It wasn’t supposed to be like this, but IT has emerged as an unexpectedly vexing aspect of Sarbanes-Oxley compliance. According to a recent CFO IT survey, almost all companies reporting weaknesses or deficiencies under Sarbox have found IT to be at least part of the problem, if not the sole source. Worse, many CFOs feel that regulators have not done a good job of explaining what companies must do to satisfy Section 404 requirements for internal controls from an IT perspective. They also say the auditors charged with giving or withholding a thumbs-up don’t understand the IT issues well enough to render an accurate judgment (see “Survey Says”).
“In some sense I’m surprised, but in another sense I’m not,” says Steve Hill, a partner in the risk advisory services practice at KPMG. “IT issues account for 20 percent of the key-controls portfolio at a typical company, which is almost twice as many as the next two areas combined.” That is, IT is so pervasive at most companies that any examination of internal controls is bound to turn into a de facto audit of IT.
Indeed, a majority of survey respondents said there is no clear line between what constitutes financial versus IT controls. That’s one reason why the Institute of Internal Auditors has inaugurated a new series of Global Technology Audit Guides that includes one that focuses on IT controls. While not intended as a Sarbox manual per se, the guide does provide useful baseline knowledge and some specific tools for understanding and implementing IT controls, according to Jay R. Taylor, general director for IT Audit at General Motors. (The guide is available at www.theiia.org.)
At this point, any guidance is welcome. “No one had a reference point,” says William Chiasson, CFO at Leapfrog Inc., a maker of children’s educational products. “It’s been an uphill battle for auditors and everyone else.” Leapfrog’s first audit uncovered material weaknesses in accounts receivable, inventory, and IT. Rob Moon, the company’s CIO, says software from Logical Apps and Oracle’s Internal Control Manager product should help the company resolve its problems, particularly regarding segregation of duties and access rights. And he says that in some sense, Sarbox has had a silver lining. “It can prevent fraud and conflicts of interest, and it is a prime motivator to simplify, simplify, simplify,” explains Moon.
But that won’t happen overnight. Chiasson believes that year two of Sarbox compliance will be even more demanding than year one. “In the first year, we described our systems,” he says. “Now we have to update and fix them, which is more work.” KPMG’s Hill says, “Sarbox can accelerate business, much as Six Sigma and IT itself did. Compliance can become a new lens through which to evaluate your company.”
So far, few companies like what they see. But if it is any consolation, last month the Government Accountability Office found that the SEC’s own internal controls suffered from several material weaknesses, including IT.