Sarbanes-Oxley Act (404) An IT Viewpoint


Presentation on theme: "Sarbanes-Oxley Act (404) An IT Viewpoint"— Presentation transcript:

1 Sarbanes-Oxley Act (404) An IT Viewpoint
Darin Kreimeyer, Senior Manager
Newel Linford, Senior Manager
January 2, 2019

2 404 IT Agenda
- Section 404: Overview and Impact
- IT Controls Overview
- 404 IT Focus
  - Significant Accounts and Processes
  - IT Documentation Considerations
  - Identifying Possible IT Errors
  - Identifying Relevant IT Controls
  - Evaluating and Reporting Deficiencies
- 404 IT Viewpoint
- Summary

3 Overview of Section 404
Internal Control Evaluation and Reporting
- Sarbanes-Oxley Act Language Excerpt: “…each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.”
Background on Standards
- PCAOB Standards Language Excerpt: “The bottom line for Congress, and for the PCAOB, is the reliability of the company's financial statements – statements relied on by shareholders, management, directors, regulators, lenders, investors and the market at large.”

4 Overview of Section 404
Two Attestations
- Financial Statement Opinion
- Internal Control Opinion
Compliance Deadline
- Accelerated Filers: November 15, 2004
- Others (i.e., Market Cap. < $75M): July 15, 2005

5 Impact of Section 404
- Compliance costs in the tens of billions
- Substantial and direct impact to information systems and related environments
- Creation of specific 404 job positions
- Impact from disclosure of material weaknesses unknown

6 IT Controls Overview
- Standards and Guidance
- Entity Level Controls
- General Controls
- Application Controls

7 IT Controls Overview
Standards and Guidance
- PCAOB
  - Internal Control Standards
  - Issued March 9, 2004
  - Based on COSO
- AICPA
  - SAS 94 – “The effect of IT on internal control in a financial statement audit.”
- IT Governance Institute
  - Guidance on IT Related Controls
  - Specific to 404
  - Based on COBIT

8 IT Controls Overview
404 requires an assessment at the following levels of controls:
- Entity Level Controls
  - Strategic Planning
  - Organizational Structure
  - Policies and Procedures
  - Risk Assessment
  - Third Party Management
- General Controls
  - Logical Access
  - Program Change
  - Program Development
  - Computer Operations
- Application Level Controls
  - Input
  - Transmission
  - Processing / Recording
  - Output / Reporting

9 404 IT Focus
Significant Accounts and Processes
- Virtually every process is IT dependent in some form or fashion
- Transaction flows are typically automated
- Management often relies on programmed controls for routine and non-routine processes
- Estimation processes are normally dependent on IT generated data elements

10 404 IT Focus
IT Documentation Considerations
- Should describe flow of transaction initiation, recording, processing and reporting
- Flowcharts, diagrams and narratives
- Level of required system and control documentation dependent on:
  - Number of businesses / locations
  - Degree of IT centralization
  - Nature / complexity of transactions
  - Degree of management reliance on IT systems

11 404 IT Focus
Identifying Possible IT Errors
- Errors that individually or collectively could have a material effect on the financial statements
- Root causes for errors include:
  - Integrity of major input sources
  - Significant processing procedures
  - Access to important data files
  - Erroneous factors and assumptions
  - Competency of personnel
  - Functional segregation of duties

12 404 IT Focus
Identifying Relevant IT Controls
- Should involve a collaboration with process owners and knowledgeable IT personnel
- Automated application controls
- System generated information
- IT general controls

13 404 IT Focus
Evaluating & Reporting Control Deficiencies
- Deficiency
- Significant Deficiency
- Material Weakness

14 404 IT Viewpoint
Summary of Findings
- IT has been an integral part of the evaluation process.
- Organizations are taking advantage of new ERP implementations to also meet SOX requirements.
- IT functions that are segregated across multiple locations have been using a “teaming” and sometimes automated approach to document controls.
- Organizations are looking to streamline and improve IT processes as a result of the documentation effort.
- Organizations have placed heavy reliance on manual controls. As a result, application controls are not effectively used.

15 404 IT Viewpoint
Summary of Findings
- Focus has been on key and selective IT controls to be used for testing.
- Organizations without proper IT audit experience and knowledge appear to have developed “inadequate” documentation.
- Documentation has been in narrative format vs. flowcharts to save time and effort.
- IT documentation has been kept separate from the manual / financial process documentation.

16 404 IT Viewpoint
Challenges
- Organizations that require IT assistance have had difficulty finding resources internally or externally. Resources are extremely scarce!
- Determining what and how much to document are key areas of concern.
- Integrating the IT documentation within the manual / financial process documentation is difficult.
- Coordination and documentation efforts for decentralized IT operations are challenging.
- Organizations don’t have access to automated tools to efficiently analyze application controls.

17 404 IT Viewpoint
Leading Practices
- Include IT executives on project team.
- Hire or engage qualified IT auditors.
- Consider COBIT standards as a baseline for consideration of IT controls.
- Use automated tools to analyze financial applications.
- Documentation should describe flow of transaction initiation, recording, processing and reporting.
- Consider documenting controls in the form of flowcharts rather than narratives, or a combination of the two.

18 404 IT Viewpoint
Leading Practices
- Consider standard surveys and questionnaires for organizations with decentralized IT operations.
- Validate and test only those IT controls considered critical and key to the financial process.
- Meet with your external auditor frequently to obtain “buy-in”.
- Consider using application controls to reduce dependence on manual controls.

19 404 IT Viewpoint
Moving Forward – Year 2
- Maintaining ownership of IT processes and controls
- Building sustainability for long term
- Gaining efficiencies through centralized IT processes and increased use of application controls
- Building skill sets internally vs. use of auditing firms
- Ongoing software implementations / upgrades
- Implementing enhanced documentation tools

20 Summary
Key Things to Remember about 404 from an IT Perspective:
- Controls help to maintain the integrity of business processes, including financial reporting
- Information systems play a key role in these processes
- Stronger control environments will reduce the likelihood of another Enron or WorldCom
- 404 requires extensive documentation

21 Thanks For Listening!
Questions / Answers

