COMPUTERS & AUDITING
example, some control objectives in CobiT are not applicable to Sarbanes-Oxley requirements. IT operational efficiencies and performance metrics, though critical to assessing an organization’s IT capability maturity, do not constitute an adequate means of supporting accurate, complete, and fairly presented financial reporting.
To prepare for executive certification, organizations must identify significant accounts that are material to financial reporting, present a logical and defensible approach to assessing the associated risks and controls, and evaluate their design and operating effectiveness. IT focuses on information assets and the risks that threaten the fulfillment of related control objectives. A key component of IT-related Sarbanes-Oxley work, therefore, involves mapping control objectives for financial reporting to the IT control objectives. For example, authorization and safeguarding of assets — a key organizational control objective — is largely related to the IT-related objectives of ensuring information security, confidentiality, and privacy.
To ensure consistency of execution in control-mapping efforts, several key distinctions and assumptions — particularly those based on terms used in financial statement assertions in the accounting world — must be clearly understood. The following common financial statement assertions, for example, may take on a new or additional meaning in the IT context.
Existence and occurrence: Controls must address the possibility of duplicate, retransmitted, or fictitious transactions occurring at all stages of processing, interfaces, and systems feeds.
Measurement: Different measurements are used for IT, such as management-defined measurement criteria for specific computer operations and processing. The predetermined threshold and measurement criteria should be tailored and documented to the requirements of the respective businesses on the basis of their relevance to financial reporting.
Completeness and accuracy: The CobiT framework’s principles of “reliability and integrity of information” can be useful in supporting Sarbanes-Oxley’s completeness assertion in the IT environment. The act’s required quarterly reporting of material IT changes that affect financial reporting and its maintainability, for example, can be placed on the organization’s Sarbanes-Oxley
Presentation and disclosure: CobiT’s principles of “compliance and availability,” which refer to availability of information required by business processes, laws, regulations, and contractual arrangements, can be a helpful reference for supporting presentation and disclosure assertions.
Because many of the internal controls for financial reporting are IT-dependent, it is important to highlight the key technology enablers of business processes and to foster a mutual understanding of the definition of internal controls between the business and IT members of the Sarbanes-Oxley project team.
THE SARBANES-OXLEY ACT AT A GLANCE
CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS
CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures and that the report is accurate, complete, and fairly presented.
Quarterly and annual filings must contain a certification that the CEO and CFO have performed an evaluation of the design and effectiveness of the disclosure controls.
Certifying executives must state that they have disclosed to their audit committee and independent auditor any significant control deficiencies, material weaknesses or acts of fraud, and significant changes in financial reporting internal controls.
MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
Companies must perform an annual evaluation of internal controls over financial reporting and a quarterly evaluation of any material change in the company’s internal controls over financial reporting that occurred during the fiscal quarter.
The company’s independent auditor must issue an attestation report on management’s assessment of the effectiveness of internal controls over financial reporting.
Annual filings must contain a report of management on their assessment of the effectiveness of internal controls over financial reporting.
Although the IT processing environment encompasses many key controls that are significant and critical to the success of the IT function, it may have little bearing on the Sarbanes-Oxley compliance agenda. To qualify for priority attention in time-sensitive Sarbanes-Oxley initiatives, IT control activities need to meet specific criteria that help ensure relevance to the act’s requirements. The following questions can be used as a starting point for assessing whether IT efforts are relevant to Sarbanes-Oxley.
Is the business technology-dependent, or is IT critical to the business?
Is the IT activity anchored to an identified significant account to ensure that there are no runaway IT processes?
Are there known significant deficiencies or material weaknesses where a technology solution is pending?
Is this an organization-defined high-risk
Is the computer processing directly or indirectly related to the timely production of financial reports?
Does the business maintain complex
Is the financial application a feeder system to several system interfaces — from transaction origination to final destination — in a major general ledger account?
Is the application characterized by: high-value and/or high-volume transactions, automated computation and reconciliation, straight-through processing, and a high volume of nonroutine procedural
Does the application handle table maintenance, quantitative models, and
Is the application shared by many business units across the enterprise?
Is this IT process dependent on critical manual controls to complete the end-to-end process (or vice versa)?
Is some or all of this IT process managed by a third-party outsourcer?
Reviewing these self-assessment questions can help IT auditors sharpen their focus on Sarbanes-Oxley requirements and define project scope.
INTERNAL AUDITOR FEBRUARY 2004