EXECUTIVE SUMMARY
SARBANES-OXLEY REQUIRES MANAGEMENT to include an assessment of internal controls over financial reporting, using a suitable framework, in the annual report. While a number of frameworks are available, some do not adequately assess technology controls.
SEC RULES SAY MANAGEMENT MUST BASE its evaluation of the effectiveness of internal controls over financial reporting on a recognized control framework issued by a group that followed due-process procedures. The framework must be free from bias, complete and relevant to the task at hand, and must permit consistent quantitative and qualitative measurements.
SEVERAL GROUPS, INCLUDING COSO, COBIT and AICPA/CICA Trust Services, have issued frameworks CPAs can use to evaluate internal controls, particularly controls over a system’s IT aspects. In a survey of CEOs and CFOs, 28.4% said they used a model other than COSO to assess the effectiveness of their IT internal control structure.
A FIVE-STEP PROCESS ENABLES CPAs to use the Trust Services framework in conjunction with the COSO framework to evaluate the IT control aspects of the required internal control assessment. The process defers to Trust Services for a more detailed assessment of whether the IT systems used to support and create the financial reports are reliable.
MARTIN J. COE, CPA, CISA, CISM, is an assistant professor of accountancy at Western Illinois University, Moline, and a practicing information technology auditor. His e-mail address is MJ-Coe@wiu.edu.
It would be an understatement to say the Sarbanes-Oxley Act of 2002 has had a significant impact on every CPA working for or auditing a public company. Among other things, Sarbanes-Oxley requires management to include an internal control assessment using a suitable framework in the company’s annual report. But how exactly are companies performing the required assessment?
This has been a hot topic for professional associations such as the AICPA, the Institute of Management Accountants and the Institute of Internal Auditors. In response the AICPA created an ad-hoc task force to address management’s responsibility under section 404 of Sarbanes-Oxley. The task force assembled a list of key issues, including the act’s requirement to use suitable criteria for an effective internal control system.
This article explains how I use the AICPA/CICA Trust Services framework in my work as an information systems auditor to evaluate internal controls, particularly controls over information technology. CFOs, internal audit executives and financial managers as well as external auditors will see how the framework can supplement some commonly used measures that do a good job of assessing overall controls but don’t focus on technology controls.
Compliance Costs Growing
Meeting the requirements of section 404 of the Sarbanes-Oxley Act of 2002 will cost public companies an average 62% more than first anticipated. The increase stems from a 109% rise in internal costs, a 42% jump in external costs and a 40% increase in the fees charged by external auditors.
Source: Financial Executives International, www.fei.org, 2004 survey.
Section 404 requires public companies to include in their annual reports an assessment by management of their internal controls over financial reporting. This includes a statement of management’s responsibility for establishing and maintaining adequate internal control, an assessment of the effectiveness of those controls as of the end of the most recent fiscal year, a statement identifying the framework that was used to evaluate those controls and a statement that the external auditor issued an attestation report on management’s internal control assessment.
The final SEC rules say management must base its internal control evaluation on a suitable, recognized control framework established by a body or group that followed due-process procedures. The rules do not mandate the use of a particular framework but say a suitable one must
Be free of bias.
Permit reasonably consistent qualitative and quantitative measurements.
Include all relevant factors that might alter a conclusion about the effectiveness of the internal controls.
Be relevant to an evaluation of internal control over financial reporting.
As a practicing information systems auditor charged with preparing the IT control aspects of the required internal control assessment, my search for an appropriate model uncovered three suitable ones:
COSO (www.coso.org). The framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) satisfies the SEC criteria. Companies may use it to meet management’s annual internal control evaluation and disclosure requirements. The COSO framework defines internal control, describes its components and provides criteria against which CPAs can evaluate control systems. However, since COSO does not provide specific criteria for IT controls, some companies may find a supplemental framework necessary.
COBIT (www.isaca.org). The Information Systems Audit and Control Foundation developed the control objectives for information and related technology (COBIT). COBIT aims to be a generally applicable and accepted standard for IT security and control practices, providing a reference framework for management, users, auditors and security practitioners.
Trust Services (www.aicpa.org/trustservices). The foundation of the AICPA/CICA Trust Services framework is a set of principles and criteria CPAs can use to assess the reliability of a company’s IT systems. The criteria constitute professional guidance as well as serve as best practices for system reliability.
Because companies rely heavily on technology, the criteria they use to assess the effectiveness of their IT-related controls are particularly important. While COSO addresses the topic of IT general controls, it does not dictate requirements for control objectives and related activities. Indeed, the audit standards issued by the Public Company Accounting Oversight Board highlight the importance of IT general controls but do not specify which in particular a company must include. Thus, to meet the requirements of section 404, IT management and auditors need a specific IT control framework.
When I asked companies whose CEOs and CFOs are required to file sworn statements with the SEC which framework they used, 28.4% said they used a model other than COSO (exhibit 1). In evaluating models I first turned to COBIT because I had used it in the past and it was well-received by clients. Now in its third edition, COBIT is increasingly accepted as good practice for control over IT and related risks. It’s a robust framework, comprising 4 domains, 34 IT processes and 318 detailed control objectives. It’s a comprehensive approach for managing risk and control of IT, explaining how IT processes deliver the information a business needs to achieve its objectives.
Exhibit 1: Assessing IT Controls
Survey question: What criteria does your company use to assess the effectiveness of the IT-related internal control structure? (Column: number of companies using criteria.)
Response categories recovered from the table: Trust Services (formerly SysTrust); Combination of the three. Counts not recovered.
Respondent base: 190 companies.
One reason companies are using the COBIT framework for Sarbanes-Oxley compliance is that its objectives have been mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley (available at www.isaca.org). COBIT also has been mapped to popular enterprise resource planning (ERP) systems such as SAP, Oracle and PeopleSoft. This mapping and related guidance provides COBIT framework references and methodologies for auditing and testing the major ERP systems.
While COBIT is an excellent comprehensive framework for assessing IT controls, I was seeking a narrower framework that would complement the overall COSO model many clients were using. To this end, I decided to use Trust Services because of its focus on the controls that are in place to ensure the company’s systems carry out business processes reliably.
The AICPA and CICA developed the following Trust Services principles and related criteria for CPAs to use to perform consulting engagements, as well as branded attestation engagements such as SysTrust and WebTrust.
Security. The system is protected against unauthorized access, both physical and logical.
Availability. The system is available for operation and use as committed to or agreed upon.
Processing integrity. System processing is complete, accurate, timely and authorized.
Confidentiality. Information designated as confidential is protected as committed to or agreed.
Privacy. Personal information is collected, used, retained and disclosed in conformity with the commitments the entity makes in its privacy notice and with the AICPA/CICA Trust Services privacy criteria.
The privacy principles and criteria include 10 components that are essential to the proper protection and management of personal information. They are based on internationally known fair information practices included in the privacy laws and regulations of jurisdictions around the world and recognized good privacy practices. For each component there are relevant, objective, complete and measurable criteria for evaluating an entity’s privacy policies, communications and procedures and controls. There are also illustrations and explanations to enhance understanding of the criteria. For more details on the privacy criteria, go to www.aicpa.org/innovation/baas/ewp/privacy_framework.asp.
The security, availability, processing integrity and confidentiality principles and criteria are organized into four broad areas:
Policies. The entity has defined and documented its policies relevant to the particular principle.
Communications. The entity has communicated its defined policies to authorized users.
Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.
Monitoring. The entity monitors the system and maintains compliance with its defined policies.
These principles and criteria include attributes the entity must meet to demonstrate it has achieved each principle. Trust Services also provides illustrative controls as examples of controls the entity might have in place to conform to the criteria. Alternative and additional controls also may be appropriate.
CPAs can use the framework’s principles and criteria to create a detailed analysis containing control objectives classified into broad categories, as shown in exhibit 2. I found the illustrative controls to be particularly helpful. Keep in mind a large part of the internal control assessment process requires management to say what controls are in place to mitigate a given risk. Trust Services’ illustrative controls are detailed enough to help management identify the controls that exist and those that are missing. As an example of how the controls are helpful, consider those provided for one criterion, as shown in exhibit 3.
Exhibit 2: Detailed Control Objectives
Security
Policies: The entity defines and documents its policies for the security of its system.
Communications: The entity communicates its defined system security policies to authorized users.
Procedures: The entity uses procedures to achieve its documented system security objectives in accordance with its defined policies.
Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.
Availability
Policies: The entity defines and documents its policies for the availability of its system.
Communications: The entity communicates the defined system availability policies to authorized users.
Procedures: The entity uses procedures to achieve its documented system availability objectives in accordance with its defined policies.
Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system availability policies.
Processing Integrity
Policies: The entity defines and documents its policies for the processing integrity of its system.
Communications: The entity communicates its documented system processing integrity policies to authorized users.
Procedures: The entity uses procedures to achieve its documented system processing integrity objectives in accordance with its defined policies.
Monitoring: The entity monitors the system and takes action to maintain compliance with the defined system processing integrity policies.
Confidentiality
Policies: The entity defines and documents its policies related to the protection of confidential information.
Communications: The entity communicates its defined policies related to the protection of confidential information to internal and external users.
Procedures: The entity uses procedures to achieve its documented confidentiality objectives in accordance with its defined policies.
Monitoring: The entity monitors the system and takes action to maintain compliance with its defined
Privacy
Policies and Communications: The entity uses privacy policies that convey management’s intent, objectives, requirements, responsibilities and/or standards. The entity communicates to individuals, internal personnel and third parties about its privacy notice and its commitments therein and other relevant information.
Procedures and Controls: The entity uses procedures and controls to achieve its privacy objectives.
Source: AICPA/CICA Trust Services principles and criteria.
When I provide these examples to IT management—instead of simply asking what controls exist to protect against unauthorized logical access to a particular system—it helps them understand what I’m looking for. The Trust Services framework provides illustrative controls for all criteria (objectives).
Exhibit 3: Sample Trust Services Security Principle Illustrative Controls
Criterion: Procedures exist to protect against unauthorized logical access to the defined system.
1. Log-in sessions are terminated after three unsuccessful log-in attempts. Terminated log-in sessions are logged for follow-up by the security administrator.
2. Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by the VPN server through specific client software and user IDs and passwords.
3. Firewalls are used and configured to prevent unauthorized access. Firewall events are logged and reviewed daily by the security administrator.
4. Unneeded network services (for example, telnet, ftp and http) are deactivated on the entity’s servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by entity management on a routine basis for its appropriateness for the current operating conditions.
5. Intrusion detection systems are used to provide continuous monitoring of the network and early identification of potential security breaches.
6. The entity contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.
Source: AICPA/CICA Trust Services principles and criteria.
The following five-step process shows how CPAs can use the Trust Services framework to evaluate a company’s IT controls when the entity primarily uses the COSO approach. The first step uses only COSO, the second and third involve both COSO and Trust Services, and the last two use Trust Services only.
1. Use the COSO framework to identify the risks in each business cycle and the controls that mitigate them. This process will include many references to information systems.
PCAOB Auditing Standard no. 2 says: “Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO’s general themes.” Thus, it is important for CPAs to demonstrate how IT controls support the COSO framework.
COSO identifies five internal control components that must be in place to achieve financial reporting and disclosure objectives: control environment, risk assessment, control activities, information and communication and monitoring. An organization should have IT control competency in all components.
2. Gather initial IT information, including a list of all application software the company is using; copies of network maps, security policies and any contingency planning and disaster recovery documents; procedures related to how system changes are made; an explanation of the typical system development lifecycle; and the company’s IT organization chart.
Given the pervasive nature of IT, identifying what needs to be assessed for Sarbanes-Oxley compliance can be an overwhelming task. Gathering information that describes the IT environment, procedures and computer software helps CPAs understand the big picture so they can organize their efforts to identify IT controls for Sarbanes-Oxley compliance. In many cases, companies already have this initial information so CPAs can gather it without incurring additional costs.
3. From the information gained in the first two steps, identify all information systems that relate to financial reporting.
Organizations must understand how the financial reporting process works and where technology is critical in supporting it. This will help CPAs identify key systems and subsystems that need to be included in the Sarbanes-Oxley assessment. Include systems that participate in the initiation, recording, processing and reporting of financial information, such as the accounting information system and all systems that feed source transaction data to it.
AICPA RESOURCES
The AICPA/CICA Trust Services Principles and Criteria (Framework), www.aicpa.org/trustservices.
The AICPA/CICA Privacy Framework, www.aicpa.org/privacy.
Trust Services: Understanding and Implementing Trust Services (# 056520).
Privacy Matters: An Introduction to Personal Information Protection (# 056590JA).
Understanding and Implementing Privacy Services: A CPA’s Resource (# 056509JA).
Privacy Issues for Businesses…Whose Information Is It Anyway? CD-ROM (# 780005JA). For more information or to place an order, go to www.cpa2biz.com or call the AICPA at 888-777-7077.
IdentiRISK for Trust Services Privacy Principles and Criteria (# 103104). For more information or to place an order, go to www.identirisk.com/x/aicpa or call 866-433-7475.
4. Use the Trust Services framework to create one overall IT control matrix, so that you can assess controls that cross systems, and another matrix for each system that relates to financial reporting.
COSO identifies two broad groupings of information system control activities that organizations should assess:
General controls apply to all information systems and support secure and continuous operation. This category includes controls that support the quality and integrity of information and are designed to mitigate the identified risks. The IT general control categories the PCAOB set forth are program development, program changes, computer operations, and access to programs and data.
Application controls apply to the business processes they support and are designed to prevent and detect unauthorized transactions. When combined with manual controls, application controls help ensure completeness, accuracy, authorization and validity of processing transactions. Organizations should first identify significant accounts that could have a material impact on the financial reporting and disclosure process. Then they should identify and document application controls relevant to such accounts.
CPAs can use the Trust Services framework to create detailed IT control matrices (usually in the form of spreadsheets) that contain a row for each of the 58 criteria. CPAs also should create a control matrix for the application systems upon which the organization is relying to achieve financial reporting and disclosure objectives. This is where the benefit of using the Trust Services framework is apparent, because its principles define a reliable system as one capable of operating without material error, fault or failure during a specified period in a specified environment. For each principle it lists criteria against which CPAs can evaluate a system.
5. Assess the controls identified in the matrices created above. As a general rule there should be an effective control technique in place for every control objective that applies to a system.
CPAs can use the detailed control matrices that contain a row for each of the Trust Services criteria to form questions that will determine whether key controls are in place. The framework is based on the premise that if system controls operate effectively, the system itself will perform reliably.
One example is the use of personal identification numbers to prevent unauthorized access to a system. An entity may adopt such a control in its written objectives, but the control will not achieve its objectives unless it operates effectively. The Trust Services framework makes it easier for CPAs to determine whether the controls over a system operate effectively during the period covered by the examination.
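Steps 4 and 5 above describe building a control matrix with a row per Trust Services criterion and then assessing whether an effective control operates for each, and exhibit 3 lists illustrative security controls. The following is an added example, not code from the article or from the AICPA/CICA: a small Python control matrix for a hypothetical general-ledger system in which two of the exhibit 3 controls (lockout after three failed log-ins, deactivation of unneeded services) are tested against constructed evidence (an authentication log and a service inventory, both made up here), and a criterion with no identified control is reported as a gap. The log format, host names, authorized service list and the paraphrased criteria wording are all assumptions.

```python
"""Added example (not from the article): a per-system IT control matrix in
the style of steps 4 and 5, with automated tests of two exhibit 3
controls.  Systems, criteria wording, log lines and service inventories
are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed authentication log, hypothetical "timestamp user result" format.
# jdoe is locked out after three failures (control operated); asmith is
# allowed a fourth attempt and then succeeds (control did not operate).
AUTH_LOG = """\
2005-03-01T08:00:01 jdoe FAIL
2005-03-01T08:00:05 jdoe FAIL
2005-03-01T08:00:09 jdoe FAIL
2005-03-01T08:00:12 jdoe LOCKED
2005-03-01T08:01:00 asmith FAIL
2005-03-01T08:01:03 asmith FAIL
2005-03-01T08:01:07 asmith FAIL
2005-03-01T08:01:10 asmith FAIL
2005-03-01T08:01:14 asmith SUCCESS
"""


def lockout_exceptions(log_text: str, threshold: int = 3) -> List[str]:
    """Exhibit 3, control 1: after `threshold` consecutive failures the
    session must be terminated and a LOCKED entry logged.  Returns the
    users for whom a further attempt was accepted instead."""
    failures: Dict[str, int] = defaultdict(int)
    exceptions: List[str] = []
    for line in log_text.splitlines():
        _ts, user, result = line.split()
        if result == "FAIL":
            failures[user] += 1
            if failures[user] > threshold and user not in exceptions:
                exceptions.append(user)
        elif result == "LOCKED":
            failures[user] = 0          # lockout happened and was logged
        else:                           # SUCCESS
            if failures[user] >= threshold and user not in exceptions:
                exceptions.append(user)
            failures[user] = 0
    return exceptions


# Exhibit 3, control 4: the IT department's authorized service list
# (constructed) versus what is actually listening on each server.
AUTHORIZED_SERVICES: Set[str] = {"ssh", "https", "ldaps"}
GL_LISTENING: Dict[str, Set[str]] = {   # constructed inventory, e.g. from a port scan
    "gl-app01": {"ssh", "https"},
    "gl-db01": {"ssh", "ldaps"},
}


def unauthorized_services(listening: Dict[str, Set[str]],
                          authorized: Set[str]) -> Dict[str, List[str]]:
    """Hosts running services that are not on the authorized list."""
    return {host: sorted(svcs - authorized)
            for host, svcs in listening.items() if svcs - authorized}


@dataclass
class ControlRow:
    """One matrix row: a Trust Services criterion, the control management
    says mitigates it, and a test of the evidence for that control."""
    principle: str
    criterion: str
    control: Optional[str]                           # None = no control identified
    test: Optional[Callable[[], List[str]]] = None   # returns exceptions found


def assess(matrix: List[ControlRow]) -> Dict[str, str]:
    """Step 5: every applicable criterion needs an effective control.
    'gap' = no control, 'ineffective' = evidence shows exceptions,
    'effective' = control present and no exceptions found."""
    results: Dict[str, str] = {}
    for row in matrix:
        if row.control is None:
            results[row.criterion] = "gap"
        elif row.test is not None and row.test():
            results[row.criterion] = "ineffective"
        else:
            results[row.criterion] = "effective"
    return results


def gl_system_matrix() -> List[ControlRow]:
    """Constructed matrix for a hypothetical general-ledger system."""
    return [
        ControlRow("Security", "Protect against unauthorized logical access",
                   "Log-in terminated after three failures; lockouts logged",
                   lambda: lockout_exceptions(AUTH_LOG)),
        ControlRow("Security", "Unneeded network services deactivated",
                   "Authorized service list maintained and reviewed",
                   lambda: [f"{h}: {', '.join(s)}" for h, s in
                            unauthorized_services(GL_LISTENING, AUTHORIZED_SERVICES).items()]),
        ControlRow("Availability", "Procedures exist to recover after an outage",
                   None),   # management identified no control: a gap to remediate
    ]


if __name__ == "__main__":
    for criterion, status in assess(gl_system_matrix()).items():
        print(f"{status:12} {criterion}")
```

Running the block prints one status per criterion. The distinction it draws is the one step 5 needs: the lockout control is documented, but the constructed log shows asmith's fourth attempt being accepted, so the row is reported as ineffective rather than as a missing control, while the availability row is a true gap because management identified no control at all. In practice the test functions would read the real authentication log and a current service inventory, and the exception lists become the evidence retained for the assessment.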
These steps allow the COSO framework to defer to the Trust Services framework for a more detailed evaluation to determine whether the IT systems a company uses to support and create the financial reports are reliable.
Fulfilling the IT control aspects of the internal control assessment that Sarbanes-Oxley requires can be a challenge for CPAs. While each company will need to decide the framework most appropriate for its needs, Trust Services is a useful option that CPAs will find particularly helpful when the overall framework they use does not pay sufficient attention to IT issues.