Sarbanes Oxley Compliance Journal: Section 404 Thought Leader

IT Automation Can Increase SOX Cost Savings


Improving Processes and Bolstering Security Posture

By Ellen Libenson, VP of Product Management, Symark Software

From the seemingly endless testing of IT controls, to the escalating costs, to the extra burden on limited staff resources, IT professionals know full well the pains of Sarbanes-Oxley compliance.

SOX Section 404 has been roundly criticized by both IT and business executives for lax guidelines that have bred a checklist approach to assessing companies’ internal controls. This prescriptive approach to auditing has led, in some cases, to serious over-testing of IT general controls, encompassing even those with only a peripheral connection to the business processes that affect corporate financial statements, or worse yet, no relationship to them at all.

In fiscal year 2006, the total average cost for SOX Section 404 compliance was $2.9 million, according to a Financial Executives International survey of 172 companies with market capitalization above $75 million. This forced march to SOX does have its advantages, including greater insight into ways to bring down operational costs, better documentation and more standardization of IT and other processes, and a stronger control environment. However, despite the overall cost of compliance being down from 2005 thanks to efficiency gains, audit fees were largely unchanged.

Now, organizations have the opportunity to reap the benefits of SOX compliance with far less pain.

Thanks to the May 2007 adoption of Auditing Standard No. 5 (AS 5), auditors now have greater authority in making judgments about which IT general controls must be tested. They now focus their attention on the ones that relate to processes that should help a company avoid material weaknesses in financial statements. Following right on the heels of the SEC’s new guidelines for Section 404—which advise companies to home in on the controls that present the greatest risk to their financial reports—AS 5 takes a complementary, principles-based and top-down approach to risk assessment.

In practice, this shifts the testing burden toward the systems behind those processes. Such anti-fraud controls are a cornerstone of governance. They support the proper operation of applications and automated calculations for “in-scope” systems (for example, anything that eventually contributes to a company’s financial statements, as well as the operating systems beneath those applications). They also protect against unauthorized changes to programs and data, even though deficiencies within these controls themselves do not directly cause material weaknesses.

The savings in SOX compliance work and costs can be substantial, now that auditors can be guided by their own judgments and by scoping methodologies such as the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT). GAIT was developed by the Institute of Internal Auditors to help organizations identify the key IT general controls whose failure might indirectly result in a material error in a financial statement.

But to realize these savings—along with the other potential benefits of SOX compliance—companies need to automate their anti-fraud controls. Manual controls are not as effective, and they are certainly more time-consuming to test. And while the initial cost of adding new technology and changing processes can be high, the efficiencies gained in other areas will ultimately offset those costs.

Small Business Must Get With the Program

In recent years, these issues have become as important to smaller public companies as they have been to their larger competitors since 2004, which marked the end of the two-year implementation period the larger companies were given to get up to speed on SOX compliance. Businesses with less than $75 million in market capitalization have until late 2008 for external audit checks. Some lawmakers have been trying to delay this and other compliance dates, which have already been delayed multiple times by the SEC. But that’s not likely to happen this time around.

Auditors will have to make some finer judgments related to risk assessment in smaller companies, where IT personnel may have to wear more than one hat (developer, database administrator, and application support person), and duties may not be as minutely segregated as they are in larger businesses. Yet that won’t change the requirement that smaller businesses pay equally close attention to monitoring their personnel’s activity and privileged users’ access to systems.

On the positive side, some smaller companies may be ahead of the game compared to the big businesses that had to start from scratch in 2002. If they regularly do business with large public companies, for example, they’ve often wound up inadvertently complying with some SOX requirements, especially regarding IT controls for encryption. Other small companies in the retail sector may be able to take some of the lessons they’ve learned from their PCI compliance efforts and apply them towards their SOX projects. Though focused exclusively on credit/debit card systems, PCI is very similar to SOX in certain respects.

Additionally, smaller businesses do not use as much custom software and in-house code as larger companies tend to use. They usually do not heavily modify the off-the-shelf application software that they typically buy, and smaller businesses are generally able to rely on commercial vendors’ automated controls at that level.

Where the Risk Lies

When it comes to exercising judgment about testing anti-fraud controls, auditors target two areas in the security domain: default user names and passwords in vendors’ products that are never changed or removed, and thus can be used to perpetrate fraud; and privileged passwords, such as the administrator or root password, that, if freely shared, give fraudsters the anonymous ability to access an in-scope financial system and change its data or schema.

For auditors, it is all about accountability and the proper identification of users and their activities—and specifically the privileged account users who administer corporate systems. So, for public companies, it is all about proving to auditors that they are effectively managing Windows Administrator passwords—as well as the root passwords within UNIX and Linux systems—by automating the provisioning of administrative privileges at a very granular level. It is also important to implement security policies that define role, user or system access restrictions while automatically maintaining an audit trail of administrative user tasks that confirms to auditors that these restrictions are being enforced. In addition, by automatically monitoring logs and generating reports, companies can verify that certain tasks have been performed by authorized administrative users.
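The paragraph above describes three pieces of an automated control: a policy that restricts which administrative tasks each role may run, an audit trail of the privileged commands that were actually executed, and a report that confirms to auditors that only authorized users performed them. The following Python script is an added illustration of that loop; it is not code from the article or from Symark. It assumes sudo-style syslog lines (the four lines below are constructed, not a real capture) and a hypothetical role-to-command delegation policy, and it produces the kind of per-user summary an auditor could review instead of interviewing process owners.

```python
"""Check privileged-command audit lines against a role-based delegation policy.

Added example. The log lines and the policy are constructed assumptions; the
line format mirrors sudo's default syslog output so a real log could be fed in.
"""
import re
from collections import defaultdict

# Constructed sample log: three granted commands and one attempt sudo refused.
SAMPLE_LOG = """\
Mar 12 09:14:02 fin-db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service postgresql restart
Mar 12 09:20:45 fin-db01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /var/log/postgresql/postgresql.log
Mar 12 09:31:10 fin-db01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/psql -c ALTER TABLE ledger DROP COLUMN audit_flag
Mar 12 10:02:33 fin-db01 sudo:   carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
"""

# Hypothetical delegation policy: role -> target account -> permitted commands.
# A prefix ending in "/" allows any path below it; otherwise the command must
# match exactly or be followed by arguments.
ROLES = {
    "dba": {
        "postgres": ["/usr/bin/psql"],
        "root": ["/usr/sbin/service postgresql"],
    },
    "app-support": {
        "root": ["/bin/cat /var/log/"],
    },
}
USER_ROLES = {"alice": "dba", "bob": "app-support"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>user NOT in sudoers) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return a dict of fields for a sudo log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["denied"] is not None
    return rec


def _matches(cmd, prefix):
    if prefix.endswith("/"):
        return cmd.startswith(prefix)
    return cmd == prefix or cmd.startswith(prefix + " ")


def is_authorized(user, target, cmd):
    """True if the user's role permits running cmd as the target account."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return any(_matches(cmd, p) for p in ROLES[role].get(target, []))


def audit(log_text):
    """Classify every line into authorized / unauthorized / denied / unparsed."""
    report = {"authorized": [], "unauthorized": [], "denied_by_sudo": [], "unparsed": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            report["unparsed"].append(line)
        elif rec["denied"]:
            report["denied_by_sudo"].append(rec)
        elif is_authorized(rec["user"], rec["target"], rec["cmd"]):
            report["authorized"].append(rec)
        else:
            report["unauthorized"].append(rec)
    return report


def per_user_summary(report):
    """Per-user counts of each outcome, the table an auditor would review."""
    summary = defaultdict(lambda: {"authorized": 0, "unauthorized": 0, "denied_by_sudo": 0})
    for outcome in ("authorized", "unauthorized", "denied_by_sudo"):
        for rec in report[outcome]:
            summary[rec["user"]][outcome] += 1
    return dict(summary)


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for user, counts in sorted(per_user_summary(result).items()):
        print(f"{user:8s} {counts}")
    for rec in result["unauthorized"]:
        print(f"REVIEW: {rec['ts']} {rec['user']} as {rec['target']}: {rec['cmd']}")
```

Run against the constructed log, the report marks alice's service restart and bob's log read as authorized, flags bob's schema change on the ledger table as outside his role, and records carol's refused attempt separately. Prefix matching on the command string is deliberately simple; a production control should compare resolved paths and treat the log source as tamper-evident (forwarded to a separate host), since a privileged user who can edit the local log can also edit the evidence.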

Auditors who are not satisfied with a company’s anti-fraud IT general controls—whether it is because they are manual or non-existent—will be forced to review back-end processes to see if there is a mitigating control on the business end to catch a fraudulent activity. This includes going through the rigmarole of questioning who has root account access, why and whether they should be using that access in certain ways.

Without automation, getting the information to prove compliance in an efficient way is a chore. Most auditors will recommend purchasing automated solutions whenever possible, especially if they also audit activity. A system that clearly defines who has what privileges can streamline the testing process and drastically reduce testing costs.

From Problem to Best Practice

The immediate benefits of the revisions to SOX Section 404—for companies that have automated their processes to manage all user accounts, including privileged users, and maintain automated logs for tracking their activities—are a reduction in the number of controls that are being tested and, more importantly, a reduction in the costs of that testing. But the longer-term benefits of a process-driven approach to SOX will manifest themselves year-round, in automated and more efficient business processes and financial controls.

When administrative root privileges are routinely delegated at a granular level and automatic activity monitoring is integrated into IT processes, a major SOX burden is lifted off of IT management. The year-end ritual of coordinating and sitting in on interviews with process owners, gathering screen shots to prove process flow and otherwise answering to the auditors may become a distant memory.

The good news is that IT departments, initially very resistant to SOX, have each year become warmer to the idea of turning their SOX project into a process, as they’ve realized the benefits of that approach. With the revisions to the Section 404 guidelines and the new PCAOB AS No. 5—and by implementing tools to take advantage of these changes—any remaining resistance should further decrease.

Ellen Libenson is vice president of product management at Symark Software, a maker of identity management and access control solutions for heterogeneous IT environments.

She can be reached at elibenson@symark.com.

© 2019 Simplex Knowledge Company. All Rights Reserved.