< Back
Sarbanes-Oxley Compliance for Nonaccelerated
Filers
Solving the Internal Control Puzzle
By Sid
M. Edelstein
No business legislation in recent history has
elicited a broader range of reaction among
financial professionals than the Sarbanes-Oxley
Act of 2002 (SOA). While SOA clearly presents
compliance challenges for public companies of
all sizes, for many smaller, nonaccelerated
filers these challenges can seem all but
insurmountable. For some, this perception can
lead to willful denial that compliance
requirements extend to them. For others, it
typically yields token efforts at compliance
that often fall short. Neither is a good
response. Unfortunately, many smaller companies
lack the internal resources and specialized
expertise necessary to successfully address all
of the complexities associated with
comprehensive SOA compliance.
Much of the standard professional auditing
literature and available guidelines focuses
almost exclusively on the objective analysis of
accounting system control activities that
support the financial reporting process. As a
result, many auditors may find themselves ill
equipped to address some of the more subjective
and technically unfamiliar internal control
aspects of SOA compliance audits: internal
control framework development methodologies, the
risk assessment activities on which they depend,
and the information technology (IT) and business
process automation systems that facilitate them.
Because business technology plays a major role
in most companies’ internal control activities,
IT-related aspects of SOA compliance are not
commonly addressed in typical accounting
literature. Such IT aspects include the COBIT IT
internal control and governance framework, as
well as IT general controls than can potentially
impact the accuracy and timeliness of a
company’s financial reporting processes. The
historical development of COSO’s Internal
Control–Integrated Framework and an overview of
its key elements form the conceptual
underpinnings of corporate internal control
systems.
A Short History of Decay
Sarbanes-Oxley is not the first time that
government has tried to protect the public from
corporate malfeasance. A similar spate of
high-profile corporate scandals in the 1980s
prompted the establishment of the Treadway
Commission, which laid the foundation for a
variety of meaningful accounting and financial
reporting reforms. Today’s SOA provisions are
the direct descendants of these reforms. They
are also only the first round in what is likely
to become an ongoing legislative effort to
improve corporate governance and accountability.
The Treadway Commission’s charter recognized the
need to improve corporate internal control over
financial recordkeeping and accounting
practices. The task of addressing this issue
fell to a group of private organizations known
as the Committee of Sponsoring Organizations (COSO).
COSO’s primary contribution to the Treadway
Commission’s efforts was the development of an
open, integrated framework for analyzing and
improving the effectiveness of internal
controls. Officially published in 1992, COSO’s
Internal Control–Integrated Framework has become
the de facto standard for internal control
analysis and reporting. While leaving the door
open to other potential internal control
development frameworks, both the SEC and the
PCAOB have specifically sanctioned the COSO
framework as an appropriate guideline for SOA-compliant
internal control analysis, development, and
documentation.
Overview of the COSO Integrated Framework
The conceptual underpinnings of the COSO
framework are quite simple and based upon the
following observations:
Every business has numerous operational
objectives that it must accomplish in order to
be successful.
Every operational objective contains various
inherent quantitative and qualitative risks to
its achievement.
The potential consequences of these risks should
be reduced, wherever possible and practical, by
instituting “integrated” internal controls.
COSO defines five key elements of an integrated,
or comprehensive, framework of internal control
as follows:
Control environment. Executive management and
corporate governance bodies must ensure that
appropriate corporate ethics and values are
established and enforced at the executive level
and effectively instilled throughout the entire
organization. If this “tone at the top” is not
successfully established, the entire system of
internal control can be easily undermined and
susceptible to fraud and inaccurate financial
reporting.
Risk assessment. Efforts must be made to
analyze, define, and document the qualitative
and quantitative risks for all key business
units and processes involved in achieving the
organization’s business objectives. Accurate
risk assessment is perhaps the most critical
element in establishing an effective framework
of internal control. It serves to highlight and
isolate those specific business units and
processes which present the greatest risk to the
organization’s operational goals, and thereby
helps focus and prioritize the creation of the
organization’s overall internal control
framework.
Control activities. Once all internal control
objectives have been established and their risks
have been accurately assessed, specific
safeguards, processes, and procedures must be
developed and implemented to reduce or mitigate
the defined risks to all critical internal
control objectives. Many internal control
analysis, testing, and reporting functions tend
to focus almost exclusively upon control
activities, because they lend themselves to
objective analytical criteria. The danger,
however, is that effective control activities in
and of themselves do not ensure that the
organization has implemented an effective system
of internal controls. All five COSO components
must be present to ensure that these control
activities function correctly and consistently
over time.
