In our highly competitive and increasingly connected world, we see broader adoption and growing use of complex information technology (IT) applications at companies in all industries. And why not? Automation within financial and operational applications continues to make businesses more efficient and effective, while also reducing the potential for human error. However, with increased reliance on IT, Sarbanes-Oxley (SOX) requires management to augment its activities and the auditors to enhance their testing and documentation.
In this article, we aim to shed light on some of the reasons behind the increased efforts felt by all parties. These boil down to:
- a rise in the number of applications, all of which need to be maintained, controlled and audited;
- enhanced requirements for maintaining the quality of the control environment, regardless of its size or complexity; and
- increased demands on the auditors’ work and their documentation.
Further, we will elaborate on the impact that each of these has on the ongoing work required by management and on the annual external audit. All else being equal, each reason noted above will, by itself, increase the impact to management and its auditors, and we will illustrate the inner workings of each to clarify why this is the case.
Why IT has taken a more prominent role in SOX
As technology evolves and applications continue to mature, they can better assist employees who work in exponentially complex environments. Enterprise Resource Planning (ERP) software handles ever wider aspects of a company’s operations, and therefore is getting more intricate with every version. At the same time, the challenges associated with implementing custom built applications have significantly decreased, and therefore many applications today have been created with the expectation that they will be used in conjunction with multiple applications or ERP modules. Furthermore, Software as a Service (SaaS) is increasing in popularity due to the ubiquity of high-speed internet and affordable online hosting, which allows companies to take advantage of vendor applications at significantly reduced costs. These factors have allowed companies to successfully integrate and rely upon an increasing number of applications to support their operations, whether internally through complex ERP or custom software, or externally through service providers.
However, these advantages can only be realized to their full potential if the company maintains a well-controlled IT environment. This becomes increasingly challenging for management, as they continue to add additional applications and increase their reliance on them to perform their daily business activities. It is the responsibility of management to ensure that these applications continue to operate effectively, even as the scope of their coverage continues to grow. To address the increasing risks associated with these applications, management must implement or enhance its standard operating procedures and existing controls to ensure that all significant IT risks are effectively mitigated.
Lastly, with the increasing importance of IT in the audit, as well as the increased scrutiny from the Public Company Accounting Oversight Board (PCAOB), there has been a noticeable shift in the external auditor’s approach to testing internal controls over the last decade. Auditors are performing more detailed IT-focused test procedures, require enhanced documentation and support from management, and, in turn, are required to produce more detailed documentation to support their additional work.
Understanding the impact of IT’s expansion
While it may be clear that the scope of applications has grown, that the IT environment is expected to be better controlled, and that management and auditors are expected to maintain higher quality documentation, the extent of the impact each of these has may not be readily apparent. We will tackle each section separately.
The impact of an increased scope
From management’s perspective, an increased scope means additional applications and/or service providers to monitor and control. From an audit perspective, whether internal SOX testing or external auditing of the financial statements, the following downstream impacts are worth noting:
- Additional walkthroughs are to be conducted: Each application should be considered independently, and therefore the internal or external IT auditor must meet with the application owners to confirm the processes for each application. This includes understanding the workflows and required control points (both from an IT and business perspective) for each of the applications. These can be quite different from one application to another.
- Increased number of IT general control instances: Rarely does an established company implement a new IT process that did not exist previously, which is the case in which one would see an explicit increase in the number of key IT general controls (for instance, implementing a job scheduler for the first time and therefore having to implement a job scheduling control). Rather, in most cases the increased burden of controls is not explicit. When a new application is added and it follows processes already in existence (e.g. change management or user access), it may appear that the control count remains static. While the applications may be controlled in a similar manner, the people, process, and/or technology may be sufficiently different for these to be considered separate instances of the same control. In such cases, multiple controls can be represented by one overarching control; however, the walkthroughs, samples, and other required audit procedures must be performed independently of one another, and their number increases proportionately with the number of applications.
- Increased number of application controls: The automation of processes and controls is only effective if the applications are configured correctly. Each manual process that gets automated does so by means of an automated application control. Management must properly identify and test each control’s configuration and settings. Therefore, the more that gets automated, the more configurations and settings there are to be controlled and monitored.
- Data feeds and interface considerations: With the increase in the number of applications, there is a potentially exponential increase in interfaces and data feeds throughout the environment. Data quality and security across applications must be considered by management. As the environments continue to become more complex, ensuring data integrity across applications becomes paramount. If data is lost or inappropriately modified during processing between applications, this can significantly impact the operating effectiveness of downstream controls and processes.
- Additional monitoring of service providers: When management relies on service providers, they must consider the risks associated with using those vendors. Additionally, management must acknowledge that while the vendor is responsible for performing some of the control activities, management still owns the risks associated with those activities. With that in mind, management must perform sufficient procedures to ensure that all risks have been appropriately mitigated for all service providers. As ‘the cloud’ becomes a more cost-effective means of storing and processing information, the monitoring of service organizations becomes ever more crucial for appropriate risk management and for SOX.
The impact of an improved IT control environment
As noted above, while significant efficiencies can be gained by relying on applications to automate business processes and control activities, management must also perform sufficient procedures to ensure that the applications are operating effectively. As the reliance on these applications continues to grow, so do the risks associated with their effective management. Due to this, there has been an elevated level of focus and increased scrutiny on the procedures required to be performed by management to manage these risks. External IT auditors are also adjusting their audit approach accordingly.
The increase in management’s requirements includes performing additional controls, enhancing existing controls, and improving the documentation and support maintained around existing processes. The three areas in which we have seen the greatest increase in scrutiny and focus are management review controls, key reports, and application controls. Whether companies today are improving these three key areas by adding these as new controls, by enhancing the existing controls, or by improving the related documentation depends on the quality of their processes in the past. However, to level-set, we will outline a few key points for each area that should be addressed.
- Management review controls: When management reviews information and decides to take necessary action based on the results of the review, this is defined as a review control. Therefore, the sequence of events (or lack thereof) following a review control depends on the quality of the review. While designing and executing review controls effectively, consideration must be given to several components of the review. These include an assessment of:
  - The competence of the reviewer;
  - The review process (including additional follow-ups and procedures performed subsequent to the review);
  - Segregation of duties conflicts; and
  - The completeness and accuracy of the documentation used to perform the review.
- Key reports: Reports that are used as part of a key control are defined as key reports. For management and for both the IT and Finance audit teams to rely on the completeness and accuracy of the information provided by these reports, management must have sufficient controls in place to effectively control the information therein. This includes:
  - Consideration for who has the ability to update the reports;
  - Whether changes are appropriately managed;
  - Whether the reports are fit for purpose; and
  - Whether the reports and their sources of data are complete and accurate. The latter includes, but is not limited to:
    - Validation of the data source;
    - Testing the functionality of the report under all possible working scenarios;
    - Assessing query parameters and condition statements; and
    - Ensuring that user access and change management controls over the system in which the reports are generated are effective.
- Application controls: Application controls, as noted above, are automated controls built into the applications to allow for automation of an otherwise manual control. As application controls continue to become more complex, management must continue to consider all the risks associated with the operating effectiveness of the controls. Examples of matters that must be assessed by management include:
  - Whether there are multiple versions (or instances) of the application;
  - Whether several possible outcomes for each control could exist, depending on transaction type or scenario;
  - Whether the control is configurable, by whom, and whether changes are captured in the application change management process; and
  - If the control can be overridden, whether a permanent audit trail exists and whether exceptions to the normal process are reviewed.
The impact of enhanced audit work and documentation
In addition to the challenges presented above by the increasing scope of applications, there are also the ever-increasing audit requirements enforced by the PCAOB that the IT auditor must consider while performing his/her review, specifically for public companies. The increased expectations around controls, key reports, population completeness, etc. do not impact management alone. They have also had a significant impact on the procedures performed during an IT audit by the external auditors.
- Management review controls, key reports, and application controls: As noted above, there has been an increased level of focus and scrutiny on management’s work. The IT auditor is also being scrutinized to a greater degree and is required to validate all additional components of management’s work for their independent audit. This includes performing similar procedures to test review controls, validating the completeness and accuracy of reports, and assessing application configurations, and much more.
- Population completeness: Testing of controls is performed on a sample basis, so as not to validate 100% of the instances in which the control has operated in the year (i.e. the full population of control instances). However, auditors are required to obtain the full population from which to select their sample, and that population needs to be validated as being complete. If the population is incomplete, certain instances could never be subject to sample selection and testing. As population completeness has become more of a focus in the audit, the level of documentation expected from the IT auditor has also significantly increased. The IT auditor must clearly document all procedures and considerations that were taken into account while performing their assessment. This includes clearly identifying whether the information is being extracted from the appropriate source, that any parameters or condition statements used were appropriate based on the desired information, and that no changes were made to the files provided by management prior to being assessed by the auditor. Additionally, the time spent on these procedures can be significantly impacted by the addition of new applications. As noted above, even if the controls are not separated out by application, the IT auditor must assess an additional population for each new application for each key IT control.
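The key-report checks above (validating the data source, the query parameters and condition statements) and the population completeness procedures in this section are usually performed by hand against a spreadsheet export. The following is an added example, not code from the article or from any audit firm, of how the same checks can be scripted so that the evidence is reproducible: the export is hashed to prove it was not altered after extraction, its record count is reconciled to a control total recorded directly from the source system, gaps and duplicates in the ticket id sequence are flagged, and every row is checked against the audit period that the extraction query was supposed to filter on. The file layout (`ticket_id`, `system`, `closed_date`), the `ControlTotal` fields, the audit period and the sample tickets are all assumptions constructed for the example.

```python
"""
Added example (not from the article): validating an audit population export
before selecting a sample from it.

Assumptions (hypothetical, constructed for this example):
  - The population is a CSV export of closed change tickets with columns
    ticket_id, system, closed_date (ISO dates).
  - At extraction time, management recorded a control total straight from
    the source system (record count, lowest and highest ticket id) and the
    SHA-256 hash of the file as delivered to the auditor.
"""
import csv
import hashlib
import io
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ControlTotal:
    """Figures recorded directly from the source system when the file was extracted."""
    record_count: int
    min_id: int
    max_id: int
    sha256: str


@dataclass
class CompletenessResult:
    complete: bool
    findings: List[str] = field(default_factory=list)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_population(export: bytes, expected: ControlTotal,
                     period: Tuple[str, str] = ("2023-01-01", "2023-12-31")) -> CompletenessResult:
    """Return every finding that would prevent relying on this export as the full population."""
    findings: List[str] = []

    # 1. No changes since extraction: the file must still hash to the recorded value.
    actual = sha256_of(export)
    if actual != expected.sha256:
        findings.append(f"hash mismatch: recorded {expected.sha256[:12]}..., file is {actual[:12]}...")

    rows = list(csv.DictReader(io.StringIO(export.decode("utf-8"))))

    # 2. Record count reconciles to the control total taken from the source system.
    if len(rows) != expected.record_count:
        findings.append(f"record count {len(rows)} does not agree to control total {expected.record_count}")

    # 3. Sequence check: ids in the stated range that never made it into the file,
    #    and ids that appear more than once (duplicates inflate the count and can mask a gap).
    ids = [int(r["ticket_id"]) for r in rows]
    gaps = sorted(set(range(expected.min_id, expected.max_id + 1)) - set(ids))
    if gaps:
        findings.append(f"ticket ids missing from stated range: {gaps}")
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        findings.append(f"duplicate ticket ids: {dupes}")

    # 4. Extraction parameters: every row must fall inside the audit period; a row
    #    outside it means the query's condition statement was not the intended one.
    start, end = period
    out_of_period = [r["ticket_id"] for r in rows if not (start <= r["closed_date"] <= end)]
    if out_of_period:
        findings.append(f"rows outside audit period {period}: {out_of_period}")

    return CompletenessResult(complete=not findings, findings=findings)


# Constructed sample data (not real tickets): a change-ticket export for a hypothetical ERP.
CLEAN_EXPORT = (
    b"ticket_id,system,closed_date\n"
    b"1001,ERP,2023-02-14\n"
    b"1002,ERP,2023-03-30\n"
    b"1003,PAYROLL,2023-06-02\n"
    b"1004,ERP,2023-09-18\n"
    b"1005,PAYROLL,2023-11-21\n"
)
# Control total as management would record it at extraction (hash taken of the untouched file).
CLEAN_TOTAL = ControlTotal(record_count=5, min_id=1001, max_id=1005, sha256=sha256_of(CLEAN_EXPORT))

# The same file with one ticket removed after extraction: hash, count and id sequence all disagree.
TAMPERED_EXPORT = CLEAN_EXPORT.replace(b"1003,PAYROLL,2023-06-02\n", b"")


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        result = check_population(export, CLEAN_TOTAL)
        print(f"{label}: complete={result.complete}")
        for finding in result.findings:
            print("  -", finding)
```

Run stand-alone, the clean export produces no findings, while the tampered copy produces three (hash mismatch, count mismatch, and ticket 1003 missing from the sequence). The point of recording the hash and the control total at the moment of extraction, rather than later, is that it gives the auditor evidence for the "no changes were made to the files provided by management" assertion without having to re-extract the population.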
In summary, as technology continues to evolve and mature, companies are more reliant on applications to perform their business processes. The use of these applications can automate many manual processes and significantly increase the efficiency and effectiveness of existing controls and procedures. However, as the number of applications and reliance on existing applications continues to grow, so does the risk associated with IT.
As a result, the requirements associated with management’s assessment of the effectiveness of its control environment continue to evolve and grow as well. This has led to a significant amount of additional work that is to be performed by management and auditors alike. Management should expect that this level of focus will only continue to expand, and should adequately plan for the additional requirements and challenges associated with the effective management of its IT environment.