ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Sarbanes-Oxley World

Sarbanes-Oxley World

| Published: 4/4/2011 8:26 AM | Permalink | Email this Post | Comments (2)
Loic Jegousse, CISA, CISM, CGEIT, CRISC
 
As I was writing the article “A Cost-effective Approach for Sarbanes-Oxley-regulated Application Systems With Minimal IT Control Assurance,” I was wondering about another question in the Sarbanes-Oxley compliance world:  What is the right number of application controls and IT-dependent controls in proportion to the overall number of controls?
 
Application and IT-dependent controls can reduce the overall cost of a controls assessment program provided that the conditions for the test-of-one are met. This is because, usually, the unit cost of testing an application control is less than the unit cost of testing a manual control since it is faster to test a control once than to inspect a number of manual transactions. However, as soon as application controls are deemed in scope, management is also required to assess the effectiveness of the underlying IT general controls (ITGC) environment, which means a fixed (sunk) cost regardless of the number of IT controls. What if those application/IT-dependent controls could be replaced by manual controls? What approach is more cost-effective:  automated or manual? For the purposes of this blog post, we will assume that any application/IT-dependent control can be changed into an effective manual control.
 
Intuitively, there is a break-even point whereby the benefits of application controls testing will compensate for the sunk cost of ITGC testing.
 
Let us set the following variables, which may be specific to each application system:
  • M = Unit cost of testing 1 manual control
  • A = Unit cost of testing 1 application/automated control (where A < M)
  • GC = Labor cost of testing ITGC, e.g., system development life cycle (SDLC), change control, access control and computer operations. The more complex the IT environment, the greater GC is.

Note that all of the parameters should be expressed in the same unit of measure (hours, men*days, etc.). The equation to determine the break-even point as a function of n is:

n*M = n*A + GC, which gives:
n = GC/(M - A)

Let us practice an example in which ITGC are effective with M = 20 hours, A = 8 hours, and GC = 80 hours. We calculate n = 80/(20 - 8) = 6.6667, which rounds up to n = 7. This means that it makes business sense to use applications only if management relies on 7 or more application controls. The business case to expand reliance on application/IT-dependent controls (as opposed to manual controls) is compelling, provided that n is greater than 7.
 
In another example in which ITGC are not effective (which was the focus of the article), the conditions for the test-of-one are not met. That means that application/IT-dependent controls have to be tested in the same way as manual controls. If we have M = 20 hours, A = 19 hours and GC = 80 hours, we would find n = 80/(20 - 19) = 80, which is very high. Therefore, when ITGC are not effective, it is hard to support the business case of relying on application controls. This is due to the double whammy caused by ITGC testing and inefficiencies in the testing of application controls, which do not meet the test-of-one criteria. This is why it can make business sense to rely more on manual controls in an instance in which IT assurance is minimal (as detailed in the article).
 
Read Loic Jegousse’s recent Journal article:

Comments

Interesting

I have experienced situations where exactly these kinds of discussion have taken place, although without an attempt to quantify it as you described.  i.e. Is it efficient to implement a small number of application controls when it introduces the larger overhead of ITGC testing?
The one additional factor to consider would be the business cost of replacing application controls with manual controls - application controls should be more efficient, as well as more reliable.
dfrew1 at 4/8/2011 3:04 AM

Re: Interesting

drew1: I agree with your comments; the blog simplifies the broader business problem by only looking at assessment costs; in real life there are lots of factors to be considered when looking at the trade-off between automated and manual controls. As you mention, there are tangible costs in creating a manual control (e.g. additional staff to operate a manual control, procedure development, training). On the other hand, operating ineffective automated controls might look cheap when the system is already in place but can yield indirect ongoing costs, such as the overhead created to provide update on remediation plan, tracking, management oversight and the 'noise' that senior management would like to avoid, etc.  So at the end of the day, organization should articulate all the specific costs in their environment and come up with a more refined equation that will help determine the break-even point. Feel free to share more of your thoughts.
LoicJegousse at 4/11/2011 7:35 PM
Email