<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar/21791921?origin\x3dhttp://grcprofessor.blogspot.com', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Friday, February 24, 2006

SEC's Moves On SOX: The Big Guns Come Out

Moves by a Securities And Exchange Commission advisory panel to exempt 80 per cent of companies from having their internal controls certified have come under fire from former SEC heavies, Paul Volcker and Arthur Levitt.In a letter they co-wrote...

It's refreshing to see that the people that held such high stations with influential companies and commissions continue to maintain their vigilance to protect the average investor. Men like Volcker, Levitt, Biggs, and Bogle, continue to echo the spirit of why the Sarbanes-Oxley was enacted in the first place. Without doubt, the cost of SOX compliance can be steep, but there is a lot of "institutional learning" about internal controls that has transpired over the past three years. Those efforts have flattened the learning curve for those who follow.

Read more

Thursday, February 23, 2006

Unified Compliance Summit

I'm on the scene of IT Compliance Institute's Unified Compliance Summit in Las Vegas. Overall, it is an impressive gathering of industry IT, audit, and compliance professionals sharing stories, better practices, and practical guidance. The instructors are practitioners, so the content has been relatively fresh.

Aside from the instructional tracks, I've been especially intrigued with ITCi's Unified Compliance Project. The project is an ambitious attempt to assess myriad compliance requirements various industries face to support a strategic approach to IT compliance. Tools produced by the project help crystallize the overwhelming need to gain an understanding of the overlapping requirements. Check it out.

The project inspires a broader vision of compliance management that non-IT managers may wish to collaborate. In my opinion, IT will be more successful with a unified compliance program if they can engage business units to invest the time to think similarly.

Tuesday, February 14, 2006

The End of SOX?

Is SOX legislation on the ropes? If you read the arguments of The Free Enterprise Fund you might think so. The FEF contends the Sarbanes-Oxley Act of 2002 is unconstitutional because of the manner in which the PCAOB has been empowered. Without knowing about the FEF's stand, I would say many public company managers would argue that the cost of the Act exceeds the benefits being reason enough to repeal the Act. On the other hand, citizens watching and reading excerpts from the Enron trial of Ken Lay and Jeff Skilling, may be thinking of due process and "justice". Accountants and Auditors, barreling through another 10K season, may be just wishing to catch their breath and stop second-guessing their professional judgment.

For over three years, public companies and public accounting firms have grappled with the vague passages of the Act and the wide degree of interpretation that have followed. Along the trail, there has been material weaknesses reported, numerous restatements, fraudulent practices rooted out, executive resignations, and shareholder lawsuits. Also along the trail you'll find process remediation, greater internal controls awareness, independent directors, and better transparency.

The scales are heavy on both sides of the equation. My observation is that the Act is slowly attaining the lofty goals of reassuring investor confidence in the U.S capital markets. The balance of cost and benefit will continue to be borne by all sides for a few more years.

A recent study of 404 costs by CRA International commissioned by the Big Four indicated that the cost of 404 would decrease markedly in year two largely due to reduction in control documentation efforts and a gradual flattening of the learning curve. Skepticism about costs continues for many large accelerated filers and may be shared by their respective auditors. I'd chalk this ambivalence up to the top-down, risk-based approach and reliance on others work that were major themes at the SEC roundtable in April of 2005.

While the implementation of section 404 has been clouded by overboard documentation and duplication of testing, I am optimistic that the balance sought by the many affected is taking a foothold. The consequences of not taking adequate time and effort to review ICOFR has a toll and will exact varying forms of discomfort to those constituents that ignore the principles of better corporate governance. If the spirit of the Act is not maintained, it would be akin to regressing to an unstructured, chaotic time where shareholders rely more on faith than good management. Invariably, production would marginalize back office processes and relegate financial reporting as a necessary evil. If the shoe drops for those companies that choose to trust without verifying, who will pay for the lapse of oversight?

Wednesday, February 01, 2006

Application Segregation of Duties

Your company may be going through the SOX blues when you consider application segregation of duties (SOD). What are your challenges? Defining the potential SOD conflicts? Reviewing which potential SOD conflicts need to be remedied? Figuring out how to document the mitigating controls? Implementing the changes requested by your reviewers? Do you know if all the requested changes were completed?

SOD isn't a fun topic for many large companies to address. The SOD topic has certainly caught a lot of attention for those companies having to comply with Sarbanes-Oxley section 404. But even, if your company isn't obligated to do so, there are principled reasons for your organization to consider the consequences of not monitoring segregation of duties.

Segregation of duties is a fundamental element of internal control and information security. Generally, we think of the physical segregation methods - different groups handling specific processes and separating the activities so that they are handled in a manner that will discourage fraudulent behavior. This is especially true in today's computing environment.

