
Enforcing Application Controls under SOX


A Closed-Loop Approach

By Chris Capdevila, CEO and Co-founder, LogicalApps

The Challenge
Companies have devoted intense effort and considerable resources to comply with Sarbanes-Oxley (SOX) legislation and ensure accurate and timely financial reporting. They have used traditional top-down approaches, such as those codified by COSO (the Committee of Sponsoring Organizations) and the related COBIT framework for IT, to drive these efforts. At the highest level, COSO sets the compliance tone for the entire organization via:

• Organizational structure and operating style

• Integrity and ethical values

• Board and Audit Committee oversight

• Management philosophy

SOX follows the COSO framework for regulatory and risk management, which standardizes the definition of internal controls as referenced in Section 404. It also provides a framework for risk management and regulatory compliance, which requires risk assessments and related policies, a control-based environment, control-based activities, information and communication procedures, and a monitoring mechanism for the control environment.

While not required by COSO, COBIT was developed and issued by the IT Governance Institute as a standard that provides effective governance for good IT security and control practices. COBIT is internationally accepted as a de facto standard and formally accepted by the Information Systems Audit and Control Association (ISACA) as good practice for control over information, IT and related risks. COBIT contains a framework for the control and measurability of IT, providing tools to assess and measure the enterprise's IT capability across the 34 COBIT IT processes. COBIT makes COSO real for systems by defining:

• General Controls: controls over the information systems themselves

• Application Controls: complete and accurate processing of authorized business transactions

Lastly, COSO and the related COBIT framework require assessing the quality and performance of internal controls over time.

By now, it is apparent that compliance efforts will not be a one-time leap; they will be ongoing and will need to address evolving standards, including new global regulations (see Figure 1). Appropriately, governmental bodies have to comply as well.

Regulation                                  Domain
Sarbanes-Oxley Act                          U.S. publicly-traded companies
ISO 17799                                   IT security industry
Canada's Instruments 52-109 and 52-111      Canada's SOX-equivalent
UK's Turnbull Guidance and Combined Code    UK's SOX-equivalent
Basel II Accords                            G10 regulations for the banking industry
HIPAA                                       U.S. health and medical industries
OMB Circular A-123                          U.S. Federal agencies
Solvency II                                 European insurers
IFRS                                        Global GAAP
OECD Principles                             EU internal controls

Figure 1: Various Compliance Regulations

Internal controls for enterprise applications are mandated by Section 404 of SOX and must be comprehensive, no matter the adverse operational impact. In fact, application internal controls are inherently the weakest link in the risk and compliance matrix, since they must deal with large numbers of users on a daily basis and often directly affect accurate financial reporting, which is the primary objective of SOX. Without automated enforcement of continuous application internal controls, there is little to prevent the recurrence of unintentional, innocent errors and intentional, criminal fraud. Either could result in declaring material weaknesses and in inaccurate financial reporting. Closed-loop controls automation, which allows and requires contemporaneous on-line review, is now absolutely required, since after-the-fact detection tools only document that a breach occurred and manual auditing can only verify controls at a point in time.

Minimizing the Time to Compliance
Initial SOX efforts have been intensive and extremely expensive, with organizations spending millions of dollars to comply in the first year of the new regulation. With the initial year's experience behind them, organizations are looking for ways to significantly reduce these costs going forward by leveraging solutions that help ensure automated and continuous compliance. There is no more tolerance for slack in material defect findings, and automated closed-loop enforcement of application internal controls is now critical.

Fortunately, these automated solutions can be implemented in parallel with the massive, long-lead-time risk assessment, policy and control documentation, and security efforts. In this way, application internal controls can be accelerated, even before all policies have been identified and written. Proving that enforcement is closed-loop and quantifying risk in terms of financial cost are essential to an aggressive defense against material weakness concerns or unwarranted audit expense, since they transcend any gradual heightening of the compliance threshold.

Enterprise applications exist to help automate business processes, most of which directly or indirectly affect financial reporting. Consequently, enforcing and automating internal controls for these applications is essential to real compliance and to achieving the ultimate SOX objective of timely and accurate financial reporting. In today's typical business environment, users are not just employees and contractors, but may be personnel from outsourced or shared-services operations. Incomplete or sporadic enforcement of application internal controls is one of the weakest and most dangerous links in the compliance chain.

Effective Application Internal Controls
Internal controls seek to prevent fraudulent activities and detect potentially fraudulent activities after the fact, based on suspicious situations or inferences. Internal controls can also be used to identify and prevent unintentional errors by honest people. Some of the key elements to effective application controls consist of the following:

Segregation of Duties (SOD): Transactions and the "Need to Know"
A focus on segregation of duties reduces risk by providing an internal control on performance: custody of assets is separated from accounting personnel, authorization of transactions is separated from custody of the related assets, and operational responsibilities are separated from record-keeping responsibilities. Consequently, access to functions, and even to information down to the field level, must be controlled in the application to accomplish this. Some well-known generic SOD controls are:

• Receiving segregated from Purchasing and Supplier Master Data

• Requisitioning segregated from Purchasing

• Purchasing segregated from Accounts Payable and Supplier Master

• Item Master segregated from most Supply Chain activities

• Inventory Control segregated from Accounts Payable/Settlement

• Purchasing segregated from Supplier Returns/Debit Memos

Segregation of duties applies to IT personnel as well as to users of software applications. As part of application internal controls, professional practice demands that functions such as programming, operating, controlling and using are performed by different people in order to enhance mutual control. Of course, everyone has experienced system and application bugs or operational problems that have required giving one IT person broad powers to diagnose and fix the problem under tight deadlines, in spite of the significant risks, and been relieved about the outcome.

Implementing segregation of duties, i.e. removing the conflicts, can often have an adverse impact on operational performance and introduce delays or errors into a process by involving multiple people. Based on the risk and operational factors, a spectrum of capabilities is needed in this area to address day-to-day realities:

• Forbid the transaction under all circumstances

• Forbid the transaction except with high-level authority

• Permit the transaction based on rules, such as dollar-value approval levels

• Permit the transaction with "reason codes" to justify the action for subsequent review, and/or with attached supporting calculations, such as Excel spreadsheets or application reports

• Permit the transaction with subsequent approval

With the need for function- and field-level SOD rules, an enterprise with tens of thousands of users could easily have thousands of conflicts. Enterprises with multiple, heterogeneous applications, or with multiple organizations operating within their applications (e.g. Oracle Applications "multi-org"), can increase this SOD conflict matrix exponentially. Automated management and enforcement of these complex segregation of duties policies becomes essential.

Authorizations/Approval Automation
In order to manage SOD policies that allow for approvals, it is important to automate the authorizations and approvals themselves. This approval functionality should also provide for escalation in the event of delayed approvals or suspended/incomplete transactions. A list of each application responsibility/role together with the titles of all related employees can help eliminate clerical errors when assigning access to the right person, even in the case of duplicate names.

Case Study: Automating Application Internal Controls
A major high-tech manufacturer, faced with board-level mandates to ensure application internal controls compliance on an accelerated basis, turned to LogicalApps' software to automate the enforcement of critical application internal controls. The solution was implemented in phases to tackle the highest-risk controls first. Since the enterprise-wide controls effort was so large, the organization decided to implement the LogicalApps compliance solution in parallel with short phases that removed SOD conflicts according to risk. Since instant removal of all SOD conflicts could bring operations to a halt, this phased approach was necessary. The following risk categories were defined in terms of Oracle's "responsibility" permissions, which often comprise multiple functions and access to many fields:

• High-risk intra-responsibility

• Lower-risk intra-responsibility

• High-risk inter-responsibility

• Lower-risk inter-responsibility

• Ongoing, comprehensive SOD conflict remediation for all risk levels, including company-specific controls

The first step was to "end-date" all seeded or pre-loaded responsibilities provided by the software applications vendor (Oracle). Policies and controls were then developed, often on an exception basis, for the hundreds of generic SOD conflicts, using the more than one thousand controls provided with the LogicalApps compliance solution. All changes to authorizations and approvals were tracked, with on-line notifications sent as appropriate for prompt review and auditing. Each of the first four risk phases above took, on average, one to two weeks. In this way, compliance was accelerated while adverse operational impacts were mitigated by a common-sense approach. For example, threshold levels requiring additional approval were developed to minimize risk yet permit operational efficiency.

Segregation of duties conflicts were identified and resolved within a few weeks, and preventive and detective controls were deployed to continuously enforce the company's unique SOD policies.
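To make the two mechanisms above concrete, here is an added Python example (written for this edit; it is not LogicalApps' product code and not Oracle's data model) that detects SOD conflicts from user-to-responsibility assignments, classifies each as intra- or inter-responsibility and assigns it to one of the case study's four remediation phases, and then applies the enforcement spectrum described earlier (forbid, forbid except with high-level authority, permit by dollar-value approval level, permit with reason code, permit with subsequent approval) to individual transactions. The responsibilities, users, functions, rules and thresholds are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

# Constructed model, not LogicalApps' or Oracle's: a user holds one or more
# "responsibilities" (the Oracle term the case study uses), each responsibility
# grants application functions, and an SOD rule names two functions that one
# person must not hold together plus how the control spectrum treats the clash.


class Decision(Enum):
    FORBID = "forbid under all circumstances"
    FORBID_UNLESS_HIGH_AUTHORITY = "forbid except with high-level authority"
    PERMIT_BY_RULE = "permit based on rules (dollar-value approval level)"
    PERMIT_WITH_REASON_CODE = "permit with reason code for subsequent review"
    PERMIT_WITH_SUBSEQUENT_APPROVAL = "permit with subsequent approval"


@dataclass(frozen=True)
class SodRule:
    func_a: str
    func_b: str
    risk: str                          # "high" or "lower", as in the case study
    decision: Decision
    threshold: Optional[float] = None  # only used by PERMIT_BY_RULE


@dataclass(frozen=True)
class Conflict:
    user: str
    rule: SodRule
    kind: str                # "intra" (one responsibility grants both) or "inter"
    via: Tuple[str, ...]     # responsibilities that together create the clash


@dataclass
class Transaction:
    user: str
    function: str
    amount: float = 0.0
    reason_code: Optional[str] = None
    high_authority_override: bool = False


# Constructed sample data (hypothetical responsibilities, users and rules).
RESPONSIBILITIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"enter_invoice", "pay_invoice"},
    "BUYER": {"create_po", "approve_po"},
    "RECEIVING": {"receive_goods"},
    "SUPPLIER_ADMIN": {"edit_supplier_master"},
}
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob": {"BUYER", "SUPPLIER_ADMIN"},
    "carol": {"BUYER", "RECEIVING"},
    "dave": {"RECEIVING"},
}
RULES: List[SodRule] = [
    SodRule("create_po", "edit_supplier_master", "high", Decision.FORBID),
    SodRule("create_po", "receive_goods", "lower", Decision.FORBID_UNLESS_HIGH_AUTHORITY),
    SodRule("enter_invoice", "pay_invoice", "high", Decision.PERMIT_BY_RULE, threshold=5000.0),
    SodRule("create_po", "approve_po", "lower", Decision.PERMIT_WITH_REASON_CODE),
]
# The case study's remediation order: high intra, lower intra, high inter, lower inter.
PHASES = [("high", "intra"), ("lower", "intra"), ("high", "inter"), ("lower", "inter")]


def find_conflicts(rules, responsibilities, assignments) -> List[Conflict]:
    """Detective control: every user whose responsibilities together violate a rule."""
    found: List[Conflict] = []
    for user in sorted(assignments):
        granted_by: Dict[str, Set[str]] = {}   # function -> responsibilities granting it
        for resp in assignments[user]:
            for func in responsibilities[resp]:
                granted_by.setdefault(func, set()).add(resp)
        for rule in rules:
            if rule.func_a in granted_by and rule.func_b in granted_by:
                shared = granted_by[rule.func_a] & granted_by[rule.func_b]
                kind = "intra" if shared else "inter"
                via = tuple(sorted(granted_by[rule.func_a] | granted_by[rule.func_b]))
                found.append(Conflict(user, rule, kind, via))
    return found


def remediation_phase(conflict: Conflict) -> int:
    """1-based phase in which the case study's plan would address this conflict."""
    return PHASES.index((conflict.rule.risk, conflict.kind)) + 1


def conflicts_by_phase(conflicts: List[Conflict]) -> Dict[int, int]:
    counts: Dict[int, int] = {}
    for c in conflicts:
        counts[remediation_phase(c)] = counts.get(remediation_phase(c), 0) + 1
    return counts


def _apply(rule: SodRule, txn: Transaction) -> Tuple[bool, str]:
    """Preventive control: one rule's verdict on one transaction, per the spectrum."""
    d = rule.decision
    if d is Decision.FORBID:
        return False, f"forbidden: {rule.func_a}/{rule.func_b}"
    if d is Decision.FORBID_UNLESS_HIGH_AUTHORITY:
        if txn.high_authority_override:
            return True, "permitted by high-level authority (logged for audit)"
        return False, "forbidden without high-level authority"
    if d is Decision.PERMIT_BY_RULE:
        limit = rule.threshold if rule.threshold is not None else 0.0
        if txn.amount <= limit:
            return True, f"permitted: {txn.amount:.2f} within approval level {limit:.2f}"
        return False, f"held: {txn.amount:.2f} exceeds approval level, additional approval required"
    if d is Decision.PERMIT_WITH_REASON_CODE:
        if txn.reason_code:
            return True, f"permitted with reason code {txn.reason_code} (queued for review)"
        return False, "reason code required"
    return True, "permitted, routed for subsequent approval"


def enforce(txn: Transaction, conflicts: List[Conflict]) -> Tuple[bool, List[str]]:
    """Allow the transaction now only if every applicable conflict's rule permits it."""
    verdicts = [_apply(c.rule, txn) for c in conflicts
                if c.user == txn.user and txn.function in (c.rule.func_a, c.rule.func_b)]
    if not verdicts:
        return True, ["no SOD conflict applies"]
    return all(ok for ok, _ in verdicts), [msg for _, msg in verdicts]


if __name__ == "__main__":
    found = find_conflicts(RULES, RESPONSIBILITIES, ASSIGNMENTS)
    for c in found:
        print(f"phase {remediation_phase(c)}: {c.user} {c.rule.func_a}/{c.rule.func_b} "
              f"({c.rule.risk} risk, {c.kind}-responsibility via {', '.join(c.via)})")
    print(enforce(Transaction("alice", "pay_invoice", amount=9000.0), found))
```

The detective pass (find_conflicts) is what a periodic review would run over the whole user population; the preventive pass (enforce) is what a closed-loop control evaluates at transaction time, so that a conflict that was deliberately left in place during a later remediation phase is still governed by a rule rather than silently allowed. When several rules apply to one user and function, the strictest verdict wins.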

Summary
Meeting regulatory compliance mandates is not limited to a single deadline that expires and is forgotten. Rather, compliance is merely the starting point of a continuous effort to ensure that appropriate controls and processes are in place to guarantee the integrity of financial systems. Incomplete or sporadic enforcement of application internal controls is one of the weakest and most dangerous links in the compliance chain, making the automation and continuous enforcement of application controls an absolutely critical element of a sustainable and cost-effective compliance effort.


