For many of the attendees at a recent Sarbanes-Oxley Act compliance conference, getting technology managers and staffers involved in the process of documenting internal IT controls is turning out to be a big challenge.
In an informal poll, roughly half of the 250 or so attendees indicated that their IT departments have been reluctant to help corporate auditors document IT controls in order to meet the Section 404 requirements of the U.S. financial-reporting law.
Some auditors who were at the Texas conference cited an inability or unwillingness on the part of IT staffers to step away from managing day-to-day technology operations.
Other attendees said IT professionals often lack an understanding of auditing procedures and concepts such as application controls. “A lot of IT people struggle with these terms because they’re audit-centric terms,” noted Paul Zonneveld, a senior manager at Deloitte & Touche LLP’s enterprise risk services consulting practice in Calgary.
Refusing to assist with documentation work could have dire consequences for some IT executives. Such a refusal played a role when one CIO lost his job last year, said an audit manager who requested anonymity. The manager said the CIO was pressured into resigning, in part “because IT had a number of outstanding audit issues and he wasn’t willing to address them, claiming the IT department was too busy.”