By Patsy C. Culver, CPA
Lately, CIOs and their Information Technology (IT) teams are becoming more aware of, and increasingly concerned about, Sarbanes-Oxley and its mandate for the assessment of IT controls and risks. CIO Magazine reported that the CIO's days as the keeper of the keys to corporate data are numbered. An informal survey of the CIOs of the top 19 Fortune 100 companies showed them viewing SOX compliance as a finance issue, not a systems issue. A few CIOs acknowledged a potential role for IT but insisted it was premature. They couldn't have been more mistaken.
While SOX legislation is at its heart about ensuring internal controls are in place to govern the reporting of financial information, the systems that generate, change, house, and transport that data are firmly in the realm of the CIO and the IT organization. The CIO is now responsible for building the controls that allow this data to stand up to audit scrutiny.
In geek-speak a "404" is someone who is clueless, "404" referring to the HTTP error code meaning "File Not Found". Ironically, that meaning is about to expand. Most IT organizations know about Section 404 of the Sarbanes-Oxley Act, but they read its 100 words or so and don't know what to make of it. They have little sense of whether they have the controls in place to meet its requirements and, more often than not, of whether they have the necessary compliance documentation. Where documentation does exist, it seldom covers the global aspects of the organization; instead it addresses only specific areas of IT, and then only sparsely. For some reason, IT gurus rarely do more than the minimum documenting unless they are in an organization or industry that demands documentation.
My goal is to discuss the approach for assessing your IT controls and risks, give you some key terms, and provide some suggestions to start the process. This will naturally be brief and does not replace serious study of the COSO and COBIT frameworks before embarking on an IT control risk assessment for your organization. Information and best practices are just beginning to proliferate, so keep your browser set to the best IT sites, such as CIO Magazine and in particular http://www.tscpa.org/members/sox/default.asp.
Following are three key areas that must be addressed. I recommend that you follow these steps in the order presented, since each component affects the scope of your assessment and, in some cases, the type of work in subsequent steps.
First, you must understand the IT organization and structure. This could be the CIO's organization or several organizations that together make up the total IT organization. Document and review IT management's organization in relation to the business unit and geographical organization. Determine the strategy for managing technology and applications. Although this is not the most time-consuming portion of your risk assessment, and the strategy may not be obvious, this step is paramount because it forms the foundation for all the steps that follow. Without understanding your organization, structure, and strategy you cannot make any assessment as you move into the next step – evaluating the IT Entity Level Controls.
The second set of work is a review of the IT Entity Level Controls. Entity Level Controls consider the tone at the top, along with the actual control environment of the entire organization as well as of the IT organization specifically. Evaluate overall IT controls, including the assignment of authority and responsibility in IT operations. Ask yourself some questions: Are there consistent policies and procedures for conduct and fraud prevention applied to all business locations and business units? Look specifically at the control environment relating to financial reporting applications. Look at the overall security administration policies, the application change-control environment, the data management and disaster recovery processes, and the problem resolution areas. Are all these processes in place? Does management show its involvement and interest by periodically reviewing them and recording findings? Look at these controls in conjunction with general business processes. It is imperative to integrate IT risk and control evaluation with business process risk and control evaluation to achieve a complete understanding of the environment.
Third, in order to comply with Section 404 requirements the IT Process Level Controls must be assessed. There are three distinct sets of processes that must be reviewed:
- General IT Processes
- Application and Data Owner Processes
- Integrated Application and specific processes
Again, these three sets of processes must be evaluated in order, since each builds on the one before it.
General IT Processes refers to the critical IT processes within the organization that support the key financial-reporting applications. Be aware that in certain circumstances you may need to review the same general controls more than once. For example, if multiple processes affect priority financial reporting areas but are not subject to similar policies, activities, and control procedures, then you may have to review those processes separately.
The general IT processes you must review in every instance are:
- Security administration
- Application change control
- Data management and disaster recovery
- Data center operations and problem management
- Asset management
The next area, Application and Data Owner Processes, includes those processes that are owned directly by the process owners. Again, there are controls that should be evaluated in every instance:
- Segregation of incompatible duties
- Access to critical transactions and data
- Business-impact analysis and business continuity plans
- Business-owner change control procedures
Integrated application and specific processes include all IT controls, and whatever manual controls may exist, at the business process level. What controls should be reviewed? The following application controls should be considered:
- Programmed application controls
- Access controls for critical transactions and data
- Data validation and error-checking routines
- Error reporting
- Complex calculations – including modifications
- Complete and accurate reporting
- Critical interfaces
This list may not be comprehensive, since additional IT-related controls may surface as you perform your evaluation.
This is just a primer to help size the undertaking. You should review more information or meet with consulting firms that provide Sarbanes-Oxley Section 404 compliance services. If you choose the consulting route, the firm should be independent of the accounting firm that provides your audit service. Many of your fellow Dallas CPA Society members provide this independent service... another benefit of your membership in the DCPAS!