At the turn of the 20th century, it was commonplace for groups of employees to be physically separated from one another. Due to the manual nature of the work and number of employees, the boundaries of what was proper protocol were generally transparent. Manual effort was necssary whether it required brains or braun. At the turn of the 21st century, the advent of computer business applications being fused together as modules of a larger Enterprise Resource Planning systems with complex business rules, numerous security groups, and custom roles obscured a level of protocol that was once very visible. For some, it's not an ERP package; rather it is an extensively used general ledger package.

Many organizations struggle with a spectrum of security configurations. Some are too complex they force the administrator to create a security monster so rigid that they fear it may break the will of the users' to do their jobs. Others are are too simple they compromise application data integrity. In the wake of many these implementations are application security configurations "simplified" for administration purposes that leave organizations open to inadvertent processing errors, breaches of privacy, or clandestine data modifications.

Few applications have addressed SOD conflict management as a product feature. There are a few application vendors and third-party providers that have collaborated on the matter and provisioned bolt-on tools to facilitate the process. But if your organization isn't running SAP or Oracle applications, chances are you're going to have to figure out how to face the SOD issue from the ground up.

You may need to do a SOD analysis for any financially significant application in your organization or potentially for any applications that have "need to know" sensitive data. As you consider the effort, consider Comstock's Theorem of SOD Need, which states: "Applications that drive transaction processing which have diverse user groups, with varying roles, and multiple levels of security architecture will generally be the highest priority for SOD review and maintenance." You won't find that anywhere else but here, because I just made it up. That said it is an observation that resonates with me each time I assess an application that fits the profile. While there are many tasks and people necessary to implement and manage application SOD, my colleagues at GCRM have identified four major efforts necessary to manage the SOD process.


    1. Develop a SOD Conflict Matrix by engendering cross-departmental
      collaboration. A SOD Conflict Matrix defines the institutional understanding of
      how a company's employees work with an application and expresses the perceived
      and actual taboos. The conflict matrix should be granular enough to determine
      application activities that should not be performed by individuals
      defined by security or user groups necessary for their job function.
    2. Circulate a SOD conflict report to the departmental managers
      responsible for the oversight and design of effective SOD controls for their
      area so they may identify necessary changes or mitigating controls (risk
      acceptance).
    3. Capture the manager defined changes for future review and signoff.
      Your SOD administrator should periodically circulate SOD conflict reports to
      management to evaluate new conflicts that may need to be resolved, as well as
      confirm that the circumstances for conflict acceptance (mitigating controls)
      continue to persist. If you can put the acknowledgements in a database table, it
      would make future review more efficient, providing an effective way of creating
      exception reports to facilitate the efforts in item 2 above.
    4. Have your security administrator positively confirm all change
      requests, user id termination, privileges granted or revoked, etc. back to the
      management team in order to close the feedback loop and ensure that the
      audit trail for the change activity is well documented.

In closing, let me remind you that this effort is a process. As long as you add, change, or delete user access and their respective application rights, the SOD conflict map will need to be re-evaluated at least annually. If this control is not reflected in your IT policies and procedures, you should punch up that document to communicate the policy, risks, and necessary procedures that the application user community must understand. The first full pass at application SOD may take a Herculean effort. With regular review and periodic monitoring, the exception based SOD conflict reporting and positive confirmation for change requests should taper off to a very manageable workload for all involved.



The Final Mile

As we end the month of January 2006, I can't help but think of the flurry of activity that will transpire in the next 45 days. For many public companies, this is 10K season. The December 2005 books have been closed giving way to year-end closing analysis and SEC reporting. It also means that we've entered the "final mile" of the SOX-404 efforts to test and assess internal controls over financial reporting (ICOFR). Will you pass? It is an ominous question that takes substantial time and effort to answer.

It would be hard to believe that anyone could anticipate the concert of activities necessary throughout the year only to culminate in what might be an austere final evaluation. Documentation, testing, remediation, retesting, update testing, meetings, meetings about meeting...

Relatively speaking, before the Sarbanes-Oxley Act of 2002 was implemented by any public company, life was simpler for those responsible for SEC reporting, Edgarizing, and MD&A. Today, audit committees, auditors, and company management alike pause deeply as they discuss the conclusions drawn as they discuss the evaluation of internal control deficiencies. To aid the evaluation process, version 3 of the whitepaper entitled "A Framework for Evaluating Control Exceptions and Deficiencies" was released in December 2004.

Have you read the whitepaper? If you're responsible for evaluating the magnitude of a potential error caused by control deficiencies that weren't remediated by year-end (or remediated, but lacked an insufficent frequency to conclude by year-end), you owe it to yourself and your organization to read it. Maybe you should read it twice if you did not participate in the excercise last year. The whitepaper provides a framework to quantitatively and qualitatively analyzing individual deficiences, at least anecdotally. However, it doesn't give much guidance on how one might be able to meaningfully aggregate individual deficiencies along attrbiutes such as COSO component, financial statement assertion, or significant account. That is the beginning of the "final mile".

