Abc Co. has the opportunity of a lifetime: to benchmark Sarbanes-Oxley compliance. Year one of a Sarbanes-Oxley implementation is extremely difficult and at times very frustrating but is a golden opportunity to implement Sarbanes-Oxley not just the right way, but perhaps the ideal way. Abc Co. has an opportunity to automate Sarbanes-Oxley compliance.
The initial Auditing Standard (AS) No. 2¹ that governed internal controls over financial reporting was nonspecific and left much open to interpretation. This resulted in hurried, unrefined implementations of Sarbanes-Oxley. In addition, in 2004 most companies did not have sufficient time or resources to devote to fully understanding the new control requirements. This general lack of understanding of the newly implemented standard often led to overspending and overcontrolling the environment. The control environment was often patched with numerous manual controls because there was insufficient time to adequately identify, evaluate and develop inherent application controls. The benefits of automated controls were not specifically outlined or widely known early in the Sarbanes-Oxley era.
Finally, many who have worked with Sarbanes-Oxley controls over the past five years now know how small the window of opportunity is to institute any significant change in an organization. From planning, to walk-throughs, to initial testing, to updates and year-end testing, there is only a narrow window each year in which to foster significant change.
It is difficult to assign a tangible value to application controls, but it is often evident how important they can be in enabling a company to comply efficiently and effectively with Sarbanes-Oxley requirements. The Public Company Accounting Oversight Board (PCAOB), regardless of which auditing standard governed the Sarbanes-Oxley compliance process, has highlighted the benefits of application control benchmarking.
To continue to guide auditors, the PCAOB staff issued guidance on the benchmarking of application controls.² The staff also addressed the level and extent of testing external auditors must perform on application controls, and reinforced the concept of benchmarking them. In question 45, the PCAOB noted:
Entirely automated application controls, therefore, are generally not subject to breakdowns due to human failure and this feature allows the auditor to “benchmark,” or “baseline,” these controls. If general controls over program changes, access to programs and computer operations are effective and continue to be tested, and if the auditor verifies that the automated application control has not changed since the auditor last tested the application control, the auditor may conclude that the automated application control continues to be effective without repeating the prior year’s specific tests of the operation of the automated application control. … The nature and extent of the evidence that the auditor should obtain to verify that the control has not changed may vary depending on the circumstances, including depending on the strength of the company’s program change controls.³
Additionally, the PCAOB staff clarified what factors should be taken into account when determining a benchmarking strategy:
- The extent to which the application control can be matched to a defined program within an application
- The extent to which the application is stable (i.e., there are few changes from period to period)
- Whether a report of the compilation dates of all programs placed in production is available and is reliable (This information may be used as evidence that controls within the program have not changed.)⁴
To determine whether to reestablish a benchmark, the auditor should evaluate the following factors:
- The effectiveness of the IT control environment, including controls over applications and systems, software acquisition and maintenance, access controls and computer operations
- The auditor’s understanding of the effects of changes, if any, on the specific programs that contain the controls
- The nature and timing of other related tests
- The consequences of errors associated with the application control that was benchmarked⁵
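As an added illustration (not from the article or the PCAOB guidance), the following Python sketches how an internal audit team could record a baseline for each automated control, namely the program it maps to, a hash of the program image and its compilation date, and then decide which benchmarks still hold and which must be re-established. The control identifiers, program names, hashes and dates are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ProgramRecord:
    """What the auditor recorded about the program that implements a control."""
    control_id: str
    program: str        # the defined program within the application
    content_hash: str   # SHA-256 of the program image placed in production
    compiled_on: date   # date from the production compilation report


def fingerprint(program_bytes: bytes) -> str:
    """Hash the program image so any change, however small, is detected."""
    return hashlib.sha256(program_bytes).hexdigest()


def evaluate_benchmark(baseline, current, general_controls_effective):
    """Map control_id -> ("rely" | "retest", reason) from baseline and current
    inventories (dict control_id -> ProgramRecord)."""
    if not general_controls_effective:
        # Benchmarking presupposes effective program change, access and
        # computer operations controls; without them nothing can be relied on.
        return {cid: ("retest", "general IT controls ineffective") for cid in baseline}
    result = {}
    for cid, then in baseline.items():
        now = current.get(cid)
        if now is None:
            result[cid] = ("retest", "program no longer in production inventory")
        elif now.program != then.program:
            result[cid] = ("retest", "control now maps to a different program")
        elif (now.content_hash, now.compiled_on) != (then.content_hash, then.compiled_on):
            result[cid] = ("retest", "program changed since last test")
        else:
            result[cid] = ("rely", "unchanged since last test")
    return result


# Constructed sample inventories: a payables three-way match control that is
# unchanged, and a journal-entry approval control recompiled with a new limit.
BASELINE = {
    "AP-03": ProgramRecord("AP-03", "ap/match3way", fingerprint(b"v1 match"), date(2008, 3, 15)),
    "GL-07": ProgramRecord("GL-07", "gl/je_approve", fingerprint(b"v1 limit 10000"), date(2008, 2, 1)),
}
CURRENT = {
    "AP-03": ProgramRecord("AP-03", "ap/match3way", fingerprint(b"v1 match"), date(2008, 3, 15)),
    "GL-07": ProgramRecord("GL-07", "gl/je_approve", fingerprint(b"v2 limit 25000"), date(2008, 9, 30)),
}
```

The result for each control is a decision plus the reason, which is what an auditor would want to see written into the benchmarking workpaper.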
Automating internal controls is a challenge. Companies that automate application controls end up with a potentially more consistent and reliable control system than existed with previous manual controls. Automated controls also typically are more efficient than their manual counterparts, which are often prone to human error and intervention.
Application controls are also less costly to audit given that properly established automated controls need to be tested less often, as outlined previously. By limiting exposure to human error, a company is improving its overall control environment and the automation saves the organization money by reducing overall compliance costs in addition to possibly significantly reducing general and administrative expenses.
In an automated control environment, application controls are considered a more reliable line of defense, as they are in general less subject to human failure.
Protiviti’s publication Guide to the Sarbanes-Oxley Act: Managing Application Risks and Controls⁶ cites a number of example benefits resulting from control automation:
- Decrease in employee time conducting or supervising tedious manual controls
- Decrease in the cost of annual assessments through replacing slow, manual, error-ripe testing with the far more efficient observation of an online setting
- Reduction in the odds of human error and fraudulent manipulation through forced online consistency and compliance
- Increase in quality and reduction in rework by detecting problems more quickly and placing emphasis on preventing them altogether
- Proactive management of audit fees by applying the same logic of test savings to external audits and achieving increased auditor reliance on internal testing of safer automated controls
As outlined previously, there are many benefits from the automation of Sarbanes-Oxley. Perhaps the greatest benefit of automation of controls is the inherent decrease in risk.
Based on the results of the Institute of Internal Auditors’ Global Audit Information Network (GAIN) Survey conducted in November 2008,⁷ approximately 50 percent of all responses stated that in Sarbanes-Oxley year one, between 75 and 99 percent of all controls were manual. By year four, companies had begun to shift toward automated controls, as noted by the more than 40 percent of respondents who stated that their companies had increased automated controls to between 25 and 50 percent of total controls. Nevertheless, 29 percent of respondents stated that their companies still had only 0-25 percent of total controls automated, so there is much additional work that can be completed in these organizations.
These survey results support the position that control automation has increased over the past four years of Sarbanes-Oxley compliance, but not to the point of optimization. So, what can companies do to move efficiently toward automating Sarbanes-Oxley and how can they make the effort a smooth transition?
There are many ways to automate the Sarbanes-Oxley process at a company. Here are a few principles that can assist in this process:
- Educate management and users about the benefits of application controls—Once process owners understand the benefits of automating controls, most will fully support this transition. Be sure to highlight the benefits, including a decrease in the process owner time needed to operate controls, increased precision, and potential decreases in audit sample sizes that should result in decreased audit fees.
- Focus on the window of opportunity—One of the largest challenges to overcome is the small window of opportunity to implement new controls. Because Sarbanes-Oxley is a year-end assessment, there is approximately a three-to-four-month window in which to manage changes to controls. This might sound like an extensive period of time; however, it is a very limited time frame in which to implement new controls, with a number of competing priorities throughout the process. Focus on the major controls that need to be implemented and do not overextend the effort by attempting to implement too many controls.
- Control the change control process—To implement new controls, the process must be highly controlled. Automated controls should be thoroughly vetted with process owners, tested in a test environment, and signed off on and approved by the applicable owners. There should be a defined cutover period for the control to be live, and all controls should be tested thoroughly soon after going live.
- Engage the auditors—Finally, to implement any new controls, the company’s external auditors should be involved in every step along the way, and their clear agreement should be obtained for all changes. Alignment with auditors is crucial to gain the benefits of the changes and, thus, the benefits of auditor reliance on the work of others.
The automation of Sarbanes-Oxley controls is a valuable opportunity for all companies. It can provide increased efficiencies, decreases in risk and, last but not least, significant cost benefits, including potential reduction in audit fees and reduced costs associated with the decreases in manual processing. All of these factors should assist in motivating companies to move toward increased automation of controls, which also will help alleviate some of the negative connotations of Sarbanes-Oxley compliance.
1 Public Company Accounting Oversight Board, Auditing Standard No. 2, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements,” June 2004
2 PCAOB, “Questions and Answers, Auditing Internal Control Over Financial Reporting,” 16 May 2005
3 Ibid., pp. 11-13
4 Ibid., pp. 12-13
5 Ibid., p. 13
6 Protiviti, Guide to the Sarbanes-Oxley Act: Managing Application Risks and Controls, “Frequently Asked Questions,” May 2006
7 The Institute of Internal Auditors, “Manual vs. Automated Control Changes Due to Sarbanes Oxley (SOX) Implementation,” Global Audit Information Network (GAIN) Survey, 1 December 2008
Danny M. Goldberg
is the founder and principal of SOFT Audit Consulting. Goldberg has performed in a number of roles around the Dallas Fort Worth (Texas, USA) area and now wants to expand and share his audit methodology through his consulting practice. Most recently, he acted as the audit director at two diverse companies. He has assisted in leading the establishment of three internal audit/Sarbanes-Oxley departments over the past six years.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.