House of IT Controls 

By Bob Broda, Managing Partner - Visage Solutions

Raleigh, NC

Auditors and consultants are explaining the requirements for assessing the effectiveness of a corporation's IT controls over financial reporting by using an effective metaphor: the House of IT Internal Controls. This House consists of a Roof, Columns, and a Foundation. All three of these components are inter-related sets of IT controls.

The majority of senior IT executives believe that, having assisted the Controller's department in evaluating financial reporting controls (the Columns of the House), they will pass their corporation's external auditor's tests for IT controls. The auditors at the Big 4 public accounting firms would strongly disagree with this assumption. They will be testing the effectiveness of IT controls throughout the entire House, from the Roof through the Foundation.

Sarbanes-Oxley Section 404 dictates that companies use an industry standard to document internal controls over financial reporting. The PCAOB (Public Company Accounting Oversight Board) Auditing Standard No. 2 discusses the importance of IT in the context of internal control. In particular, it states:

    "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

Although Section 404 identifies the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Controls framework, some auditing companies identify a more complete industry standard for IT: COBIT (Control Objectives for Information and related Technology), produced by the IT Governance Institute.

The COSO IC Framework identifies five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. In the area of Information Technology, it identifies two basic Control Types: General Controls and Application Controls.

The COBIT control objectives are organized into four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. These domains are broken down into thirty-four (34) specific IT processes. To be effective, each of these processes should have 1 Maturity Model, 5-7 Key Goal Indicators, 8-10 Critical Success Factors and 6-8 Key Performance Indicators.

The House metaphor is an attempt by industry leaders to draw a parallel between the two frameworks. COBIT identifies General and Application controls at a much more detailed level than COSO. It also identifies Enterprise (company-wide) controls that may be ignored by an organization following only the COSO framework. COSO does identify the Control Environment as one of its five components; however, most organizations view this control environment in the business sense, and although they should include IT in this component, it is often overlooked.

The Roof, the enterprise-level controls, protects the entire organization. It includes such items as Planning, Operating Style, Policies, Codes of Conduct and Fraud Prevention.

The Foundation is the general controls that ensure the entire IT infrastructure is stable. It includes items such as Maintenance, Disaster Recovery, Security, Data Management and Incident Response.

The Columns, the application-related controls, are the area where Sarbanes 404 projects have spent most of their time. These controls include Embedded Controls, Access, Authorizations, Approvals, Tolerance Levels, Reconciliations and Edits.

In conclusion, make sure you communicate with your external auditor in the area of IT controls. Although it is management's responsibility to ensure there are no material weaknesses and that there is no more than a remote likelihood that a material misstatement will occur, it is the external auditor who either agrees or disagrees with that assertion. Make sure you are prepared, to the level of detail necessary, to support that assertion. Following the COBIT framework may be your best chance of obtaining the auditor's agreement with it.

Further information can be found at:

    Committee of Sponsoring Organizations of the Treadway Commission    www.coso.org
    Public Company Accounting Oversight Board                            www.pcaobus.org
    IT Governance Institute                                              www.itgi.org
    Information Systems Audit and Control Association                    www.isaca.org


VisageSolutions is a group of experienced operational executives focused on providing cost-effective, technology-based Sarbanes-Oxley solutions. By working carefully with their clients, VisageSolutions provides customized solutions that focus on reducing the "operational cost" of sustained compliance through an optimum combination of existing and new technologies and tools, and business process integration. See www.visagesolutions.com for more information and related links.

Copyright © 2003 Visage Solutions, LLC.