Sarbanes-Oxley Compliance for Nonaccelerated Filers: Solving the Internal Control Puzzle

By Sid M. Edelstein
No business legislation in recent history has elicited a broader range of reaction among financial professionals than the Sarbanes-Oxley Act of 2002 (SOA). While SOA clearly presents compliance challenges for public companies of all sizes, for many smaller, nonaccelerated filers these challenges can seem all but insurmountable. For some, this perception can lead to willful denial that compliance requirements extend to them. For others, it typically yields token efforts at compliance that often fall short. Neither is a good response. Unfortunately, many smaller companies lack the internal resources and specialized expertise necessary to successfully address all of the complexities associated with comprehensive SOA compliance.

Much of the standard professional auditing literature and available guidelines focuses almost exclusively on the objective analysis of accounting system control activities that support the financial reporting process. As a result, many auditors may find themselves ill equipped to address some of the more subjective and technically unfamiliar internal control aspects of SOA compliance audits: internal control framework development methodologies, the risk assessment activities on which they depend, and the information technology (IT) and business process automation systems that facilitate them.
Because business technology plays a major role in most companies’ internal control activities, this article focuses on IT-related aspects of SOA compliance that are not commonly addressed in typical accounting literature. Such IT aspects include the COBIT IT internal control and governance framework, as well as IT general controls that can potentially impact the accuracy and timeliness of a company’s financial reporting processes. The historical development of COSO’s Internal Control–Integrated Framework and an overview of its key elements form the conceptual underpinnings of corporate internal control systems.
A Short History of Decay

Sarbanes-Oxley is not the first time that government has tried to protect the public from corporate malfeasance. A similar spate of high-profile corporate scandals in the 1980s prompted the establishment of the Treadway Commission, which laid the foundation for a variety of meaningful accounting and financial reporting reforms. Today’s SOA provisions are the direct descendants of these reforms. They are also only the first round in what is likely to become an ongoing legislative effort to improve corporate governance and accountability.

The Treadway Commission’s charter recognized the need to improve corporate internal control over financial recordkeeping and accounting practices. The task of addressing this issue fell to a group of private organizations known as the Committee of Sponsoring Organizations (COSO). COSO’s primary contribution to the Treadway Commission’s efforts was the development of an open, integrated framework for analyzing and improving the effectiveness of internal controls. Officially published in 1992, COSO’s Internal Control–Integrated Framework has become the de facto standard for internal control analysis and reporting. While leaving the door open to other potential internal control development frameworks, both the SEC and the PCAOB have specifically sanctioned the COSO framework as an appropriate guideline for SOA-compliant internal control analysis, development, and documentation.
Overview of the COSO Integrated Framework

The conceptual underpinnings of the COSO framework are quite simple and based upon the following observations:

- Every business has numerous operational objectives that it must accomplish in order to be successful.
- Every operational objective contains various inherent quantitative and qualitative risks to its achievement.
- The potential consequences of these risks should be reduced, wherever possible and practical, by instituting “integrated” internal controls.

COSO defines five key elements of an integrated, or comprehensive, framework of internal control as follows:

- Control environment. Executive management and corporate governance bodies must ensure that appropriate corporate ethics and values are established and enforced at the executive level and effectively instilled throughout the entire organization. If this “tone at the top” is not successfully established, the entire system of internal control can be easily undermined and susceptible to fraud and inaccurate financial reporting.
- Risk assessment. Efforts must be made to analyze, define, and document the qualitative and quantitative risks for all key business units and processes involved in achieving the organization’s business objectives. Accurate risk assessment is perhaps the most critical element in establishing an effective framework of internal control. It serves to highlight and isolate those specific business units and processes which present the greatest risk to the organization’s operational goals, and thereby helps focus and prioritize the creation of the organization’s overall internal control framework.
- Control activities. Once all internal control objectives have been established and their risks have been accurately assessed, specific safeguards, processes, and procedures must be developed and implemented to reduce or mitigate the defined risks to all critical internal control objectives. Many internal control analysis, testing, and reporting functions tend to focus almost exclusively upon control activities, because they lend themselves to objective analytical criteria. The danger, however, is that effective control activities in and of themselves do not ensure that the organization has implemented an effective system of internal controls. All five COSO components must be present to ensure that these control activities function correctly and consistently over time.
- Information and communication. Information and communication channels that support internal control objectives must be available and understood by all members of the organization as well as all necessary external entities (e.g., boards of directors, audit committees). Open internal and external communications are vital to internal control because they support the checks and balances that ensure the integrity of the control environment as well as the effectiveness and consistent application of control activities.
- Monitoring. The organization must ensure that all internal control objectives are continuously monitored, regularly tested, and revised as necessary to support changing business conditions. An effective internal control system must be dynamic and adaptable. As business technology continues to evolve, the pace of business grows exponentially faster and becomes more difficult to control. If the organization does not have a methodology in place for accurately measuring and benchmarking the effectiveness of its internal control procedures over time, these controls can quickly become outdated and ineffectual.

COSO affirms that an integrated internal control framework must take all of these elements into account and include control objectives that effectively address each of them. In other words, the effectiveness of a company’s overall system of internal controls could be severely compromised if any one of these five key components is lacking in its design or execution.

COSO also requires that the development of control objectives incorporate a scope that encompasses the following three functional considerations:

- Operations: Improved operational efficiencies.
- Financial reporting: Accuracy and timeliness of the financial reporting process.
- Compliance: Adherence to all corporate legal and regulatory responsibilities.

Finally, COSO requires that control objectives based upon the guidelines detailed above be developed for all business units as well as all key business processes conducted within these units. This ensures that the control framework is designed to encompass both company-wide and process-specific operational control objectives. (Exhibit 1 and Exhibit 2 present a graphical representation of the COSO framework and an example of typical COSO internal control documentation.)
IT Support

While most IT departments are actively engaged in supporting their organization’s internal controls over financial reporting, and many do so effectively, few are well versed in the disciplines and procedures necessary to adequately substantiate or document these activities in accordance with COSO or SOA requirements. This presents a significant dilemma because, in most public companies, IT departments bear a great deal of responsibility for ensuring the accuracy, integrity, and availability of the transactional data used in financial statements.

The PCAOB has recommended that in making a determination regarding which controls should be tested for Sarbanes-Oxley compliance, auditors must consider “controls, including information technology general controls, on which other controls are dependent” (PCAOB Release 2003-17).

By and large, most auditors already have some experience analyzing IT “application-level” internal controls; analysis of these controls has been included in standardized audit procedural guidelines for a number of years and has already been incorporated into the testing and walk-through procedures typically conducted during the course of a normal audit. Analyzing “general” IT controls, however, requires a level of IT knowledge and technical expertise that goes well beyond what most internal and external auditors have been trained for.

General IT controls can potentially encompass the entire spectrum of an organization’s IT operations, and many of these controls, along with the systems which support them, may not be adequately documented for purposes of SOA compliance. The auditor’s judgment and discretion must be applied in order to segregate those general IT controls which could potentially have a significant or material impact on any given company’s financial reporting processes. Once these high-risk controls have been successfully isolated, auditors should be prepared to provide guidance to IT department management and personnel in developing appropriate IT general control documentation and testing procedures to support ongoing SOA compliance activities.
The Changing IT Environment

Unfortunately, the COSO Internal Control–Integrated Framework provides little guidance regarding general IT controls, because IT environments have changed dramatically since its publication. When COSO’s integrated framework was initially released, the typical enterprise IT environment was centralized and composed primarily of customized, legacy business applications. The most significant risks these systems represented to the integrity of financial data and reporting related to internal controls over application development, data entry, and system access.

In the COSO framework example documentation itself, only a handful of pages deal specifically with internal controls over IT operations, and these are nearly exclusively devoted to the aforementioned controls. While these IT internal control issues still exist and are a key focal point in any SOA control analysis, they represent only the tip of the iceberg with respect to today’s financially relevant general IT controls.

Since the introduction of COSO’s Internal Control–Integrated Framework, enterprise IT environments have grown exponentially more complex and decentralized. Sophisticated e-mail systems and web-based technologies now handle much of the financial information and corporate communications that were once conducted manually and left paper trails. Generic accounting software applications and integrated ERP systems have sophisticated financial controls that can be configured to dynamically ensure the security, availability, and integrity of financial data.

Analyzing access security parameters and data-entry batch controls is no longer enough to ensure the accuracy and integrity of a company’s financial data. Modern business technologies have enabled companies to conduct transactions in real time on a plethora of disparate processing platforms. As companies continue to leverage modern business technologies, both the pace and the breadth of financial data processing continue to increase. Corralling this financial data flow will be critical to successfully controlling its accuracy and integrity in the future.
COBIT: The COSO of IT

The dizzying array of modern business technology available can differ dramatically in its potential impact on a given company, but the technology itself only represents part of the equation. What about the IT control environment is necessary to successfully manage and maintain these sophisticated IT systems?

Modern IT environments often require teams of highly skilled management and technical personnel to operate efficiently. Are there enough personnel qualified to perform these duties effectively? Is their training maintained on an ongoing basis in order to ensure continuous support for the company’s growing IT systems? Are effective change-management policies and procedures in place to coordinate ongoing system enhancements? Does the high-level system access to financial applications and databases that IT personnel need present a significant internal control issue?

These and countless other issues with respect to IT governance also break new ground for auditors that must now, for SOA-compliance attestation, form an opinion as to the effectiveness of the general IT controls upon which other financial internal controls depend.

The IT Governance Institute has published a discussion document, “IT Control Objectives for Sarbanes-Oxley,” which provides what may be the only comprehensive methodology for assessing both general and application-level IT controls in support of SOA compliance (available from www.isaca.org). The work is based upon COBIT, a detailed set of professional guidelines for establishing effective IT governance, auditing, and internal control objectives. It identifies generic internal control objectives for the financial reporting process and modifies them accordingly to specifically address SOA compliance considerations. This specialized subset of COBIT is then mapped to the components of the COSO framework. The end result is a detailed IT internal control checklist that can be used to thoroughly assess both IT general and application-level controls for purposes of SOA-compliance analysis.

In addition to this checklist, this document also provides IT management with a comprehensive road map for coordinating all aspects of their department’s support for the company’s overall SOA compliance activities. Beyond being an excellent guideline for educating IT management and personnel, it is also a valuable resource for auditors that wish to achieve a greater understanding of modern IT internal controls and their relevance to SOA compliance.

Exhibit 3 and Exhibit 4 illustrate COBIT’s relationship to the COSO internal control integrated framework. Using COBIT as a foundation for an SOA IT internal control analysis methodology is logical because its open framework encompasses an integrated approach to enhancing enterprise IT governance and internal control that is similar to COSO’s. COBIT was designed to provide a consistent set of guidelines and best practices for maintaining an enterprise IT environment, not specifically to support the accuracy and integrity of the financial systems operating within this environment.

While COBIT and the “IT Control Objectives for Sarbanes-Oxley” discussion document derived from it provide an excellent foundation, these reference documents alone cannot solve all of the problems auditors will face in determining how the numerous IT general and application-level internal controls detailed in this documentation may affect a specific organization’s financial reporting processes.

Because the COBIT IT controls are exhaustive and often focused exclusively on IT-related issues, not all will have relevance to a particular company’s financial reporting processes. In general, when COBIT is the reference, auditors should be prepared to make a strong case for how and why a particular IT general control chosen for analysis or testing could potentially uncover a deficiency that could have a significant or material impact on the company’s financial statements. An informed determination about the IT general controls to focus on will be critical to the successful completion of an SOA audit.
Case Study

To illustrate how to isolate modern IT general controls that could have relevance to corporate financial statement processing functions, consider the following characteristics of a typical large corporation:

- The company maintains multiple national offices and distribution centers linked via WAN and VPN connections.
- All accounting, supply chain, and fulfillment operations are fully integrated via a modern, distributed ERP system that feeds financial information back to a centralized mainframe in the home office for financial processing and reporting.
- The company has internally developed an e-commerce website that generates most of its total sales orders. A high percentage of its purchasing and EDI operations are also conducted via secure trading-partner websites maintained by vendors or independent third-party service providers.
- The company distributes the majority of its internal financial reporting documentation electronically to all business units in real time via secured intranet websites and e-mailed PDF report attachments.

For a company like this, above and beyond the standard IT security, access control, and accounting process walk-throughs, attention should also be paid to the following specialized IT general and application-level control areas:

Network infrastructure. In distributed IT environments, particularly those utilizing remote-access technologies, security considerations go well beyond analyzing basic network and application-level user access parameters. A thorough analysis of IT controls in this area would include a review of firewall configuration parameters, network intrusion detection and monitoring provisions, network performance monitoring activities, network configuration and administration functions, data classification and encryption standards, e-mail and antivirus filtering provisions, business continuity provisions, and critical third-party service provider reliability. Because any weak link in the chain of a company’s network infrastructure could jeopardize the company’s financial data, a key deficiency in this area could ultimately have a significant effect on the company’s financial statement production process.

Another key issue is the role the network plays in supporting corporate communications. Information and communication represents one of the key COSO elements in establishing an integrated framework of internal control. Any significant deficiencies that could compromise reliable information exchange and corporate communications could also represent a key internal-control concern.

ERP configuration and business continuity. Modern ERP and accounting systems are capable of fully automating and integrating many highly complex business processes and centrally regulating and monitoring a broad array of financial and accounting system controls. No two vendors’ ERP or accounting applications are alike, and many can be extensively customized to support specialized vertical industry requirements. Detailed knowledge of the control, security, and workflow configuration parameters particular to the specific ERP and accounting software applications in use is critical in analyzing how effectively these systems support the company’s internal controls over financial processes and procedures.

In the example above, all internal accounting operations are being processed centrally via the home office’s mainframe. This affects the company’s ability to produce accurate financial reports on a timely basis should an unplanned business interruption make this system unavailable for an extended time. As a result, an IT internal-control review should ascertain whether the company has performed a formal business-impact analysis or risk-assessment study on its mission-critical business systems, and whether adequate business continuity provisions have been established.

Web-based application development considerations, and third-party reliance. As companies continue to migrate mission-critical business applications to the web and integrate web-based applications with back-end accounting systems, the technical sophistication necessary to effectively evaluate and test related internal controls has grown considerably. Companies employ dozens of different database and application development tools in building their websites. Insofar as these websites increasingly support critical financial operations that could have a material impact upon the company’s financial reporting processes, they represent a key point of concern.

When analyzing web-based application development, auditors should focus on the methodology the company is employing to monitor and regulate website development and maintenance. Are these activities being properly administered, tracked, and audited? Are web-based applications tested thoroughly prior to introduction? Are encryption standards implemented to protect sensitive data? Are adequate reconciliation procedures in place to ensure that online financial transactions are correctly recorded on a timely basis in the company’s back-end accounting systems? Are the underlying databases adequately secured to prevent unauthorized access and manipulation of data prior to their entry into the accounting system? Are any key third-party service providers or business partners utilized to support web-based business activities, and are their systems secure?
Paperless Financial Reporting Systems

Implementing real-time financial management and paperless reporting systems can dramatically enhance the efficiency of an enterprise’s operations. While helping make companies more nimble, the increasing adoption of these technologies has robbed auditors of ready access to the paper trails that have traditionally supported their analysis and testing of internal controls.

To successfully analyze IT controls surrounding dynamic systems and paperless environments, auditors must acclimate themselves to specialized data extraction and analysis tools and work directly with the live data that reside on these systems. Walk-throughs of financial reporting functions will require a detailed understanding of the underlying databases, scripts, applications, and electronic reports generated by these systems. Auditors must also analyze the automated internal control procedures that have been programmed into these applications to perform data integrity checks, including exception handling, error tracking, and reconciliation functions, as well as the e-mail and intranet-based workflow automation processes utilized to streamline financial reporting.

While by no means exhaustive, these illustrative issues identify various general IT controls that could have a material impact on financial statements. It is necessary to have a clear understanding of the relationship between these IT general controls and the financial processes they support within the organization’s overall framework of internal control.
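The reconciliation question raised for the web-based case study (are online transactions correctly and promptly recorded in the back-end accounting system?) and the automated integrity checks just described are easier to evaluate when an auditor can see what such a programmed control actually does. The following is an added illustration, not code from the article or from any product it mentions: a small reconciliation control that matches an e-commerce order feed against general-ledger postings by reference number and classifies every discrepancy (missing, mismatched, late, or orphan postings). The two data sets, the field names, and the one-day timeliness window are constructed assumptions chosen to exercise each exception type.

```python
"""Automated reconciliation control between an e-commerce order feed and
back-end accounting postings.

Added illustration (not from the article): the two data sets, field names
and the timeliness window below are constructed assumptions, chosen to show
the kind of exception report an auditor would expect such a control to produce.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    ref: str            # order / posting reference shared by both systems
    amount: Decimal     # transaction total (Decimal avoids float rounding)
    when: datetime      # time the record was created in its own system


# Constructed sample data: what the website recorded as completed sales ...
WEB_ORDERS = [
    Record("ORD-1001", Decimal("250.00"), datetime(2024, 3, 1, 9, 15)),
    Record("ORD-1002", Decimal("99.95"), datetime(2024, 3, 1, 10, 2)),
    Record("ORD-1003", Decimal("1200.00"), datetime(2024, 3, 1, 11, 40)),
    Record("ORD-1004", Decimal("45.00"), datetime(2024, 3, 1, 12, 5)),
]
# ... and what reached the general ledger through the interface.
LEDGER_POSTINGS = [
    Record("ORD-1001", Decimal("250.00"), datetime(2024, 3, 1, 23, 30)),
    Record("ORD-1002", Decimal("99.59"), datetime(2024, 3, 1, 23, 30)),   # transposed cents
    Record("ORD-1004", Decimal("45.00"), datetime(2024, 3, 4, 8, 0)),     # posted three days late
    Record("ORD-9999", Decimal("310.00"), datetime(2024, 3, 1, 23, 30)),  # no matching web order
]


@dataclass
class Exceptions:
    missing_postings: list = field(default_factory=list)   # order never reached the ledger
    amount_mismatches: list = field(default_factory=list)  # posted with a different total
    late_postings: list = field(default_factory=list)      # posted outside the timeliness window
    orphan_postings: list = field(default_factory=list)    # ledger entry with no source order

    def is_clean(self) -> bool:
        """True only when every exception bucket is empty."""
        return not any(vars(self).values())


def reconcile(orders, postings, max_delay=timedelta(days=1)):
    """Match each web order to its ledger posting by reference and classify
    every discrepancy. Amounts are compared exactly, and a posting counts as
    late when it lands more than max_delay after the order was taken."""
    by_ref = {p.ref: p for p in postings}
    exc = Exceptions()
    for order in orders:
        posting = by_ref.pop(order.ref, None)
        if posting is None:
            exc.missing_postings.append(order.ref)
            continue
        if posting.amount != order.amount:
            exc.amount_mismatches.append((order.ref, order.amount, posting.amount))
        if posting.when - order.when > max_delay:
            exc.late_postings.append((order.ref, posting.when - order.when))
    # Whatever is left in by_ref was posted without a corresponding web order.
    exc.orphan_postings.extend(sorted(by_ref))
    return exc


def exception_report(exc) -> list:
    """Render the exceptions as audit-trail lines for supervisory review."""
    lines = []
    lines += [f"MISSING   {ref}: order has no ledger posting" for ref in exc.missing_postings]
    lines += [f"MISMATCH  {ref}: web {web} vs ledger {gl}" for ref, web, gl in exc.amount_mismatches]
    lines += [f"LATE      {ref}: posted {delay} after order" for ref, delay in exc.late_postings]
    lines += [f"ORPHAN    {ref}: ledger posting has no source order" for ref in exc.orphan_postings]
    return lines


if __name__ == "__main__":
    result = reconcile(WEB_ORDERS, LEDGER_POSTINGS)
    for line in exception_report(result):
        print(line)
```

When walking through a control like this, the points an auditor would test are the ones the code makes explicit: that matching is by an immutable reference shared by both systems, that amounts are compared exactly rather than with floating-point tolerance, that the timeliness threshold is defined and enforced, and that the exception list is retained and reviewed rather than silently discarded.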
Sid M. Edelstein, CPA, is a principal and director of IT services at Cornick, Garber & Sandler, LLP, New York, N.Y. He would like to thank Malcolm Schwartz, one of COSO’s original authors, for his review and comments.