IT Controls Part I: Sarbanes-Oxley and IT Governance
Overview of SOX Sections 302 and 404
SOX of 2002 established new corporate governance regulations and standards for public companies registered with the Securities and Exchange Commission (SEC). Although the act contains many sections, this chapter and the two following chapters concentrate on internal control and audit responsibilities pursuant to Sections 302 and 404.
Section 302 requires corporate management (including the chief executive officer [CEO]) to certify financial and other information contained in the organization’s quarterly and annual reports. The rule also requires them to certify the internal controls over financial reporting. The certifying officers are required to have designed internal controls, or to have caused such controls to be designed, and to provide reasonable assurance as to the reliability of the financial reporting process. Furthermore, they must disclose any material changes in the company’s internal controls that have occurred during the most recent fiscal quarter.
Section 404 requires the management of public companies to assess the effectiveness of their organization’s internal controls over financial reporting. Under this section of the act, management is required to provide an annual report addressing the following points:
1. Describe the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.
2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts.
3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud.
4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process.
5. Evaluate entity-wide (general) controls that correspond to the components of the Statement on Auditing Standards No. 78 (SAS 78)/COSO framework.
Regarding the final point, the SEC has made specific reference to SAS 78/COSO as a recommended control framework. Furthermore, the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 endorses the use of SAS 78/COSO as the framework for control assessment. Although other suitable frameworks have been published, any framework used should encompass all of COSO’s general themes. We discussed the key elements of the SAS 78/COSO framework in Chapter 3. Our focus at this point is on IT controls (a subset of control activities), which were not previously discussed. This aspect of the SAS 78/COSO framework is used to present control and audit issues in this and the following two chapters.
RELATIONSHIP BETWEEN IT CONTROLS AND FINANCIAL REPORTING
Information technology drives the financial reporting processes of modern organizations. Automated systems initiate, authorize, record, and report the effects of financial transactions. As such, they are inextricable elements of the financial reporting processes that SOX considers and must be controlled. SAS 78/COSO identifies two broad groupings of information system controls: application controls and general controls. The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions. These controls are designed to be application-specific. Examples include:
• A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
• An account receivable check digits procedure that validates customer account numbers on sales transactions.
• A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.
These examples illustrate how application controls have a direct impact on the integrity of data that make their way through various transaction processing systems and into the financial reporting process. Application controls are examined in detail in Chapter 17.
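The three application controls listed above (batch balancing, a check-digit test, and a limit check) are easy to see in working code. The following is an added illustration, not code from the textbook; the batch totals, account numbers, time card records, and the choice of a mod-10 (Luhn) check digit are constructed assumptions.

```python
"""Three application controls: batch balancing, check-digit validation, and a
limit check. Added illustration; all sample data below is constructed."""
from decimal import Decimal

# Constructed cash disbursements batch and the AP subsidiary ledger postings
# that the batch balancing routine reconciles against.
DISBURSEMENTS = [("V100", Decimal("1250.00")), ("V230", Decimal("80.50")),
                 ("V410", Decimal("999.99"))]
AP_POSTINGS = [("V100", Decimal("1250.00")), ("V230", Decimal("80.50")),
               ("V410", Decimal("999.99"))]


def batch_balances(payments, postings):
    """Batch balancing: total payments to vendors must equal the total of the
    postings to the accounts payable subsidiary ledger."""
    return sum(amt for _, amt in payments) == sum(amt for _, amt in postings)


def luhn_check_digit(body):
    """Mod-10 (Luhn) check digit for the digit string `body`. Assumed scheme:
    the customer account number is `body` followed by this one digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def valid_account_number(acct):
    """Check-digit procedure: reject account numbers with transposed or
    mistyped digits before a sales transaction is accepted."""
    if not acct.isdigit() or len(acct) < 2:
        return False
    return luhn_check_digit(acct[:-1]) == int(acct[-1])


def hours_limit_exceptions(timecards, limit=Decimal("60")):
    """Limit check: return employee IDs whose reported hours exceed the
    predetermined normal limit, for review before payroll is run."""
    return [emp for emp, hrs in timecards if hrs > limit]


if __name__ == "__main__":
    print("batch balances:", batch_balances(DISBURSEMENTS, AP_POSTINGS))
    print("79927398713 valid:", valid_account_number("79927398713"))
    print("over limit:", hours_limit_exceptions(
        [("E1", Decimal("40")), ("E2", Decimal("72")), ("E3", Decimal("60"))]))
```

Each routine returns an exception condition rather than silently correcting the input, which is the point of an application control: the flagged batch, account number, or time card is held back for a human to resolve.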
The second broad group of controls that SAS 78/COSO identifies is general controls. They are so named because they are not application-specific but, rather, apply to all systems. General controls have other names in other frameworks, including general computer controls and information technology controls. Whatever name is used, they include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.
Whereas general controls do not control specific transactions, they have an effect on transaction integrity. For example, consider an organization with poor database security controls. In such a situation, even data processed by systems with adequate built-in application controls may be at risk. An individual who is able to circumvent database security (either directly or via a malicious program) may then change, steal, or corrupt stored transaction data. Thus, general controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.
AUDIT IMPLICATIONS OF SECTIONS 302 AND 404
The material covered in the remainder of this chapter and the following chapters assumes a basic understanding of the audit process. Specifically, the reader should:
1. Be able to distinguish between the attest function and assurance.
2. Understand the concept of management assertions and recognize the relationship between assertions and audit objectives.
3. Know the difference between tests of controls and substantive tests and understand the relationship between them.
The appendix to this chapter contains a brief overview of these topics. Those lacking this knowledge should review the appendix before continuing with this section.
Prior to SOX, external auditors were not required to test internal controls as part of their attest function. They were required to be familiar with the client organization’s internal controls, but had the option of not relying on them and thus not performing tests of controls. The audit could, and often did, therefore consist primarily of substantive tests.
SOX legislation dramatically expands the role of external auditors by mandating that they attest to management’s assessment of internal controls. This constitutes the issuance of a separate audit opinion in addition to the opinion on the fairness of the financial statements. The standard for this new audit opinion is high. Indeed, the auditor is precluded from issuing an unqualified opinion if only one material weakness in internal control is detected. Interestingly, auditors are permitted to simultaneously render a qualified opinion on management’s assessment of internal controls and an unqualified opinion on the financial statements. In other words, it is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weaknesses did not cause the financial statements to be materially misrepresented.
As part of the new attestation responsibility, PCAOB Standard No. 5 specifically requires auditors to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported. This involves first selecting the financial accounts that have material implications for financial reporting. Then, auditors need to identify the application controls related to those accounts. As previously noted, the reliability of application controls rests on the IT general controls that support them. These include controls over access to databases, operating systems, and networks. The sum of these controls, both application and general, constitutes the relevant internal controls over financial reporting that need to be reviewed. Figure 15-1 illustrates this IT control relationship.
Compliance with Section 404 requires management to provide the external auditors with documented evidence of functioning controls related to selected material accounts in its report on control effectiveness. The organization’s internal audit function or a specialized SOX group would likely perform these tests. Hence, management must actually perform its own tests of controls prior to the auditors performing theirs.
Section 302 also carries significant auditor implications. In addition to expressing an opinion on the effectiveness of internal control, auditors have responsibility regarding management’s quarterly certifications of internal controls. Specifically, auditors must perform the following procedures quarterly to identify any material modifications in controls over financial reporting:
• Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information.
• Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls.
• Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.
Finally, SOX places responsibility on auditors to detect fraudulent activity and emphasizes the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements. Management is responsible for implementing such controls, and auditors are expressly required to test them. Because computers lie at the heart of the modern organizations’ accounting and financial reporting systems, the topic of computer fraud falls within the management and audit responsibilities imposed by SOX. The following section deals with several computer fraud issues.
Computer Fraud
We saw in Chapter 3 that fraud loss estimates for 2008 exceed $990 billion. How much of this can be traced to computer fraud is difficult to say. One reason for uncertainty is that computer fraud is not well defined. For example, we saw in the ethics section of Chapter 3 that some people consider copying commercial computer software to be neither unethical nor illegal. On the other side of this issue, software vendors consider such acts to be criminal.
Regardless of how narrowly or broadly computer fraud is defined, it is a rapidly growing phenomenon. For purposes of our discussion, computer fraud includes:
• The theft, misuse, or misappropriation of assets by altering computer-readable records and files.
• The theft, misuse, or misappropriation of assets by altering the logic of computer software.
• The theft or illegal use of computer-readable information.
• The theft, corruption, illegal copying, or intentional destruction of computer software.
• The theft, misuse, or misappropriation of computer hardware.
The general model for accounting information systems shown in Figure 15-2 conceptually portrays the key stages of an information system. Each stage in the model—data collection, data processing, database management, and information generation—is a potential area of risk for certain types of computer fraud. In this section we examine only the risks; the specific control techniques needed to reduce the risks are discussed later in this chapter and in the remaining two chapters.
DATA COLLECTION. Data collection is the first operational stage in the information system. The control objective is to ensure that event data entering the system are valid, complete, and free from material errors. In many respects, this is the most important stage in the system. Should erroneous or fraudulent transactions pass through data collection undetected, the organization runs the risk that the system will process the transaction and that it will impact the financial statements.
The most common access point for perpetrating computer fraud is at the data collection stage. Frauds of this type require little or no computer skills on the part of the fraudster, but do require poorly designed controls. The perpetrator need only understand how the system works and where its control weaknesses lie. The fraudulent act involves entering falsified data into the system. This may involve deleting, altering, or creating a transaction. For example, to commit payroll fraud, the perpetrator may insert a fraudulent payroll transaction along with other legitimate transactions. Unless internal controls are in place to detect the insertion, the system will generate an additional paycheck for the perpetrator. A variation on this type of fraud is to change the Hours Worked field in an otherwise legitimate payroll transaction to increase the amount of the paycheck. Still another variant on this fraud is to disburse cash in payment of a false account payable. By entering fraudulent supporting documents (purchase order, receiving report, and supplier invoice) at the data collection stage of the accounts payable system, a perpetrator can fool the system into creating an accounts payable record for a nonexistent purchase. Once the record is created, the system will presume it is legitimate and, on the due date, will disburse funds to the perpetrator in payment of a bogus liability.
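The data collection risks just described (an inserted payroll record, an altered Hours Worked field, and supporting documents keyed in for a nonexistent purchase) are addressed by input validation controls at the point of entry. The following is an added illustration of such controls, not code from the textbook; the employee master file, the batch contents, the document fields, and the rule that the three AP documents must originate from three independent sources are constructed assumptions.

```python
"""Input validation at the data collection stage: payroll batch edits and an
accounts payable three-way match. Added illustration; sample data is constructed."""
from decimal import Decimal

# Constructed employee master file. Only IDs present here may be paid.
EMPLOYEE_MASTER = {"E001": "A. Lovelace", "E002": "B. Babbage", "E003": "C. Shannon"}


def validate_payroll_batch(transactions, master=EMPLOYEE_MASTER,
                           max_hours=Decimal("60")):
    """Return (employee_id, reason) exceptions for a batch of (id, hours) records.
    Detects: a record for an ID absent from the master file (an inserted
    transaction), hours above the normal limit (an altered Hours Worked field),
    and more than one time record for the same employee (a duplicate paycheck)."""
    exceptions, seen = [], set()
    for emp_id, hours in transactions:
        if emp_id not in master:
            exceptions.append((emp_id, "not in employee master file"))
        if hours > max_hours:
            exceptions.append((emp_id, "hours exceed normal limit"))
        if emp_id in seen:
            exceptions.append((emp_id, "duplicate time record"))
        seen.add(emp_id)
    return exceptions


def three_way_match(po, rr, inv, tolerance=Decimal("0.00")):
    """Three-way match before an AP record is created. Each document is a dict
    with vendor, quantity, amount and source (the subsystem or department that
    produced it). Assumed rule: the purchase order, receiving report and invoice
    must come from three different sources, so a set of documents all keyed at
    the AP entry point cannot by itself create a liability."""
    if len({po["source"], rr["source"], inv["source"]}) < 3:
        return False, "documents not independently originated"
    if not (po["vendor"] == rr["vendor"] == inv["vendor"]):
        return False, "vendor mismatch"
    if not (po["quantity"] == rr["quantity"] == inv["quantity"]):
        return False, "quantity mismatch"
    if abs(po["amount"] - inv["amount"]) > tolerance:
        return False, "amount mismatch"
    return True, "matched"


if __name__ == "__main__":
    batch = [("E001", Decimal("40")), ("E999", Decimal("40")),
             ("E002", Decimal("75")), ("E001", Decimal("8"))]
    print(validate_payroll_batch(batch))
    po = {"vendor": "V100", "quantity": 10, "amount": Decimal("500.00"), "source": "purchasing"}
    rr = {"vendor": "V100", "quantity": 10, "amount": Decimal("500.00"), "source": "receiving"}
    inv = {"vendor": "V100", "quantity": 10, "amount": Decimal("500.00"), "source": "ap_entry"}
    print(three_way_match(po, rr, inv))
```

The master-file match is the control that stops the inserted payroll record; the limit check catches the altered hours; and the independent-origin rule in the three-way match is what turns the AP check from a formatting test into a control, since a perpetrator with access to only the AP entry screen cannot supply a purchasing-originated order or a receiving-originated report.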
Networked systems expose organizations to transaction frauds from remote locations. Masquerading, piggybacking, and hacking are examples of such fraud techniques. Masquerading involves a perpetrator gaining access to the system from a remote site by pretending to be an authorized user. This usually requires first gaining authorized access to a password. Piggybacking is a technique in which the perpetrator at a remote site taps in to the telecommunications lines and latches on to an authorized user who is logging in to the system. Once in the system, the perpetrator can masquerade as the authorized user. Hacking may involve piggybacking or masquerading techniques. Hackers are distinguished from other computer criminals because their motives are not usually to defraud for financial gain. More often they are motivated by the challenge of breaking into the system rather than the theft of assets. Nevertheless, hackers have caused extensive damage and loss to organizations by destroying and corrupting corporate data.
DATA PROCESSING. Once collected, data usually require processing to produce information. Tasks in the data processing include mathematical algorithms (such as linear programming models) used for production scheduling applications, statistical techniques for sales forecasting, and posting and summarizing procedures used for accounting applications. Data processing frauds fall into two classes: program fraud and operations fraud.
Program fraud includes the following techniques: (1) creating illegal programs that can access data files to alter, delete, or insert values into accounting records; (2) destroying or corrupting a program’s logic using a computer virus; or (3) altering program logic to cause the application to process data incorrectly. For example, the program a bank uses to calculate interest on its customers’ accounts typically will produce rounding errors because the precision of the interest calculation is greater than the reporting precision. Therefore, interest figures that are calculated to several decimal places produce values to a fraction of one cent and must be rounded to whole numbers for reporting purposes. Interest calculation programs typically have a standard rounding routine to keep track of the rounding errors so that the total interest charge to the bank equals the sum of the individual credits. This involves temporarily placing fractional amounts left over from each calculation in an internal memory accumulator. When the amount in the accumulator totals one cent (plus or minus), the penny is added to the specific customer’s account that is being processed at that time. In other words, one cent is added to (or deducted from) customer accounts randomly. A form of program fraud called the salami fraud involves modifying the rounding logic of the program so it no longer adds the one cent randomly. Instead, the modified program always adds the plus cent to the perpetrator’s account, but still adds the minus cent randomly. This can divert a considerable amount of cash to the perpetrator, but the accounting records stay in balance to conceal the crime.
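The rounding accumulator described above, together with the reconciliation an auditor would expect to see around it, can be shown in working code. The following is an added illustration, not the textbook's or any bank's code; the balances, rate, rounding mode, and the concentration threshold used in the audit test are constructed assumptions. It shows only the legitimate routine and the checks that would reveal a departure from it.

```python
"""Interest rounding accumulator with reconciliation and an audit test for
concentrated penny adjustments. Added illustration; all sample data is constructed."""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP, getcontext

getcontext().prec = 28
CENT = Decimal("0.01")


def exact_interest(balance, annual_rate, days):
    """Interest to full precision, before rounding to the reporting precision."""
    return balance * annual_rate * Decimal(days) / Decimal(365)


def post_interest(balances, annual_rate, days=30):
    """Standard rounding routine. Each account is credited its interest rounded
    to the cent; the fractional remainder is carried in an accumulator. When the
    accumulator reaches plus or minus one cent, that cent is applied to the
    account being processed at that moment and removed from the accumulator.
    Returns (credits, adjustments): credits maps account -> amount credited,
    adjustments lists (account, +1 or -1) for every carried penny."""
    credits, adjustments = {}, []
    accumulator = Decimal("0")
    for acct, balance in balances:
        exact = exact_interest(balance, annual_rate, days)
        credited = exact.quantize(CENT, rounding=ROUND_HALF_UP)
        accumulator += exact - credited
        if accumulator >= CENT:
            credited += CENT
            accumulator -= CENT
            adjustments.append((acct, +1))
        elif accumulator <= -CENT:
            credited -= CENT
            accumulator += CENT
            adjustments.append((acct, -1))
        credits[acct] = credited
    return credits, adjustments


def reconciles(balances, annual_rate, credits, days=30):
    """Control total: the sum of individual credits must equal the bank's total
    interest charge to within one cent. A salami modification keeps this true,
    which is why the test below is also needed."""
    total_exact = sum(exact_interest(b, annual_rate, days) for _, b in balances)
    return abs(sum(credits.values()) - total_exact) < CENT


def concentrated_adjustments(adjustment_log, min_total=20, max_share=Decimal("0.5")):
    """Audit test over a log of carried pennies accumulated across many posting
    runs. The legitimate routine gives the penny to whichever account happens
    to be processed when the accumulator fills, so positive adjustments should
    be spread out. Any account receiving more than max_share of all positive
    adjustments is returned for investigation."""
    positives = Counter(acct for acct, cents in adjustment_log if cents > 0)
    total = sum(positives.values())
    if total < min_total:
        return []
    return sorted(a for a, n in positives.items()
                  if Decimal(n) / Decimal(total) > max_share)


if __name__ == "__main__":
    balances = [("A1", Decimal("1234.56")), ("A2", Decimal("98765.43")),
                ("A3", Decimal("250.00")), ("A4", Decimal("7777.77")),
                ("A5", Decimal("31.19"))]
    credits, adj = post_interest(balances, Decimal("0.0325"))
    print(credits, adj, reconciles(balances, Decimal("0.0325"), credits))
```

The reconciliation alone is not sufficient evidence, because the modified program described in the text leaves the control total intact by design; the distribution test over the adjustment log is what distinguishes the routine that spreads pennies by processing order from one that steers them to a single account.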
Operations fraud is the misuse or theft of the firm’s computer resources. This often involves using the computer to conduct personal business. For example, a programmer may use the firm’s computer time to write software that he sells commercially. A CPA in the controller’s office may use the company’s computer to prepare tax returns and financial statements for her private clients. Similarly, a corporate lawyer with a private practice on the side may use the firm’s computer to search for court cases and decisions in commercial databases. The cost of accessing the database is charged to the organization and hidden among other legitimate charges.
DATABASE MANAGEMENT. The organization’s database is its physical repository for financial and nonfinancial data. Database management fraud includes altering, deleting, corrupting, destroying, or stealing an organization’s data. Because access to database files is an essential element of this fraud, it is often associated with transaction or program fraud. A common fraud technique is to access the database from a remote site and browse the files for useful information that can be copied and sold to competitors.
Disgruntled employees have been known to destroy company data files simply to harm the organization. One method is to insert a destructive routine called a logic bomb into a program. At a specified time, or when certain conditions are met, the logic bomb erases the data files that the program accesses. For example, a disgruntled programmer who is contemplating leaving an organization inserts a logic bomb into the payroll system. Weeks later when the system detects that the programmer’s name has been removed from the payroll file, the logic bomb is activated and erases the entire payroll file.
INFORMATION GENERATION. Information generation is the process of compiling, arranging, formatting, and presenting information to users. Information can be an operational document such as a sales order, a report sent to a computer screen, or published financial statements.
A common form of computer fraud at the information generation stage is to steal, misdirect, or misuse computer output. One low-tech but effective technique called scavenging involves searching through the trash of the computer center for discarded output. Thus, a perpetrator may obtain useful information from hard-copy reports that were rejected during processing. Sometimes output reports that are misaligned on the paper or slightly garbled during printing are discarded into the trash.
Another form of fraud called eavesdropping involves listening to output transmissions over telecommunications lines. Technologies are readily available that enable perpetrators to intercept messages being sent over unprotected telephone lines and microwave channels. Most experts agree that it is practically impossible to prevent a determined perpetrator from accessing data communication channels. Data encryption, however, can render useless any data captured in this way.
With this backdrop in place, the scene is set for viewing control techniques and tests of controls that might be required under SOX. PCAOB Auditing Standard No. 5 emphasizes that management and auditors use a risk-based approach rather than a one-size-fits-all approach to the design and assessment of controls. In other words, the size and complexity of the organization needs to be considered in determining the nature and extent of controls that are necessary. The reader should recognize, therefore, that the controls presented in the remainder of this chapter and in the following two chapters describe the needs of a generic organization and may not apply in specific situations.