Friday, August 12, 2005

Sarbox surprises


It wasn’t supposed to be like this, but IT has emerged as an unexpectedly vexing aspect of Sarbanes-Oxley compliance. According to a recent CFO IT survey of finance chiefs in the US, almost all companies reporting weaknesses or deficiencies under Sarbox have found IT to be at least part of the problem, if not the sole source. Worse, many CFOs feel that regulators have not done a good job of explaining what companies must do to satisfy Section 404 requirements for internal controls from an IT perspective. They also say the auditors charged with giving or withholding approval don’t understand IT issues well enough to render an accurate judgment.

“IT issues account for 20% of the key controls portfolio at a typical company, which is almost twice as many as the next two areas combined,” says Steve Hill, a partner in the risk advisory services practice at KPMG. That is, IT is so pervasive at most companies that any examination of internal controls is bound to turn into a de facto audit of IT. Indeed, a majority of survey respondents said there is no clear line between what constitutes financial versus IT controls. That’s one reason why the Institute of Internal Auditors has inaugurated a series of global technology audit guides that in part focus on IT controls. While not intended as Sarbox manuals per se, the guides provide useful tools for implementing IT controls. (The guides are available at www.theiia.org.)

See full article.