Information and communication. Information and
communication channels that support internal
control objectives must be available and
understood by all members of the organization as
well as all necessary external entities (e.g.,
boards of directors, audit committees). Open
internal and external communications are vital
to internal control because they support the
checks and balances that ensure the integrity of
the control environment as well as the
effectiveness and consistent application of
control activities.
Monitoring. The organization must ensure that
all internal control objectives are continuously
monitored, regularly tested, and revised as
necessary to support changing business
conditions. An effective internal control system
must be dynamic and adaptable. As business
technology continues to evolve, the pace of
business grows exponentially faster and becomes
more difficult to control. If the organization
does not have a methodology in place for
accurately measuring and benchmarking the
effectiveness of its internal control procedures
over time, these controls can quickly become
outdated and ineffectual.
COSO affirms that an integrated internal control
framework must take all of these elements into
account and include control objectives that
effectively address each of them. In other
words, the effectiveness of a company’s overall
system of internal controls could be severely
compromised if any one of these five key
components is lacking in its design or
execution.
COSO also requires that the development of
control objectives incorporate a scope that
encompasses the following three functional
considerations:
Operations: Improved operational efficiencies.
Financial reporting: Accuracy and timeliness of
the financial reporting process.
Compliance: Adherence to all corporate legal and
regulatory responsibilities.
Finally, COSO requires that control objectives
based upon the guidelines detailed above be
developed for all business units as well as all
key business processes conducted within these
units. This ensures that the control framework
is designed to encompass both company-wide and
process-specific operational control objectives.
(Exhibit 1 and Exhibit 2 present a graphical
representation of the COSO framework and an
example of typical COSO internal control
documentation.)
IT Support
While most IT departments are actively engaged
in supporting their organization’s internal
controls over financial reporting, and many do
so effectively, few are well versed in the
disciplines and procedures necessary to
adequately substantiate or document these
activities in accordance with COSO or SOA
requirements. This presents a significant
dilemma because, in most public companies, IT
departments bear a great deal of responsibility
for ensuring the accuracy, integrity, and
availability of the transactional data used in
financial statements.
The PCAOB has recommended that in making a
determination regarding which controls should be
tested for Sarbanes-Oxley compliance, auditors
must consider “controls, including information
technology general controls, on which other
controls are dependent” (PCAOB Release 2003-17).
By and large, most auditors already have some
experience analyzing IT “application-level”
internal controls; analysis of these controls
has been included in standardized audit
procedural guidelines for a number of years and
has already been incorporated into the testing
and walk-through procedures typically conducted
during the course of a normal audit. Analyzing
“general” IT controls, however, requires a level
of IT knowledge and technical expertise that
goes well beyond what most internal and external
auditors have been trained for.
General IT controls can potentially encompass
the entire spectrum of an organization’s IT
operations, and many of these controls, along
with the systems which support them, may not be
adequately documented for purposes of SOA
compliance. The auditor’s judgment and
discretion must be applied in order to segregate
those general IT controls which could
potentially have a significant or material
impact on any given company’s financial
reporting processes. Once these high-risk
controls have been successfully isolated,
auditors should be prepared to provide guidance
to IT department management and personnel in
developing appropriate IT general control
documentation and testing procedures to support
ongoing SOA compliance activities.
The Changing IT Environment
Unfortunately, the COSO Internal
Control–Integrated Framework provides little
guidance regarding general IT controls, because
IT environments have changed dramatically since
its publication. When COSO’s integrated
framework was initially released, the typical
enterprise IT environment was centralized and
composed primarily of customized, legacy
business applications. The most significant
risks these systems represented to the integrity
of financial data and reporting related to
internal controls over application development,
data entry, and system access.
In the COSO framework example documentation
itself, only a handful of pages deal
specifically with internal controls over IT
operations, and these are nearly exclusively
devoted to the aforementioned controls. While
these IT internal control issues still exist and
are a key focal point in any SOA control
analysis, they represent only the tip of the
iceberg with respect to today’s financially
relevant general IT controls.
Since the introduction of COSO’s Internal
Control–Integrated Framework, enterprise IT
environments have grown exponentially more
complex and decentralized. Sophisticated e-mail
systems and web-based technologies now handle
much of the financial information and corporate
communications that were once conducted manually
and left paper trails. Generic accounting
software applications and integrated ERP systems
have sophisticated financial controls that can
be configured to dynamically ensure the
security, availability, and integrity of
financial data.
