Since companies began complying with the Sarbanes-Oxley Act, one common complaint about auditor scrutiny has been loud and clear: external auditors have spent too much time on technology systems that seem unrelated to financial statements.
It’s an issue that has been confusing for both sides. The problem: Information technology has an often indirect relationship with the final results in financial statements, and there’s little standard guidance to tell companies how to determine the strength and security of IT-specific internal controls.
With its newly released guidance, the Institute of Internal Auditors is hoping to end much of the anxiety and confusion surrounding the testing of IT controls. The methodology will help companies streamline their preparation for testing, help them defend themselves better when questioned by external auditors, and even possibly save money on compliance costs, according to the IIA.
If the new guidance does those things, it will certainly address a compliance sore spot for companies. Outdated IT guidance and internal-control regulations barely address IT’s role in attesting and assessing controls. Companies have referred to COBIT — the Control Objectives for Information and Related Technology — which was put out in the 1990s by the IT Governance Council as an IT-governance framework. They have also turned to guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). But for the most part, companies have had to decipher for themselves how the Securities and Exchange Commission and Public Company Accounting Oversight Board regulations apply to them and hope that their external auditors agree with their reasoning.
Recently proposed revisions from the SEC and the PCAOB to their internal-control standards encourage companies and auditors to concentrate only on those areas that could most likely lead to a material misstatement. Likewise, the IIA guidance — which the member association delayed releasing fully until it had looked over the SEC and PCAOB changes — could help companies decide which IT controls are worth testing by basically answering this question: Which IT controls’ failure could lead to a material misstatement? Like the PCAOB’s Auditing Standard No. 2 — whose proposed replacement standard is in a public-comment period — the IIA guidance uses a top-down, risk-based approach.
Without clarification, some audits have ballooned in scope and subsequent cost, according to Sarbox critics, because auditors have taken what some consider to be an overly conservative approach to their work, particularly with their testing of technology systems — leading to high auditing bills. The IIA guidance could actually put companies and their external auditors on the same page as to which IT controls are most important for the companies, according to Steve Mar, senior director of IT audit at Microsoft, who helped create the five-step methodology.
The IIA’s guidance could give companies leverage for pushing back on their external auditors if they believe questions related to the testing of IT controls have gone too far, according to Heriot Prentice, director of technology practices for the IIA. If your company properly used the guidance and documented why certain decisions were made, you can use that previous work to “challenge auditors,” Prentice told CFO.com. “And ask them ‘Why would this be in scope?’ or the IS department can call the auditors and say, ‘Why are you looking at this? We followed this methodology and this is not in scope.’”
The IIA’s Guide to the Assessment of IT General Controls Based on Risk — which the IIA succinctly refers to as GAIT — does not define which IT controls are critical; rather, it helps companies determine which ones are critical for their unique needs and goals as they relate to financial reporting. Norman Marks, vice president of internal audit at Business Objects, cautions about getting caught up with an arbitrary number of controls. “GAIT is not about limiting the number of key controls,” he said during an IIA Webcast. “It’s all about getting at the right ones.”
The IIA has been working on these principles for the past 18 months, partly with the help of input from companies that had already gone through Sarbox compliance, including General Motors, Intel, and Microsoft. The IIA says it hopes the methodology will be particularly helpful to smaller companies that have not yet had to comply with the law.
GAIT also incorporates feedback from the Big Four and several midsize accounting firms, several companies registered with the SEC, the PCAOB, the American Institute of Certified Public Accountants, and the International Federation of Accountants. The association released four principles related to GAIT in the fall, but waited to release its methodology for reaching those ideals until it could review the proposed revision to the internal-control provisions of Sarbox’s Section 404 and the PCAOB’s AS2. The guidance will still be in compliance if the new PCAOB standard, commonly referred to as AS5, is approved, says IIA president David Richards.
GAIT relies on the following four principles:
• While identifying risks and related controls in processes related to IT general controls, companies need to use a top-down, risk-based approach.
• Scoping for risks in IT control systems should result in assessing only those controls that could “reasonably” and likely lead to a risk of a material error.
• To identify risk, companies should look at all levels of their technology systems, such as programming codes and databases.
• Risk mitigation should be based on the impact a failing control could have on the goals of a company’s IT systems, and not the risk of failure to an IT control itself.
GAIT’s 40-page methodology, available on the IIA’s Website, is a work in progress and will likely change as standards change, Richards noted.