An Information Technology Perspective of Sarbanes-Oxley
David M. Cannon, Ph.D., CPA (Ohio), CCP
Assistant Professor, Department of Accounting and Taxation, Grand Valley State University
West Michigan Accounting and Auditing Symposium, May 27, 2004

Primary Sarbanes-Oxley Sections Relevant to IT
• Section 302
  – CEOs and CFOs must attest to the accuracy of financial statements (a)(2)
  – The CEO and CFO must certify that, to their knowledge, quarterly and annual reports contain no untrue statement of a material fact and omit no material fact
  – CEOs and CFOs must certify that
    • they are responsible for internal controls (a)(4)(A)
    • the controls are designed such that material information is made known to the CEO and CFO (a)(4)(B)
    • they have evaluated the effectiveness of internal control within 90 days prior to quarterly and annual reports (a)(4)(C)

Primary Sarbanes-Oxley Sections Relevant to IT (continued)
• Section 404
  – The annual report must contain a report on the effectiveness of internal control
  – The external auditor must provide assurance on the internal control report
• Section 409
  – Real-time disclosure requirements for “material changes in the financial condition or operations”

Pervasiveness of IT in business processes
• IT is critical to financial business processes in all but the tiniest organizations
• Many significant transactions are entered into and/or processed without human intervention
  – Stock trades
  – Goods orders
  – Payments for goods and services

Pervasiveness of IT in business processes (continued)
• Trend toward integrated, inter-enterprise systems
  – Supply Chain Management (SCM)
  – Electronic Data Interchange (EDI)
  – eXtensible Markup Language (XML)
  – eXtensible Business Reporting Language (XBRL)
  – Enterprise Application Integration (EAI)

Pervasiveness of IT in business processes (continued)
• Real-time, integrated global systems are now common
• Current emphasis is on advance specification of business rules instead of human judgements on individual transactions

Basic Perspective Differences Between IT and Finance
Organizational perspective
• IT typically views individual information systems in isolation
• Finance is concerned with the entire reporting entity
Risk perspective
• IT is concerned with information technology operational and systems development risks
• Finance is concerned with financial risk and reporting risk

Characteristics of Section 302 & 404 Compliant Systems
• Well-defined and documented
• Transparent
• Accurate
• Verifiable
Based on “Sarbanes-Oxley and insurance IT: think you don’t have to worry?”, RebusIS Insurance Solutions White Paper

Well-defined and documented processes
• Documentation of business processes is often
  – Incomplete
  – Inconsistent
  – Obsolete
  – Obscured
  – Just plain wrong
• The internal control documentation situation is worse
• Repeatability is lacking for manual processes

Well-defined and documented processes (continued)
• What about non-routine processes?
• How do we ensure that changes in business processes are documented?
• What about outsourced processes?

Transparency
• Most financial controls are embedded within information systems and require specialized IT knowledge to identify, understand and test
  – Parameter files (software, hardware and network)
  – Program source code
  – Job Control Language (JCL), scripts
  – Scheduling software (ex: CA-7)
  – Access control software (ex: RACF)
  – Change control software (ex: Librarian)

Transparency (continued)
• Many business processes cross organizational boundaries
  – Outsourcing
  – Enterprise Application Integration (EAI)
  – Supply Chain Management (SCM)
  – eXtensible Markup Language (XML)
  – eXtensible Business Reporting Language (XBRL)
• Are the processes used by external entities to implement outsourced business processes known, visible and documented?
• Are the controls over such processes known, visible and documented?

Accuracy
• Do a company’s business processes result in the “right number” being reported? (Reliability)
  – Human error
  – System design deficiencies
  – Program bugs
  – System operational errors

Accuracy (continued)
• Is there repeatability (stability) in the processes? Potential problems:
  – Manual entries
  – Spreadsheets
  – Manual procedures and processes

Verifiability
• Does the information system provide the information required to verify how the reported numbers are produced?
  – Audit trails
  – Change control system(s)
  – Business process and control documentation tracking systems

Section 409 Compliance Issues
• Diversity of operating environments
  – Multiple vendors
  – Multiple platforms
  – Operating systems
  – Programming languages
  – Networks
  – System operating cycles
    • Batch vs. real-time
    • Daily, weekly, monthly cycles
    • Ad hoc
• Interfaces between business processes
• Manual procedures

Technologies conducive to Section 409 compliance
• ERP systems
• Real-time systems
• Middleware
• Data warehouses
• Data marts
• Section 409 reporting systems

Information Technology Cultural Issues
• Lack of domain knowledge
• Preference for “elegant” solutions
• Preference for new and emerging technologies
• Focus on individual tasks instead of the big picture
• Sense that organizational rules don’t always apply to IT
• The “others just don’t get it” attitude

The Information Technology Function’s Role
Pre-Sarbanes-Oxley:
• IT is responsible solely for controls over IT operational processes
  – controls over IT operations
  – controls over IT development
  – general controls over IT function processes
• Financial controls are outside the IT domain
  – a view often promoted by finance/accounting
  – controls are merely application functions to IT

The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
• “no need for IT to have a basic understanding of business processes”
  – “business process is within the functional domain”
  – “tell us what you want and we’ll build it”
  – “system meets specifications” … but not necessarily business requirements

The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
• “no need to understand financial controls”
  – viewed as a functional requirement of the application
  – few IT professionals have formal training in internal control
  – assumes that the choice of technical design and implementation has no effect on controls

The Information Technology Function’s Role (continued)
Pre-Sarbanes-Oxley:
• controls often viewed by IT as separate from the business process rather than integral to it
• IT’s risk perspective is limited to
  – IT security risks
  – IT operational risks
• IT TYPICALLY HAS LITTLE OR NO KNOWLEDGE OR CONSIDERATION OF FINANCIAL REPORTING RISK!

What can IT do to comply with Sarbanes-Oxley?
• Understand that the rules have changed
  – Business processes and their controls must be continuously transparent
  – Controls must be viewed as an essential component of systems
  – Complete, correct, and up-to-date documentation is no longer simply a good practice; it is critically necessary
  – IT governance is here and now

What can IT do to comply with Sarbanes-Oxley? (continued)
• Understand that the rules have changed (continued)
  – Financial reporting risk must be considered in all IT decisions
    • Outsourcing and inter-enterprise integration
    • Choice of technology
    • Systems design, implementation and maintenance
    • Vendor selection
  – IT professionals must have a basic understanding of business processes and financial controls

What can IT do to comply with Sarbanes-Oxley? (continued)
• Insist on full representation on, and participation in, Sarbanes-Oxley compliance projects
• Provide technical expertise to assist in documenting controls
• Assist in the selection and implementation of Sarbanes-Oxley compliance tools
  – Business Process Management (BPM) tools
  – Document management tools
  – Data mining applications
  – Monitoring tools (dashboards, exception reporting systems)

What can IT do to comply with Sarbanes-Oxley? (continued)
• Request the internal audit function to facilitate a control self-assessment
• Adopt a comprehensive IT control framework
  – Control Objectives for Information Technology (COBIT)

The good news for IT . . .
“There is no discretionary spending where the alternative is a prison sentence.”
From “Sarbanes-Oxley and insurance IT: think you don’t have to worry?”, RebusIS Insurance Solutions White Paper

Questions?