
IT Ignored for Sarbanes-Oxley?


With the ever-increasing reliance on automation in financial reporting, the readiness of the IT department can be critical to the success of the review process for an evaluation of internal controls. Sarbanes-Oxley compliance could be a very torrid experience if IT is not ready.

Experience has shown that the IT department and management have to be knitted into the review of internal controls. Whilst they may only be involved with IT controls in relation to financial reporting, these are some of the most important in the entire control environment.

The IT department may have implemented other frameworks or regulatory controls, for example COBIT, or have taken part in certification for the Capability Maturity Model. Sarbanes-Oxley, and section 404 in particular, is different.

Evaluating the effectiveness of internal controls related to financial reporting is mandated in law, by the infamous section 404 to be exact.

Due to an ever-increasing reliance on automated IT controls to handle financial reporting, the IT organisation in a company has a lot of questions to answer.

The IT organisations of some industries will almost certainly have been through this kind of ordeal before. Highly regulated financial institutions such as banks will be fully aware of the work involved.

Other, more lightly regulated industries such as retailing will find it more torturous. Indeed, a recent survey by the University of Nebraska at Omaha found that retailers' audit costs rose by 181% to take account of SOX. Banks' costs rose by just over 70%.

We need to establish the degree to which the IT department will be integrated with the rest of the Sarbanes-Oxley steering team.

An important point is that every company has its own individual internal controls, IT controls and the interaction between IT and financial reporting. Consequently the level of integration will differ between companies.

A number of questions need answering before we can say the IT organisation has been properly integrated with the SOX review.

Does the SOX team understand the importance of IT? In many instances the "SOX team" will consist of the CFO. In others, a dedicated team of finance people and consultants directs operations. Whatever the make-up of the team, there is always the possibility that they may neglect to involve IT, or not understand how important it is.

The level of involvement by IT people should be based on the amount of IT in the internal controls, not on the preconceptions or prejudices of financial staff or consultants.

Does the CIO have sufficient knowledge of IT controls and financial reporting? Many CIOs are still coming to terms with the need to deal with regulatory matters such as SOX.

In particular they are not finance or business managers. Also, they may not have any experience of working within frameworks such as COBIT or COSO.

Where the experience does not exist within the firm, a consultant may be hired in the short term. Long-term, this will have to be identified as a training requirement, especially as SOX is not going to go away.

Have business process managers written requirements for financial reporting controls? The IT executives may be fully integrated into the SOX review team. However, a big gap may occur if the more business-oriented managers have not laid down the requirements they have of internal controls, in particular the IT controls.
