An Information Technology Perspective of Sarbanes-Oxley

David M. Cannon, Ph.D., CPA (Ohio), CCP, Assistant Professor, Department of Accounting and Taxation, Grand Valley State University

West Michigan Accounting and Auditing Symposium, May 27, 2004


TRANSCRIPT

Page 1: An Information Technology Perspective of Sarbanes-Oxley David M. Cannon, Ph.D., CPA (Ohio), CCP Assistant Professor Department of Accounting and Taxation

An Information Technology Perspective of Sarbanes-Oxley

David M. Cannon, Ph.D., CPA (Ohio), CCP
Assistant Professor
Department of Accounting and Taxation
Grand Valley State University
West Michigan Accounting and Auditing Symposium
May 27, 2004

Page 2: Primary Sarbanes-Oxley Sections Relevant to IT

• Section 302
  – CEOs and CFOs must attest to the accuracy of financial statements (a)(2)
  – CEO and CFO must certify that, to their knowledge, quarterly and annual reports contain no untrue statement of a material fact and do not omit a material fact
  – CEOs and CFOs must certify that
    • they are responsible for internal controls (a)(4)(A)
    • the controls are designed such that material information is made known to the CEO and CFO (a)(4)(B)
    • they have evaluated the effectiveness of internal control within 90 days prior to quarterly and annual reports (a)(4)(C)

Page 3: Primary Sarbanes-Oxley Sections Relevant to IT

• Section 404
  – Annual report must contain a report on the effectiveness of internal control
  – External auditor must provide assurance on the internal control report

• Section 409
  – Real-time disclosure requirements for “material changes in the financial condition or operations”

Page 4: Pervasiveness of IT in business processes

• IT is critical to financial business processes in all but the tiniest organizations

• Many significant transactions are entered into and/or processed without human intervention
  – Stock trades
  – Goods orders
  – Payments for goods and services

Page 5: Pervasiveness of IT in business processes (continued)

• Trend toward integrated, inter-enterprise systems
  – Supply Chain Management (SCM)
  – Electronic Data Interchange (EDI)
  – eXtensible Markup Language (XML)
  – eXtensible Business Reporting Language (XBRL)
  – Enterprise Application Integration (EAI)

Page 6: Pervasiveness of IT in business processes (continued)

• Real-time, integrated global systems are now common

• Current emphasis is on advance specification of business rules instead of human judgements on individual transactions

Page 7: Basic Perspective Differences Between IT and Finance

Organizational Perspective
• IT typically views individual information systems in isolation
• Finance is concerned with the entire reporting entity

Risk Perspective
• IT is concerned with information technology operational and systems development risks
• Finance is concerned with financial risk and reporting risk

Page 8: Characteristics of Section 302 & 404 Compliant Systems

• Well-defined and documented

• Transparent

• Accurate

• Verifiable

Based on “Sarbanes-Oxley and insurance IT: think you don’t have to worry?”, RebusIS Insurance Solutions White Paper

Page 9: Well-defined and documented processes

• Documentation of business processes is often
  – Incomplete
  – Inconsistent
  – Obsolete
  – Obscured
  – Just plain wrong

• The internal control documentation situation is worse

• Repeatability is lacking for manual processes

Page 10: Well-defined and documented processes (continued)

• What about non-routine processes?

• How do we ensure that changes in business processes are documented?

• What about outsourced processes?

Page 11: Transparency

• Most financial controls are embedded within information systems and require specialized IT knowledge to identify, understand and test
  – Parameter files (software, hardware and network)
  – Program source code
  – Job Control Language (JCL), scripts
  – Scheduling software (ex: CA-7)
  – Access control software (ex: RACF)
  – Change control software (ex: Librarian)

Page 12: Transparency

• Many business processes cross organizational boundaries
  – Outsourcing
  – Enterprise Application Integration (EAI)
  – Supply Chain Management (SCM)
  – eXtensible Markup Language (XML)
  – eXtensible Business Reporting Language (XBRL)

• Are the processes used by external entities to implement outsourced business processes known, visible and documented?

• Are the controls over such processes known, visible and documented?

