SOX AND THE IT AUDITOR

Transcription

1 SOX AND THE IT AUDITOR 15 Years Later, Has Life Changed or Does It Just Drone on and on and on and Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates The Conference that Counts, Albany New York Monday March 19, 2018 ROSS WESCOTT is Principle of Wescott and Associates, established in 2016 to provide IT audit, risk, governance, and control consulting to a variety of industries and government. He has experience in IT audit program development and implementation using leading standards including Cobit5 IT governance Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance Risk identification and assessment Controls identification, design and evaluation Data analytics End-to-end IT audit management and execution IT SOX program development and operation Disaster recovery plan development and review, scenario/exercise development and testing Recruiting, team building, development, teaching. Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science. He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the Information Systems Audit and Control Association. He has been published in the major Internal Auditing publications and has been a speaker at conventions and conferences on many Internal Audit topics. 2 1

2 IT Audit has always had a role in SOx evaluations. They have not always been the primary focus as IT controls are generally secondary to their financial control counterparts. Much has changed in the organizational world since Sarbanes-Oxley came out in 2004 especially that there is more integration of financial processes with IT systems than there was in In this session, you will learn: where we have been and where we are the short history, handling the debate is SOx beneficial enough to continue? old principles still apply what should we focus upon? IT Audit s continuing role, the future is it as clear as the past 3 This publication provides CIOs, IT managers, and control and assurance professionals with scoping and assessment ideas, approaches and guidance in support of the IT-related Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control objectives for financial reporting. 4 2

3 Every organization is required to use a recognized internal controls framework for its Sarbanes-Oxley program. Sarbanes-Oxley Act Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls. Norman Marks shows readers how to: Design a scope of work for their Sarbanes-Oxley assessment that is top-down and risk-based. Understand the relationship between Sarbanes-Oxley Sections 302 and 404. Appreciate the alternative methods, including the use of technology, to test key controls. Improve the overall efficiency of their internal controls systems, not just the controls relied on for financial reporting. 5 Where We Were At The Beginning Fifteen years ago, IT was not a direct part of SOX legislation It became quickly clear that it should Then, nearly every IT general control was a key control and IT became the area with the highest number of deficiencies! To make the corrections, IT needed a standard to follow to bring consistency to an area that had no consistency. 6 3

4 Where We Were At The Beginning CobIT became the default IT standard alongside COSO Costs to correct were high with long-term consequences It was not much fun 7 What We Have Become The realization that financial controls heavily relied on IT controls has resulted in an increased focus on IT controls With AS5 and subsequent improvements, IT is now a formal part of the consideration of transaction flow Top down risk-based assessments have reduced the number of key controls. 8 4

5 What We Have Become CobIT still de facto IT governance standard Cost of compliance for many was high but IT is now stronger. But it is not time to relax, improvements still to be made. 9 What We Have Become The main improvement: financial control automation through integrated systems. 10 5

6 What We Have Become And this has put a brighter spotlight onto the IT Auditor as their role has come from the not initially thought of to the cannot live without. I am not sure if it s an enviable position. 11 Organizations now must understand how the financial reporting process works and identify the areas where technology plays a critical part, and distinguish which IT controls have a direct vs. an indirect impact on the financial reporting process. For instance, IT application controls ensure completeness and accuracy of transactions, integrated systems ensure no manually induced errors, and quarterly application access reviews reduce segregation of duties problems. These can all be directly related to financial assertions. 12 6

7 The key has been for over a decade to distinguish IT controls that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enables management to significantly has reduced the scope of IT general control testing relative to the first few years. 13 The last 15 years has not always been smooth sailing. 14 7

8 A December 21, 2008 Wall St. Journal editorial stated, "The new laws and regulations have neither prevented frauds nor instituted fairness. But they have managed to kill the creation of new public companies in the U.S., cripple the venture capital business, and damage entrepreneurship Cooked up in the wake of accounting scandals earlier this decade, [SOx] has essentially hamstrung the NYSE and Nasdaq (while making the London Stock Exchange rich), and cost U.S. industry more than $200 billion by some estimates." 15 Despite its enactment in 2002 (most of the Sarbanes Oxley Act's provisions came into effect as early as 2003), SOX was still unable to prevent the financial crisis of 2008, which was precipitated by the Lehman Brothers Holdings financial scandal! 16 8

9 But that was then and this is now. We no longer find detractors to the legislation as it has become everyday life for public companies in the United States and their subsidiaries. 17 From an August 2016 article in The Audit Board, John Kim has said that SOx has improved the reliability of financial reporting and auditing. SOX ended self-regulation by the audit profession and established an independent oversight of the auditing process, the Public Company Accounting Oversight Board (PCAOB) SOX strengthened and expanded audit committees by stipulating that a) all listed companies must have an audit committee, b) members must be independent of management, c) committees contain at least one financial expert, and d) be directly responsible for appointing auditors and ensuring their company s financial reporting is correct. 18 9

