IT systems play a critical role in ensuring the accuracy of a company's financial reports. As a result, validation of IT controls is a key part of any Sarbanes-Oxley compliance initiative.
However, in Year 1 most companies pursued IT control validation in a reactive manner, and the cost of compliance was correspondingly high. This brief reviews the most common weaknesses in IT controls, discusses a framework for defining and assessing IT controls in Year 2, and examines how the proposed IT controls structure maps to the COSO framework used for SOx compliance.
Based on our recent research, the leading control weakness discovered during the IT audit was the improper provisioning of user accounts with respect to Segregation of Duties (SOD). SOD reduces risk by providing an internal control on performance: custody of assets is separated from accounting personnel, authorization of transactions is separated from custody of the related assets, and operational responsibilities are separated from record-keeping responsibilities. Commonly used SOD controls include segregating expense approval from accounts payable, segregating requisitioning from purchasing, and segregating receiving from purchasing.
There are various alternatives available to implement SOD and the chosen method should be clearly documented for the appropriate IT applications, so the SOD control can be easily tested and retested. Alternatives include:
- Forbid the transaction under all circumstances
- Forbid the transaction except with high-level authority
- Permit the transaction based on rules, such as dollar value approval levels
- Permit the transaction with "reason codes" to justify the action for subsequent review
- Permit the transaction with subsequent approval (transaction should be flagged and the approval logged)
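The five alternatives above can be expressed as a single policy check applied at transaction time. The following is an added example (not code from the original brief) that evaluates a requested duty against the duties a user has already performed on the same transaction, using the three conflict pairs named above as a constructed rule set; the `Mode` names, the dollar limit and the log format are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed set of conflicting duty pairs, taken from the brief's examples.
CONFLICTS = {
    frozenset({"expense_approval", "accounts_payable"}),
    frozenset({"requisitioning", "purchasing"}),
    frozenset({"receiving", "purchasing"}),
}

class Mode(Enum):
    """One enum member per SOD alternative listed in the brief (assumed names)."""
    FORBID = "forbid"                      # forbid under all circumstances
    FORBID_UNLESS_OVERRIDE = "override"    # forbid except with high-level authority
    RULE_BASED = "rule"                    # permit based on a dollar-value limit
    REASON_CODE = "reason"                 # permit when a reason code is supplied
    SUBSEQUENT_APPROVAL = "post_approve"   # permit, but flag for later approval

@dataclass
class Decision:
    allowed: bool
    flagged: bool = False           # True when the transaction needs later review
    log: list = field(default_factory=list)  # audit trail entries for the reviewer

def has_conflict(performed_duties, new_duty):
    """True if new_duty conflicts with any duty the user already performed."""
    return any(frozenset({d, new_duty}) in CONFLICTS for d in performed_duties)

def evaluate(mode, performed_duties, new_duty, amount=0.0, limit=10_000.0,
             override=False, reason_code=None):
    """Apply the chosen SOD alternative to a user's request to perform new_duty."""
    decision = Decision(allowed=True)
    if not has_conflict(performed_duties, new_duty):
        return decision  # no segregation conflict, nothing to enforce
    if mode is Mode.FORBID:
        decision.allowed = False
    elif mode is Mode.FORBID_UNLESS_OVERRIDE:
        decision.allowed = override
        if override:
            decision.log.append("override by high-level authority")
    elif mode is Mode.RULE_BASED:
        decision.allowed = amount <= limit
    elif mode is Mode.REASON_CODE:
        decision.allowed = bool(reason_code)
        if reason_code:
            decision.log.append(f"reason={reason_code}")
    elif mode is Mode.SUBSEQUENT_APPROVAL:
        decision.flagged = True
        decision.log.append("flagged for subsequent approval")
    return decision
```

Whichever mode is chosen, the decision and its log entries should be written to the audit trail so the control can be tested and retested as the brief recommends.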
The other common weaknesses discovered during the IT audit include insufficient controls for change management; a general lack of understanding around key system configurations; audit logs not being reviewed (or that review itself not being logged) and abnormal transactions not identified in a timely manner. These key weaknesses in IT controls can materially affect the integrity of financial data within a company, leading to inaccurate (or false) financial reporting.
Companies are deploying a COBIT-based controls structure to identify and design key IT-level controls. The picture below shows the recommended IT control structure derived from the COBIT model. The general IT-level controls in this structure map to the entity-level controls for the IT function within the SOx controls hierarchy, while the application-level controls should be included in the process/sub-process level controls defined within the SOx controls hierarchy. For further details, refer to the COBIT documentation from the Information Systems Audit & Control Association, available on its website, www.isaca.org.
Once the IT-level controls are defined using the above structure, they are ready to be assessed for design effectiveness and operational effectiveness. The following seven-step process streamlines the design, assessment and remediation process.
- Identify the IT-related controls based on the "House of IT Controls" structure displayed above
- Document the existing IT controls and the associated processes related to the IT control
- Create a checklist for assessing the operational effectiveness of controls
- Test the controls
- Identify issues needing to be addressed
- Define corrective actions and ensure they have been implemented
- Audit the IT controls to ensure the corrective actions have addressed the issue
Since IT systems are at the core of the financial reporting process for any organization, the automation of assessment and remediation of IT controls should not be done in isolation from the automation of assessment and remediation of internal controls for Sarbanes-Oxley compliance. In addition, the process for assessment and remediation of internal controls for Sarbanes-Oxley compliance maps very closely to the seven-step process described above. Hence, it is essential that users select a software vendor that supports both: automation of assessment and remediation of internal controls for Sarbanes-Oxley compliance, and automation of audit and assessment of IT controls.