Revised Guidance For Sarbanes-Oxley

May 9, 2007
If it wasn’t readily acknowledged before, the Sarbanes-Oxley Act of 2002 spurred manufacturers to thoroughly assess the extent to which financial reporting activities depend upon internal information technology (IT).
Manufacturers rely upon IT for substantially all operational activities, from billing and materials processes, through shipments of finished goods. That operational data feeds systems and applications used for financial reporting. Determining what IT controls were necessary for Sarbanes-Oxley compliance was not easy. To err on the safe side, companies and external auditors often applied a very broad scope for implementing and testing internal controls.In response to concerns raised regarding the cost and complexity of those efforts, the Public Company Accounting Oversight Board (PCAOB) released a proposed revision of Auditing Standard No. 2 in December 2006. The revision further refines the top-down, risk-based approach that the PCAOB advocated in 2005. Among other items, the revised guidance advises using “reasonable possibility” rather than “more than a remote likelihood” as a threshold for determining whether the potential for a misstatement exists. It also eliminates “significant deficiency” from the material weakness definition and identifies “significant” as the standard for identifying a control deficiency, rather than “more than inconsequential.” The proposed revised guidance was submitted to the Securities and Exchange Commission (SEC) in late-February 2007 for final review. Pending approval, companies can apply a narrower scope to internal control assessment and focus greater attention on significant risks. Other recent guidance provides insight for applying that approach toward IT controls.Application guidanceIn September 2006, the IT Governance Institute (ITGA) released its IT Control Objectives for Sarbanes-Oxley guidance. The Institute of Internal Auditors also released its Guide to the Assessment of IT General Controls Scope based on Risk (GAIT) in January 2007. The GAIT methodology is based on four principles that encompass applying a top-down, risk-based approach to IT general control processes; identifying IT general control processes that affect critical functionality in financially significant applications and related data; assessing general control process risks that exist in processes and various IT layers; and mitigating IT general control risks by the achievement of IT control objectives, not individual controls. Collectively, the ITGA and GAIT guidance provide direction for concentrating compliance efforts on IT units that directly affect financial reporting. Operating systems, for example, transmit significant financial data and drive critical financial reporting applications. Various duties associated with those operating systems must be segregated. User provisions for inventory, purchasing and other cycles that contribute significant financial data must likewise reflect defined segregations of duties.Passwords, automatic logouts for inactivity, and other access controls prevent improper application configurations, as well as unauthorized access to crucial data or significant applications. Critical applications require such controls.Applications and data entries for entering purchase orders, accounts receivables, invoices and accounts payable are typically linked, with entries made in one application automatically updating corresponding files. Such automated controls require periodic review to ensure accuracy and proper configuration. Manual controls require more frequent testing.Key reports, such as those used to initiate significant transactions or to review past transactions for accuracy, are typically IT-generated. Such IT capabilities must likewise be tested for accuracy and proper configuration. Change management policies need to focus on related hardware, the operating system and critical applications. Those policies should address the following change process steps: request, approval, configuration, testing, acceptance and production. To mitigate current and future compliance risks, companies resolved IT incompatibilities, migrated from legacy systems to newer technology and improved related processes throughout their organizations. That fostered greater efficiency and productivity, as well as enhanced accuracy in financial reporting. With a more clearly defined scope for IT-related Sarbanes-Oxley controls, manufacturers can continually realize such benefits, while also incurring lower compliance costs. Alyssa G. Martin, CPA, MBA, is partner in charge of the Risk Advisory Services Group at Weaver and Tidwell LLP, in Fort Worth, Texas.