Sarbanes-Oxley Compliance Methodology for IT

Guidelines for Establishing a General Framework


A survey of 22 companies by The Hackett Group found that nearly half do not have IT represented on their Section 404 Project Steering Committee, which is leading the Sarbanes-Oxley compliance efforts.

This poses several potential hazards and problems. If IT does not get involved, the rest of the business, particularly Finance, may impose cumbersome systems on the department. Because IT systems run companies and are essential to compliance, IT can take the lead in the process. Moreover, IT should seize compliance as an opportunity to manage, minimize, and mitigate departmental risk and improve the security and stability of IT systems.

The assessment of the IT control environment is an integral part of any Section 404 internal controls evaluation process. IT will be significantly involved in this effort, including organizing the activities and developing the detailed processes and work plans required to support it. IT executives should develop a work plan that phases the work, beginning with the systems and processes known to be significant or material under any definition, and that identifies any areas where potential issues are likely.

IT executives should also gain an immediate understanding of key matters such as materiality, internal control concerns, significant accounts and processes, and the current state of IT systems and control procedures. As work plans are developed and refined, determine the appropriate staffing levels and whether any additional resources or technology will be required.

Evaluating Internal Controls
The first place to start is to establish a framework that allows companies to assess existing internal controls. This framework has five key phases that allow companies to define, establish, and maintain the control processes required for Sarbanes-Oxley compliance.

  • Define Internal Control
  • Organize Project Team and Plan
  • Evaluate Controls at the Entity-Level
  • Evaluate Controls at the Process, Transaction, or Application Level
  • Evaluate, Improve, and Monitor

Phase One: Define Internal Control
The first step towards Sarbanes-Oxley compliance is defining what internal control means to your company. Since the SEC recommends the COSO internal control framework, it is a good place to begin.

The SEC defines internal control as a process that is designed to provide reasonable assurance regarding the achievement of objectives. To simplify this phase, COSO created a three-dimensional matrix, in the shape of a cube, which represents the various elements required to define internal control within a company, including:

  • Objectives
  • Internal Control Components
  • Organizational Structure

  • Objectives
    The first step required for defining internal control is the establishment of business objectives, which are represented as the vertical columns on the COSO matrix. These objectives must exist before management can identify events that can potentially affect their achievement. There are three types of objectives that must be established:

    • Operations Objectives: relate to the effectiveness and efficiency of the company's operations, such as performance and profitability goals. The objectives vary based on management's choices about structure and performance.

    • Reporting Objectives: relate to the effectiveness of the company's reporting. Reporting objectives, while originally defined as published financial statements, now cover all reports developed by a company, whether disseminated internally or externally. Reporting should also include both financial and non-financial information. Non-financial information is often used to make decisions that have a financial impact on a company.

    • Compliance Objectives: relate to the company's compliance with applicable laws and regulations, including Sarbanes-Oxley.

  • Internal Control Components
    Objectives are directly related to the second dimension of the COSO matrix, internal control components. There is a synergy and integration among control components that helps form an integrated system that reacts dynamically to changing conditions. This internal control system is intertwined with the company's operating activities. Internal control components are most effective when the controls are built into the company's infrastructure, support quality and empowerment initiatives, avoid unnecessary costs, and enable responsiveness.

    The five key components required for effective internal control are:

    • Control Environment: serves as the foundation for all other internal control components by setting the tone for a company and influencing the control consciousness of its employees. Control environment factors include the integrity, ethical values, and competence of a company's people, and its management philosophy and operating style.

    • Risk Assessment: is how a company identifies and analyzes risks to achieving its business objectives. The assessment forms the basis for determining how the risks should be managed.

    • Control Activities: are the policies and procedures that help ensure management directives are carried out and actions are taken to address the risks to achieving a company's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

    • Information and Communication: are the systems that support the identification, capture, and exchange of information that enables employees to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control a business. They deal not only with internally generated data, but also with information about external events, activities, and conditions necessary for informed decision-making and external reporting. Effective communication must also occur in a broader sense, flowing down, across, and up the organization. Employees must understand the objectives that apply to them, their own role in the internal control system, and how their activities relate to the work of others, and they must be able to communicate that information upstream and to external parties.

    • Monitoring: is a process that assesses internal control performance over time by monitoring activities on an ongoing basis, conducting separate evaluations, or a combination of the two. Any internal control deficiencies should be reported to management.

  • Organizational Structure
    The third and final dimension of the COSO matrix reflects the organizational structure of the company itself, including Entity-Level, Division, Business Unit, and Subsidiary.

Phase Two: Organize the Project Team and Plan
During Phase Two, companies should create a project team and develop a plan for evaluating its internal controls. As with any enterprise-wide initiative, there should be an active executive sponsor.

The project team should also consist of members from key areas within a company, including:

  • Finance and Accounting: CFO, Controller, Business Unit Controllers, etc.
  • IT: CIO, Security Officer, IT Audit Director, etc.
  • Operations: Representatives from major business segments or organizational units
  • Internal Auditors: General Auditor, etc.

