
SoX 101

SOX Compliance 101: IT Management Professionals Executive Session - Preview Document
LF. Gibson, The Radian Group

Introduction

Although it may take considerable effort to coordinate management philosophies and implement an organized and acceptable set of standards, SOX compliance can ultimately enhance business functions–not just please the SEC.

Executive Summary 

U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX) to stabilize U.S. markets in light of recent corporate scandals (Enron, WorldCom) that cost investors millions of dollars and deflated the U.S. economy. This Act reforms corporate governance particularly by adding integrity to internal processes that affect earnings and financial disclosures. Ultimately, these changes are supposed to regain consumers’ trust in publicly traded companies and help them make appropriate investing decisions.

In general, SOX requires publicly traded companies to be more financially accountable. However, becoming more responsible extends beyond the accounting department–complying with SOX requires cooperation and support among many business units, including IT.

IT supports the corporation’s drive to comply with SOX by securing and protecting financial data on the network. IT is also required to consistently document this effort.

Without IT support, a corporation simply cannot comply with SOX and will endure retribution from the Securities and Exchange Commission, which regulates SOX.

SOX Summary for IT Managers

Most of the IT department’s responsibilities in the SOX Act fall under sections 302 and 404. 

Section 302 requires the public company to affirm in each report that internal controls are adequate and they have not disclosed any knowingly false or misleading statements–presenting a fair representation of financial conditions. Both the public company’s officers and public accounting firm must attest to the accuracy of the reporting. Any significant deficiencies found in the internal controls or fraud that involves management or employees must be reported.

The Nitty Gritty on Section 302? The CIO will be expected to sign and acknowledge the accuracy of the annual report filed with the SEC. Most CIOs and senior IT executives believe that merely assessing the IT controls at the financial reporting entity level and remediating any gaps is sufficient for SOX compliance. They are wrong!

Section 404 requires reports to identify management’s responsibilities for establishing and maintaining adequate internal controls, and provide an assessment of the effectiveness of the internal controls and procedures affecting financial reporting. The public accounting firm must attest once again to the fairness and accuracy of the reporting.

The Nitty Gritty on Section 404? The CIO will be expected to administer an unprecedented level of alignment between IT practices and business practices; between technology management and financial management; and between records management practices (retention, storage, access, and disposition) and compliance requirements. 

In today’s technology-centric environments, the accuracy of financial reports relies in large part on decisions made by IT professionals. At its core, the foundation of any financial report in today’s corporation is the information found inside the systems “owned” by the IT department. Consequently, the accuracy and reliability of financial reporting is dependent upon the trustworthiness of those IT systems. This in turn depends largely on the purchasing, configuration, and management decisions made by or influenced by IT.

How Does IT Create Internal Controls for Use in the SOX World?

“The nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting” – Public Company Accounting Oversight Board Auditing Standard No. 2

An internal control is a process designed to support three distinct activities:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Within the IT world, a basic example of IT internal control is a policy and procedure that requires each user to have a unique username and password in order to log on to the company network.

Other examples for IT may include:

  • Procedures for securing, protecting, and ensuring the availability of critical infrastructure, including storage systems
  • Tools and processes ensuring the business’ ability to recover from a disaster
  • Requiring independent certification of the qualifications of IT staff that manage critical systems and handle sensitive data
  • Implementing response plans for information security breaches
  • Monitoring information systems for system performance issues
  • Developing patch management and application update procedures

Management is not permitted to conclude that the company’s internal control over financial reporting is effective if there are one or more material weaknesses in the company’s internal control over financial reporting. (As audited internally and by the independent auditors.)

So what does this all mean?  As part of their internal control activities, management is required to select a framework against which to evaluate their internal controls over financial reporting, and is then required to develop and execute a plan for evaluating, testing and reporting on the effectiveness of those controls. In addition, once management has completed the assessment of the company’s internal controls over financial reporting, the SEC requires management to engage their independent auditors to conduct an audit of that assessment. 

IT must play an active, central role in each of these activities.  In order to play this role, IT executives must work to understand the connection between the “internal controls over financial reporting” required by Section 404 and the types of controls that IT uses in the management of information and systems.  Only by understanding this connection can IT adequately perform its responsibilities and play a leadership role in the SOX compliance process. 

There are a variety of entities and documents related to Section 404 compliance that have a direct bearing on IT’s SOX compliance role.  IT must consider their impact when developing IT compliance, control, and governance activities.

Auditing Frameworks

There is a lot of room for interpretation of SOX: the Act does not name a particular internal control framework or IT governance practice as appropriate for compliance. In addition, the auditors who are required to attest to financial reports are typically not experts in IT technologies. To overcome these challenges, SOX references the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework. COSO provides an integrated framework to help businesses assess and enhance their internal control systems and align their IT governance practices with SOX.

There are five main components of the COSO framework that are relevant to SOX:   

1) Control (Internal) Environment
The Internal Environment depicts the company’s philosophy for risk management and sets the basis of integrity and ethics that the company is obliged to uphold in that environment.

2) Risk Assessment
The purpose of Risk Assessment is to identify potential risks (security breaches, for example), the likelihood of those risks, and the consequent ramifications of those risks to determine how they should be managed.

3) Control Activities
This includes all the policies and operating procedures that are established to mitigate the risks identified in the Risk Assessment and ensure risk responses are handled appropriately. These activities should address the organization of and controls for information systems, as well as specific application guidelines to support accurate and timely processing of transactions.

4) Information and Communication
When creating the standard operating procedures, management must consider the flow of information within the company to ensure it effectively supports employees’ activities. In addition, all relevant data needs to be identified, captured, and presented in a coherent format. 