Analyzing access security parameters and
data-entry batch controls is no longer enough to
ensure the accuracy and integrity of a company’s
financial data. Modern business technologies
have enabled companies to conduct transactions
in real time on a plethora of disparate
processing platforms. As companies continue to
leverage modern business technologies, both the
pace and the breadth of financial data
processing continue to increase. Corralling this
financial data flow will be critical to
successfully controlling its accuracy and
integrity in the future.
COBIT: The COSO of IT
The dizzying array of modern business technology
available can differ dramatically in its
potential impact on a given company, but the
technology itself only represents part of the
equation. What about the IT control environment
is necessary to successfully manage and maintain
these sophisticated IT systems?
Modern IT environments often require teams of
highly skilled management and technical
personnel to operate efficiently. Are there
enough personnel qualified to perform these
duties effectively? Is their training maintained
on an ongoing basis in order to ensure
continuous support for the company’s growing IT
systems? Are effective change-management
policies and procedures in place to coordinate
ongoing system enhancements? Does the high-level
system access to financial applications and
databases that IT personnel need present a
significant internal control issue?
These and countless other issues with respect to
IT governance also break new ground for auditors
that must now, for SOA-compliance attestation,
form an opinion as to the effectiveness of the
general IT controls upon which other financial
internal controls depend.
The IT Governance Institute has published a
discussion document, “IT Control Objectives for
Sarbanes-Oxley,” which provides what may be the
only comprehensive methodology for assessing
both general and application-level IT controls
in support of SOA compliance (available from
www.isaca.org). The work is based upon COBIT, a
detailed set of professional guidelines for
establishing effective IT governance, auditing,
and internal control objectives. It identifies
generic internal control objectives for the
financial reporting process and modifies them
accordingly to specifically address SOA
compliance considerations. This specialized
subset of COBIT is then mapped to the components
of the COSO framework. The end result is a
detailed IT internal control checklist that can
be used to thoroughly assess both IT general and
application-level controls for purposes of SOA-compliance
analysis.
In addition to this checklist, this document
also provides IT management with a comprehensive
road map for coordinating all aspects of their
department’s support for the company’s overall
SOA compliance activities. Beyond being an
excellent guideline for educating IT management
and personnel, it is also a valuable resource
for auditors that wish to achieve a greater
understanding of modern IT internal controls and
their relevance to SOA compliance.
Exhibit 3 and Exhibit 4 illustrate COBIT’s
relationship to the COSO internal control
integrated framework. Using COBIT as a
foundation for an SOA IT internal control
analysis methodology is logical because its open
framework encompasses an integrated approach to
enhancing enterprise IT governance and internal
control that is similar to COSO’s. COBIT was
designed to provide a consistent set of
guidelines and best practices for maintaining an
enterprise IT environment, not specifically to
support the accuracy and integrity of the
financial systems operating within this
environment.
While COBIT and the “IT Control Objectives for
Sarbanes-Oxley” discussion document derived from
it provide an excellent foundation, these
reference documents alone cannot solve all of
the problems auditors will face in determining
how the numerous IT general and
application-level internal controls detailed in
this documentation may affect a specific
organization’s financial reporting processes.
Because the COBIT IT controls are exhaustive and
often focused exclusively on IT-related issues,
not all will have relevance to a particular
company’s financial reporting processes. In
general, when COBIT is the reference, auditors
should be prepared to make a strong case for how
and why a particular IT general control chosen
for analysis or testing could potentially
uncover a deficiency that could have a
significant or material impact on the company’s
financial statements. An informed determination
about the IT general controls to focus on will
be critical to the successful completion of an
SOA audit.
Case Study
To illustrate how to isolate modern IT general
controls that could have relevance to corporate
financial statement processing functions,
consider the following characteristics of a
typical large corporation:
The company maintains multiple national offices
and distribution centers linked via WAN and VPN
connections.
All accounting, supply chain, and fulfillment
operations are fully integrated via a modern,
distributed ERP system that feeds financial
information back to a centralized mainframe in
the home office for financial processing and
reporting.
The company has internally developed an
e-commerce website that generates most of its
total sales orders. A high percentage of its
purchasing and EDI operations are also conducted
via secure trading-partner websites maintained
by vendors or independent third-party service
providers.
The company distributes the majority of its
internal financial reporting documentation
electronically to all business units in real
time via secured intranet websites and e-mailed
PDF report attachments.