IT must be properly represented on the project team because of management's dependence on IT to support the company's day-to-day operations, including financial reporting. The demands of Sarbanes-Oxley compliance, coupled with the complexity of today's IT systems, require senior IT representation, as only IT has the understanding and knowledge required.

Once the team has been identified, the members should develop a project plan that includes details about organization, scope, timing, and reporting and communications. The plan should also provide for involving internal auditors, identifying potential problems, and developing supporting documentation and reporting.

IT executives are strongly encouraged to organize a support team within their department that can assist with the compliance activities generated by the project team.

Phase Three: Evaluate Controls at the Entity Level
The objective of this phase is to evaluate the internal controls that exist at the entity or company-wide level.

IT executives should also evaluate their own organization according to the five major internal control components defined in the COSO matrix:

  • Control Environment
    Just as the executive management team sets the tone for control at the corporate level, IT executives set the tone for their own organization. IT executives should consider the following when evaluating their control environment:

    • Overall IT structure and organization
    • Executive management interest in IT functions
    • Decentralization of IT operations
    • IT staffing, training, and competence levels
    • IT policies and procedures
    • Ownership of data and applications
    • Segregation of duties

  • Risk Assessment
    IT executives must identify and examine the risks within their department to determine how best to mitigate those risks and minimize the impact they might have on business objectives. IT executives should examine the following:

    • Existence of and support for an IT strategic plan
    • Mechanisms to identify technology risks
    • Action plans and budget to mitigate risks
    • Inclusion of IT in major transactions
    • Interaction with external auditors

  • Control Activities
    IT executives must also concern themselves with the control activities required for compliance, including:

    • Documentation of systems and controls
    • Segregation of IT duties
    • Automated application controls
    • Use of system-generated information
    • Change control procedures
    • Security over data and related IT assets

  • Information and Communication
    As this component deals with information systems, it is largely a responsibility of IT. IT executives need to evaluate:

    • Ability to deliver timely and accurate reporting
    • Coordination between finance and IT
    • Use of outside service organizations
    • End-user satisfaction and involvement
    • Application and data back-up procedures
    • Disaster recovery processes

  • Monitoring
    IT executives need to be concerned with how they monitor departmental activities on an ongoing basis, including:

    • Intrusion detection systems and follow-up
    • Adequacy of the IT internal audit program
    • IT performance monitoring


Phase Four: Evaluate Controls at the Process, Transaction, or Application Level
In this phase, IT executives must evaluate individual processes and activities that can impact the achievement of business objectives, including:

  • Identifying Significant Business Processes
    IT executives should help identify significant business processes within their company as virtually every key business process is dependent on IT in some form or another — from automated transactions and programmed controls to system-generated data.

    IT executives should work with Finance and Business Unit personnel to map out typical processes to help identify where errors can occur, including transaction initiation, recording, processing, and reporting. The level of documentation required for this phase will depend on the number of business units or locations, the degree of IT centralization, the nature and complexity of business transactions, and the degree to which the management team relies on the supporting IT systems.

  • Identifying Possible Errors
    Next, IT executives must consider possible IT errors that could individually or collectively have a material effect on a company's financial statements, including:

    • Integrity of major data input sources
    • Significant processing procedures
    • Access to important data files
    • Erroneous factors and assumptions
    • Competency of personnel
    • Functional segregation of duties

  • Identifying Relevant Controls to Detect or Prevent Errors
    Finally, IT executives should collaborate with business process owners as well as knowledgeable members of their own teams to identify possible IT detection and prevention controls that can be put in place. Detection controls monitor business processes and are typically applied to a group of transactions. Prevention controls prevent errors or fraud and are typically applied at the level of a single transaction.

    These controls also include automated application-based controls, manual IT-dependent controls, and general IT controls. Application-based controls are controls that can be automated within an existing application, such as programmed control procedures (e.g., edit, matching, and reconciliation routines) and computer processes (e.g., calculations, on-line entries, and automatic system interfaces). Manual IT-dependent controls are controls that rely on system-generated information or functionality for their effectiveness and are typically used to detect errors. General IT controls are the IT processes and related controls that govern the above controls.

Phase Five: Evaluate, Improve, and Monitor
The final phase involves evaluating the controls put in place in Phase Four, designing and implementing new controls to correct deficiencies, and implementing monitoring systems.

IT executives should evaluate the overall effectiveness of internal controls under their responsibility, prepare a report, and discuss the findings and recommendations with the appropriate business process owners.

Increasingly, IT executives will also be responsible for providing support for the management assertions regarding internal controls to the external auditors as well as developing a quarterly self-assessment strategy.

To accomplish this, IT executives absolutely must establish a system to facilitate continuous monitoring and updates, whether through regular meetings or self-assessment tools. Whatever monitoring mechanism is used, IT must:

  • Refresh documentation and validate system changes regularly
  • Reassess IT control processes every 90 days
  • Report any significant changes or process deficiencies to senior management

If you have any questions or comments about this article or The Extended Enterprise, please let us know at extended-enterprise@glovia.com.