10 SOX made executives more accountable and protected investors by forcing them to demonstrate ownership of their companies financial statements through personally certifying the financial reports. SOX enhanced auditor independence by ensuring that [external] auditors remain independent by prohibiting them from providing services such as bookkeeping, actuarial services, or management functions to the companies they audit. 19 But, you may be asking, what has this got to do with the IT Auditor? Everything - because IT SOx is only a branch off of the SOx family tree. What happens to the trunk will happen to the IT SOx branch and the financial SOx branch. They cannot be separated

11 Let s look at some SOx family statistics before we get more specific with the IT SOx branch. 21 Protiviti Surveys 2010 to 2016; Workiva, Moss Adams, SOx Pro Survey

12 Some interesting trends for the IT Auditor to note: In 2017, the total number of IT controls: 40% reported 0 to 25 30% reported 26 to 50 14% reported 51 to % reported 101 to 250 1% reported over 250 IT controls Workiva, Moss Adams. SOxPro Survey: 2017 State of the SOX /Internal Controls Market 23 Most Significant Challenge Ranking Compliance Challenge Executive Priority Direction Direction Priority Priority Priority Priority Replacement of Legacy Technology n/a Increase Focus on IT and Cyber Security Controls Workiva, Moss Adams. SOxPro Survey: 2017 State of the SOX /Internal Controls Market 24 12

13 Does your organization use outside resources for Sarbanes-Oxley compliance related to IT controls? Resources Used for IT SOx Compliance 39% 46% 46% 39% 15% 15% Yes, Co-source Yes, Outsource No, Internal Protiviti Survey % of surveyed companies have moderate to significant plans to automate IT processes and controls. Average percentage of all controls that are IT General Controls 32% Protiviti Survey

14 So, what does this mean for the IT Auditor? There will be much work to do in Pre-Implementation reviews for legacy replacements, Rework of former manual controls to be automated controls, Changing out old automated controls for new ones, and A renewed focus of the audit universe to add cyber security coverage. 27 When reviewing all of these new controls (if you are to do it), here are the questions to ask of each new or changed control and its particular place in a business process: What is the most critical step in this process? What is the related control that ensures the step is performed thoroughly and timely? If the control didn t exist, would there be an increased risk of a material misstatement? Is the control related to a significant or complex account review or reconciliation? Is the control designed to prevent transactions from being changed after management approval? The answers will help determine the level of testing (it s sort of a risk assessment) 28 14

15 Here are additional roles an IT Auditor can take in the SOx role. Use of CAAT software to automate financial sampling, where applicable. Promote use of SOx central repository and control software (GRC) for risk and control documentation, key control tests, testing results, gaps, remediation's, and the status of all. 29 And, perform a QA on the IT SOx group of controls. Ensure that they cover: SDLC Covering the process of acquiring and developing in-scope systems (including infrastructure) SDLC Covering implementing in-scope applications and technology. Policies Covering support for all business process activities in a consistent and objective manner. Change Acceptance Covering testing and validation prior to migration to production

16 Manage Change Covering all functionality change to in-scope technology. Service Levels Covering how in-scope systems meet functional and operational expectations. Vendor Management Covers outside relationships that could impact financial results. Systems Security Covering access through physical and logical means, including in-scope applications. Configuration Covering performance of in-scope systems and infrastructure over their lifetimes. Incidents and Problems Covering identifying and responding to events. 31 Data Covering integrity, completeness, accuracy, authorization, and existence of in-scope data. Operations Covering the maintenance of in-scope systems in support of the business. End User Computing and Data Configuration Covering user-controlled in-scope methods that relate to financial statement integrity, completeness, accuracy, authorization, timeliness, and existence

17 The goal of all previous steps is to have efficient and effective testing based on more accurate documentation to achieve the ultimate goal The ultimate goal: better conclusions as to the state of financial and IT general and application controls better certifications by the CIO, CFO, and CEO greater reliability by the public accountant reduced costs, over time compliance 33 A Word of Cheerleading or Two Continue to use a well-known standard to measure against CobIT Use risk-based identification of key controls Implement technology whenever possible to document controls, risks, tests, and remediation's steer away from the miles and poundage of paper binders or disassociated Word and Excel documents! 34 17

18 THE END (BUT NOT REALLY, AS SOX IT WILL KEEP GOING, AND GOING, AND GOING, AND ) 35 Any Final Questions? 36 18

19 If you have any questions, please feel free to call and have a meaningful conversation: Ross Wescott MA CISA CIA CCP CUERME Principal Wescott and Associates rew5@comcast.net 37 Thank You! 38 19