My partner Dale Timmons had a good analogy for this "final mile". SOX 404 is like a three-hour comprehensive, end of year final exam. Consider that you are back in high school taking the toughest exam in your least favorite subject. Pick your weakest subject back then, and imagine the whole year's struggle of learning new concepts, writing detailed research reports, and taking pop-quizes. All of it was a prelude to the infamous, three hour, comprehensive, open-book, end of year final exam. Yikes! Before administering the exam, the good and fair teacher says three words, "Show your work."

Three hours later, the teacher calls, "pencils down" for the end of the exam. That's it, you're done answering and explaining. Now it's time to wait for your grade. And as you wait you silently wonder, "Will there be partial credit? What about extra credit? Is each question weighted the same?" Did you show your work?

You answered some questions well and other questions not so well. She gives you full credit for everything that was right, partial credit for showing your work on questions that were incomplete but showed logical application of concepts, and no credit for not answering a question or the flawed logic that demonstrated you were clueless.

OK. Snap out of that stroll down memory lane. Let's get back to the control deficiency evaluation process. There are several decision trees in the whitepaper referred to as Chart 1 -4. Chart 1 walks you through a series of questions to evaluate whether an exception is really a deficiency. Once you've determined that you have a deficiency, Charts 2 -4, take you through a series of questions based on the types of control - Process/Trasactional Controls, IT General Controls (ITGC), and Pervasive Controls other than ITGC (think soft controls).

Integral to the analysis for Charts 2-4 is the Prudent Official. If you perceive yourself to be the Prudent Official, you may "anectdotally" conclude a potential error caused by the deficiency is a garden-variety, inconsequential deficiency, or has a magnitude more severe to characterized significant or worse, a material weakness. I use the term "anectdotal" in this evaluation because one would apply company specific knowledge of circumstances and financial impact to hazard an opinion of whether the deficiency was inconsequential, significant, or material. But chances are you're really not the Prudent Official. The Pruduent Official is some independent party - likely your auditors.

Let's flashback to the high shool memory of that tough, comprehensive, three hour, open-book final exam. Your teacher is the Prudent Official. Guess what? The teacher likes you and knows you are a good student, but if you didn't show your work, she can't give you credit. Ouch!

The moral of the story - Show Your Work. The quantification process can be gruelling because each deficiency has it's own circumstance and anlysis effort. But the silver lining is being able to discuss the qualitative factors that help mitigate the risk and reduce the exposure error, thus allowing you to confidently defend management's assertion that internal controls over financial reporting are effective or acknowledge the weaknesses with a remediation plan.

Here's some practical guidance to help put your best foot forward as you stroll, jog, or race your final mile:
  1. Build a uniform financial model in a spreadsheet or database that allows you to approach each deficiency evaluation the same way.
  2. When you get to the point in Chart 2-4 where you have to consider the magnitude of the deficiency, document your key financial data points - what are the quantitative brightlines? For some companies, values less than 1% of Net Income Before Tax are inconsequential and 5% and over is a material weakness. Discuss this matter with your management team and your auditor to come to a consensus.
  3. Take the time to really evalute the nature of the deficiency and boil it down to the significant accounts that are impacted to understand the gross exposure. You'll find definition of gross exposure in the whitepaper.
  4. Use your testing sample sizes (refer to the AICPA's sampling guide, appendix A) to determine if there is confidence level that you can factor in to arrive at a net exposure.
  5. Contemplate the compensating controls in your internal control system and think about the precision of the controls that operate independently upstream or downstream from the deficient control to qualitatively mitigate the exposure. Ascribe a factor to those controls and document your rationale to conclude the individual deficiency analysis.
  6. Having documented the rationale for your quantification of the potential error, you can easily add up the values across the like COSO elements, signficant accounts, or financial statement assertions to assess how items aggregate.
  7. Write a narrative to help the Prudent Official navigate your analysis, rationale, and conclusions.

In parting, let me also share one other thought prospectively for next year. In Stephen Covey's book "Seven Habits of Highly Effective People", Habit 2 articulates the virtues of beginning your endeavor with the end in mind. As you progress through your final mile of 2005's SOX 404 evaluation, think of what would make it better, easier, less harried next year. The fewer deficiencies left to evaluate the better. That is easy to say - but with that end in mind, you can work with all the consitutuents of your company to slowly change attitudes and behaviors. Emphasize more education, more monitoring, earlier testing, concerted efforts to remediate with a sense of urgency and proactive retesting. The effort will payoff for everyone involved.