5) Monitoring
Internal controls need to be monitored on a continual basis to ensure the security and integrity of the information flowing throughout the company and the validity of the corresponding reports. Modifications to internal controls should be made as necessary and recorded in the disclosure.

In addition, COSO identifies several areas that have both a direct and an implied impact on the IT department. For example, COSO recommends that:

  • A mechanism (e.g. an information technology steering committee) is in place for identifying emerging information needs.
  • A long-range information technology plan has been developed and linked with strategic initiatives.
  • Sufficient resources (managers, analysts, and programmers with the requisite technical abilities) are provided as needed to develop new or enhanced information systems.

How Does SOX Compliance Fit with the COBIT Framework?

While COSO provides a useful overall framework for internal controls, it does not provide detailed guidance on IT-specific controls. COBIT and similar IT controls frameworks (such as ISO 17799) provide important guidance on the gamut of IT issues, including business alignment. A related document entitled “IT Control Objectives for Sarbanes-Oxley” provides insight on the mapping of COBIT controls to those internal controls outlined in COSO.

What Is the PCAOB AS2?

SOX mandated the creation of a new entity to create and oversee public company auditing standards and practices. This gave birth to the Public Company Accounting Oversight Board (PCAOB). The PCAOB has published an auditing standard that outlines the procedures auditors should use when auditing management’s internal controls over financial reporting. This document, Auditing Standard No. 2 (AS2), in essence tells companies what auditors will be looking for when they perform such an audit. As such, IT executives need to evaluate the impact of AS2 on their IT controls program.

Record Keeping and the Responsibility of IT

The SEC, in enacting its Section 404 rules, made clear that companies must create and maintain records that provide “reasonable support” for management’s internal control assessments.  So what kinds of records must companies develop and maintain?  Public companies already have an obligation to maintain (under existing Exchange Act Rules), “records of sufficient accuracy to meet adequately four interrelated objectives:

  • Appropriate reflection of corporate transactions and the disposition of assets;
  • Effective administration of other facets of the issuer’s internal control system;
  • Preparation of its financial statements in accordance with generally accepted accounting principles; and
  • Proper auditing.”

In short, the SEC has stated that companies must create and maintain more than just strictly financial records as part of their internal control processes, stating that such records “include not only general ledgers and accounting entries, but also memoranda and internal corporate reports”. Companies would do well to take a conservative approach to such recordkeeping, and moreover should investigate technologies and processes that will enable such records to be maintained in a trustworthy and complete manner and to be retrieved expeditiously.

Conclusions

As noted earlier, the internal control process, as advanced by COSO and carried in the IT world by COBIT and similar frameworks, was designed not only to support financial reporting, but also to improve the “effectiveness and efficiency of operations.”

In addition, the development of IT control processes and evaluation programs can provide a foundation for achieving compliance with laws and regulations outside of SOX, and support improved record retention and electronic discovery procedures.

Without IT’s knowledge, participation and leadership, organizations will struggle to meet compliance requirements related to SOX and beyond.  It is time for IT departments, and their leaders, to take up the challenge.

  • IT must realize that it has a new line in its job description: corporate compliance.
  • IT executives should view Section 404 compliance as an opportunity to adopt processes that can improve the overall effectiveness of the IT department.
  • IT must play an active role in developing, implementing, testing, and continually improving internal controls over financial reporting.
  • The opportunities for increased business alignment and operational effectiveness offered by a SOX Section 404 compliance initiative should be closely examined.

Resources

The following links and public information were used in the preparation of this document.

Web Resources

  • Sox Institute from the Sarbanes Oxley Group (SoxInstitute.org)
  • Sarbanes-Oxley Compliance Journal (S-ox.com)
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO.org)
  • Information Systems Audit and Control Association (ISACA.org)
  • CCG, Inc.  (ControlCompliance.com)
  • Kahn Consulting Inc. (KahnConsulting.com)
  • CIO Magazine (CIO.com)
  • Sarbanes Oxley and IT Management Controls (Wikipedia.org)

Articles and Whitepapers

  • The Sarbox Conspiracy – CIO.com – by Christopher Koch
  • IT Has a Brand New Job: Corporate Compliance – Kahn Consulting – Randolph Kahn, ESQ.
  • IT Assessment: the CIO Sucker Punch in Sarbanes-Oxley – Obian Mitiware Inc. – Obian.com
  • SEC Announces Next Steps for Sarbanes-Oxley Implementation – sec.gov – 05/17/2006
  • Sarbanes-Oxley and the IT Organization: A Survival Guide for Year Two – Peregrine Systems – Rebecca Lawson – 01/05 

Appendix

Sec. 302 CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS

a. REGULATIONS REQUIRED.–The Commission shall, by rule, require for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that–
1) The signing officer has reviewed the report;
2) Based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
3) Based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
4) The signing officers–
   a. Are responsible for establishing and maintaining internal controls;
   b. Have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
   c. Have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
   d. Have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
5) The signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)–
   a. All significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
   b. Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
6) The signing officers have indicated in the report whether or not there were significant changes in internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
b. FOREIGN REINCORPORATIONS HAVE NO EFFECT.–Nothing in this section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under this section 302, by an issuer having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to outside of the United States.
c. DEADLINE.–The rules required by subsection (a) shall be effective not later than 30 days after the date of enactment of this Act.

Sec. 404 MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS

a. RULES REQUIRED.–The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall–
1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
b. INTERNAL CONTROL EVALUATION AND REPORTING.–With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.