Loic Jegousse, CISA, CISM, CGEIT, CRISC
A fine-tuning scoping methodology will help provide senior management with greater latitude in deciding whether an application system is deemed in scope for the purpose of an IT control assessment, as mandated by the US Sarbanes-Oxley Act and equivalent regulations/legislation. The proposed approach will assist in reducing reliance on IT automated controls (ITAC) when it makes business sense to do so. This article assumes that baseline data exist regarding the application system and controls deemed in scope.
Managing a large internal controls program, such as one mandated by legal requirements, involves many complexities. Numerous approaches have been proposed for performing comprehensive IT risk assessments so that the program's scope is focused on the areas posing the highest risk to financial data integrity. Frequently, compliance assessment teams struggle with the IT-related components of internal control assessments and call on their IT auditors/control specialists to evaluate a balanced approach. A typical scoping process within an organization’s program is:
Here are the issues caused by such a mechanical approach to scoping:
Who wants to spend time testing controls and reporting deficiencies that will remain in the deficiency listing for a long time? Unfortunately, the usual methodologies, i.e., what was described previously, do not necessarily address such a problem. Also, in accordance with the Pareto principle,1 it could be that 20 percent of the application systems in scope are causing 80 percent of the problems. Therefore, it would be beneficial to come up with a method for identifying easy opportunities for improvement and to build the business case for a compliant and cost-effective control design.
Here are the proposed steps to identify the target applications for further analysis:
In figure 1, the target applications are App1 and App2 because they meet the criteria. App3 was not selected because of its “medium” pervasiveness to financial reporting. As further explanation, the number of application controls is deemed “low” based on a comparison to the number of IT general controls (ITGC) for the environment. As an example, if there are, on average, 20 ITGC, “low” would probably mean anything between one and 10 application controls.
Following is a look at the target applications identified from the cost and compliance angles:
With respect to the target applications with weak IT assurance, management does not seem to have many options available:
An alternative option should be contemplated, whereby the application system controls are substituted with a strong manual control. This alternative strategy is the core of this article and relies on the team’s ability to think from the perspective of the business and to articulate the decisions in terms of costs/benefits. The selling point is that in instances such as those described previously, i.e., weak IT controls with limited use of automated controls, it is often cheaper and more effective to implement key manual controls than to rely on automation. This will sound counterintuitive to many readers, and of course, this method is not recommended in areas in which IT systems are relied on pervasively. Here are the proposed steps to reach a decision regarding the control design and the trade-offs between automation and manual operation:
The discussion may reveal new mitigating controls that were not identified before. Also, the participants may realize that it could be quite easy for the business to implement a reasonableness check that would validate, on a regular basis, that the target application output is within the range of acceptable values, i.e., within the agreed-on materiality threshold. Whatever existed as an informal control could then be turned into a strong key control—with the corresponding auditability requirements. The business may initially be reluctant to accept the extra burden of operating a new manual key control, but will certainly recognize that the proposed “third option” is cheaper and/or more compliant than options 1 and 2 (noted previously).
A cost- and risk-effective approach is derived from a holistic view of the objective and from evaluating options for conformance based on the business control environment and culture. If workshops were completed successfully for App1 and App2 of figure 1 and the business agreed to implement a total of three new manual key controls to replace the three application controls, ITGC testing would no longer be required, saving approximately the cost of testing 40 controls. Remediation would still be encouraged, but with decreased pressure from the controls assessment team. (Note: this is from a strict financial reporting standpoint only—there may be other rationale to drive remediation efforts.) Implementing the new manual controls is likely to cost less than remediating ITGC deficiencies. As a result, senior management can now allocate resources to where they are most needed in the organization—to the benefit of the organization’s stakeholders.
1 The Pareto Principle (also known as the 80/20 rule) states that for many events, roughly 80 percent of the effects come from 20 percent of the causes. The principle is named after Italian economist Vilfredo Pareto, who observed in 1906 that 80 percent of land in Italy was owned by 20 percent of the population. Koch, Richard; The 80/20 Principle: The Secret of Achieving More With Less, Random House, USA, 1998
2 Rajamani, Baskaran; “Certifying Automated Information Technology Controls: Common Challenges and Suggested Solutions,” Deloitte, www.deloitte.com/view/en_CA/ca/services/ceocfocertification/article/c1fcfa9d452fb110VgnVCM100000ba42f00aRCRD.htm
Loic Jegousse, CISA, CISM, CGEIT, CRISC, is an independent technology risk consultant with a track record of removing unnecessary complexity from highly regulated organizations and delivering cost reductions while ensuring that operational and technological risks are managed at an acceptable level. In his past role with MDS Inc., a global life sciences corporation, Jegousse significantly reduced the ongoing costs of regulatory compliance and improved the organization’s posture toward internal and external audits.
© 2011 ISACA. All rights reserved.