TRANSCRIPT
1/12/2018
SOX AND THE IT AUDITOR
15 Years Later, Has Life Changed or Does It Just Drone on and on and on and …
Ross E. Wescott MA CISA CIA CCP CUERME
Wescott & Associates
The Conference that Counts, Albany New York
Monday March 19, 2018
ROSS WESCOTT is Principal of Wescott and Associates, established in 2016 to provide IT audit, risk, governance, and control consulting to a variety of industries and government. He has experience in:
• IT audit program development and implementation using leading standards including Cobit5
• IT governance
• Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance
• Risk identification and assessment
• Controls identification, design and evaluation
• Data analytics
• End-to-end IT audit management and execution
• IT SOX program development and operation
• Disaster recovery plan development and review, scenario/exercise development and testing
• Recruiting, team building, development, teaching.
Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science.
He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal
Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise
Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the
Information Systems Audit and Control Association. He has been published in the major Internal Auditing
publications and has been a speaker at conventions and conferences on many Internal Audit topics.
Wescott & Associates. Copyright 2018. All rights reserved.
IT Audit has always had a role in SOx evaluations. It has not always been the primary focus, as IT controls are generally secondary to their financial control counterparts. Much has changed in the organizational world since Sarbanes-Oxley came out in 2004, especially in that there is far more integration of financial processes with IT systems than there was in 2004. In this session, you will learn:
• where we have been and where we are – the short history,
• handling the debate – is SOx beneficial enough to continue?
• old principles still apply – what should we focus upon?
• IT Audit’s continuing role,
• the future – is it as clear as the past?
This publication provides CIOs, IT managers, and control and assurance professionals with scoping and assessment ideas, approaches and guidance in support of the IT-related Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control objectives for financial reporting.
Every organization is required to use a recognized internal controls framework for its Sarbanes-Oxley program. Sarbanes-Oxley Act Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls.
Norman Marks shows readers how to:
• Design a scope of work for their Sarbanes-Oxley assessment that is top-down and risk-based.
• Understand the relationship between Sarbanes-Oxley Sections 302 and 404.
• Appreciate the alternative methods, including the use of technology, to test key controls.
• Improve the overall efficiency of their internal controls systems, not just the controls relied on for financial reporting.
Where We Were – At The Beginning
• Fifteen years ago, IT was not a direct part of SOX legislation
• It quickly became clear that it should be
• Then, nearly every IT general control was a key control and IT
became the area with the highest number of deficiencies!
• To make the corrections, IT needed a standard to follow to
bring consistency to an area that had no consistency.
Where We Were – At The Beginning
• CobIT became the default IT standard alongside
COSO
• Costs to correct were high with long-term
consequences
• It was not much fun
What We Have Become
• The realization that financial controls heavily relied
on IT controls has resulted in an increased focus on
IT controls
• With AS5 and subsequent improvements, IT is now a
formal part of the consideration of transaction flow
• Top down risk-based assessments have reduced the
number of key controls.
What We Have Become
• CobIT is still the de facto IT governance standard
• The cost of compliance for many was high, but IT is now stronger.
• But it is not time to relax; improvements are still to be made.
What We Have Become
The main improvement: financial control automation
through integrated systems.
What We Have Become
And this has put a brighter spotlight onto the IT Auditor, as their role has moved from “not initially thought of” to “cannot live without”.
I am not sure if it’s an enviable position.
• Organizations now must:
  • understand how the financial reporting process works and identify the areas where technology plays a critical part, and
  • distinguish which IT controls have a direct vs. an indirect impact on the financial reporting process.
• For instance, IT application controls ensure completeness and accuracy of transactions, integrated systems ensure no manually induced errors, and quarterly application access reviews reduce segregation of duties problems.
• These can all be directly related to financial assertions.
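The quarterly application access review mentioned above is the kind of IT control an auditor can test mechanically rather than by reading role lists by hand. The following is an added example, not from the slides or from any GRC product: it takes a constructed access export (user, role, HR-active flag), a constructed role-to-entitlement map, and a constructed set of toxic entitlement pairs, and reports every user who holds a segregation-of-duties conflict or who is no longer an active employee but is still provisioned. Rule names, role names and users are all illustrative assumptions.

```python
"""Quarterly application access review: segregation-of-duties (SoD) check.

Added example (not from the original slides). It assumes an access export
with one row per user/role plus an HR active flag, and a role-to-entitlement
map; the rules, roles and users below are constructed for illustration.
"""
from collections import defaultdict

# Constructed role -> entitlement map (one application's role design).
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve"},
    "GL_ACCOUNTANT": {"journal.post"},
    "CONTROLLER": {"journal.approve", "payment.approve"},
    "READ_ONLY": {"report.view"},
}

# Constructed toxic combinations: entitlements one person must not hold together.
SOD_RULES = {
    "vendor-create-and-pay": ("vendor.create", "payment.approve"),
    "post-and-approve-journal": ("journal.post", "journal.approve"),
}

# Constructed access export: (user, role, active_employee_per_HR).
ACCESS_EXPORT = [
    ("alice", "AP_CLERK", True),
    ("alice", "AP_MANAGER", True),     # clerk who can also approve payments
    ("bob", "GL_ACCOUNTANT", True),
    ("carol", "CONTROLLER", True),
    ("dave", "GL_ACCOUNTANT", False),  # terminated, access never removed
    ("erin", "READ_ONLY", True),
]


def effective_entitlements(export, role_map):
    """Resolve each user's roles to the flat set of entitlements they grant."""
    ents = defaultdict(set)
    for user, role, _active in export:
        ents[user] |= role_map.get(role, set())
    return ents


def sod_violations(export, role_map=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Return {user: [rule_name, ...]} for every user holding a toxic pair.

    The check is on effective entitlements, so a conflict created by two
    individually harmless roles (as with alice) is still caught.
    """
    ents = effective_entitlements(export, role_map)
    findings = {}
    for user, held in ents.items():
        hits = [name for name, (a, b) in rules.items() if a in held and b in held]
        if hits:
            findings[user] = sorted(hits)
    return findings


def stale_accounts(export):
    """Return users HR flags as inactive who still hold any application role."""
    return sorted({user for user, _role, active in export if not active})


if __name__ == "__main__":
    for user, rules in sod_violations(ACCESS_EXPORT).items():
        print(f"SoD conflict: {user} -> {', '.join(rules)}")
    for user in stale_accounts(ACCESS_EXPORT):
        print(f"Stale access: {user} is inactive but still provisioned")
```

Both findings map directly to financial assertions: the SoD conflict threatens authorization of payments, and the stale account threatens the existence and authorization of journal entries. Running the same script each quarter, against the fresh export, turns the review into a repeatable, evidence-producing test.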
• The key for over a decade has been to distinguish the IT controls that are associated with a significant account or related business process and that mitigate specific material financial risks.
• This focus on risk has enabled management to significantly reduce the scope of IT general control testing relative to the first few years.
The last 15 years have not always been smooth sailing.
• A December 21, 2008 Wall St. Journal editorial stated, "The
new laws and regulations have neither prevented frauds
nor instituted fairness. But they have managed to kill the
creation of new public companies in the U.S., cripple the
venture capital business, and damage entrepreneurship…
Cooked up in the wake of accounting scandals earlier this
decade, [SOx] has essentially … hamstrung the NYSE and
Nasdaq (while making the London Stock Exchange rich),
and cost U.S. industry more than $200 billion by some
estimates."
Despite its enactment in 2002 (most of the Sarbanes-Oxley Act's provisions came into effect as early as 2003), SOX was still unable to prevent the financial crisis of 2008, which was precipitated by the Lehman Brothers Holdings financial scandal!
But that was then and this is now. We no longer find
detractors to the legislation as it has become
everyday life for public companies in the United
States and their subsidiaries.
• In an August 2016 article in The Audit Board, John Kim said that SOx has improved the reliability of financial reporting and auditing.
• SOX ended self-regulation by the audit profession and established an
independent oversight of the auditing process, the Public Company
Accounting Oversight Board (PCAOB)
• SOX strengthened and expanded audit committees by stipulating that a) all listed companies must have an audit committee, b) members must be independent of management, c) committees must contain at least one financial expert, and d) committees must be directly responsible for appointing auditors and ensuring their company’s financial reporting is correct.
• SOX made executives more accountable and protected investors
by forcing them to demonstrate ownership of their companies’
financial statements through personally certifying the financial
reports.
• SOX enhanced auditor independence by ensuring that [external]
auditors remain independent by prohibiting them from providing
services such as bookkeeping, actuarial services, or management
functions to the companies they audit.
But, you may be asking, what has this got to do with
the IT Auditor?
Everything, because IT SOx is only a branch off the SOx family tree. What happens to the trunk will happen to both the IT SOx branch and the financial SOx branch. They cannot be separated.
Let’s look at some SOx family statistics before we get
more specific with the IT SOx branch.
Protiviti Surveys 2010 to 2016; Workiva, Moss Adams, SOx Pro Survey 2017
Some interesting trends for the IT Auditor to note:
In 2017, the total number of IT controls reported:
• 40% reported 0 to 25
• 30% reported 26 to 50
• 14% reported 51 to 100
• 15% reported 101 to 250
• 1% reported over 250 IT controls
Workiva, Moss Adams. SOxPro Survey: 2017 State of the SOX /Internal Controls Market
Most Significant Challenge – Ranking

                                                   Compliance Challenge              Executive Priority
                                                   2016      2017      Direction    2016      2017      Direction
                                                   Priority  Priority               Priority  Priority
Replacement of Legacy Technology                   5         3         +            -         4         n/a
Increase Focus on IT and Cyber Security Controls   2         4         -            5         3         +

Workiva, Moss Adams. SOxPro Survey: 2017 State of the SOX /Internal Controls Market
Protiviti Survey 2016
Does your organization use outside resources for Sarbanes-Oxley compliance related to IT controls?
[Pie chart: Resources Used for IT SOx Compliance. Legend as extracted: Yes, Co-source; Yes, Outsource; No, Internal. Percentages shown: 46%, 39%, 15%.]
51% of surveyed companies have moderate to significant plans to automate IT processes and controls.
Average percentage of all controls that are IT General Controls – 32%
Protiviti Survey 2016
So, what does this mean for the IT Auditor?
There will be much work to do in
• Pre-Implementation reviews for legacy replacements,
• Rework of former manual controls to be automated controls,
• Changing out old automated controls for new ones, and
• A renewed focus of the audit universe to add cyber security
coverage.
When reviewing all of these new controls (if you are to do it), here are the
questions to ask of each new or changed control and its particular place in a
business process:
• What is the most critical step in this process?
• What is the related control that ensures the step is performed thoroughly
and timely?
• If the control didn’t exist, would there be an increased risk of a material
misstatement?
• Is the control related to a significant or complex account review or
reconciliation?
• Is the control designed to prevent transactions from being changed after
management approval?
• The answers will help determine the level of testing (it’s sort of a risk assessment)
Here are additional roles an IT Auditor can take in the SOx program.
• Use of CAAT software to automate financial sampling, where applicable.
• Promote use of a SOx central repository and control software (GRC) for risk and control documentation, key control tests, testing results, gaps, remediations, and the status of all.
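The first bullet, automating financial sampling with CAAT software, can be illustrated with the sampling method most CAAT tools offer for substantive testing: monetary unit sampling (MUS), where every dollar in the population has an equal chance of selection, so large items are picked with certainty. The block below is an added example, not from the slides and not the algorithm of any particular CAAT product; it assumes the auditor has already decided the sample size and that the ledger is a list of (document id, amount) pairs. The ledger is constructed.

```python
"""CAAT-style financial sampling: monetary unit sampling (MUS) over a ledger.

Added example, not from the original slides or any particular CAAT product.
It assumes a ledger of (document_id, amount) pairs and that the auditor has
already fixed the sample size; the ledger below is constructed.
"""
import random

# Constructed accounts-payable population: (invoice id, amount in dollars).
LEDGER = [
    ("INV-1001", 1200.00),
    ("INV-1002", 250.00),
    ("INV-1003", 18000.00),   # large item: selected with certainty
    ("INV-1004", 75.50),
    ("INV-1005", 4100.00),
    ("INV-1006", 990.00),
    ("INV-1007", 3300.00),
    ("INV-1008", 120.00),
]


def sampling_interval(population, sample_size):
    """Interval = total monetary units / sample size.

    MUS treats each dollar as a sampling unit, so an item's chance of
    selection is proportional to its amount.
    """
    total = sum(amount for _id, amount in population)
    return total / sample_size


def mus_sample(population, sample_size, seed=None):
    """Systematic monetary unit sampling with a random start.

    Walks the cumulative dollar total and selects the item containing each
    hit point (start, start + interval, start + 2*interval, ...).  An item
    spanning several hit points is selected once, so the returned list can
    be shorter than sample_size.  Pass a seed to make the selection
    reproducible for the workpapers.
    """
    interval = sampling_interval(population, sample_size)
    rng = random.Random(seed)
    start = rng.uniform(0, interval)
    selected = []
    cumulative = 0.0
    next_hit = start
    for doc_id, amount in population:
        cumulative += amount
        hit = False
        while next_hit <= cumulative:   # every hit point inside this item
            hit = True
            next_hit += interval
        if hit:
            selected.append((doc_id, amount))
    return selected


def certainty_items(population, sample_size):
    """Items at or above one interval: present in every MUS sample."""
    interval = sampling_interval(population, sample_size)
    return [(d, a) for d, a in population if a >= interval]


if __name__ == "__main__":
    n = 4
    print(f"interval: {sampling_interval(LEDGER, n):.2f}")
    print("certainty items:", certainty_items(LEDGER, n))
    for doc_id, amount in mus_sample(LEDGER, n, seed=2018):
        print(f"selected {doc_id} {amount:,.2f}")
```

Recording the seed alongside the selection is what makes the sample re-performable by a reviewer or the external auditor, which is the evidence property a SOx test needs; the same function can be pointed at an exported general-ledger detail with no change other than the population list.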
And, perform a QA on the IT SOx group of controls. Ensure that
they cover:
• SDLC – Covering the process of acquiring and developing in-scope
systems (including infrastructure)
• SDLC – Covering implementing in-scope applications and technology.
• Policies – Covering support for all business process activities in a
consistent and objective manner.
• Change Acceptance – Covering testing and validation prior to migration
to production.
• Manage Change – Covering all functionality change to in-scope
technology.
• Service Levels – Covering how in-scope systems meet functional and
operational expectations.
• Vendor Management – Covering outside relationships that could impact
financial results.
• Systems Security – Covering access through physical and logical means,
including in-scope applications.
• Configuration – Covering performance of in-scope systems and
infrastructure over their lifetimes.
• Incidents and Problems – Covering identifying and responding to events.
• Data – Covering integrity, completeness, accuracy, authorization, and
existence of in-scope data.
• Operations – Covering the maintenance of in-scope systems in support of
the business.
• End User Computing and Data Configuration – Covering user-controlled
in-scope methods that relate to financial statement integrity,
completeness, accuracy, authorization, timeliness, and existence.
• The goal of all previous steps is to have efficient and effective testing, based on more accurate documentation, to achieve the ultimate goal
• The ultimate goal:
  • better conclusions as to the state of financial and IT general and application controls
  • better certifications by the CIO, CFO, and CEO
  • greater reliability by the public accountant
  • reduced costs, over time
  • compliance
A Word of Cheerleading or Two
• Continue to use a well-known standard to measure against – CobIT
• Use risk-based identification of key controls
• Implement technology whenever possible to document controls, risks, tests, and remediations – steer away from the miles and poundage of paper binders or disassociated Word and Excel documents!
THE END (BUT NOT REALLY, AS SOX IT WILL KEEP GOING, AND GOING, AND GOING, AND…)
Any Final Questions?
If you have any questions, please feel free to call and have a meaningful conversation:
Ross Wescott MA CISA CIA CCP CUERME
Principal
Wescott and Associates
503-961-4780
Thank You!