Suivez nos tweets!
Bonjour, Ann Dushane, thank you for your participation on our Faciliware® Blog. We asked you to share your IT Internal Audit experience with us. To start, please present us your company. (voir la Version française )
Control Solutions is the leading global provider of independent internal audit, compliance, risk management and technology solutions. For over 15 years, Control Solutions has been the trusted advisor to over 500 public, private, non-profit and government clients.
With more than 800 employees working in 25 different locations around the world, Control Solutions offers its clients a direct presence in Europe, North America, South America and Asia.
Our business is divided into 4 areas of expertise: Internal Audit, Regulatory, Financial and Ethics Compliance , Risk Management Technology
Would you present yourself: your function, your expertise, your responsabilities?
Senior Manager of internal audit for Information Technology, I have been working for Control Solutions since 2005 in both the US and in France. My professional experience includes 10 years as an IT project manager within a variety of sectors. I have a MBA from Thunderbird, The Garvin School of International Management and a BA in Economics and French from the University of Pennsylvania. I first started working with Sarbanes Oxley compliance as the IT project manager for an oil-field services company in 2004 where I oversaw the retest phase of their first year compliance project. Thanks to this experience, I was able to join Control Solutions as an IT Audit Manager.
Can we talk about specific issues (geographic or sector) regarding compliance?
Any company quoted on the US stock exchange (NYSE, Nasdaq, …) is impacted by the Sarbanes Oxley Act of 2002 (SOX or Sarbox to many). This law is not reserved for just certain business sectors; it touches every sector quoted on the stock exchange. The law was first applied to the very largest American companies in terms of market cap in 2004. Following two years of SOX compliance efforts, we have started to see a stabilization of activities amongst our clients’ for whom their controls now start to become part of the on-going routine. Some clients have even started to turn the corner to a continuous controls monitoring stage where the controls can be tested automatically throughout the year versus as a part of a special project. Small- and medium-sized companies who “non-accelerated filers” have been accorded a delay in compliance with SOX until at the earliest 15 June 2007 to 15 December 2007 depending on the end of their fiscal year.
For the “foreign private issuers”, such as the large French companies traded on the US stock exchange, we have seen a very sharp increase in their levels of activity associated with compliance as of the beginning of this year and expect the activity to continue well into 2007. The large non-American companies who file a 20-F or 40-F with the SEC – in order to be registered in the US markets – must be in full compliance as of 15 July 2006 or thereafter depending on their year-end closing period. Like the domestic “non-accelerated filers”, the “foreign private issuers” who are also “non-accelerated filers” have won a similar delay in compliance deadlines with the first date of compliance now set for 15 July 2007 or thereafter depending on the company’s year-end closing period.
What is the attitude of your customers, with respect to this regulation, how do they handle the project, when do they come to you? Maybe you can describe for us a specific profile.
We have noticed two types of opposing attitudes from our clients with respect to their approaching compliancy with the Act. Many of our clients take the bull by the horns and lay out a clear-cut plan for becoming compliant by the current stated deadlines. Other clients take a more relaxed approach in hopes that the deadline will change or the law will change such that they become excluded from the demands of Sarbanes Oxley. Clearly the second approach can lead to major problems when the law does not change in these companies’ favour or the deadline does not get pushed as anticipated.
Regardless of the approach chosen, we have also noticed that companies tend to underestimate the amount of work associated with becoming SOX compliant. Thanks to this underestimation, companies often engage our services at any stage of the project to assist them with completing their assessments by their fiscal-end deadline.
Our experience has shown that it takes a full year, or more for very decentralised companies, to prepare for compliance with the law. For companies which already have well defined and documented policies and procedures in place and a stringent overall control environment, it is possible to delay the compliance efforts slightly, but the majority of the companies we’ve seen do not necessarily have the foundations in place in a strictly “SOX” sense of the term. The effort to document and communicate existing policies and procedures can take a significant amount of time and effort and all the more so when a procedure or policy does not even exist. But Sarbanes Oxley compliance is more than just the documentation of policies and procedures, there is also the proof that the procedures actually function according to how they are designed and described within the documentation. There must also be proof that certain control mechanisms exist, are configured correctly to control the IT and financial environments, and then tested to ensure they actually perform as configured. The phase of documentation and testing can be quite an undertaking for any size company, and thus it is often at this stage of the project that clients engage our services to assist them with certain aspects of the project or to take full ownership of the project on their behalf.
How do you answer to their needs?
As with any internal audit, the Sarbanes Oxley audit is superimposed on the daily activities of the company. The complexity and effort that SOX requires clearly has the potential to impact the normal business environment. Our philosophy, thus, is to organise the project in such a manner that we minimize to the greatest extent possible any disruption to the daily tasks of our key contacts and to our client’s business overall. To this point, we customize our process methodology to either undertake every aspect of the project from A to Z or to jump into an in-progress project to lend our expertise in order to complete the tasks more efficiently than our clients could alone and above all avoid any rework as a result of objectives not being well defined in the beginning. Rework is too expensive for any company. Our experience gained from leading our clients through SOX compliance projects permits us to understand the requirements of the law from the beginning of the project and to avoid costly rework.
