
IT Organization: A Year Two Survival Guide


By Scott Fenton, VP & CIO, Peregrine Systems

As enterprise finance and IT organizations are well aware, 2004 was the first year of mandatory compliance with Sections 302 and 404 of the Sarbanes-Oxley Act. These sections of the legislation require management to establish and maintain internal controls, and external auditors to audit and certify compliance.

Total 2004 spending on Sarbanes-Oxley compliance has been estimated at over $6 billion [1]. So it is no surprise that organizations are now looking back at the substantial investments in time, effort, and money made to meet the regulatory requirements in year one, and searching for ways to automate and simplify processes to mitigate some of the compliance risks and associated costs going forward.

For CIOs and other IT professionals, a "wait and see" attitude toward Sarbanes-Oxley compliance is no longer an option. The time to act is now. Section 404 compliance, as defined by the Public Company Accounting Oversight Board's (PCAOB) auditing standards, is the most critical Sarbanes-Oxley issue facing large companies as a whole, and IT organizations specifically.

To meet the PCAOB's compliance standards for Sarbanes-Oxley, there are two major areas of concern:
  • Demonstrating controls over the IT components that make up the company's financial reporting system
  • Safeguarding IT assets, particularly if those assets make up a significant percentage of total capital assets
Sarbanes-Oxley auditors have now been at work for almost a year in most companies, yet it still may not be clear how to use automated processes such as change management and IT asset management to improve efficiency, reduce the need for outside resources, and lower the cost of Sarbanes-Oxley compliance going forward. This is the IT organization's major objective for year two and beyond.

Sarbanes-Oxley and the PCAOB standards clearly justify implementing strong general IT controls, such as change management and IT asset management. Implementing these controls delivers benefits that go far beyond simply surviving a Sarbanes-Oxley audit. They provide opportunities for improving processes and reducing IT costs, redundancies, complexity, and waste.

As a blueprint for implementing these IT controls, the PCAOB has virtually mandated using the Committee of Sponsoring Organizations (COSO) Framework as a method to assess and document the effect of IT controls over the financial reporting system. Through COSO, companies can establish a comprehensive and interrelated set of controls that are fully integrated into the management process and monitor the effectiveness of business operations.

Other frameworks, such as COBIT (Control OBjectives for Information and related Technology), ITIL® (IT Infrastructure Library) and ISO 17799, can be used in conjunction with COSO to demonstrate Control Activities.

Implementing documentation and control processes
Documentation and control processes in the two aforementioned areas of concern are the foundation for delivering the results called for in the PCAOB's auditing standards for Section 404 compliance. Implementing them is accomplished through defined practices and automated, technology-based processes. Specifically, change management and IT asset management can provide the technology foundation for ensuring that the PCAOB's auditing requirements are met. As an added benefit, putting these controls in place enables CIOs and IT managers to reduce spending on external consultants and manual labor in IT, while also reducing capital costs through improved control over IT assets and changes. Greater process automation (and the resulting improvements in documentation) means further cost savings, as well as reduced audit risk for year two and beyond.

According to the PCAOB, the general IT controls for applications and IT infrastructure that support financial reporting systems include:
  • Change management (application maintenance)
  • IT asset management
  • Security administration
  • Data management and disaster recovery (ensuring continuity)
  • Problem management (technical infrastructure and operations)
These IT controls must be exhibited for every component that makes up a financial reporting system.

Change management, IT asset management, and Sarbanes-Oxley
Let's look specifically at the first two types of controls mentioned above. Change management and IT asset management are the two practices that can deliver the biggest and quickest potential gains, both in terms of Sarbanes-Oxley compliance and in terms of reduced costs and improved efficiency.

Change management
PCAOB standards for Sarbanes-Oxley compliance require that IT controls are in place to document the processes and procedures for making changes to applications, databases, servers, etc., and that these changes do not disrupt the organization's ability to produce accurate and timely financial reports. Implementing these change management processes can have a significant positive impact, including:
  • Ensuring that transactions can only be initiated, modified, or deleted by appropriate individuals
  • Verifying that routine infrastructure changes (such as server maintenance and scheduled upgrades to financial systems) are defined, documented, and secure
  • Verifying that responses to unplanned infrastructure events (such as power outages) are defined, documented, and secure
  • Implementing a process for forwarding significant infrastructure changes to the internal Change Advisory Board for review and further documentation
IT asset management
A fully implemented IT asset management practice helps safeguard IT assets that might have a material effect on financial statements, while also representing the financial value of those assets more accurately. Because IT asset management addresses the full lifecycle of technology assets from both an operational and a financial point of view, asset value can be updated based on key lifecycle events:
  • Acquisition
  • Deployment (particularly in the area of software licensing)
  • Disposal
  • General ledger reconciliation
IT asset management provides complete visibility into an enterprise asset portfolio at all times: location, ownership, status, and balance sheet value. IT asset management also provides control over software compliance, making it easy to eliminate the purchase of unnecessary licenses and to spot rogue applications that pose significant risks to IT operations.

It is important to note that ERP systems typically do not provide the level of operational and financial granularity required to maintain an accurate view of current asset value. By implementing an IT asset management practice, IT information and processes can be integrated with existing ERP processes, creating direct links to fixed assets, procurement, and human resources. This provides the detailed financial information and documented processes critical to financial managers.

