David M. Katz, CFO.com | US
December 14, 2006
It is a fruitless effort to try to find an entity to blame for the state of IT compliance. 404 and AS2 did not attempt to specifically address this, and everyone involved has taken their best shot. CFOs, CEOs, and audit professionals have struggled to understand how IT is controlled while IT management has struggled with how to apply financial controls to the technology.
Having been involved from the beginning as an IT executive and as a consultant, I can vouch for the fact that consistent guidance and feedback often aren't given to IT, driving IT organizations to be overly risk averse (especially given the stakes and the assertive statements that must be formally presented to top management by CIOs).
Also problematic is the reliance on relatively broad pre-404 standards such as COBIT as being the only definitive reference point for IT and audit professionals to come together. One would have hoped for more by now.
The answer is all about looking ahead and creating objective guidelines for classifying and managing the critical IT controls with standardized risk assessment criteria (from somewhere).
It is not a given that this will come about through the AS2 revisions. Don't expect much to change on the IT front, unless there are standards that IT and audit professionals can easily rally around and jointly understand.
Posted by Brad Couch | Dec 19, 2006 9:42 PM ET
Mr. Scott's assumption that the "non-technical" finance types won't apply risk assessment and materiality to IT controls is misguided. If a process shouldn't be in scope, the related IT controls shouldn't be in scope either. I have to say it doesn't take a rocket scientist to understand program change controls, access & permissions, scheduling and other automated controls. If anything, as we've reduced the count of manual key controls by applying risk and materiality considerations, we've not seen an equivalent decrease in IT controls. Just who exactly is doing the nitpicking?
Posted by Rick Richman | Dec 18, 2006 5:52 PM ET
I can't believe the SEC is accusing the corporate executives of nitpicking with respect to internal control review. The entire debacle that is known as 404 has been driven by the auditing field since the day AS2 was issued. Granted, that standard was poorly written and, thus, open to a strict interpretation by the accounting firms. But, to say that corporate management willfully took internal control review to the level it was taken is ridiculous. The SEC should be ashamed of itself. They should just admit they blew it when the PCAOB issued the original guidance. Then again, I guess the proposed scrapping of AS2 is admission enough.
Posted by Mark Seymour | Dec 15, 2006 12:40 PM ET
IT is estimated to represent 60% of the Sarbox 404 effort, yet the original AS2 and SEC rulings have not provided reasonable guidance in this critical area. Will the new and improved guidance and AS2 be based on meaningful experience and adequate understanding of IT? Since Sarbox 404 is managed by financial types without technical backgrounds, probably NOT.
Posted by Rod Scott | Dec 15, 2006 9:17 AM ET
Risk Assessment based on 'Overall Materiality' and 'Planning Materiality' would truly take the sting out of 404 compliance.
Coupled with an objective analysis of the significant accounts and disclosures in the financial statements and keeping a very close watch on 'significant risks' in 'insignificant locations', there would be a pragmatic approach to designing, implementing and maintaining controls.
Posted by Chandrasekar Venkataraman | Dec 15, 2006 8:35 AM ET
One must take care, in consideration of rulings on topics of materiality, that an aggregate of significant deficiencies could constitute a material weakness. Therefore, one should look for those items that traditionally represent significant areas of exposure and assess the materiality from an aggregated standpoint.
Quoted:
A "material weakness" is defined in Statement on Auditing Standards No. 60 (codified in Codification of Statements on Auditing Standards AU §325) as a
- reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statements being audited
- [and that this error] may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. See discussion in Section II.B.3.b. below. EXTRACTS FROM FINAL RULE OF SEC
This, in my opinion, has always been the guidance in the history of compliance.
Posted by Jean Marshall | Dec 14, 2006 10:10 AM ET