Tuesday, December 21, 2004

Sarbanes Oxley: What to Control and How?


When sections 404 and 409 of the Sarbanes Oxley Act of 2002 were written, they were originally designed to encompass financial controls only. Kept well within the realm of the internal audit staff, the rules were designed to ensure the accuracy of the financial reporting at each month end. What the PCAOB (Public Company Accounting Oversight Board) quickly realized was that the controls that affect the month end financial reporting stretch well beyond the internal audit group and into the very operations of the organization. Daily changes in the physical environment of a company rarely hit the financial statements until journal entry postings, consolidation and reconciliation are completed at month end. This is especially true for larger organizations that have to gather data sometimes from the other side of the world.

Groups that have been performing the internal compliancy work in these organizations have quickly realized that failures in the underlying processes within organizations are more often the cause of catastrophic corporate collapse. Undisclosed ownership structures that reduced the reported level of debt and risk and overstated revenues were the biggest single failure points at Enron. But the ability to establish structures such as those that brought down the major energy trader rested well outside the realm of financial disclosure rules and regulations. It rested with the executive ethics and oversight committees that were never created at Enron and were never supported by the board. As in this example, there is a wide variety of significant continuity threats in organizations that the PCAOB and the SEC could interpret as failure points requiring control mechanisms. One such area is the operations and policies governing the Information Technology assets of the organization and its external IT suppliers.

How IT Operations Can Fail Sarbanes 404/409

Sarbanes 404 states that management must make a clear declaration of its responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, together with an assessment of the effectiveness of the issuer's internal control structure and procedures for financial reporting.

Sarbanes 409 states that boards must disclose to the public, in real time, information concerning material changes in the financial condition or operations of the issuer, including trends.

Impact of/on IT:
Both of these sections rely on control over the physical processes within organizations. Without controls on the information infrastructure, the company will be unable to declare and assess that its controls over financial reporting are effective, simply because the information generated for the financial postings is derived from the physical activities of the organization, and those activities are controlled by these very systems.

It is those systems and those physical flows that require the same level of control infrastructure and testing if management is to attest to the effectiveness of its entire controls structure. For example, a chief operations officer who has been delegated the authority to book income on delivery of goods or services can easily manipulate the revenue figures by altering the derived delivery date within systems (which may fall under his control) to match the contract signing date. The result may be booked income that is not actually realized until a later period, where it should have been recorded, and possibly without any corresponding offset. A control that limits the individual's capacity to alter system functions can effectively eliminate the potential need for a restatement and the negative public impact of such an event. The test plan would incorporate a functionality test in which the auditors attempt to alter the system's invoicing date functionality using the COO's security level. A failure to alter the date results in a 'pass' on the test, which is then documented complete with the test plan and outcome, process chart, control report and sign-off.
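The control and test described above, written out as an added example that is not part of the original article: a booked order carries a field-level authorization matrix and an audit trail, and the auditor's test attempts the delivery-date change with the COO's security level and passes only if it is refused and logged. The roles, field names and sample order are constructed for illustration.

```python
# Added example (not from the article): an order record with a field-level authorization
# control, an audit trail, and the auditor's test from the text. Roles and data are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Which fields each role may change on a booked order. The COO role deliberately gets
# no rights on 'delivery_date', so whoever books income cannot pull its timing forward.
EDITABLE_FIELDS = {"coo": set(), "logistics": {"delivery_date"},
                   "controller": {"delivery_date", "amount"}}

class ControlViolation(PermissionError):
    """A user attempted a change that their security level does not allow."""

@dataclass
class Order:
    order_id: str
    contract_date: str            # ISO-8601 dates compare chronologically as strings
    delivery_date: Optional[str]
    amount: float
    audit_trail: list = field(default_factory=list)

    def update(self, user: str, role: str, field_name: str, new_value) -> None:
        """Apply the change only if the role may edit the field; log every attempt."""
        allowed = field_name in EDITABLE_FIELDS.get(role, set())
        # Refused attempts are logged too: the trail is the evidence for the control report.
        self.audit_trail.append({"user": user, "role": role, "field": field_name,
                                 "old": getattr(self, field_name, None),
                                 "new": new_value, "allowed": allowed})
        if not allowed:
            raise ControlViolation(f"role {role!r} may not change {field_name!r}")
        setattr(self, field_name, new_value)

    def recognizable_revenue(self, as_of: str) -> float:
        """Income counts only once delivery happened on or before the reporting date."""
        delivered = self.delivery_date is not None and self.delivery_date <= as_of
        return self.amount if delivered else 0.0

def sample_order() -> Order:
    """Constructed order: contract signed in December, delivery due in January."""
    return Order("ORD-0001", "2004-12-20", "2005-01-15", 10000.0)

def auditor_test(order: Order) -> bool:
    """Try to set delivery_date to contract_date through the COO's security level;
    a refusal that leaves the record unchanged is a 'pass' on the test."""
    before = order.delivery_date
    try:
        order.update("coo_user", "coo", "delivery_date", order.contract_date)
    except ControlViolation:
        return order.delivery_date == before and order.audit_trail[-1]["allowed"] is False
    return False  # the change went through: the control failed
```

With the sample order, December revenue stays at zero after the refused attempt, and only a role that legitimately owns the delivery date can move it into the period.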

There are numerous areas that can be tested to this level of detail across all physical functions within an organization. However, narrowing the controls to those functions that have a material impact on the financial statements greatly reduces the workload on companies trying to comply with 404. Section 409, on the other hand, requires less of an actual control and more an ability for the organization to obtain "real time" information from systems on the physical flows and inventories of that particular company or division. Controls and real-time information, however, are not the complete picture.

The Role of Policy in 404/409

Policy is a very strong tool for organizations working toward compliancy. Policy forms the statement of intention that provides a strong indication of management's work toward compliancy. For example, an organization that is attempting to 'lock down' potential ethical misdoings by its executives would be well advised to start by creating a comprehensive ethics policy for the organization and then have each executive sign the policy as part of their agreements. This won't control the behaviour of executives who would breach ethical guidelines, but it will send a clear message that the organization does not condone specific types of activities. The addition of an oversight committee and a 'whistleblower' mechanism further strengthens the position that the company is seriously backing the controls structure. Now, as individual and detailed controls are added, the organization is well placed to provide attestation. The same type of policy must be formally created and accepted by the board regarding the operations of the information systems infrastructure. Without an overriding policy on such things as physical IT security, the attestation of the controls will be ineffective.

Seven Important IT Control Considerations

  1. Create an information security policy that governs both physical and virtual access to systems. Back it up with physical stress tests of the security infrastructure such as ethical hacking, rogue RF detection, a portable device policy and planned security breaches. Ensure the policy regulates such things as password rotation, authorization levels, functional security control mechanisms, audit trails, etc.
  2. Create a policy regarding outsourced and supplied IT functions relating to such aspects as the protection and control of sensitive information, the level of SOX compliance from support organizations, new software controls policy, upgrade and test reporting policies, etc. Ensure that a formal digital rights policy is in place for the organization as well as a public information control and release policy.
  3. Identify each sub-system that has the potential to materially affect the financials or other systems and provide an assessment of the risk for each one. Use this list to identify the most critical systems and controls and apply resources to those first.
  4. Create a hot site, back-up and failover policy along with a testing and failover operational guide. Remember that backups must be periodically tested to ensure that critical systems have the redundancy required for continuity and for limiting material impact.
  5. Provide an audit capability over change, update and testing processes to ensure that standards are upheld and that the effects of rogue activities are minimized.
  6. Map each of the physical control processes in the IT department and ensure that the correct level of responsibility and oversight is applied. Test the controls by following and auditing the processes utilizing any audit trails available or mapping current activities.
  7. Perform tests of system accuracy, completeness and appropriate authorization of physical data that is materially relevant. Ensure such factors as numerical sequencing, separation of duties, physical reconciliations and exceptions are tested, performed, managed and overseen.

The information infrastructure of an organization is a critical component to compliancy for 404 and 409. Without an assured amount of testing and controls, the management will not be able to certify the controls processes with any level of certainty. The failure to adequately test the system controls will provide the next level of issues regarding Sarbanes Oxley compliance and will undoubtedly lead to stronger regulations regarding underlying systems and processes.
