An Information Technology Perspective of Sarbanes-Oxley

David M. Cannon, Ph.D., CPA (Ohio), CCP
Assistant Professor
Department of Accounting and Taxation
Grand Valley State University

West Michigan Accounting and Auditing Symposium
May 27, 2004
Primary Sarbanes-Oxley Sections Relevant to IT

• Section 302
– CEOs and CFOs must attest to the accuracy of financial statements (a)(2)
– CEO and CFO must certify that, to their knowledge, quarterly and annual reports contain no untrue statement of a material fact and do not omit a material fact
– CEOs and CFOs must certify that
  • they are responsible for internal controls (a)(4)(A)
  • the controls are designed such that material information is made known to the CEO and CFO (a)(4)(B)
  • they have evaluated the effectiveness of internal control within 90 days prior to quarterly and annual reports (a)(4)(C)
Primary Sarbanes-Oxley Sections Relevant to IT

• Section 404
– Annual report must contain a report on the effectiveness of internal control
– External auditor must provide assurance on the internal control report
• Section 409
– Real-time disclosure requirements for “material changes in the financial condition or operations”
Pervasiveness of IT in Business Processes

• IT is critical to financial business processes in all but the tiniest organizations
• Many significant transactions are entered into and/or processed without human intervention
– Stock trades
– Goods orders
– Payments for goods and services
Pervasiveness of IT in Business Processes (continued)

• Trend toward integrated, inter-enterprise systems
– Supply Chain Management (SCM)
– Electronic Data Interchange (EDI)
– eXtensible Markup Language (XML)
– eXtensible Business Reporting Language (XBRL)
– Enterprise Application Integration (EAI)
Pervasiveness of IT in Business Processes (continued)

• Real-time, integrated global systems are now common
• Current emphasis is on advance specification of business rules instead of human judgements on individual transactions
Basic Perspective Differences Between IT and Finance

Organizational Perspective
• IT typically views individual information systems in isolation
• Finance is concerned with the entire reporting entity

Risk Perspective
• IT is concerned with information technology operational and systems development risks
• Finance is concerned with financial risk and reporting risk
Characteristics of Section 302 & 404 Compliant Systems

• Well-defined and documented
• Transparent
• Accurate
• Verifiable

Based on Sarbanes-Oxley and insurance IT: think you don’t have to worry? (RebusIS Insurance Solutions White Paper)
Well-defined and Documented Processes

• Documentation of business processes is often
– Incomplete
– Inconsistent
– Obsolete
– Obscured
– Just plain wrong
• The internal control documentation situation is worse
• Repeatability is lacking for manual processes
Well-defined and Documented Processes (continued)

• What about non-routine processes?
• How do we ensure that changes in business processes are documented?
• What about outsourced processes?
Transparency

• Most financial controls are embedded within information systems and require specialized IT knowledge to identify, understand and test
– Parameter files (software, hardware and network)
– Program source code
– Job Control Language (JCL), scripts
– Scheduling software (ex: CA-7)
– Access control software (ex: RACF)
– Change control software (ex: Librarian)
Transparency

• Many business processes cross organizational boundaries
– Outsourcing
– Enterprise Application Integration (EAI)
– Supply Chain Management (SCM)
– eXtensible Markup Language (XML)
– eXtensible Business Reporting Language (XBRL)
• Are the processes used by external entities to implement outsourced business processes known, visible and documented?
• Are the controls over such processes known, visible and documented?
Accuracy

• Do a company’s business processes result in the “right number” being reported? (Reliability)
– Human error
– System design deficiencies
– Program bugs
– System operational errors
Accuracy

• Is there repeatability (stability) in the processes? Potential problems:
– Manual entries
– Spreadsheets
– Manual procedures and processes
Verifiability

• Does the information system provide the information required to verify how the reported numbers are produced?
– Audit trails
– Change control system(s)
– Business process and control documentation tracking systems
Section 409 Compliance Issues

• Diversity of operating environments
– Multiple vendors
– Multiple platforms
– Operating systems
– Programming languages
– Networks
– System operating cycles
  • Batch vs. real-time
  • Daily, weekly, monthly cycles
• Ad hoc interfaces between business processes
• Manual procedures
Technologies Conducive to Section 409 Compliance

• ERP systems
• Real-time systems
• Middleware
• Data warehouses
• Data marts
• Section 409 reporting systems
Information Technology Cultural Issues

• Lack of domain knowledge
• Preference for “elegant” solutions
• Preference for new and emerging technologies
• Focus on individual tasks instead of the big picture
• Sense that organizational rules don’t always apply to IT
• The “others just don’t get it” attitude
The Information Technology Function’s Role

Pre-Sarbanes-Oxley:
• IT is responsible solely for controls over IT operational processes
– controls over IT operations
– controls over IT development
– general controls over IT function processes
• Financial controls are outside the IT domain
– view often promoted by finance/accounting
– controls are merely application function to IT
The Information Technology Function’s Role (continued)

Pre-Sarbanes-Oxley:
• “no need for IT to have basic understanding of business processes”
– “business process is within functional domain”
– “tell us what you want and we’ll build it”
– “system meets specifications” … but not necessarily business requirements
The Information Technology Function’s Role (continued)

Pre-Sarbanes-Oxley:
• “no need to understand financial controls”
– viewed as a functional requirement of the application
– few IT professionals have formal training in internal control
– assumes that the choice of technical design and implementation has no effect on controls
The Information Technology Function’s Role (continued)

Pre-Sarbanes-Oxley:
• Controls often viewed by IT as separate from the business process rather than integral to the process
• IT’s risk perspective limited to
– IT security risks
– IT operational risks
• IT TYPICALLY HAS LITTLE OR NO KNOWLEDGE OR CONSIDERATION OF FINANCIAL REPORTING RISK!
What Can IT Do to Comply with Sarbanes-Oxley?

• Understand that the rules have changed
– Business processes and their controls must be continuously transparent
– Controls must be viewed as an essential component of systems
– Complete, correct, and up-to-date documentation is no longer simply a good practice; it is critically necessary
– IT governance is here and now
What Can IT Do to Comply with Sarbanes-Oxley?

• Understand that the rules have changed (continued)
– Financial reporting risk must be considered in all IT decisions
  • Outsourcing and inter-enterprise integration
  • Choice of technology
  • Systems design, implementation and maintenance
  • Vendor selection
– IT professionals must have a basic understanding of business processes and financial controls
What Can IT Do to Comply with Sarbanes-Oxley?

• Insist on full representation on and participation in Sarbanes-Oxley compliance projects
• Provide technical expertise to assist in the documenting of controls
• Assist in the selection and implementation of Sarbanes-Oxley compliance tools
– Business Process Management (BPM) tools
– Document management tools
– Data mining applications
– Monitoring tools (dashboards, exception reporting systems)
What Can IT Do to Comply with Sarbanes-Oxley? (continued)

• Request the internal audit function to facilitate a control self-assessment
• Adopt a comprehensive IT control framework
– Control Objectives for Information Technology (COBIT)
The good news for IT . . .

“There is no discretionary spending where the alternative is a prison sentence.”

From Sarbanes-Oxley and insurance IT: think you don’t have to worry? (RebusIS Insurance Solutions White Paper)
Questions?