Computerworld - Nov. 15 looms large for corporate executives who will soon have to certify compliance with Section 404 of the Sarbanes-Oxley Act.
Their assertions on the effectiveness of internal controls over financial reporting within public financial statements and the requirement of independent attestation by the company's auditors significantly raises the level of personal risk to those executives signing quarterly and annual corporate reports.
Without question, a key component allowing management to assert the strength of its controls over the financial reporting process focuses on system controls in the organization's IT environment. Critical elements of the IT environment include the controls that ensure the overall performance and integrity of IT systems affecting financial systems, business process application controls and specific controls of applications.
Strong technical safeguards that prevent violations of policies and procedures will strengthen the effectiveness of the overall IT control environment, significantly reduce initial compliance and subsequent testing costs, mitigate risk within the IT environment and enhance the overall quality of business operations.
Annual compliance with Sarbanes-Oxley Section 404 requires more than just updating processes and documentation to ensure the integrity of financial data. Management must continue to evaluate and test their internal controls over financial reporting across all business units and functional areas as risk factors evolve over time. While Sarbanes-Oxley doesn't specify which measures to take to mitigate risks introduced by control weakness, the use of strong technical safeguards to enhance the control environment is critical.
Moreover, sole reliance on human or "soft" controls such as written, but unenforced procedures, and detective procedures, such as manual audit reviews, will result in significant recurring costs associated with periodic retesting of the environment, especially where the risk of a significant IT vulnerability is present. In this scenario, achieving annual compliance will require compensating measures that rely on unenforced policies and manual processes, the costs of which can easily exceed the cost of implementing technical safeguards.
This chart shows some examples of specific costs associated with the risks introduced by weak internal controls over enterprise data integrity:
| IT Control Process (CobiT Framework) | Risk | Compliance Costs |
| Acquire and Maintain Application Software | • Introduction of unauthorized applications or unauthorized modification of applications may result in incorrect financial reporting • Unauthorized changes can threaten reliability of separation of duty controls | Compensating controls that may include: • Frequent and regular audits of system and application integrity • Testing to determine vulnerabilities to data arising from modified applications • Increased documentation and planning of manual controls • Increased supervision of systems administration activities |
| Ensure Systems Security | • Inappropriate use or viewing of sensitive data by unauthorized data users | Compensating controls that may include: • Extensive risk analysis • Increased documentation and planning of supervisory controls • Review of application-level audit reports |
| Manage the Configuration | • Inappropriate use or viewing of sensitive data by unauthorized administrators | Compensating controls that may include: • Extensive risk analysis • Increased documentation and planning of supervisory and activities management controls |
| Manage Data | • Introduction of tampered data through an unauthorized data restoration • Vulnerability of stored backup data to inappropriate use • Exposure of data to unauthorized users during data management operations | Compensating controls that may include: • Extensive risk analysis • Improved documentation and planning of backup and restoration process • Notification to data users of data restoration and review of data management audit records |
Free Insider Guide
Rising salaries boost IT optimism, though not everyone is feeling upbeat. Our survey of 4,000+ IT workers shows who's riding the wave and why. Use our interactive tool and compare your own paycheck. Read more...
Copyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
