EXECUTIVE SUMMARY

Sarbanes-Oxley requires management to include an assessment of internal controls over financial reporting, using a suitable framework, in the annual report. While a number of frameworks are available, some do not adequately assess technology controls.

SEC rules say management must base its evaluation of the effectiveness of internal controls over financial reporting on a recognized control framework issued by a group that followed due-process procedures. The framework must be free from bias, complete and relevant to the task at hand, and must permit consistent quantitative and qualitative measurements.

Several groups, including COSO, COBIT and AICPA/CICA Trust Services, have issued frameworks CPAs can use to evaluate internal controls, particularly controls over a system's IT aspects. In a survey of CEOs and CFOs, 28.4% said they used a model other than COSO to assess the effectiveness of their IT internal control structure.

A five-step process enables CPAs to use the Trust Services framework in conjunction with the COSO framework to evaluate the IT control aspects of the required internal control assessment. The process defers to Trust Services for a more detailed assessment of whether the IT systems used to support and create the financial reports are reliable.
MARTIN J. COE, CPA, CISA, CISM, is an assistant professor of accountancy at Western Illinois University, Moline, and a practicing information technology auditor. His e-mail address is MJ-Coe@wiu.edu.
It would be an understatement to say the Sarbanes-Oxley Act
of 2002 has had a significant impact on every CPA working for or
auditing a public company. Among other things, Sarbanes-Oxley
requires management to include an internal control assessment using
a suitable framework in the company’s annual report. But how exactly
are companies performing the required assessment?
This has been a hot topic for professional
associations such as the AICPA, the Institute of Management
Accountants and the Institute of Internal Auditors. In response the
AICPA created an ad-hoc task force to address management’s
responsibility under section 404 of Sarbanes-Oxley. The task force
assembled a list of key issues, including the act’s requirement to
use suitable criteria for an effective internal control system.
This article explains how I use the AICPA/CICA Trust
Services framework in my work as an information systems auditor to
evaluate internal controls, particularly controls over information
technology. CFOs, internal audit executives and financial managers
as well as external auditors will see how the framework can
supplement some commonly used measures that do a good job of
assessing overall controls but don’t focus on technology
controls.
Compliance Costs Growing

Meeting the requirements of section 404 of the Sarbanes-Oxley Act of 2002 will cost public companies an average 62% more than first anticipated. The increase stems from a 109% rise in internal costs, a 42% jump in external costs and a 40% increase in the fees charged by external auditors.

Source: Financial Executives International, www.fei.org, 2004 survey.
INTERNAL CONTROL ASSESSMENT

Section 404 requires
public companies to include in their annual reports an assessment by
management of their internal controls over financial reporting. This
includes a statement of management’s responsibility for establishing
and maintaining adequate internal control, an assessment of the
effectiveness of those controls as of the end of the most recent
fiscal year, a statement identifying the framework that was used to
evaluate those controls and a statement that the external auditor
issued an attestation report on management’s internal control
assessment.
The final SEC rules say management must base its
internal control evaluation on a suitable, recognized control
framework established by a body or group that followed due-process
procedures. The rules do not mandate the use of a particular
framework but say a suitable one must:

- Be free of bias.
- Permit reasonably consistent qualitative and quantitative measurements.
- Include all relevant factors that might alter a conclusion about the effectiveness of the internal controls.
- Be relevant to an evaluation of internal control over financial reporting.
As a practicing information systems auditor charged
with preparing the IT control aspects of the required internal
control assessment, my search for an appropriate model uncovered
three suitable ones:
COSO (www.coso.org). The framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) satisfies the SEC criteria. Companies may use it to meet management's annual internal control evaluation and disclosure requirements. The COSO framework defines internal control, describes its components and provides criteria against which CPAs can evaluate control systems. However, since COSO does not provide specific criteria for IT controls, some companies may find a supplemental framework necessary.

COBIT (www.isaca.org). The Information Systems Audit and Control Foundation developed the control objectives for information and related technology (COBIT). The objective is a generally applicable and accepted standard for IT security and control practices that provides a reference framework for management, users, auditors and security practitioners.

Trust Services (www.aicpa.org/trustservices). The foundation of the AICPA/CICA Trust Services framework is a set of principles and criteria CPAs can use to assess the reliability of a company's IT systems. The criteria constitute professional guidance as well as serve as best practices for system reliability.
INFORMATION TECHNOLOGY CONTROLS

Because
companies rely heavily on technology, the criteria they use to
assess the effectiveness of their IT-related controls are
particularly important. While COSO addresses the topic of IT general
controls, it does not dictate requirements for control objectives
and related activities. Indeed, the audit standards issued by the
Public Company Accounting Oversight Board highlight the importance
of IT general controls but do not specify which in particular a
company must include. Thus, to meet the requirements of section 404,
IT management and auditors need a specific IT control
framework.
When I asked companies whose CEOs and CFOs are
required to file sworn statements with the SEC which framework they
used, 28.4% said they used a model other than COSO (exhibit 1). In evaluating models I
first turned to COBIT because I had used it in the past and it was
well-received by clients. Now in its third edition, COBIT is
increasingly accepted as good practice for control over IT and
related risks. It’s a robust framework, comprising 4 domains, 34 IT
processes and 318 detailed control objectives. It’s a comprehensive
approach for managing risk and control of IT, explaining how IT
processes deliver the information a business needs to achieve its
objectives.
Exhibit 1: Assessing IT Controls

What criteria does your company use to assess the effectiveness of the IT-related internal control structure?

| Criteria | Number of companies using criteria | Percentage |
| --- | --- | --- |
| COBIT | 27 | 14.2% |
| Trust Services (formerly SysTrust) | 1 | 0.5% |
| COSO | 136 | 71.6% |
| Combination of the three | 26 | 13.7% |

Respondent base: 190 companies.
One reason companies are using the COBIT framework
for Sarbanes-Oxley compliance is that its objectives have been
mapped to COSO in a publication entitled IT Control Objectives
for Sarbanes-Oxley (available at www.isaca.org). COBIT also has been
mapped to popular enterprise resource planning (ERP) systems such as
SAP, Oracle and PeopleSoft. This mapping and related guidance
provides COBIT framework references and methodologies for auditing
and testing the major ERP systems.
While COBIT is an excellent comprehensive framework
for assessing IT controls, I was seeking a narrower framework that
would complement the overall COSO model many clients were using. To
this end, I decided to use Trust Services because of its focus on
the controls that are in place to ensure the company’s systems carry
out business processes reliably.
APPLYING THE FRAMEWORK

The AICPA and CICA
developed the following Trust Services principles and related
criteria for CPAs to use to perform consulting engagements, as well
as branded attestation engagements such as SysTrust and
WebTrust.
- Security. The system is protected against unauthorized access, both physical and logical.
- Availability. The system is available for operation and use as committed to or agreed upon.
- Processing integrity. System processing is complete, accurate, timely and authorized.
- Confidentiality. Information designated as confidential is protected as committed to or agreed.
- Privacy. Personal information is collected, used, retained and disclosed in conformity with the commitments the entity makes in its privacy notice and with the AICPA/CICA Trust Services privacy criteria.
The privacy principles and criteria include 10
components that are essential to the proper protection and
management of personal information. They are based on
internationally known fair information practices included in the
privacy laws and regulations of jurisdictions around the world and
recognized good privacy practices. For each component there are
relevant, objective, complete and measurable criteria for evaluating
an entity’s privacy policies, communications and procedures and
controls. There are also illustrations and explanations to enhance
understanding of the criteria. For more details on the privacy
criteria, go to www.aicpa.org/innovation/baas/ewp/privacy_framework.asp.
The security, availability, processing integrity and
confidentiality principles and criteria are organized into four
broad areas:
- Policies. The entity has defined and documented its policies relevant to the particular principle.
- Communications. The entity has communicated its defined policies to authorized users.
- Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.
- Monitoring. The entity monitors the system and maintains compliance with its defined policies.
These principles and criteria include attributes the
entity must meet to demonstrate it has achieved each principle.
Trust Services also provides illustrative controls as examples of
controls the entity might have in place to conform to the criteria.
Alternative and additional controls also may be
appropriate.
CPAs can use the framework’s principles and criteria
to create a detailed analysis containing control objectives
classified into broad categories, as shown in exhibit 2. I found the illustrative
controls to be particularly helpful. Keep in mind a large part of
the internal control assessment process requires management to say
what controls are in place to mitigate a given risk. Trust Services’
illustrative controls are detailed enough to help management
identify the controls that exist and those that are missing. As an
example of how the controls are helpful, consider those provided for
one criterion, as shown in exhibit 3.
Exhibit 2: Detailed Control Objectives

| Principle | Objectives | Criteria area |
| --- | --- | --- |
| Security | 3 | Policies: The entity defines and documents its policies for the security of its system. |
| Security | 5 | Communications: The entity communicates its defined system security policies to authorized users. |
| Security | 12 | Procedures: The entity uses procedures to achieve its documented system security objectives in accordance with its defined policies. |
| Security | 3 | Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies. |
| Availability | 3 | Policies: The entity defines and documents its policies for the availability of its system. |
| Availability | 5 | Communications: The entity communicates the defined system availability policies to authorized users. |
| Availability | 15 | Procedures: The entity uses procedures to achieve its documented system availability objectives in accordance with its defined policies. |
| Availability | 3 | Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system availability policies. |
| Processing integrity | 3 | Policies: The entity defines and documents its policies for the processing integrity of its system. |
| Processing integrity | 5 | Communications: The entity communicates its documented system processing integrity policies to authorized users. |
| Processing integrity | 19 | Procedures: The entity uses procedures to achieve its documented system processing integrity objectives in accordance with its defined policies. |
| Processing integrity | 3 | Monitoring: The entity monitors the system and takes action to maintain compliance with the defined system processing integrity policies. |
| Confidentiality | 3 | Policies: The entity defines and documents its policies related to the protection of confidential information. |
| Confidentiality | 5 | Communications: The entity communicates its defined policies related to the protection of confidential information to internal and external users. |
| Confidentiality | 15 | Procedures: The entity uses procedures to achieve its documented confidentiality objectives in accordance with its defined policies. |
| Confidentiality | 3 | Monitoring: The entity monitors the system and takes action to maintain compliance with its defined confidentiality policies. |
| Privacy | 14 | Policies and Communications: The entity uses privacy policies that convey management's intent, objectives, requirements, responsibilities and/or standards. The entity communicates to individuals, internal personnel and third parties about its privacy notice and its commitments therein and other relevant information. |
| Privacy | 42 | Procedures and Controls: The entity uses procedures and controls to achieve its privacy objectives. |

Source: AICPA/CICA Trust Services principles and criteria.
When I provide these examples to IT
management—instead of simply asking what controls exist to protect
against unauthorized logical access to a particular system—it helps
them understand what I’m looking for. The Trust Services framework
provides illustrative controls for all criteria
(objectives).
Exhibit 3: Sample Trust Services Security Principle Illustrative Controls

Criterion: Procedures exist to protect against unauthorized logical access to the defined system.

1. Log-in sessions are terminated after three unsuccessful log-in attempts. Terminated log-in sessions are logged for follow-up by the security administrator.
2. Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by the VPN server through specific client software and user IDs and passwords.
3. Firewalls are used and configured to prevent unauthorized access. Firewall events are logged and reviewed daily by the security administrator.
4. Unneeded network services (for example, telnet, ftp and http) are deactivated on the entity's servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by entity management on a routine basis for its appropriateness for the current operating conditions.
5. Intrusion detection systems are used to provide continuous monitoring of the network and early identification of potential security breaches.
6. The entity contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.

Source: AICPA/CICA Trust Services principles and criteria.
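As an added example (not from the article or the Trust Services criteria), the following Python script shows how an auditor might test the operating effectiveness of the first illustrative control in exhibit 3 against evidence from the period: it replays a constructed authentication log together with the follow-up log the control requires and reports exceptions wherever a user was not terminated after three unsuccessful attempts or a termination was not logged for the security administrator. The log formats, timestamps, user names and the assumption that the follow-up entry carries the timestamp of the third failed attempt are all constructed for this example.

```python
from typing import Dict, List, Set, Tuple

MAX_FAILED_ATTEMPTS = 3  # threshold stated in the illustrative control

# Constructed evidence (not from the page): an authentication log as the
# system under review would produce it. Outcomes are FAIL, SUCCESS or
# REJECTED (attempt refused because the session had been terminated).
EFFECTIVE_LOG = """\
2024-03-01T08:00:01 alice FAIL
2024-03-01T08:00:09 alice FAIL
2024-03-01T08:00:15 alice FAIL
2024-03-01T08:00:20 alice REJECTED
2024-03-01T08:01:00 bob FAIL
2024-03-01T08:01:30 bob SUCCESS
2024-03-01T08:02:00 bob FAIL
2024-03-01T08:02:10 bob FAIL
"""
# Follow-up log for the security administrator; assumed format is
# "<timestamp of the third failure> <user> <free text>".
EFFECTIVE_FOLLOWUP = """\
2024-03-01T08:00:15 alice session terminated after 3 failed log-ins
"""

# Same control in the written policy, but the system accepted alice's
# fourth attempt and nothing was recorded for the administrator.
INEFFECTIVE_LOG = EFFECTIVE_LOG.replace("alice REJECTED", "alice SUCCESS")
INEFFECTIVE_FOLLOWUP = ""


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Split each non-blank line into (timestamp, user, remainder)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, rest = line.strip().split(None, 2)
            rows.append((ts, user, rest.upper()))
    return rows


def findings(auth_log: str, followup_log: str) -> List[str]:
    """Replay the period's evidence against the control as written.
    Returns a list of exceptions; an empty list means the control
    operated effectively over the evidence supplied."""
    followup: Set[Tuple[str, str]] = {(ts, u) for ts, u, _ in parse_log(followup_log)}
    consecutive: Dict[str, int] = {}
    locked: Set[str] = set()
    exceptions: List[str] = []
    for ts, user, outcome in parse_log(auth_log):
        if user in locked:
            # Once terminated, every later attempt must have been refused.
            if outcome != "REJECTED":
                exceptions.append(f"{ts}: {user} was {outcome} after termination")
            continue
        if outcome == "FAIL":
            consecutive[user] = consecutive.get(user, 0) + 1
            if consecutive[user] == MAX_FAILED_ATTEMPTS:
                locked.add(user)
                if (ts, user) not in followup:
                    exceptions.append(f"{ts}: termination of {user} not logged for follow-up")
        elif outcome == "SUCCESS":
            consecutive[user] = 0  # a successful log-in resets the count
        else:
            # REJECTED before the threshold: the system did something the policy does not describe.
            exceptions.append(f"{ts}: {user} rejected before {MAX_FAILED_ATTEMPTS} failures")
    return exceptions


if __name__ == "__main__":
    print("effective:", findings(EFFECTIVE_LOG, EFFECTIVE_FOLLOWUP))
    print("ineffective:", findings(INEFFECTIVE_LOG, INEFFECTIVE_FOLLOWUP))
```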
FIVE STEPS TO COMPLIANCE

The following five-step
process shows how CPAs can use the Trust Services framework to
evaluate a company’s IT controls when the entity primarily uses the
COSO approach. The first step uses only COSO, the second and third
involve both COSO and Trust Services, and the last two use Trust
Services only.
1. Use the COSO framework to identify
the risks in each business cycle and the controls that mitigate
them. This process will include many references to information
systems.
PCAOB Auditing Standard no. 2 says: “Because of the
frequency with which management of public companies is expected to
use COSO as the framework for the assessment, the directions in the
proposed standard are based on the COSO framework. Other suitable
frameworks have been published in other countries and likely will be
published in the future. Although different frameworks may not
contain exactly the same elements as COSO, they should have elements
that encompass all of COSO’s general themes.” Thus, it is important
for CPAs to demonstrate how IT controls support the COSO
framework.
COSO identifies five internal control components
that must be in place to achieve financial reporting and disclosure
objectives: control environment, risk assessment, control
activities, information and communication and monitoring. An
organization should have IT control competency in all components.
2. Gather initial IT information,
including a list of all application software the company is using;
copies of network maps, security policies and any contingency
planning and disaster recovery documents; procedures related to how
system changes are made; an explanation of the typical system
development lifecycle; and the company’s IT organization
chart.
Given the pervasive nature of IT, identifying what
needs to be assessed for Sarbanes-Oxley compliance can be an
overwhelming task. Gathering information that describes the IT
environment, procedures and computer software helps CPAs understand
the big picture so they can organize their efforts to identify IT
controls for Sarbanes-Oxley compliance. In many cases, companies
already have this initial information so CPAs can gather it without
incurring additional costs.
3. From the information gained in the
first two steps, identify all information systems that relate to
financial reporting.
Organizations must understand how the financial
reporting process works and where technology is critical in
supporting it. This will help CPAs identify key systems and
subsystems that need to be included in the Sarbanes-Oxley
assessment. Include systems that participate in the initiation,
recording, processing and reporting of financial information, such
as the accounting information system and all systems that feed
source transaction data to it.
AICPA RESOURCES

The AICPA/CICA Trust Services Principles and Criteria (Framework), www.aicpa.org/trustservices.

The AICPA/CICA Privacy Framework, www.aicpa.org/privacy.

Books

- Trust Services: Understanding and Implementing Trust Services (# 056520).
- Privacy Matters: An Introduction to Personal Information Protection (# 056590JA).
- Understanding and Implementing Privacy Services: A CPA's Resource (# 056509JA).

CPE

- Privacy Issues for Businesses…Whose Information Is It Anyway? CD-ROM (# 780005JA). For more information or to place an order, go to http://www.cpa2biz.com/ or call the AICPA at 888-777-7077.
- IdentiRISK for Trust Services Privacy Principles and Criteria (# 103104). For more information or to place an order, go to www.identirisk.com/x/aicpa or call 866-433-7475.
4. Use the Trust Services framework to
create one overall IT control matrix, so that you can assess
controls that cross systems, and another matrix for each system that
relates to financial reporting.
COSO identifies two broad groupings of information
system control activities that organizations should
assess:
General controls apply to all information
systems and support secure and continuous operation. This category
includes controls that support the quality and integrity of
information and are designed to mitigate the identified risks. The
IT general control categories the PCAOB set forth are program
development, program changes, computer operations, and access to
programs and data.
Application controls apply to the business
processes they support and are designed to prevent and detect
unauthorized transactions. When combined with manual controls,
application controls help ensure completeness, accuracy,
authorization and validity of processing transactions. Organizations
should first identify significant accounts that could have a
material impact on the financial reporting and disclosure process.
Then they should identify and document application controls relevant
to such accounts.
CPAs can use the Trust Services framework to create
detailed IT control matrices (usually in the form of spreadsheets)
that contain a row for each of the 58 criteria. CPAs also should
create a control matrix for the application systems upon which the
organization is relying to achieve financial reporting and
disclosure objectives. This is where the benefit of using the Trust
Services framework is apparent, because its principles define a
reliable system as one capable of operating without material error,
fault or failure during a specified period in a specified
environment. For each principle it lists criteria against which CPAs
can evaluate a system.
5. Assess the controls identified in the
matrices created above. As a general rule there should be an
effective control technique in place for every control objective
that applies to a system.
CPAs can use the detailed control matrices that
contain a row for each of the Trust Services criteria to form
questions that will determine whether key controls are in place. The
framework is based on the premise that if system controls operate
effectively, the system itself will perform reliably.
One example is the use of personal identification
numbers to prevent unauthorized access to a system. An entity may
adopt such a control in its written objectives, but the control will
not achieve its objectives unless it operates effectively. The Trust
Services framework makes it easier for CPAs to determine whether the
controls over a system operate effectively during the period covered
by the examination.
These steps allow the COSO framework to defer to the
Trust Services framework for a more detailed evaluation to determine
whether the IT systems a company uses to support and create the
financial reports are reliable.
MEETING THE CHALLENGE

Fulfilling the IT control
aspects of the internal control assessment that Sarbanes-Oxley
requires can be a challenge for CPAs. While each company will need
to decide the framework most appropriate for its needs, Trust
Services is a useful option that CPAs will find particularly helpful
when the overall framework they use does not pay sufficient
attention to IT issues.