Statutory Audit and IT Governance

Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Information Systems Control Journal, Volume 5, 2003

“The IT audit profession, with its capabilities and standards, is part of the solution.”
Erik Guldentops, CISA, CISM

Ten years ago there was frankly not much talk about corporate governance. Neither, to be truthful, was audit discussed much. Today the reverse is true. The reason is that we tend to operate in a “plugging holes” mode, as the recent flurry of emerging audit and governance standards illustrates.

These recent developments (IAASB, COSO II, Sarbanes-Oxley, etc.) focus strongly on the system of internal control in response to recent scandals that have damaged the public trust in financial information and corporate disclosure. It is now mandatory for the CEOs of public corporations quoted either in New York or London to perform a review of internal control at least annually and to publicly disclose their formal evaluation. This is an important and burning driver but not the only one influencing the role of IT in governance and statutory audit.

This article will attempt to illustrate the importance of IT to enterprise reporting systems and, hence, to internal control, and thereby to corporate officers and auditors responsible for such certification. At the same time, the relevance of IT and IT governance will be shown. They are relevant to the processes by which financial information is produced, and most importantly, they are essential to survival and growth of the enterprise as a whole. Ultimately this increases the importance of the role of IT auditors in IT governance, corporate reporting, internal control and statutory audit.

There are some immediate relations one can draw with statutory audit requirements when we look at some of the major drivers for IT governance (see figure 1)[1], including:
• Trust—With investors willing to pay significantly more for shares of well-governed enterprises
• Value—When considering the majority of enterprise market value is in intangible assets
• Survival—When trust can vanish overnight when based on intangibles and governance practices
• Assurance—With its increasing requirements for risk transparency and increasing focus on internal controls

The enormous value of information for most enterprises increases the priority of the statutory audit requirement to look at how management exercises its custodianship over these intangible assets.

Equally, when considering the dependence on intangibles and the speed with which trust can be lost (e.g., Enron and the ensuing demise of Arthur Andersen), the statutory audit requirement to warn when there is an issue with the going concern cannot be ignored. There is now such corporate reliance.

Trust and assurance depend on the integrity of the information reported and on the system of internal control that an enterprise operates. Good governance and a sound system of internal control are the responsibilities of management and the board. Where they exist, the task of external auditors—in terms of statutory opinion and attestation of the evaluation of internal control—is made a lot easier.

Figure 1—IT Governance Drivers
IT Governance at the centre, surrounded by four drivers: Value (Brookings), Trust (McKinsey), Assurance (Turnbull) and Survival (Greenspan).

The US Sarbanes-Oxley Act is undoubtedly the most far-reaching piece of legislation to affect the governance of US and international corporations. The act puts strong requirements on management and auditors for the establishment, evaluation and reporting on internal control (see figure 2). In addition, it goes well beyond the financial controls traditionally associated with statutory audits, with the introduction of “disclosure controls and procedures,” which are more in line with the compliance and operational controls of COSO (Committee of Sponsoring Organisations of the Treadway Commission). To exercise that responsibility, management and the auditors also need to look at:
• IT’s role in the integrity of information
• The system of internal controls over IT
• The support IT provides to the overall system of internal controls
• The management of IT risks

Figure 2—Internal Control Requirements, Sarbanes-Oxley Act
Section 302: Requires the company’s CEO/CFO to certify that:
• SEC reports filed have been reviewed, are accurate and do not omit material fact.
• Financial statements fairly represent the financial position.
• Disclosure controls have been designed, established, maintained and evaluated.
• Internal control and fraud issues are disclosed to audit committee and auditors.
Section 404: Requires the SEC to prescribe rules for internal control reports which:
• State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
• Contain an assessment of the effectiveness of this structure and procedures
• Require external auditors to attest to the assessments made by management

However, none of these responsibilities can be exercised without considering the enterprise information and the systems that capture, process, store and distribute it.

This is where IT audit competencies and practices need to be applied—more extensively than in the past—to support management’s and external auditors’ responsibilities relative to the integrity of information, the appropriateness of risk management and the adequacy of internal control. The complexity and widespread deployment of IT systems in terms of organisational structures and resources, as well as technologies used, has created the need for highly specialised IT auditors who—as experts in IT governance best practice—can opine on these issues.

Enterprise governance relates to the rules and processes through which business opportunities and risks are recognised and managed to ensure enhanced and sustainable stakeholder value.[2] IT governance covers the management processes which ensure the delivery of the expected benefits of IT in a controlled manner so that it supports current operations and helps enhance the long-term sustainable success of the enterprise.