We act as a partner with our clients to help them prepare for their annual audit by their external auditors. This partnership means that we work with our clients to identify any possible weaknesses or deficiencies in their control process and then recommend possible solutions to remediate the weaknesses and to institutionalise our recommendations.
Based on your experience, can you share with us some of the "best practices" of a risk management approach?
A complete risk management process must be both top-down and bottom-up. The first step of the process involves identifying all of the risks that the company wants to ensure are managed. There are some risks that are identified but then chosen to not be addressed with a control mechanism, particularly when the cost of controlling the risk is greater than the inherent risk itself. Once the control mechanisms or processes associated with each risk have been identified, they must be clearly documented for all parties involved with or affected by the process. Finally, to ensure that all parties follow the procedures, the activities associated with the procedures must be periodically tested. Sarbanes Oxley puts in place a systematic control process which before could be more sporadic and run the risk of missing a breach of control.
From an IT perspective, many companies have problems with controlling user access to applications and systems. The majority of the companies we’ve worked with do not have a consistent process in place to manage changes to user access from department or job moves. In certain instances they are also lacking procedures for managing initial user access and deletion of user access associated with the arrivals and departures of employees. Some companies may not even be able to provide proof that access is authorised, let alone even requested. Furthermore, prior to the end of the first year audit, we find that many of the user access databases have rarely, if ever, been reviewed which means there can be several years worth of open inactive accounts which still have access to critical information.
Another area of weakness that is quite prevalent is in the management of changes to financial applications or operating systems. Over three-quarters of the clients I’ve worked with did not have the necessary controls in place to ensure that the risk of fraudulent activities within a financial application was adequately controlled. Changes made to the applications are not consistently documented, and there is rarely proof that an application change was tested. Additionally, among certain clients, we notice a lack of distinct separation between IT personnel with access to the development/test environment and access the production environment.
Two critical points in a SOX audit are the documentation and proof of controls. For our clients who are preparing their first year of Sarbanes Oxley compliance, we regularly see a lack of these two elements. In many cases, there are other points that are missing, but these two fundamental elements are rarely available at the start of a project for 100% of our clients.
Besides regulatory requirements, can we talk about qualitative or quantitative gains from implementing a compliance programme?
It is true that the Sarbanes Oxley law is often criticised for the amount of money it takes to put all of the controls in place. Nevertheless, there are still some positive results that can be directly derived from the law. First of all, there is a reduction in the risk of fraud that could occur. Additionally, as a result of implementing a sound user access management process, companies can realize a reduction in the number of licenses they need to purchase as a result of having a precise idea of the actual number of users of the application in question.
SOX can also save companies time and effort in certain processes. For example, one of my clients did not have any process in place for systematically tracking issues and requests to change application functionality. Such demands would arrive to any member of the team by telephone, by email, on pieces of paper or in person as the requestor passed by the IT Manager’s office. SOX requires that all problems and changes to financially significant applications be tracked to ensure effective and authorised resolution. Not having any budget to purchase an application to track problem tickets or manage change requests, the manager developed a database in-house to track all requests. The database had much of the same functionality as a commercially-developed user request tracking program that would have cost him a couple of thousand euros to implement. Thanks to the new tool, the IT manager immediately had a better idea of the issues his team was addressing as well as a global vision of the current and recurring problems. This requirement of SOX definitely had a positive impact on the efficiency and control of my client’s IT department.
Can you identify some "key points" concerning this type of projects that companies may not have thought of?
When people think of the Sarbanes Oxley Law and its impact on IT, they have a tendency to think that the law is only concerned with IT security strictly speaking. It is true that security can be about 50% of all IT controls, but as in the previous example, the law also calls for controls over major and minor program changes. Additionally, it requires policies and procedures for backups and restore of data as well as IT operations including problem and incident management. If companies use third parties to operate or store their financial information, they must also have controls in place to manage these third party relations as well as the controls of the vendors..
Companies like Control Solutions know the ins and outs of the demands of the Sarbanes Oxley law. To date, we have helped more than 350 companies through out the world in their compliance efforts. We assist our clients in meeting the demands required by SOX as well as help them to implement long-lasting methods for ensuring that the policies implemented in the early years of compliance can become regular business practices implemented into the fabric of the company versus just as a response to a regulatory requirement. SOX compliance today is seen as and managed as a project, however, it is essential that companies manage the law for the long-term to ensure the controls become continuous and not once a year responses to SEC regulations. This is the lesson we try to teach our clients from the beginning and the knowledge we leave them with at the end of our engagements.
