuration including 802.11x
Virus Protection – Anti-virus and anti-spyware updated regularly

Examples of COBIT Controls
Backups & Restore – Regularly tested procedures
IT Continuity – Disaster recovery procedures

Examples of COBIT Controls
File Access Privilege Controls
Identity Management – Password strength/age and access. Who has access, and is that appropriate now?
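The "who has access and is that appropriate now?" question, together with the remote-user, contractor and third-party-vendor questions from the Access to Programs and Data slide, is what a periodic access review answers. The following is an added example, not code from the presentation or the ITGI document: it takes an account export from a financially significant system plus an HR active roster and produces the exceptions a reviewer must disposition. The record layout, the 90-day password age, the 60-day dormancy window, the role names and the sample accounts are all constructed assumptions.

```python
"""Periodic access review for a SOX-relevant system (added example).

Flags the conditions the slides ask about: accounts for people no longer on
the HR roster, contractor/vendor access with no expiry or an expired one,
passwords older than policy, dormant accounts, and privileged roles that
are not on the approved list. All thresholds and sample data are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values; the presentation states no specific numbers.
MAX_PASSWORD_AGE_DAYS = 90
DORMANT_AFTER_DAYS = 60
PRIVILEGED_ROLES = {"gl_admin", "dba"}   # hypothetical role names


@dataclass
class Account:
    user: str
    account_type: str                  # "employee", "contractor" or "vendor"
    roles: set
    enabled: bool
    last_login: Optional[date]
    password_set: date
    access_expires: Optional[date] = None   # expected for contractor/vendor


def review_access(accounts, hr_active, approved_privileged, today):
    """Return a list of (user, finding) tuples; an empty list means no exceptions."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                   # disabled accounts are out of scope
        if a.account_type == "employee" and a.user not in hr_active:
            findings.append((a.user, "active account for user not on HR active roster"))
        if a.account_type in ("contractor", "vendor"):
            if a.access_expires is None:
                findings.append((a.user, f"{a.account_type} access has no expiry date"))
            elif a.access_expires < today:
                findings.append((a.user, f"{a.account_type} access expired on {a.access_expires}"))
        if (today - a.password_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.user, "password older than policy maximum"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_AFTER_DAYS:
            findings.append((a.user, "dormant account (no recent login)"))
        # Every privileged role must appear on the per-user approved list.
        for role in sorted(a.roles & PRIVILEGED_ROLES):
            if role not in approved_privileged.get(a.user, set()):
                findings.append((a.user, f"privileged role {role} not on approved list"))
    return findings


def sample_review():
    """Run the review over a constructed account export and HR roster."""
    today = date(2024, 3, 31)
    accounts = [
        Account("alice", "employee", {"ap_clerk"}, True, date(2024, 3, 28), date(2024, 2, 1)),
        Account("bob", "employee", {"gl_admin"}, True, date(2024, 3, 29), date(2023, 11, 1)),
        Account("carol", "employee", {"ap_clerk"}, True, date(2024, 1, 5), date(2024, 3, 1)),
        Account("dave", "employee", {"dba"}, True, date(2024, 3, 30), date(2024, 3, 10)),
        Account("vendor_support", "vendor", {"dba"}, True, date(2024, 3, 30), date(2024, 3, 1)),
        Account("frank", "contractor", {"ap_clerk"}, True, date(2024, 3, 25), date(2024, 3, 1),
                access_expires=date(2024, 2, 29)),
        Account("gina", "employee", {"ap_clerk"}, False, None, date(2023, 1, 1)),
    ]
    hr_active = {"alice", "bob", "dave"}            # carol has left; gina is disabled
    approved_privileged = {"bob": {"gl_admin"}}     # dave's dba role was never approved
    return review_access(accounts, hr_active, approved_privileged, today)


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:15s} {finding}")
```

The output is a worklist, not a verdict: each line still needs a named reviewer to either remove the access or record why it remains appropriate, and that disposition is the evidence the auditor will ask for.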

Examples of COBIT Controls
Risk Evaluation Programs – Risk assessment and internal auditing
Employee IT Security Training – Training of end users related to utilization of resources

Examples of COBIT Controls
Management support/buy-in – Executive-level oversight of projects related to IT
IT as part of strategic planning – The business must be supported by technologies

Change Management
Standardized change control is a great place to find fast rewards in pursuit of compliance.
- Change approval
- Change categorization
- Change documentation
- Change prioritization
- Formal request-for-change process
- A body of subject matter experts that oversee change
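The five criteria for a good change management program on the Program Development and Program Change slide, and the elements listed on this slide, can be turned into a check that runs over exported change records and tells the auditor which changes lack evidence. The following is an added example, not code from the presentation or from any change tool: the record layout, the authorized-requester list, the priority values and the rule that the approver must be someone other than the requester are assumptions made here.

```python
"""Validating change records against a standardized change-control process.

Added example. Each ChangeRequest is one record exported from a hypothetical
change tool; validate_change() returns the control failures for that record,
using the criteria from the slides: authorized requester, logged, prioritized,
tested, documented in the tool and in the code, and signed off.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import re


@dataclass
class ChangeRequest:
    ticket: str
    requester: str
    logged_at: Optional[str]        # ISO timestamp written by the change tool
    priority: Optional[str]         # assumed values: "low", "normal", "emergency"
    test_evidence: Optional[str]    # reference to test results, or None
    documented_in_tool: bool
    commit_messages: list           # messages of the commits deployed for this change
    approver: Optional[str]
    category: Optional[str] = None  # change categorization (informational here)


def validate_change(cr, authorized_requesters, valid_priorities):
    """Return the list of control failures for one change; empty means it passes."""
    failures = []
    if cr.requester not in authorized_requesters:
        failures.append("requester not authorized to raise changes")
    if not cr.logged_at:
        failures.append("change not logged in the change tool")
    if cr.priority not in valid_priorities:
        failures.append("change not prioritized")
    if not cr.test_evidence:
        failures.append("no test evidence")
    if not cr.documented_in_tool:
        failures.append("not documented in change tool")
    # "Documented in the code": every deployed commit must cite the ticket id.
    ticket_ref = re.compile(re.escape(cr.ticket))
    if not cr.commit_messages or not all(ticket_ref.search(m) for m in cr.commit_messages):
        failures.append("deployed code does not reference the change ticket")
    if not cr.approver:
        failures.append("no sign-off")
    elif cr.approver == cr.requester:
        # Assumption: separation of duties between requester and approver.
        failures.append("requester approved their own change")
    return failures


def audit_sample():
    """Run the check over three constructed change records."""
    authorized = {"jsmith", "mjones"}
    priorities = {"low", "normal", "emergency"}
    records = [
        ChangeRequest("CHG-1001", "jsmith", "2024-03-04T09:12:00", "normal", "TR-55",
                      True, ["CHG-1001: fix AP posting rounding"], "mjones", "standard"),
        ChangeRequest("CHG-1002", "jsmith", "2024-03-06T17:40:00", "normal", None,
                      True, ["hotfix for GL"], "jsmith", "emergency"),
        ChangeRequest("CHG-1003", "contractor9", None, None, "TR-60",
                      False, [], None),
    ]
    return {cr.ticket: validate_change(cr, authorized, priorities) for cr in records}


if __name__ == "__main__":
    for ticket, failures in audit_sample().items():
        print(ticket, "PASS" if not failures else "; ".join(failures))
```

A record that passes here has evidence for every criterion on the slide, which is what makes the change-control process testable rather than merely described.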

Consistent Logging
- Change management
- Configuration management
- Event management
- Incident management
- Knowledge management
- Problem management

“Operationalize” information
Connect the internal changes needed with the strategic objectives of the company. Illustrate that real-time information flow enhances your organization’s ability to make decisions while making compliance easier. Point out the significance of new activities that may seem mundane or inconsequential. This will help actions taken by staff at every level feel more relevant and less painful.

Remember W. Edwards Deming?
SOX compliance is not a fix-it-and-forget-it endeavor. As companies and the ecosystems that support them change, new compliance quandaries will come up.

How can SOX help?
Perspectives on operational control, consistency, and quality take on a whole different meaning once they have a clear relationship to fiduciary responsibility. It is amazing how different the conversation about project prioritization becomes once executive management is offered the opportunity to make the decisions guiding it.