More than a dozen corporate IT auditors attending a conference this week said they’re struggling mightily to document the controls used within their IT departments in time to meet the Sarbanes-Oxley compliance deadlines that most large companies are facing late this year.
The biggest challenge in meeting the deadline for documenting internal IT controls as required by Section 404 of the Sarbanes-Oxley Act is a lack of clarity from the government entity that’s overseeing compliance regarding which controls should be documented and the best ways to do it, attendees said.
They noted that the Public Company Accounting Oversight Board hasn’t told companies to use a specific methodology for documenting IT controls, such as COBIT, COSO or ISO 17799. That has made it difficult for the Big Four accounting firms and other external auditors to give advice on which IT controls need to be documented, according to attendees.
“It’s hard for us to do this when no one is able to tell us exactly what needs to be documented,” said an IT auditor who works at a New York-based investment bank. Like almost all of the other auditors interviewed at the conference, she asked not to be identified.
William Powers, associate director of the accounting oversight board’s inspections division in New York, said the regulatory body plans to devote a lot of attention this year to the IT controls assessment work done by public accounting firms. That work includes the risk-assessment process as well as the documentation and testing of general and application controls.
In turn, accounting firms are expected to monitor the IT risk-assessment procedures and information systems audit work that’s done by their clients to meet Sarbanes-Oxley mandates, Powers added. But when asked if the oversight board plans to recommend the use of a single IT controls standard, he said, “Absolutely not.”
The Rolling Meadows, Ill.-based Information Systems Audit and Control Association, which hosted the conference, said it plans to roll out a Web-enabled version of the COBIT standard within a few weeks. The new release of COBIT, which is formally called Control Objectives for Information and related Technology, is designed to help IT auditors browse for best practices, do benchmarking and obtain other guidance as part of Sarbanes-Oxley compliance efforts.
In addition to the lack of guidance from regulators, IT auditors said they’re also struggling with other issues as part of Sarbanes-Oxley projects. The challenges include identifying a hornet’s nest of controls and interfaces among decentralized business units and trying to manage the efforts with scarce resources.
For instance, Lynn Kilroy, IT audit director at Allstate Insurance Co. in Northbrook, Ill., said she has a team of just 11 auditors who work within the company’s internal audit group. By comparison, the insurer has a 5,000-person IT staff.
Companies with market capitalizations of US$75 million or more have to show they comply with Section 404 of Sarbanes-Oxley when they file their 10-K reports for fiscal years that end after Nov. 15.
Kenneth Gabriel, a consultant at KPMG LLP in Chicago, recommended that IT auditors simplify their compliance efforts as much as possible. “You don’t get extra credit for this exercise,” he said.
But for large companies that need to document dozens or even hundreds of IT controls in such a short period of time, the task can seem overwhelming. “For IT auditors, it’s going to get a lot worse before it gets better,” Kilroy said.