Sustaining Sarbanes-Oxley IT Internal Controls

By: Ecora Software
Published: Jun 29, 2006
Length: 19
Type: White Paper
Overview:
Our guide shows you how automation can create a sustainable control and reporting system – a must-have with mandated quarterly and annual assessments. If you've already prepared for, and experienced, your first Sarbanes-Oxley audit, you'll want to read this guide on sustainability.
Related categories: Compliance, Database Security, Information Management, Sarbanes Oxley Compliance
Sarbanes-Oxley is the most comprehensive financial regulatory law in US history. It places responsibility for accurate and reliable corporate financial reporting in the hands of the CEO and CFO. It holds senior management specifically responsible for any and all shortcomings. Senior managers are now responsible for the design, implementation, and internal assessment of internal controls for financial reporting. In today’s world a significant part of those controls is embedded in the IT department.

The first (and much delayed) deadlines have come and gone. Despite the pain of meeting the deadline, many companies are now seeing the benefits of comprehensive internal examination of the processes, systems, and people involved in financial reporting systems. Companies have now experienced what Sarbanes-Oxley means in terms of compliance. For most it was a time-consuming, intense exercise. The resources required to meet compliance deadlines exceeded most people’s estimates. Big accounting firms tagged the average cost of compliance at $7.8 million.

If you’re not hearing a collective sigh of relief, it’s because most executives realize that the challenge of sustaining SOX compliance will require substantial additional resources. SOX requires both annual and quarterly audits of management’s assessments of internal controls. This means that internal control tests and reporting need to be on-going. Solutions must be found and implemented that make compliance sustainable without huge investments of time and resources.

From a corporate perspective this means a wide range of institutional, process, and behavioral change must occur. In IT – in some ways – this is a more straightforward proposition. Tools are available that can automate significant parts of IT internal controls. This paper explores what is required for IT to build a sustainable system of IT general controls.

We provide a working model that takes the pain out of the detailed, mundane tasks associated with collecting and reporting on data that auditors require. We’ve taken our experience with customers and relevant research to develop some working guidelines for designing, testing, and documenting IT internal controls.

We’ll also give a brief overview of the Sarbanes-Oxley law. Our focus is on IT general internal controls. This document is not intended as a Sarbanes-Oxley silver bullet. Its intent is to provide some templates that IT managers can use to build a complete sustainable IT general internal control structure.

Sarbanes-Oxley Overview
The Sarbanes-Oxley Act of 2002 was fashioned to protect investors by requiring accuracy, reliability, and accountability of corporate disclosures. It requires companies to put in place controls to inhibit and deter financial misconduct. And it places responsibility for all this – unambiguously – in the hands of the CEO.

Failure to comply with Sarbanes-Oxley exposes senior management to possible prison time (up to 20 years), significant penalties (as much as $5 million), or both. Sarbanes-Oxley is one of the most complete American corporate anti-crime laws ever. It focuses on and proscribes a range of corporate misbehavior such as altering financial statements, misleading auditors, and intimidating whistleblowers. It doles out harsh punishments and imposes fines and prison sentences for anyone who knowingly alters or destroys a record or document with the intent to obstruct an investigation.

Sarbanes-Oxley is clear on what it disallows, and sets the tone for proper corporate conduct. It does not, however, detail how to become compliant. It leaves the bulk of that decision and definition in the hands of individual businesses. This flexibility is a plus in that it provides wide latitude in compliance. However, the lack of detail has created some confusion as to what constitutes appropriate controls.

Yet, the cost associated with lack of compliance is very real. Moody’s Corp. has taken negative credit action against 20% of companies it covers that reported material weaknesses in their controls.

Much of the discussion about Sarbanes-Oxley as it relates to IT focuses on two sections: 302 and 404. In addition, the Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard No. 2 which provides detailed guidance to auditors of Sarbanes-Oxley compliance.

N. B. PCAOB recently (4/15/05) acknowledged the difficulty and cost associated with 404 compliance and indicated it would be reviewing standards and issuing new guidance and perhaps reopening the rule.
