Roundtable
What is the single most challenging Sarbanes-Oxley issue today?
Section 302 broadly states that certifying officers are responsible for establishing and maintaining internal controls over financial accounting. Section 404 requires annual assessments of the effectiveness of those internal controls. However, standards for applying these controls are not specifically defined and are, therefore, open to broad interpretation by practitioners and auditors alike. IT is being tasked to prove that it is doing the right things -- and doing them right -- in the absence of any guidance on what is right. What's lacking is a set of standard guidelines, processes and practices for establishing and maintaining internal controls. In essence, what's needed is a set of Generally Accepted Accounting Principles (GAAP) for IT controls, similar to what exists for financial systems reporting.

In an attempt to help identify, document and evaluate IT controls, the audit industry and the SEC have supported numerous open control frameworks and best practices such as the IT Infrastructure Library (ITIL), Control Objectives for Information and related Technology (COBIT), and ISO17799. While useful in theory, these frameworks do not give comprehensive guidance to IT management on where to start, how to start, and how much it costs to implement initially and sustain over time. Worse, these frameworks do not provide quantitative analysis of how and why process initiatives using these frameworks affect business success beyond compliance and, conversely, what impact -- or damage -- these initiatives cause when they fail.

The next two years will be challenging as everybody tries to define what the GAAP standard for IT will be. In the meantime, IT has to get control of its infrastructure and start putting processes into place. Thankfully, some work is being done to mitigate this headache for CXOs.
The Institute of Internal Auditors is producing a series of publications called the Global Technology Audit Guide (GTAG) with guidance on how to address timely issues related to IT management, control, and security. The first GTAG focuses on Information Technology Controls and covers technology topics, issues, and audit concerns as well as issues surrounding management, security, control, assurance, and risk management. The second guide, Change and Patch Management Controls: Critical for Organizational Success, will be available this summer and will provide guidance on how to evaluate and mitigate change-management risks and how to comply with constantly changing regulatory requirements. Like information security, management of IT changes is a fundamental process that can cause damage to the entire enterprise and easily disrupt operations if it is not performed well. Further, change plays a critical role in adapting IT to meet S-OX. This guide aims to deliver sound guidance on how to manage this initiative. More info at http://www.theiia.org/index.cfm?doc_id=4706

The Information Technology Process Institute and the Software Engineering Institute at Carnegie Mellon are currently engaged in a broad research survey to define leading internal controls that have catalytic and sustaining properties, and therefore should be implemented as best practices. The purpose of the study is to determine whether IT controls affect the value, effectiveness, efficiency, and security of information-technology operations. More information about this project is available at http://www.itpi.org/home/veesc.php

As S-OX compliance shifts from tactical response to strategic initiative, IT management is quickly coming to appreciate the importance of internal process control and its relevance to the highest levels of the corporation. Additionally, IT management is grappling with the significant effort required to continually prove that internal process controls are both in place and effective.
Not only are such controls required for effective management; when properly implemented they are also good for business and fundamental to establishing an ongoing compliance management framework. Further, as regulation, audit and IT constituents come together to define the GAAP for IT, it's clear that independent proof of processes and controls is fundamental. Tripwire provides change auditing solutions that prove system and process integrity to help enterprises comply with regulations while achieving greater network availability and security. Within a GAAP-like, standardized approach to IT controls, Tripwire provides verifiable ongoing proof that internal process controls surrounding changes to critical IT systems are in place and effective. This, in turn, provides IT with the necessary decision support tools that enable process improvement and better problem management. Because S-OX and a company's operations will inevitably change over time, companies that adopt a change auditing strategy that includes strong IT governance measures are best positioned for success. Change auditing is an essential capability to equip the principal executive and principal financial officers (who have the ultimate responsibility for compliance) with the tools needed to meet the evaluation and disclosure requirements of S-OX, and to fulfill their duties to implement and certify the existence of internal financial controls.
© 2019 Simplex Knowledge Company. All Rights Reserved.