Page 13: Accuracy

• Do a company’s business processes result in the “right number” being reported? (Reliability)
  – Human error
  – System design deficiencies
  – Program bugs
  – System operational errors

Page 14: Accuracy

• Is there repeatability (stability) in the processes? Potential problems:
  – Manual entries
  – Spreadsheets
  – Manual procedures and processes

Page 15: Verifiability

• Does the information system provide the information required to verify how the reported numbers are produced?
  – Audit trails
  – Change control system(s)
  – Business process and control documentation tracking systems

Page 16: Section 409 Compliance Issues

• Diversity of operating environments
  – Multiple vendors
  – Multiple platforms
  – Operating systems
  – Programming languages
  – Networks
  – System operating cycles
    • Batch vs. real-time
    • Daily, weekly, monthly cycles

• Ad hoc interfaces between business processes

• Manual procedures

Page 17: Technologies conducive to Section 409 compliance

• ERP systems

• Real-time systems

• Middleware

• Data warehouses

• Data marts

• Section 409 reporting systems

Page 18: Information Technology Cultural Issues

• Lack of domain knowledge

• Preference for “elegant” solutions

• Preference for new and emerging technologies

• Focus on individual tasks instead of the big picture

• Sense that organizational rules don’t always apply to IT

• The “others just don’t get it”

Page 19: The Information Technology Function’s Role

Pre-Sarbanes-Oxley:

• IT is responsible solely for controls over IT operational processes
  – controls over IT operations
  – controls over IT development
  – general controls over IT function processes

• Financial controls are outside the IT domain
  – view often promoted by finance/accounting
  – controls are merely an application function to IT

Page 20: The Information Technology Function’s Role (continued)

Pre-Sarbanes-Oxley:

• “no need for IT to have basic understanding of business processes”
  – “business process is within functional domain”
  – “tell us what you want and we’ll build it”
  – “system meets specifications” … but not necessarily business requirements

Page 21: The Information Technology Function’s Role (continued)

Pre-Sarbanes-Oxley:

• “no need to understand financial controls”
  – viewed as a functional requirement of the application
  – few IT professionals have formal training in internal control
  – assumes that the choice of technical design and implementation has no effect on controls

Page 22: The Information Technology Function’s Role (continued)

Pre-Sarbanes-Oxley:

• Controls are often viewed by IT as separate from the business process rather than integral to the process

• IT’s risk perspective is limited to
  – IT security risks
  – IT operational risks

• IT TYPICALLY HAS LITTLE OR NO KNOWLEDGE OR CONSIDERATION OF FINANCIAL REPORTING RISK!

Page 23: What can IT do to comply with Sarbanes-Oxley?

• Understand that the rules have changed
  – Business processes and their controls must be continuously transparent
  – Controls must be viewed as an essential component of systems
  – Complete, correct, and up-to-date documentation is no longer simply a good practice, it is critically necessary
  – IT governance is here and now

Page 24: What can IT do to comply with Sarbanes-Oxley?

• Understand that the rules have changed (continued)
  – Financial reporting risk must be considered in all IT decisions
    • Outsourcing and inter-enterprise integration
    • Choice of technology
    • Systems design, implementation and maintenance
    • Vendor selection
  – IT professionals must have a basic understanding of business processes and financial controls

Page 25: What can IT do to comply with Sarbanes-Oxley?

• Insist on full representation on and participation in Sarbanes-Oxley compliance projects

• Provide technical expertise to assist in the documenting of controls

• Assist in the selection and implementation of Sarbanes-Oxley compliance tools
  – Business Process Management (BPM) tools
  – Document management tools
  – Data mining applications
  – Monitoring tools (dashboards, exception reporting systems)

Page 26: What can IT do to comply with Sarbanes-Oxley? (continued)

• Request the internal audit function to facilitate a control self-assessment

• Adopt a comprehensive IT control framework
  – Control Objectives for Information Technology (COBIT)

Page 27: The good news for IT . . .

“There is no discretionary spending where the alternative is a prison sentence.”

From “Sarbanes-Oxley and insurance IT: think you don’t have to worry?”, RebusIS Insurance Solutions White Paper

Page 28: Questions?