<body>

Blackbelt 404.

Compliance For The Sane

Integration of Duties I

December 15, 2006

Even after two years of struggling to streamline the Sarbanes-Oxley compliance process, particularly in regard to Section 404, much of corporate America believes there is still room for improvement.

The culprit this time is ITGC (IT general controls).

Section 404 requires the identification and testing of key controls that prevent material financial misstatement. But while the effect of routine financial-side controls such as bank reconciliations and rollforwards can be clearly and measurably linked to the financial statements, exactly where, and in what amount, a failed ITGC will impact the financials is not always clear.

And if you don't know if, where, or in what amount your control affects your financial statements, then from a 404 perspective, you do not know whether it is a key control.

Part of the problem is that Internal Audit departments are not prepared for - and certainly not experienced with - this kind of approach. Before SOX, the well-known "pervasive" effect of ITGC on the financial statements was more than enough to warrant the close scrutiny of IT auditors. Hither came SOX, which requires the identification and testing only of key controls that have a material effect on the financial statements. That includes key controls on the IT side, if they have a material effect on the financial statements. The need to tie ITGC to material financial misstatement is new, and auditors do not have an established approach to doing it.

So how have companies been choosing which ITGC are considered key?

By squandering a lot of resources, it seems. The IIA reports:

In the absence of current guidance that enables an identification of specific risks, many organizations are performing full IT general controls testing on all applications involved in financial reporting processes. As we indicated in our response to the recent SEC Roundtable, we believe that has led to excessive testing and resource costs among both registrants and their auditors.[1]

And from Deloitte:

[I]t is important to note that many companies, generally speaking, have struggled with conducting the IT portion of their assessments of internal control. For instance, many companies struggled to understand what was required relative to IT controls, and in particular with the issue of identifying which IT controls are indeed relevant to financial reporting. They also struggled in applying a risk-based approach for IT, and as a result, spent time documenting and testing controls in areas of lesser risk. Overall, many companies have tended to document and test IT general controls without a good understanding of how their computer processing environments and the related IT general controls impact the financial reporting process and the associated risks.[2]

And from the Institute of Management Accountants:

[R]egistrants and auditors are spending a significant amount of time documenting and testing IT general controls (and application controls) even though past experience has shown these controls are effective and pose low risk as it relates to a misstatement of financial reporting.[3]

There has been an overemphasis on the area of general computer controls as a result of lack of clarity of the level of testing required, lack of appropriate assessment of risk and companies defaulting to the Control Objectives for Information and related Technology ("COBIT") framework as a supplement to COSO.[4]



(to be continued)



______________________
[1] David A. Richards CIA, President, IIA, Response to SEC Release No. 34-54122; File No. S7-11-06, Concept Release Concerning Management's Reports on Internal Control over Financial Reporting, September 18, 2006. http://www.sec.gov/comments/s7-11-06/s71106-145.pdf. Examples of companies with the same experience include NASDAQ, whose SVP of Internal Audit, Brian G. O'Mally, commented to the SEC: "Guidance is required to identify the portions of IT frameworks that are specifically applicable to SOX. In the absence of such guidance, the conservative approach taken by many auditors causes the entire framework to be incorporated into SOX compliance efforts." http://www.sec.gov/comments/s7-11-06/s71106-168.pdf. Similarly, Kerry Bailey, SVP Global Operations, Cybertrust Corp., writes: "To date, the determination of the IT general controls to be tested in a given filer's environment has been a delicate negotiation between the filer and the public accounting partner, with the advantage clearly in favor of the accounting firm. There has been no clear definition of relevant controls, no consensus on the scope of the target environment that produces the financials as a subset of the entire corporate computing environment, and no uniformity in testing methodology. This has contributed greatly to the exorbitant costs of Section 404 compliance for the accelerated filers, and is a source of concern for small and micro-caps." http://www.sec.gov/comments/s7-11-06/s71106-72.pdf. And Jeff Straton, VP US Operations Finance and Corporate Controller at Alcon, comments: "Based on discussion forums, articles we have read in various publications, and our experience, most companies feel they are spending excessive amounts of time in the testing of controls related to general computer controls and specific controls over applications. By their very nature, automated financial controls are in place to eliminate human errors. Once a base-line for automated financial controls has been set, continued testing is redundant, and should be minimized." http://www.sec.gov/comments/s7-11-06/s71106-64.pdf
[2] http://www.sec.gov/comments/s7-11-06/s71106-106.pdf p.24
[3] http://www.sec.gov/comments/s7-11-06/s71106-75.pdf p.4
[4] Ibid. p.7


Posted by shapi, 10:23 AM