IT asset management can also play an integral role in risk assessment and control activities required by PCAOB. As such, the IT professional should leverage its capabilities to ensure proper Sarbanes-Oxley 404 compliance.

The COSO Framework: a compliance blueprint
To establish and document the internal controls that demonstrate compliance, the PCAOB has identified the COSO Framework as its preferred system.

The PCAOB's auditing standards are about the "what" of Sarbanes-Oxley compliance, while the COSO Framework is about the "how." COSO provides a framework for establishing the controls and processes mandated by the PCAOB's auditing standards.

COSO's stated goal is "improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance." The COSO Framework is based on the idea of Internal Control: Integrated Framework, establishing a comprehensive and interrelated set of controls that are fully integrated into the management process and monitor the effectiveness of business operations.

The COSO Framework has five basic components:
  1. Control Environment. Sometimes referred to as "the tone at the top," this involves senior management's consistent communication of a company's integrity and ethical values throughout the organization, and how the internal controls map back to those values.
  2. Risk Assessment. Identifying relative risks to a company's business objectives. In the case of Sarbanes-Oxley 404 compliance, this means risks to financial reporting and risks to IT assets themselves.
  3. Control Activities. These are the policies, processes, and procedures that address control weaknesses and mitigate the identified risks.
  4. Information and Communication. Data gathered by the control activities must be processed and communicated across the enterprise so that reports can be prepared, individuals can properly discharge their responsibilities, and the "tone at the top" can be reinforced.
  5. Monitoring. Internal control systems must be monitored and evaluated continuously to ensure maximum effectiveness. Such monitoring should be an integral part of how these control systems are designed.
The COSO Framework is mentioned extensively in the PCAOB's auditing guidelines. In fact, in many cases the PCAOB simply refers to it as "the framework," an indication of its perceived importance. Given the PCAOB's attitude toward COSO, chances are that any given auditor will be using it. Therefore, the IT professional should be aware of COSO and how it might be used as an auditor's framework.

The following table shows some of the specific tasks required for using change management and IT asset management practices to support the five components of the COSO Framework.



Source: Peregrine Systems

Other IT framework options: COBIT, ITIL, and ISO 17799
Although COSO will often be used as an overarching framework, it is important that IT organizations show processes through other frameworks specific to IT, and that these frameworks are used as part of managing the business.

COBIT, ITIL, and ISO 17799 are other examples of control frameworks for change management and IT asset management.

COBIT, ITIL, and ISO 17799 generally refer to Control Activities (COSO component #3): they help IT organizations define the controls that are in place and identify control weaknesses. They are not designed to be alternatives to COSO; rather, they work within the COSO framework to ensure compliance in their specific areas. COBIT deals with overall IT processes. ITIL covers IT service management, including software asset management. ISO 17799 addresses information security management.

For example, suppose an IT organization must justify certain control activities in an audit. If the controls meet ITIL standards, they will probably have more credibility. Because ITIL processes are well known and generally accepted, a change management process built on them is likely to be satisfactory to an auditor checking for Sarbanes-Oxley 404 compliance.

How to implement IT asset management controls and documentation
Taking the process a step further, let's look more closely at the specific objectives, risks, and activities involved in implementing COSO-related controls and documentation using IT asset management practices:



Source: Peregrine Systems

Summary
As we move into year two of the Sarbanes-Oxley era, companies have now had a chance to step back and begin making decisions about how to achieve long-term Sarbanes-Oxley compliance without spending a fortune.

The IT organization plays a key role in this process for two reasons: first, because IT software and equipment make up so much of the financial reporting infrastructure in virtually every company; and second, because IT assets represent such a large percentage of most companies' capital equipment purchases that they have a significant balance sheet effect.

The COSO framework specified by the PCAOB is a design for providing the IT organization with the visibility and granularity it needs to meet its compliance and auditing requirements. In particular, implementing change management and IT asset management systems as part of COSO delivers clear and considerable benefits in addressing the PCAOB's auditing standards, while at the same time improving efficiency and reducing costs.

Peregrine develops enterprise software solutions that enable organizations to evolve their IT service and asset management practices for reduced costs, improved IT productivity and service, and lower risk. The company's asset and service management offerings, such as Asset Tracking, Expense Control, Service Establishment, Service Control and Service Alignment, address specific business problems. These solutions make it possible for IT organizations to maintain a changing IT infrastructure, manage their relationships with end users and service providers, and gain greater visibility into how their IT investments are performing. The Peregrine Evolution Model provides a roadmap for companies that want to systematically evolve the sophistication and effectiveness of their IT operating practices.

[1] Source: AMR Research Alert #17849

Peregrine Systems is a registered trademark of Peregrine Systems, Inc. or its affiliates. All other marks are the property of their respective owners.



Scott Fenton is vice president and CIO of Peregrine Systems, Inc., a provider of asset and service management solutions based in San Diego, Calif.

He has more than 20 years of technical and operational management experience in the high-technology and electronics industry.





© 2019 Simplex Knowledge Company. All Rights Reserved.