A piece of technology that’s probably already available in your office can help solve many of the IT-related deficiencies that crop up in internal control audits. What is it? The electric elevator, first built by Werner von Siemens in 1880.
In all too many companies, before, during and after an audit, finance executives simply don’t go down to the data center, while IT executives don’t come upstairs to the finance department, says Michael Cangemi, an IT governance consultant who has been both a CFO and CIO at various times in his career.
In the first round of internal control audits performed after the Sarbanes-Oxley Act passed, control deficiencies related to IT proved to be a major irritant to finance executives. In one infamous example, Santa Fe, New Mexico-based Thornburg Mortgage complained in a letter to the SEC that it had installed up-to-date antivirus software to protect its computer systems — but was tagged with a deficiency by auditors because there was no paper trail documenting the software installation.
Frustration over such incidents boiled over during a 2005 roundtable on Sarbox section 404 sponsored by the Securities and Exchange Commission. Representatives of several major companies complained bitterly about the way audit firms evaluated IT control weaknesses, and argued that weaknesses might not even affect financial reporting.
Pronouncements issued since by both the SEC and PCAOB stressing the need for a risk-based assessment may reduce the number of IT audit horror stories, but the fact remains that audits of information technology are a challenge for finance professionals who rely heavily on IT systems, but don’t necessarily understand how they work. At the same time, regulation has now saddled IT professionals at most public companies with as many as three different types of audits, and not everyone in IT may understand the difference.
Many IT departments perform audits that focus not on financial issues, but on the company’s general computer controls, or GCCs. (For a description of such IT audits, see “You Bought It, Now Audit.”) Meanwhile, Sarbanes-Oxley section 404 requires testing of internal controls over financial reporting, which, of course, often reside on computer systems. That means the IT department is typically involved in both a readiness assessment — an internal audit that is part of getting ready for the actual 404 audit — and the attestation, or external, audit.
Cangemi, who is also a former president of the Information Systems Audit and Control Association and author of Managing the Audit Function, believes that the CFO should take a strong role in all three types of audits because “he or she is the one cutting the checks and the one ultimately responsible and accountable for the whole audit, part of which has consultants taking a look at the inner sanctum of IT.”
That, however, is not often the case. “All the controls are related,” says Robert Greene, IT Audit Practice Leader for Haskell & White LLP. “But the CFO often knows little about IT controls or how they function or may be tailored to best address the corporate needs. There are also manual controls that are initiated in the finance department that are not addressed or understood by the IT team.”