There is a significant difference between strong and weak IT governance, as illustrated in figure 3. The difference has a profound impact on trust and assurance.

Figure 3—Strong and Weak IT Governance
Strong IT Governance: IT governance disciplines are more likely to lead to effective use of technology to enable and support the business, resulting in higher levels of control and security, greater integrity of financial and management information, and therefore reduced audit risk.
Weak IT Governance: IT governance disciplines are more likely to lead to ineffective or incomplete use of technology, thus increasing the risk of poor control and security, and reducing the integrity and reliability of management and financial information, therefore increasing audit risk.

With these differences, it would be foolish to deny that strong IT governance has an impact on the integrity of information, the system of internal control or audit risk. From a statutory audit perspective, strong IT governance reduces audit risk from, for example:
• Poor security over business transaction capture, transfer, analysis and reporting
• Poor management controls over completeness and integrity of business transaction capture, transfer, analysis and reporting
• Misdirected or poor financial transparency of IT investments
• Fraud or wilful manipulation or concealment of business information

While noting that most external auditors truly appreciate the importance of IT, it is disappointing to see that statutory audit standards appear to restrict themselves to those aspects which strictly relate to the preparation of financial statements, while there is a much larger array of risks that enterprises need to address. The good news is that IT governance issues are in fact becoming integrated into the audit procedures of major audit firms, which are evolving from financial audit to a more performance assurance perspective, including IT.

But even a strict financial audit process needs to start with understanding the business environment. The pervasiveness of IT and the importance of information as an enterprise asset imply that the enterprise’s IT governance processes need to be identified and assessed, with special focus on the going concern, intangible assets and custodianship over these assets. This analysis needs to occur in the first step of the statutory audit process (see figure 4).

Figure 4—Statutory Audit Process
Business understanding → Identify management controls → Are controls appropriate and effective? → Assess residual risk and substantiate opinion
IT governance processes need to be identified and assessed as part of the understanding the business phase of the audit.

Recognising the importance of IT in understanding the business and its subsequent role in internal control will reduce audit risk. Therefore, auditors can no longer avoid considering up front:
• The organisational structure of information processing
• The complexity of information processing
• The significance of information processing in each accounting application

Even more fundamental, the extensive processing of information that occurs from the creation of the business transaction until the ultimate recording of that transaction in the financial statements is rife with information processing. As such, all of the steps, processes (operational, managerial and governance) and their supporting technologies need to be considered to obtain assurance of the integrity of the information. Figure 5 illustrates this information life cycle and some of the processing and technologies that apply.

Figure 5—From Business Transaction to Financial Reporting
Business environment and transactions (e-business, EPOS, etc.) → Transfer into business data (enterprise systems, data warehouse, CRM, etc.) → Reporting and internal accounting (OLAP tools, GL accounting, etc.) → Financial statements and annual report (Excel, reporting and consolidation systems, etc.)
At every stage, it is IT that enables and underpins the business or reporting process.

Auditors increasingly face the problem that core processes can be completely dematerialised, and financially material entries are originated, calculated, analysed, summarised and processed automatically into general ledgers, either directly or through interfaces. They have to face the fact that the accounting systems are themselves large computer applications. They have to recognise, too, that analytical information used for substantive work also is probably entirely IT-controlled.

Emerging standards have begun to devote some attention to IT as an audit subject and an audit object. They have started to point to risks of upstream controls such as program maintenance, testing, configuration integrity, database and operating system access. However, they offer no guidelines on how to deal with it on anything other than a partial basis. The IT Governance Institute’s Control Objectives for Information and related Technology (COBIT) is a global standard that includes guidelines offering management and auditors a way to bridge the gap among business risks, control needs and technical issues. COBIT is universally accepted as international best practice in IT governance and control; it is 100 percent COSO-compliant and easy to understand and apply.

Information and Communication is one of the five components of COSO, and it stretches across the three internal control objectives. COSO II will focus even more attention on the IT component. Figure 6 illustrates how the control objectives of COBIT’s 34 processes map to the five components of COSO. Increasing focus on IT in COSO II and further detailed mapping to COBIT is being researched by the IT Governance Institute (ITGI). Indications show that COSO/COBIT as combined control criteria will provide a satisfactory independent measurement against externally verifiable and representative norms, both for management assertions and audit assurance of internal control. Assessment of internal control adequacy for what concerns the IT processes and environment is in fact recognised as a specific process in COBIT (M2). Furthermore, reliability is one of the seven information criteria that COBIT establishes as generically representing the business needs. How focused management’s control requirements are on the reliability of management information is an essential element for obtaining assurance of internal control over IT.

