One Hand Clapping

By George Spafford


What is the sound of one hand clapping? Questions like that drive a lot of people nuts because the answer is, there is no answer. In much the same way, I sense a great deal of frustration in IT about the Sarbanes-Oxley Act of 2002 (SOX).

The good news is things are clearer now that the Public Company Accounting Oversight Board (PCAOB), a private-sector, non-profit corporation created by SOX to oversee the auditors of public companies, has released its auditing standard and the audit firms are finalizing what they want to see.

Also, the IT Governance Institute (ITGI) is planning to release its final document on the control objectives for Sarbanes-Oxley in the next several weeks. This is a key document for you to understand and share with your team. Be sure to monitor http://www.itgi.com for its release.

The bad news is many people are still scrambling for answers with little time left and are asking third parties what to do about section 404 compliance. While the section 404 compliance deadlines (depending on what type of "filer" your company is) have been extended from June 15, 2004 and April 15, 2005 to November 15, 2004 and July 15, 2005 respectively, they are rapidly approaching.

To meet the requirements, the guidance being given to auditors is "If it is not in writing, then it does not exist." No longer can auditors rely on verbal attestations. They must see everything in writing to prove that management is following a process to put controls in place, has records to show those controls are being followed, and can demonstrate the controls are working.

(Note: There is such a thing as too much documentation. Over-documentation can cause everything to grind to a halt. Still, you must document processes, meetings and so on so that an external party can conclude the salient steps have been identified and are being followed.)

First off, the scope of section 404 is such that organizations must focus on material risk to financial reporting. Nobody can tell you what is material to your organization, and this is one of the reasons nobody has written "How to comply with Sarbanes-Oxley Section 404 in 20 easy steps."

For example, $10,000 may be material in one organization but immaterial in another. Hence, IT must work with accounting to identify the key general ledger accounts that are significant to the organization and pose the greatest risks if compromised.

Next, the compliance team, made up of IT, accounting and other stakeholders, must focus on identifying the systems core to the business processes and those that feed key accounts. The team must be sure to document the decision making used to identify key accounts, including the processes and systems that feed those accounts. Documentation is mandatory and the need for it cannot be stressed enough.

Developing Controls

Work with management, notably finance and internal audit, to develop the controls required to protect the key accounts. These controls must be a balanced mixture of preventive (policies, procedures, access restrictions, etc.) and detective (change detection, log review, reconciliations, etc.) and should be based on recognized standards wherever possible.

When asking auditors for assistance, bear in mind that proper segregation of duties mandates they cannot design the processes they will eventually audit. You risk over-familiarity, the appearance of fraud, as well as fraud itself. The point is auditors are a resource, but they are bound by their profession to be very careful about what they do when it comes to process design.

In terms of an overall framework, use COBIT (Control Objectives for Information and related Technology) to identify what to do. The external auditor community is well versed in this framework, and by using COBIT, or at least mapping your efforts to COBIT, you will be far better positioned to communicate with the auditors.

By adhering to COBIT, audits will go more smoothly, finish faster and, of course, cost less. The last thing you want, as my good friend Gene Kim, the CTO of Tripwire, puts it, is for the auditors to have to go into "archaeology mode" to determine how things are done.

Ideally, you'd implement all of COBIT, but because time is of the essence, sit down with management and identify which parts of COBIT are essential to protecting the organization. The selected detailed control objectives must be relevant to protecting the identified key accounts.

In terms of how to fulfill the various detailed COBIT control objectives, refer to the IT Infrastructure Library (ITIL), the IT Process Institute's (ITPI) Visible Ops, and ISO 17799 for best-practice guidance. Again, be sure to document the thought process used to select the key controls. In other words, document how you arrived at the key controls you put in place.

Document, Communicate, Train

Document, communicate and train people on the identified controls. One of the benefits of all this work should be useful formal documentation. Far too often, IT lacks proper documentation for what it does. As a result, people do things in different ways, which causes mistakes, makes best practices hard to share, and lengthens the learning curve for new employees, employees changing roles, and so on.

Beware of shelfware. The outcome of this effort must not be simply a set of books on everyone's shelves. The controls must be followed, and for this to happen, people must understand them and see the value. Whenever possible, highlight how controls benefit the organization and the various parties involved. Internalization of controls is far easier when people understand the benefits than when they get a blunt message like "Follow these controls from now on" (or else).

Once the controls are in place, test them for operating effectiveness, and plan on regularly auditing processes to ensure the controls are being followed, are still effective and so on. Document findings as well as corrective actions taken.

Review the controls annually. The only constant in life is change. Processes must evolve in order to remain effective and continue to support the business. Do not plan on putting controls in place and never looking at them again. In fact, section 404 mandates that controls over key accounts be reviewed at least annually. As always, be sure to document findings and corrective actions taken.

No Time Like the Present

The bottom line is IT must work with the business to determine which financial accounts, processes, reports and, thus, systems are important for financial reporting, and how to protect them.

Careful consideration must be given to the time left before your firm must be SOX compliant. For example, many organizations would benefit from doing all of COBIT, yet there may not be sufficient time to do everything. Thus, it's important to focus first on the controls most beneficial to the organization, and on the others afterwards.

Never forget: if it isn't in writing, meaning formally documented, then by SOX standards it doesn't exist. SOX 404 compliance is far from easy, but it is not impossible. Maybe the best way to start is to look at this challenge as an opportunity to improve.

George Spafford is a frequent author and consultant on IT process improvement, security and business impacts. Additional information is on his firm's Web site.