For a company like this, above and beyond the
standard IT security, access control, and
accounting process walk-throughs, attention
should also be paid to the following specialized
IT general and application level control areas:
Network infrastructure. In distributed IT
environments, particularly those utilizing
remote-access technologies, security
considerations go well beyond analyzing basic
network and application-level user access
parameters. A thorough analysis of IT controls
in this area would include a review of firewall
configuration parameters, network intrusion
detection and monitoring provisions, network
performance monitoring activities, network
configuration and administration functions, data
classification and encryption standards, e-mail
and antivirus filtering provisions, business
continuity provisions, and critical third-party
service provider reliability. Because any weak
link in the chain of a company’s network
infrastructure could jeopardize the company’s
financial data, a key deficiency in this area
could ultimately have a significant effect on
the company’s financial statement production
process.
Another key issue is the role the network plays
in supporting corporate communications.
Information and communication represents one of
the key COSO elements in establishing an
integrated framework of internal control. Any
significant deficiencies that could compromise
reliable information exchange and corporate
communications could also represent a key
internal-control concern.
ERP configuration and business continuity.
Modern ERP and accounting systems are capable of
fully automating and integrating many highly
complex business processes and centrally
regulating and monitoring a broad array of
financial and accounting system controls. No two
vendors’ ERP or accounting applications are
alike, and many can be extensively customized to
support specialized vertical industry
requirements. Detailed knowledge of the control,
security, and workflow configuration parameters
particular to the specific ERP and accounting
software applications in use is critical in
analyzing how effectively these systems support
the company’s internal controls over financial
processes and procedures.
In the example above, all internal accounting
operations are being processed centrally via the
home office’s mainframe. This affects the
company’s ability to produce accurate financial
reports on a timely basis should an unplanned
business interruption make this system
unavailable for an extended time. As a result,
an IT internal-control review should ascertain
whether the company has performed a formal
business-impact analysis or risk-assessment
study on its mission-critical business systems,
and whether adequate business continuity
provisions have been established.
Web-based application development
considerations, and third-party reliance. As
companies continue to migrate mission-critical
business applications to the web and integrate
web-based applications with back-end accounting
systems, the technical sophistication necessary
to effectively evaluate and test related
internal controls has grown considerably.
Companies employ dozens of different database
and application development tools in building
their websites. Insofar as these websites
increasingly support critical financial
operations that could have a material impact
upon the company’s financial reporting
processes, they represent a key point of
concern.
When analyzing web-based application
development, auditors should focus on the
methodology the company is employing to monitor
and regulate website development and
maintenance. Are these activities being properly
administered, tracked, and audited? Are
web-based applications tested thoroughly prior
to introduction? Are encryption standards
implemented to protect sensitive data? Are
adequate reconciliation procedures in place to
ensure that online financial transactions are
correctly recorded on a timely basis in the
company’s back-end accounting systems? Are the
underlying databases adequately secured to
prevent unauthorized access and manipulation of
data prior to their entry into the accounting
system? Are any key third-party service
providers or business partners utilized to
support web-based business activities, and are
their systems secure?
Paperless Financial Reporting Systems
Implementing real-time financial management and
paperless reporting systems can dramatically
enhance the efficiency of an enterprise’s
operations. While helping make companies more
nimble, the increasing adoption of these
technologies has robbed auditors of ready access
to the paper trails that have traditionally
supported their analysis and testing of internal
controls.
To successfully analyze IT controls surrounding
dynamic systems and paperless environments,
auditors must acclimate themselves to
specialized data extraction and analysis tools
and work directly with the live data that reside
on these systems. Walk-throughs of financial
reporting functions will require a detailed
understanding of the underlying databases,
scripts, applications, and electronic reports
generated by these systems. Auditors must also
analyze the automated internal control
procedures that have been programmed into these
applications to perform data integrity checks,
including exception handling, error tracking,
and reconciliation functions, as well as the
e-mail and intranet-based workflow automation
processes utilized to streamline financial
reporting.
While by no means exhaustive, these illustration
issues identify various general IT controls that
could have a material impact on financial
statements. It is necessary to have a clear
understanding of the relationship between these
IT general controls and the financial processes
they support within the organization’s overall
framework of internal control.
--------------------------------------------------------------------------------
Sid M. Edelstein, CPA, is a principal and
director of IT services at Cornick, Garber &
Sandler, LLP, New York, N.Y. He would like to
thank Malcolm Schwartz, one of COSO’s original
authors, for his review and comments. |
< Back
|
|
|
     
Published in the December 2004 issue of The CPA Journal!
 |