Figure 6—High-level Mapping Between COBIT and COSO
COSO components (as recoverable from the figure): Control Environment; Risk Assessment; Information and Communications; Monitoring. The individual process-to-component mapping lines of the figure are not recoverable from the text.
COBIT processes:
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality Management
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit

The benefits of using COBIT in this context are that it:
• Is universally accepted and globally practiced
• Is complete, objective and evolving
• Is actionable and easy to use
• Is easy to understand and explain
• Is 100 percent compliant with COSO I and COSO II
• Provides a common language and approach for management and auditors
• Reduces the cost of audit risk assessment
• Decreases the cost of audit while improving efficiency
• Provides a higher quality of audit and related opinion

It is no exaggeration to say that IT will progressively form more of the trunk of the corporate organisation, rather than serving as one of its “enabling” branches (e.g., finance). Recent job advertisements in the Financial Times for executive positions that combine IT and finance responsibilities are but one sign of things to come. Equally, IT and IT audit must progressively form an integral part of the statutory audit activities to reduce audit risk and obtain assurance of integrity of (financial) information and appropriate functioning of the system of internal controls.

Thus far, the following have been clarified:
• The immense value of intangibles, largely based on information, has an impact on the statutory audit requirement of the “custodianship of assets.”
• The importance of IT to enterprise survival and growth influences the statutory audit principle of the going concern.
• The pervasiveness of IT in enterprises significantly influences, but also underpins, the system of internal controls.
• The immense risks associated with IT need addressing as part of the risk transparency requirements of emerging corporate governance regulations.
• IT has a critical role in ensuring the integrity of information throughout the business cycle from the business transaction all the way to the financial statements.
• Strong IT governance practices reduce audit risk significantly.
• Operational risk will create further pressures on statutory audit and its IT component.
• COSO/COBIT as combined control criteria provide independent, verifiable and representative control standards.

When looking at emerging audit standards and regulations, the theme is convergence, and the thread running through all of this is internal control.

Data are generated by companies and translated into information. That information is used to make decisions, predict outcomes, measure performance against objectives or meet external requirements. Information and information flow are the operational lifeblood of the organisation. They are the economic measuring sticks and the essential building blocks of financial reporting.

Maybe not exclusively yet, but by far the majority of information systems run on computer systems that are linked via networks. These systems store, process, share and move information. This information is critical to the efficiency and effectiveness of the business, its ability to measure performance, and its ability to meet the obligations placed on it.

Information has always been a critical corporate asset. Directors have always been concerned about the ability of IT to meet operational needs. They have been concerned whether the systems that handle information will give them the correct measure of economic performance. No wonder the Sarbanes-Oxley Act (and also the Turnbull Act before it, and perhaps similar legislation worldwide yet to come) requires enterprises to attest formally that the internal control system operates adequately. Such assessment will be formal, written, public and independently reviewed, and negligence will result in fines or prison.

Now, any director signing such would ask him/herself: Who is responsible for all the systems and networks that ensure the integrity, confidentiality and availability of information?

Answer: IT.

The next question must be: What is the quality of my IT governance? But that is another story.

Author’s Notes:
Sincere thanks must be expressed to Neil Anderson, Eddy Schuermans, Chris Fox and Paul Williams for their significant contributions to the development of this article.

Endnotes
[1] Brookings Institute: 85 percent of market value of enterprises is intangible, much of that captured in information; McKinsey: institutional investors are willing to pay up to 20 percent premium on shares of enterprises that have implemented governance; Greenspan: testified before a US Senate Commission that trust can vanish overnight but factories do not, referring to the dependence of many enterprises on conceptual rather than physical assets; Turnbull: setting the tone for governance requirements regarding risk transparency and internal control.
[2] BASLE II and its requirements for operational risk management will add an operational risk dimension to statutory audit requirements over and above the dimensions of information integrity and internal control. While admittedly only for the financial industry, it is likely that other industries will follow.

Erik Guldentops, CISA
is advisor to the board of the IT Governance Institute and an executive professor in the Management School of the University of Antwerp, Belgium, where he teaches on the subjects of IT security and control, IT governance and risk management. In 2001, he retired as director of security from SWIFT, where he also previously held the position of chief inspector. He initiated and has headed the development of COBIT since the early 1990s, and currently is chair of ISACA’s COBIT Steering Committee.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. (ISSN 1526-7407). www.isaca.org