Sarbanes-Oxley Act

It is probably not an exaggeration, at least not in the U.S., to attribute the current popular usage of certain auditing terms entirely to the U.S. Sarbanes-Oxley Act (SOX). Historically heard almost exclusively within auditing and accounting circles when referring to the protection of sensitive information, the word "controls" is now widely used to describe every preventative, detective, and corrective measure (the categories also being auditing terms) that can be taken to avoid fraud and mitigate risk. From company policies, standard procedures, business processes and remediation activities to automated business logic or computer and application settings, all are intended to eliminate fraud and keep risk within acceptable limits.

Because of the cold, hard fact of the cost associated with each control a company adopts for its environment, the universally recognized goal for SOX compliance has appropriately been downsized to identifying and tracking only those controls the business considers to be "key" (i.e. a key control is "one that provides reasonable assurance that material errors will be prevented or detected" in a timely manner [1]). Of course, for SOX this is limited to controls around the prevention and detection of material misstatements of the company's quarterly and annual financial reports. Unfortunately, many disputes still occur between companies and their auditors over which controls are considered material or "key". In sum, however, most agree (in theory anyway) that for SOX, the scope of key controls is limited to "material" elements of the structure of Internal Control over Financial Reporting (ICFR).

In the first year of striving to achieve Sarbanes-Oxley compliance, most accelerated filers experienced an unprecedented ICFR cost and resource burden in implementing what their auditors felt to be an effective set of internal controls. Many of these "year one" controls were set up as manual, or as primarily manual, and amounted to simply a giant "push" to achieve compliance. In year two, a shift in thinking came when SOX compliance necessarily evolved from a project to an ongoing program considered essential to address the "sustaining compliance" problem. Out of a desire to avoid repeating the sizable "compliance project" effort of year one and to ease the labor burden of the "compliance program" in years two and three, many companies have sought, and to a large extent are still seeking, alternatives that provide relief.

The Case for Automation:

While not completely ignoring the advice from the SEC and PCAOB to avoid unnecessary testing of internal controls, public accounting firms typically focus their SOX audit efforts on assessing control effectiveness once the scope of controls is established. In the first years of SOX, a focus that was biased towards effectiveness was acceptable in light of the "effectiveness of ... internal controls" and "effectiveness of the internal control structure" phrases that appear in the Act itself. However, this focus is now seen as problematic when performed at the expense of, rather than in concert with, a concern for control efficiency [2]. Given that external auditors continue to combine this control-effectiveness bias with what, for practical purposes, continues to be a "bottom up" approach to recurring IT control assessments [3], it is likely that many hours of their time are still spent on verification and validation of manual controls that can now largely be eliminated with automation.

To automate or partially automate a control is to instantiate one or more of the control elements that can be codified into software. As with most business practices, controls become more efficient when they are automated. And as expected, control automation can greatly reduce "sustaining compliance" costs. Moreover, automating controls can shorten compliance auditing cycle times. In sum, control automation efficiency offers businesses at least 3 ways to save money: 1) by reduced cost of maintaining internal controls, 2) by fewer outside auditor hours, and 3) by fewer internal resource hours spent supporting compliance audits. Automating internal controls tends to demystify an auditor's control testing process and shorten the audit engagement. To justify billing hundreds of hours for "testing" only key internal controls becomes increasingly difficult as control automation pervades the enterprise.

1. Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners, p.29, IIA

2. Ibid., pp. 52-53

3. See "Speech by SEC Commissioner: Remarks before the Tenth Annual Corporate Counsel Institute, Priorities and Concerns at the SEC" by SEC Commissioner Cynthia A. Glassman