IT Issues Organizations Must Address in the Face of SOX
Published: 25 March 2005   Author: Rod Scott   Source: original to this site
Abstract:

As organizations document their internal controls for Sarbanes-Oxley, they will inevitably determine that the general controls over information technology, and some application controls, must be assessed. Since much of their financial reporting rests on information and controls provided by information technology, a lack of internal controls in IT could call into question any of the financial reporting controls. In order to attest to the internal control of the organization, the CFO and CEO will therefore have to assess both the adequacy of the general controls of the information technology (IT) environment and the application controls of the financial reporting systems.

In many cases, the assessment of general controls of the IT environment will be the first time this has been done comprehensively for the organization. It is likely that some internal control weaknesses will be discovered and will require the attention of the CFO and CEO to remediate.

In one organization, a control assessment of Information Technology for Sarbanes-Oxley found the following control weaknesses.

I. Physical Security
The room housing the computer equipment for the corporate offices was located in the middle of one floor of leased office space in a multi-story building shared with several other companies, with remote security via closed-circuit television. The sprinkler system for the computer room was the same water-based system used for the entire floor and building. This meant that a minor fire anywhere on the floor, a careless smoker in the lavatory for instance, could set off the sprinklers, drench the computer equipment and cause a protracted outage of the business systems for a large portion of the organization. In addition, the walls of the computer room were simply floor-to-ceiling partitions with no fire-resistant materials, vulnerable to physical destruction.

The only backup to the building's power supply was an Uninterruptible Power Supply (UPS) for the computer equipment that would provide about thirty seconds of power: just enough time to shut the equipment down without damage, not enough to keep the business systems running through an outage.

II. Business Continuity Plan
Compounding the problem, although an excellent business continuity plan had been written, none of the portions of the plan requiring action or the expenditure of money (e.g. contracting for a cold site) had been executed. The plan was therefore not functional. This, coupled with the physical security weaknesses discussed above, exposed the organization to a severe financial crisis should an outage occur.

III. Record Retention
The organization was not in compliance with the Sarbanes-Oxley requirement to retain, "for a period of not less than 7 years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report." Retention of electronic records was not addressed in the Record Retention policy, and as a consequence several procedural weaknesses were discovered. One example: the purging of business records was controlled at each site independently, which had led to the accidental purging of all historical records through 2001 at one site.

IV. Managing Change
Although there were clearly distinct development jobs and operations jobs, there was no separation of duties between them, which would have reduced the risk of introducing uncontrolled change into the production environment.

V. Dependence on Third-party Resources
Critical financial systems depended on third parties. The source programs were retained off-site by the third party, the third party had a 24/7 connection from an off-site location, and there were no change control procedures limiting the third party's access to the program libraries. The third party also held security administration privileges over the production data environment.
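Sections IV and V both come down to questions an assessor can check mechanically against an access export and a change log: does any one identity hold entitlements that should be split between people, which of those entitlements sit with a vendor, and was any change promoted into production by its own author or without an approved ticket. The script below is an added example (not the article's and not the assessed organization's); the entitlement labels, account names, rule list and log rows are all constructed for illustration, and the checks generalize the two findings in the text to any access export in the same shape.

```python
"""Segregation-of-duties and change-promotion checks over a constructed
access export and promotion log. Added example; labels and data are
hypothetical and stand in for whatever the real security system exports."""
from collections import defaultdict

# Hypothetical entitlement labels for a program-library change process.
DEV_WRITE = "dev_library:write"        # edit source in the development library
PROD_PROMOTE = "prod_library:promote"  # move programs into the production library
PROD_WRITE = "prod_library:write"      # edit production programs directly
SEC_ADMIN = "security:admin"           # grant or revoke access for others
PROD_DATA = "prod_data:write"          # alter production financial data

# Entitlement combinations that one identity must never hold together.
SOD_RULES = [
    (frozenset({DEV_WRITE, PROD_PROMOTE}), "develops a change and promotes it without a second person"),
    (frozenset({DEV_WRITE, PROD_WRITE}), "can bypass promotion by editing production programs"),
    (frozenset({SEC_ADMIN, PROD_DATA}), "can grant itself access and alter production data"),
]
# Entitlements that should stay with the organization's own staff, never a vendor.
ORG_ONLY = frozenset({SEC_ADMIN, PROD_WRITE, PROD_PROMOTE, PROD_DATA})

# Constructed access export: (account, owner type, entitlement).
GRANTS = [
    ("jdoe", "employee", DEV_WRITE), ("jdoe", "employee", PROD_PROMOTE),
    ("ops1", "employee", PROD_PROMOTE),
    ("vendor_svc", "vendor", SEC_ADMIN), ("vendor_svc", "vendor", PROD_DATA),
    ("vendor_svc", "vendor", DEV_WRITE), ("vendor_svc", "vendor", PROD_WRITE),
    ("acct2", "employee", PROD_DATA),
]

# Constructed promotion log: (change id, program, author, promoter, approved ticket?).
PROMOTIONS = [
    ("C-101", "GLPOST", "jdoe", "jdoe_mgr", True),
    ("C-102", "APPAY", "jdoe", "jdoe", True),                 # author promoted own change
    ("C-103", "GLCLOSE", "vendor_svc", "vendor_svc", False),  # vendor, self-promoted, no ticket
]


def sod_violations(grants, rules=SOD_RULES):
    """Return (account, owner, conflicting entitlements, reason) for every rule an account trips."""
    held, owner = defaultdict(set), {}
    for account, who, ent in grants:
        held[account].add(ent)
        owner[account] = who
    findings = []
    for account in sorted(held):
        for combo, why in rules:
            if combo <= held[account]:          # account holds every entitlement in the combo
                findings.append((account, owner[account], tuple(sorted(combo)), why))
    return findings


def vendor_org_only_grants(grants, org_only=ORG_ONLY):
    """Entitlements held by vendor accounts that the organization should keep in-house."""
    return sorted((acct, ent) for acct, who, ent in grants if who == "vendor" and ent in org_only)


def promotion_exceptions(promotions):
    """Promotions into production that lack a second person or an approved ticket."""
    out = []
    for cid, prog, author, promoter, ticket in promotions:
        reasons = []
        if author == promoter:
            reasons.append("author promoted own change")
        if not ticket:
            reasons.append("no approved change ticket")
        if reasons:
            out.append((cid, prog, reasons))
    return out


if __name__ == "__main__":
    for f in sod_violations(GRANTS):
        print("SoD:", *f)
    for g in vendor_org_only_grants(GRANTS):
        print("Vendor holds org-only entitlement:", *g)
    for e in promotion_exceptions(PROMOTIONS):
        print("Promotion exception:", *e)
```

On the constructed data the script flags jdoe for holding both development write and production promote, flags the vendor account twice (direct production edit alongside development write, and security administration alongside production data), lists the three org-only entitlements the vendor holds, and reports C-102 and C-103 as promotions that lacked a second person. The rule list is the part an assessor would tailor to the real system; the rest is the same for any export with account, owner and entitlement columns.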

The CIO assured the CFO that his organization had good reasons for not providing better controls, primarily cost and staff limitations. Implied in the CIO's response was a general disregard for the need for the controls identified. The complexity of information technology makes it difficult for the CFO to understand and act on IT issues without the cooperation of the CIO. However, independent reviews can highlight areas where increased involvement and understanding are required, and internal audit can often provide this monitoring.

When the organization's public accountant reviewed the assessment report, he found nothing "material" to the internal controls of the organization. This seemingly cavalier attitude toward the severity of IT control weaknesses may stem from a lack of understanding of the control nuances of information technology, or it may be "business as usual" for public accounting firms. Whichever is the case, it raises concern about how well the public accounting sector understands the threat that IT weaknesses pose to an organization's internal control, and about the right of investors to be apprised of serious weaknesses in this aspect of an organization's controls.

The abdication of responsibility and the lack of understanding of accounting by management at Enron led to its off-book transaction fiasco. It can be argued that understanding control nuances in information technology is even more taxing for financial professionals. Information technology now represents a large percentage of capital expenditures and an even larger percentage of business process functionality and information. Without emphasis on IT governance by boards of directors, this area may be the next fiasco that drives government to turn to Sarbanes-Oxley-type regulation to resolve.

One has to wonder what IT threat would ever be considered a significant deficiency or material weakness under the Public Company Accounting Oversight Board (PCAOB) standards. With a reported profit of million annually, this company with IT control weaknesses could easily lose 10% or more of its bottom line to any one of the reported threats. "Not material"? Isn't this type of unknown exposure exactly what the Sarbanes-Oxley Act is trying to prevent? Doesn't a potential loss of 10% of net profit constitute materiality?

The PCAOB has provided good examples of material weakness in its proposed standards. However, none of them offers external auditors a baseline for evaluating IT threats to internal control. We need examples that could be used to judge the magnitude of control weaknesses discovered during the assessment of general controls in the IT environment.

The closest example offered by the proposed PCAOB standards is Example D-3 in Appendix D, "Examples of Material Weaknesses and Significant Deficiencies":

Example D-3 - Identification of Several Deficiencies
Scenario A - Material Weakness.
During its assessment of internal control over financial reporting, management identified the following deficiencies. Based on the context in which the deficiencies occur, management and the auditor agree that these deficiencies individually represent significant deficiencies:

- Inadequate segregation of duties over certain information system access controls.
- Several instances of transactions that were not properly recorded in subsidiary ledgers; transactions were not material, either individually or in the aggregate.
- A lack of timely reconciliations of the account balances affected by the improperly recorded transactions.

Based only on these facts, the auditor should determine that the combination of these significant deficiencies represents a material weakness for the following reasons: Individually, these deficiencies were evaluated as representing a more than remote likelihood that a misstatement that is more than inconsequential, but less than material, could occur. However, each of these significant deficiencies affects the same set of accounts. Taken together, these significant deficiencies represent a more than remote likelihood that a material misstatement could occur and not be prevented or detected. Therefore, in combination, these significant deficiencies represent a material weakness.
If "segregation of duties over certain information system access controls" can contribute to a material weakness when combined with other deficiencies affecting the same accounts, why wouldn't similar deficiencies in security administration, which can affect all financial reporting systems at once, constitute a material weakness on their own?

Likewise, why wouldn't a lack of separation of duties in the management of change to the production program libraries be able to affect all financial reporting systems? Such a gap provides the opportunity for fraud, or can result in a loss of integrity, reliability or availability in those financial reporting systems.

The standards went so far as to explain that a collection of significant deficiencies can constitute a material weakness, and that significant deficiencies that remain uncorrected can also constitute a material weakness. Both are conditions that occur frequently in IT environments.

Hopefully, the PCAOB will broaden its vistas to include information technology rather than just the accounting aspects of Sarbanes-Oxley. The world has changed, and information technology is the vehicle by which financial reporting is created, analyzed and reported. Control weaknesses in information technology can affect the whole organization, not just financial reporting, and from an investor's viewpoint the business can be at extreme risk.

Rather than trying to couch all control issues in accounting terminology, the PCAOB must open the dialogue to include the technology issues that are well known in security and IT audit circles. Recognizing that there are indeed information technology issues that should be reported to investors would be a first and important step. External auditors may need guidance as to what constitutes a material weakness in IT general controls or application controls. Providing a baseline in the PCAOB standards would ensure that a Sarbanes-Oxley assessment does not attest to a level of financial control that cannot be supported because of material weaknesses in information technology.
