Linking IT Controls to Business Objectives
By Jack Bess
KnowledgeLeader Contributing Writer


On a July 25, 2006 Institute of Internal Auditors (IIA) web cast, four panelists spoke about linking IT controls to business objectives using a top-down approach and how GAIT supports the process.
Much like how computer technology is inextricably woven into the fabric of everyday life, information technology (IT) controls are an essential part of what a business sets out to achieve. There is a complex interrelationship between IT and business. It is easy to see how, for example, damage to a data center results in business disruption. A link is less clear if you ask how IT functionality impacts the financial statements. But that link is there. Accordingly, IT controls must be included in an audit from the start, as an essential part of a top-down, risk-based approach.
Over the last year, companies have paid more attention to the link between IT risks and business risks as they relate to Sarbanes-Oxley Act (SOX) compliance. Driving that trend is the company’s own experience during the first two years of addressing SOX regulation, says Ed Hill, a Protiviti managing director.
“In the first couple of years, everybody erred on the side of putting everything they could think of into scope,” Hill says. “If you had any questions about whether a certain process is in scope, they erred on the side of including it.” Subsequently, “people understood they were doing too much work on the IT controls in SOX because they did not have a tight definition of exactly which IT controls should be in scope.”
That brought forth two results that no company wants: unnecessary work and unnecessary cost. For everything deemed in scope for SOX auditing, there is an extra cost to the company for external auditors to revalidate all the controls.
That is why risk specialists recommend a top-down approach for scoping IT controls. That is, start the analysis by defining the overarching goals of the business; what are the threats, or risks, that could prevent it from reaching those objectives; and what are the controls to prevent, detect, or mitigate those threats, says Norman Marks, vice president for internal audit at Business Objects, a business intelligence firm based in San Jose, California.
The connection between IT and business activity may not be obvious, “but once you start looking at those controls, you may find that you are relying on IT,” he says. Devising a top-down approach involves peeling back the onion layers of business processes, and Marks gives the example of a financial firm periodically audited for signs of insider trading.
The firm has an objective: comply with federal regulations. To do that, it needs a policy; and employees at all levels have to know about that policy. So the firm sets up processes: continuous policy training for all employees, periodic certification of the training, and management review of employee attendance.
Peel back another layer of the onion, and you will likely discover IT functions such as online employee training and certification, Marks says. From there, you can identify potential points of failure like access to certification data and security controls, all of which would fall into scope.
Tailoring the process
Businesses that erred on the side of including all processes in scope during the first years of SOX now have a better understanding of which applications and IT processes are linked with business objectives, says Protiviti’s Hill, adding, “The better that linkage becomes, the more focused the scope of the Section 404 assessment can be.”
At Hewlett-Packard Company (HP), categorizing IT risks into three compartments – infrastructure, application and financial process – helps define what is in scope and measure the system’s reliability, says Brad Ames, IT auditing director at HP. In each compartment, there are three guiding principles: change management, security and operations.
“When you see the controls in each one of those principles working effectively, then you can say that system will generate reliable information,” Ames says.
Indicators for each principle are collected systematically, measured on a monthly basis and analyzed quarterly, Ames says. Each indicator is analyzed by aligning it with others. For instance, infrastructure indicators collected at the operating-system level are aligned with indicators collected at the application and financial levels, he says. Conclusions are “more credible” when they are made in this context.
“At HP, we have several SAP transaction processing applications in scope for SOX, so you can watch indicators and benchmark – application against application, technology against technology – to see if those applications run well,” says Ames. “If you have an application with indicators that are not in proximity to the better-run applications, then you know that application seems to be accepting more risk; and those are the processes that are probably degrading more quickly than the others.”
For each of the three compartments, HP uses a tool to collect information across the enterprise. Application and financial processes each use a tool HP developed in-house; for infrastructure, HP uses its commercially available OpenView Compliance Manager to pull information at the operating-system level, Ames says. Risk is then assessed by aligning those indicators across the board.
“What we have done is categorically organize these indicators so that they map to assertions,” Ames says. “This gives the external auditor a level of comfort regarding an assertion that the control environment is operating effectively. They can see how our assertions are being supported on a monthly basis. The intent is to get more and more continuous (in measuring).”
Ames notes that the principles of The IIA’s A Guide for the Assessment of IT General Controls Scope Based on Risk (GAIT) correspond with HP’s monitoring principles. GAIT is a simple, clear vehicle that helps companies identify automated controls and then determine how to measure and monitor them in ways that will produce evidence about operating effectiveness, he says.
GAIT also helps ensure an “interlock” between IT auditors and business-process auditors during the SOX process, according to Ames. Financial auditors need to consider IT audits in their assessment of the business assertions.
Making that connection leads to a realization that “you can reduce the financial process testing and rely more on the IT general controls and application controls,” he says. There are cost savings in that decision because “you can test fewer samples with the IT controls than you would have with the financial processes by themselves.”
Understanding that you can monitor and measure automated controls remotely, via technology, means you can observe them continuously and in context, Ames says. Monitoring controls on a “dashboard” enables a company to understand how the control environment is functioning as early as the first or second quarter, he adds. “You want to preempt that degradation of applications and technology, and then remediate before the auditors come,” he says.
Linking IT controls to business objectives has multiple benefits, Ames says. It saves money and time; and because monitoring is automated, a company can test more activities and move the testing earlier in the interim period. At HP, manual controls are typically tested in the third quarter, but with automation, “We can test in Q1 and Q2, get linearity with our testing and smooth it out across the year, rather than increasing our effort for SOX in Q3 and peaking in Q4,” he says. “What we are trying to do is peak our efforts in Q2, so we are near completion by Q3. In Q4 you can go after anything that has changed.”
With GAIT as a guide
GAIT codifies four principles for SOX IT general control scoping. In doing so, it creates a structured reasoning process for a top-down, risk-based approach, as well as a common context and language for auditors and management to share information, says Protiviti’s Hill, who describes these principles as:
- Identifying IT general control risk is a continuation of the SOX top-down, risk-based process.
- The only IT infrastructure elements that are in scope for IT general risk assessment are those that support financially significant applications and data. “Financially significant,” Hill says, is a most important concept. If an application does not function consistently or correctly, or if data is affected by unauthorized change that bypasses normal controls, the likely result is a material misstatement that would not be prevented or detected. The potential for that result is what determines whether an application or data is considered in scope, he says.
- The elements of IT general controls that should be considered in scope are the processes for change management, operations and security.
- The IT processes that should actually be placed into scope are the ones that can impact the integrity of the financially significant applications and data. GAIT is not considered an exclusive process in that it can be used in conjunction with COBIT and other methodologies to identify key controls.
Leveraging GAIT
Midway through its third year of SOX, the Intel Corporation is continuously looking for ways to leverage GAIT and improve the scoping process built in the previous two years, says Fawn Weaver, IT SOX compliance manager at Portland, Oregon-based Intel. As with many companies, there was a learning curve at Intel.
In the first year, Intel reasoned that “if an application is in scope, then all of the general controls come in by default leading us to test all general controls,” says Weaver. “In Year Two, we became a little smarter and implemented a risk-based approach.” She says the company asked how the failure of general controls affects the application control, and if that happens, would it result in material misstatement to the financial statements?
Now in Year Three, the question is how can the company reach a conclusion more quickly? Finding the answer reveals some of the scoping challenges Intel faces. For one thing, Weaver says, there is a lack of knowledge about the end-to-end process.
“We have a lot of control owners who know their piece of the process and the controls within it. But very few within our organization understand the end-to-end data flow, from initiation of a financial transaction all the way to the end when it hits our financial statements,” she says. “So we started integrating the business areas with the IT control owners and started having a conversation. You can get a lot of good information from those conversations. For example, a lot of times the business places reliance on something in the system and they are unclear on how that functionality actually works.”
An integrated team representing IT, business, management, internal audit and the SOX program office, can help identify flaws in assumptions, Weaver says. But first, all those sides have to speak a common language without the distractions of specialized jargon. They have to communicate in order to make a judgment, one that has to be aligned with management and internal and external auditors. This language barrier between the business and IT sides is probably the “greatest hurdle” to overcome in the scoping process, she says.
GAIT is a useful tool in helping bridge that barrier, and it also provides a methodology for dealing with a scope process that constantly changes, Weaver says. For example, last year’s manual control might be automated this year, pulling a new application into scope. Or a personnel change within the group could create a whole new dynamic in decision-making. As a proponent of a risk-based approach, Weaver says companies always have to keep in mind that risk cannot be eliminated, only reduced to a reasonable level that you are willing to accept.
Scoping is never “done,” in the sense of being a finished process, Weaver says, making it essential that “we use the tools such as GAIT to get that methodology nailed down to reach a conclusion faster as a group.”
In addition to the emphasis on business objectives and the risk of material financial misstatements, GAIT has also helped Intel clarify the “likelihood factor” regarding general control failure, Weaver says. Identifying how such a failure impacts the financial statements was easy, she continues, but it was harder to determine the likelihood of general-control failure and how that would impact application controls and financial statements. Where GAIT helped was to put some criteria around that likelihood so Intel’s group could begin addressing the issue, she says.
The fruits of horizontal testing
Intel is striving for greater efficiency in SOX testing through a process it calls “horizontal testing,” Weaver says. In Year One of SOX, the company tried “vertical testing,” in which there were four controls in change management as a general control area. Intel would test those four controls on every application, she says. But the company subsequently found a more efficient model.
With horizontal testing, you are “taking the change-management controls and sampling from multiple applications,” Weaver says. “You pull your sample from a multiple-application population and end up with the same sample size. But you will not have to pull as many samples, making your testing more efficient.”
Intel also looks for ways to improve its continuous monitoring, she says. For instance, Intel developed a tool that pulls configurable data from the servers, such as employee passwords, which expire every 90 days. When the tool creates a list of employees who did not change their passwords, control owners are notified that they are out of compliance, she says. A continuous process helps manage IT control health, with such benefits as centralization of evidence, standardization, early detection of issues, and SOX testing efficiencies, she says.
“It also helps management gain visibility into how well we are complying with our own controls,” says Weaver.
“Having visibility can drive accountability, and accountability drives getting your controls embedded in the organization.”
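The password-age check Weaver describes, written here as an added illustration rather than Intel’s own tool: it reads a constructed collector export (the CSV layout is an assumption), flags accounts whose password is older than the 90-day rotation period, and groups the out-of-compliance users by the control owner who has to be notified. An account at exactly 90 days is treated as still within policy; anything older is stale.

```python
import csv
from datetime import date
from io import StringIO

MAX_PASSWORD_AGE_DAYS = 90  # rotation period described in the article
REPORT_DATE = date(2006, 10, 1)  # constructed reporting date

# Constructed sample export (hypothetical format): one line per account,
# as a server-side collector might report it. Not real data.
SAMPLE_EXPORT = """\
user,control_owner,last_password_change
alice,erp-team,2006-09-15
bob,erp-team,2006-06-01
carol,hr-systems,2006-07-04
dave,hr-systems,2006-07-03
erin,hr-systems,2006-07-02
"""

def parse_export(text):
    """Parse the collector export into (user, owner, last_change_date) tuples."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append((row["user"], row["control_owner"],
                     date.fromisoformat(row["last_password_change"])))
    return rows

def password_age_days(last_change, as_of):
    return (as_of - last_change).days

def stale_accounts(records, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Accounts whose password is older than the rotation period.
    Exactly max_age_days is still within policy; strictly older is stale."""
    return [(user, owner, password_age_days(changed, as_of))
            for user, owner, changed in records
            if password_age_days(changed, as_of) > max_age_days]

def notices_by_owner(records, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Group stale accounts by control owner so each owner receives one
    notice listing their out-of-compliance users and the password age."""
    notices = {}
    for user, owner, age in stale_accounts(records, as_of, max_age_days):
        notices.setdefault(owner, []).append((user, age))
    return notices

if __name__ == "__main__":
    for owner, users in notices_by_owner(parse_export(SAMPLE_EXPORT), REPORT_DATE).items():
        print(f"{owner}: " + ", ".join(f"{u} ({age} days)" for u, age in users))
```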
Driving change in an organization is typically a challenge. But the task of linking IT controls to business goals is made easier once a common language and methodology are employed in a top-down approach.
Article from Protiviti KnowledgeLeader – www.knowledgleader.com.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

