We've heard CIOs voice their concerns and fears about Sarbanes-Oxley (SOX) compliance, but what's going through the minds of auditors as they prepare to invade the IT department? Lawrence Baye, a management advisory services principal with Grant Thornton LLP and a SOX expert, talks about some common mistakes CIOs are making and what situations send the red flags flying on the Sarbanes-Oxley auditor's checklist.
What are some of the toughest SOX challenges for CIOs?
CIOs were brought to the table late. SOX was viewed to be a financial accounting project. In many cases, CIOs thought it was another Y2K initiative, and they didn't have to worry about it after Jan. 1. I think SOX is more like Y2K every day. This is a permanent issue, and most organizations aren't set up to deal with that. One of the toughest questions is 'what do you do from a compliance standpoint next year and thereafter?'
Also, some accounting firms are asking for evidence of controls from the time systems were implemented. Nobody kept that documentation, so it's really hard to reconstruct. That makes it especially difficult in some environments where IT systems are customized or modified -- where there's a lot of knowledge in individuals' heads that's not committed to paper. There's not a lot of quality assurance in IT that ensures evidence is committed to paper -- that's almost a new priority.
It's also vague and open to interpretation by accounting firms and individuals serving that account. Different firms have different expectations. A lot of this is judgment.
What does the CIO need to be doing?
I think, depending on the size of the company, the CIO has to get involved from a project management standpoint and know the quality and integrity of the systems that are already deployed. Compliance is not as important as other things [to many firms] and may not be in their budget and was not a business objective at the beginning of the year. It's a pain!
The CFO and the audit committee are usually the two who have to understand SOX. But you need a culture where the CIO also understands it. The CIO doesn't have to certify, but I'd want CIOs to certify. Why wouldn't I want my colleague to sign before I sign a public document? That's already happening in larger companies, although you'll never see it in writing publicly. It's done internally though -- it's called accountability.
As an auditor, what are you looking for when you enter the IT department?
IT controls of particular importance are related to physical and access security systems, development and change, and operations, backups and production. I look for governance -- how the IT function is managed. The more systems you have and the more people in the building running and maintaining them, the more likelihood of slip-ups.
The bar is very high for passing and very low for stumbling. IT controls are considered pervasive -- poor controls could undermine the integrity of financial systems and processes. It requires more to prove everything's running soundly in an IT environment.
CIOs are fearful that if they get adverse opinions from auditors, it will be in operations, backups and security over the network and database. You can have a great accounts payable, but if it runs on a computer that people can break into, management has to prove that if a break-in did happen, something was done before anything bad happened. You have to prove you can detect and fix wrongdoing quickly.
What red flags are you looking for?
Is IT organized to show evidence of supervision, governance and segregation of duties? When you can't find that, and you don't know who reports to whom, that's disconcerting. If a CIO doesn't have a business focus and is a techie who ended up as CIO as the result of turnover, their ability to adapt to controls becomes a stretch.
Also, if there are a lot of systems in a lot of locations that don't talk to each other -- especially if they're old systems -- that's a problem. The absence of documented policies and procedures -- no paperwork or protocol -- that's a problem too.
That's what we look at when we're scoping this out. If we don't have it, we've got an uphill battle. If there's a level of disinterest on finance or IT, then the chance of success goes down.
What are some common mistakes you see IT making in regards to SOX compliance?
We've found companies with a general ledger system, and more people than necessary have access to it and can change records. We're also seeing contractors and other third parties with too much physical access to computers. You can't have too many people in the computer area who don't belong there. We've also seen companies with backup facilities that don't kick in.
November 15 is creeping closer and closer. What would you say to CIOs who won't make the deadline?
There's a firm I'm aware of that has so much to do, that a good portion of their business won't be compliant. They're trying a bunch of things concurrently -- some documentation, some testing. They could end up spending a lot of money and will have nothing to show for it.
Do some testing so you know controls are sound going into next year as opposed to just saying 'some things work, and some don't -- we don't know which ones.' Either way, you'll have weaknesses. But you don't want the weakness to be governance. You don't want to say that management didn't care. Everything else will be tainted.
So some compliance is better than none?
Absolutely. How many firms will get done fast enough so there's enough time to get new or remediated controls in place that are testable? No comment. There are estimates all over the place, but no one really knows.
A lot of CIOs say there's no precedent for SOX, so they're still unclear as to what to do. Is that a valid argument?
But you could argue no one went through Y2K either, and we survived it. But Y2K was always an IT event. People thought this was an accounting problem. Last winter, I was giving a speech to big company CIOs talking about their getting involved in Sarbanes. I got a lot of blank expressions. When I asked how many were involved in SOX planning and understood what needed to be done on the IT side, one out of about 100 raised their hands. I was shocked.