Trust services: a better way to evaluate I.T. controls: fulfilling the requirements of section 404.

EXECUTIVE SUMMARY

* SARBANES-OXLEY REQUIRES MANAGEMENT to include an assessment of internal controls over financial reporting, using a suitable framework, in the annual report. While a number of frameworks are available, some do not adequately assess technology controls.

* SEC RULES SAY MANAGEMENT MUST BASE its evaluation of the effectiveness of internal controls over financial reporting on a recognized control framework issued by a group that followed due-process procedures. The framework must be free from bias, complete and relevant to the task at hand, and must permit consistent quantitative and qualitative measurements.

* SEVERAL GROUPS, INCLUDING COSO, COBIT and AICPA/CICA Trust Services, have issued frameworks CPAs can use to evaluate internal controls, particularly controls over a system's IT aspects. In a survey of CEOs and CFOs, 28.4% said they used a model other than COSO to assess the effectiveness of their IT internal control structure.

* A FIVE-STEP PROCESS ENABLES CPAs to use the Trust Services framework in conjunction with the COSO framework to evaluate the IT control aspects of the required internal control assessment. The process defers to Trust Services for a more detailed assessment of whether the IT systems used to support and create the financial reports are reliable.

**********

It would be an understatement to say the Sarbanes-Oxley Act of 2002 has had a significant impact on every CPA working for or auditing a public company. Among other things, Sarbanes-Oxley requires management to include an internal control assessment using a suitable framework in the company's annual report. But how exactly are companies performing the required assessment? This has been a hot topic for professional associations such as the AICPA, the Institute of Management Accountants and the Institute of Internal Auditors. In response the AICPA created an ad-hoc task force to address management's responsibility under section 404 of Sarbanes-Oxley. The task force assembled a list of key issues, including the act's requirement to use suitable criteria for an effective internal control system. This article explains how I use the AICPA/CICA Trust Services framework in my work as an information systems auditor to evaluate internal controls, particularly controls over information technology. CFOs, internal audit executives and financial managers as well as external auditors will see how the framework can supplement some commonly used measures that do a good job of assessing overall controls but don't focus on technology controls.

INTERNAL CONTROL ASSESSMENT

Section 404 requires public companies to include in their annual reports an assessment by management of their internal controls over financial reporting. This includes a statement of management's responsibility for establishing and maintaining adequate internal control, an assessment of the effectiveness of those controls as of the end of the most recent fiscal year, a statement identifying the framework that was used to evaluate those controls and a statement that the external auditor issued an attestation report on management's internal control assessment. The final SEC rules say management must base its internal control evaluation on a suitable, recognized control framework established by a body or group that followed due-process procedures. The rules do not mandate the use of a particular framework but say a suitable one must

* Be free of bias.
* Permit reasonably consistent qualitative and quantitative measurements.
* Include all relevant factors that might alter a conclusion about the effectiveness of the internal controls.
* Be relevant to an evaluation of internal control over financial reporting.

As a practicing information systems auditor charged with preparing the IT control aspects of the required internal control assessment, my search for an appropriate model uncovered

COSO (www.coso.org). The framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) satisfies the SEC criteria. Companies may use it to meet management's annual internal control evaluation and disclosure requirements. The COSO framework defines internal control, describes its components and provides criteria against which CPAs can evaluate control systems. However, since COSO does not provide specific criteria for IT controls, some companies may find a supplemental framework necessary.

COBIT (www.isaca.org). The Information Systems Audit and Control Foundation developed the control objectives for information and related technology (COBIT). The objective is a generally applicable and accepted standard for IT security and control practices that provides a reference framework for management, users, auditors and security practitioners.

Trust Services (www.aicpa.org/trustservices). The foundation of the AICPA/CICA Trust Services framework is a set of principles and criteria CPAs can use to assess the reliability of a company's IT systems. The criteria constitute professional guidance as well as serve as best practices for system reliability.

INFORMATION TECHNOLOGY CONTROLS

Because companies rely heavily on technology, the criteria they use to assess the effectiveness of their IT-related controls are particularly important. While COSO addresses the topic of IT general controls, it does not dictate requirements for control objectives and related activities.
Indeed, the audit standards issued by the Public Company Accounting Oversight Board (PCAOB) highlight the importance of IT general controls but do not specify which in particular a company must include. Thus, to meet the requirements of section 404, IT management and auditors need a specific IT control framework. When I asked companies whose CEOs and CFOs are required to file sworn statements with the SEC which framework they used, 28.4% said they used a model other than COSO (exhibit 1, page 70).

In evaluating models I first turned to COBIT because I had used it in the past and it was well-received by clients. Now in its third edition, COBIT is increasingly accepted as good practice for control over IT and related risks. It's a robust framework, comprising 4 domains, 34 IT processes and 318 detailed control objectives. It's a comprehensive approach for managing risk and control of IT, explaining how IT processes deliver the information a business needs to achieve its objectives. One reason companies are using the COBIT framework for Sarbanes-Oxley compliance is that its objectives have been mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley (available at www.isaca.org). COBIT also has been mapped to popular enterprise resource planning (ERP) systems such as SAP, Oracle and PeopleSoft. This mapping and related guidance provides COBIT framework references and methodologies for auditing and testing the major ERP systems.

While COBIT is an excellent comprehensive framework for assessing IT controls, I was seeking a narrower framework that would complement the overall COSO model many clients were using. To this end, I decided to use Trust Services because of its focus on the controls that are in place to ensure the company's systems carry out business processes reliably.

APPLYING THE FRAMEWORK

The AICPA and CICA developed the following Trust Services principles and related criteria for CPAs to use to perform consulting engagements, as well as branded attestation engagements such as SysTrust and WebTrust.

* Security.
The system is protected against unauthorized access, both physical and logical.
* Availability. The system is available for operation and use as committed to or agreed upon.
* Processing integrity. System processing is complete, accurate, timely and authorized.
* Confidentiality. Information designated as confidential is protected as committed to or agreed.
* Privacy. Personal information is collected, used, retained and disclosed in conformity with the commitments the entity makes in its privacy notice and with the AICPA/CICA Trust Services privacy criteria.

The privacy principles and criteria include 10 components that are essential to the proper protection and management of personal information. They are based on internationally known fair information practices included in the privacy laws and regulations of jurisdictions around the world and recognized good privacy practices. For each component there are relevant, objective, complete and measurable criteria for evaluating an entity's privacy policies, communications and procedures and controls. There are also illustrations and explanations to enhance understanding of the criteria. For more details on the privacy criteria, go to www.aicpa.org/innovation/baas/ewp/privacy_framework.asp.

The security, availability, processing integrity and confidentiality principles and criteria are organized into four broad areas:

* Policies. The entity has defined and documented its policies relevant to the particular principle.
* Communications. The entity has communicated its defined policies to authorized users.
* Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.
* Monitoring. The entity monitors the system and maintains compliance with its defined policies.

These principles and criteria include attributes the entity must meet to demonstrate it has achieved each principle. Trust Services also provides illustrative controls as examples of controls the entity might have in place to conform to the criteria. Alternative and additional controls also may be appropriate. CPAs can use the framework's principles and criteria to create a detailed analysis containing control objectives classified into broad categories, as shown in exhibit 2, page 72. I found the illustrative controls to be particularly helpful. Keep in mind a large part of the internal control assessment process requires management to say what controls are in place to mitigate a given risk. Trust Services' illustrative controls are detailed enough to help management identify the controls that exist and those that are missing. As an example of how the controls are helpful, consider those provided for one criterion, as shown in exhibit 3, page 74.

Exhibit 3: Sample Trust Services Security Principle Illustrative Controls

Procedures exist to protect against unauthorized logical access to the defined system.

1. Log-in sessions are terminated after three unsuccessful log-in attempts. Terminated log-in sessions are logged for follow-up by the security administrator.
2. Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by the VPN server through specific client software and user IDs and passwords.
3. Firewalls are used and configured to prevent unauthorized access. Firewall events are logged and reviewed daily by the security administrator.
4. Unneeded network services (for example, telnet, ftp and http) are deactivated on the entity's servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by entity management on a routine basis for its appropriateness for the current operating conditions.
5. Intrusion detection systems are used to provide continuous monitoring of the network and early identification of potential security breaches.
6. The entity contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.

Source: AICPA/CICA Trust Services principles and criteria.

When I provide these examples to IT management--instead of simply asking what controls exist to protect against unauthorized logical access to a particular system--it helps them understand what I'm looking for.
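Two of the illustrative controls in exhibit 3 are concrete enough to express as code an auditor could run against a system or its configuration: control 1 (terminate the session after three unsuccessful log-in attempts and log the termination for the security administrator) and control 4 (deactivate unneeded services and keep a list of authorized ones). The following Python is an added example, not code from the article or from AICPA/CICA; the class and function names, the three-attempt threshold as a constant, the authorized service list and the sample listening-port snapshot are all constructed for illustration.

```python
"""Added example: checks modelled on exhibit 3 controls 1 and 4.
All names, thresholds and sample data are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # the threshold stated in illustrative control 1


@dataclass
class LockoutPolicy:
    """Control 1: count failed log-in attempts per user, terminate the session
    on the third failure and record an audit event for follow-up."""
    max_failures: int = MAX_FAILED_ATTEMPTS
    failures: dict = field(default_factory=lambda: defaultdict(int))
    audit_log: list = field(default_factory=list)

    def attempt(self, user: str, success: bool) -> str:
        """Return "ok", "retry" or "terminated" for one log-in attempt."""
        if success:
            self.failures.pop(user, None)  # a successful log-in resets the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            # Log the termination so the security administrator can follow up,
            # then clear the counter so the same event is not logged twice.
            self.audit_log.append(
                f"LOGIN_TERMINATED user={user} failed_attempts={self.failures[user]}")
            self.failures.pop(user)
            return "terminated"
        return "retry"


# Control 4: the IT department's list of required and authorized services.
# Constructed sample values (protocol, port); a real list comes from the entity.
AUTHORIZED_SERVICES = {("tcp", 22), ("tcp", 443), ("tcp", 5432)}

# Constructed snapshot of one server's listening sockets, in the form a
# netstat/ss listing would give: telnet, ftp and http are still enabled.
SAMPLE_LISTENING = [("tcp", 22), ("tcp", 23), ("tcp", 21),
                    ("tcp", 80), ("tcp", 443), ("tcp", 5432)]

SERVICE_NAMES = {21: "ftp", 23: "telnet", 80: "http"}  # for readable findings


def unauthorized_listeners(listening, authorized=AUTHORIZED_SERVICES):
    """Return the (protocol, port) pairs that are listening but not on the
    authorized list, i.e. the services that should be deactivated."""
    return sorted(set(listening) - set(authorized))


def service_findings(listening=SAMPLE_LISTENING):
    """Human-readable findings for management review of control 4."""
    return [f"deactivate {proto}/{port} ({SERVICE_NAMES.get(port, 'unknown')})"
            for proto, port in unauthorized_listeners(listening)]


if __name__ == "__main__":
    policy = LockoutPolicy()
    for outcome in (False, False, False):
        print(policy.attempt("jdoe", outcome))   # retry, retry, terminated
    print(policy.audit_log)
    print(service_findings())
```

The audit log entries are what the security administrator reviews under control 1, and the findings list is what management compares against the authorized-services list under control 4; in an assessment both are evidence that the control exists and operates, which is the distinction step 5 below turns on.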
The Trust Services framework provides illustrative controls for all criteria (objectives).

FIVE STEPS TO COMPLIANCE

The following five-step process shows how CPAs can use the Trust Services framework to evaluate a company's IT controls when the entity primarily uses the COSO approach. The first step uses only COSO, the second and third involve both COSO and Trust Services, and the last two use Trust Services only.

1. Use the COSO framework to identify the risks in each business cycle and the controls that mitigate them. This process will include many references to information systems. PCAOB Auditing Standard no. 2 says: "Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes." Thus, it is important for CPAs to demonstrate how IT controls support the COSO framework. COSO identifies five internal control components that must be in place to achieve financial reporting and disclosure objectives: control environment, risk assessment, control activities, information and communication and monitoring. An organization should have IT control competency in all components.

2. Gather initial IT information, including a list of all application software the company is using; copies of network maps, security policies and any contingency planning and disaster recovery documents; procedures related to how system changes are made; an explanation of the typical system development lifecycle; and the company's IT organization chart. Given the pervasive nature of IT, identifying what needs to be assessed for Sarbanes-Oxley compliance can be an overwhelming task. Gathering information that describes the IT environment, procedures and computer software helps CPAs understand the big picture so they can organize their efforts to identify IT controls for Sarbanes-Oxley compliance. In many cases, companies already have this initial information so CPAs can gather it without incurring additional costs.

3. From the information gained in the first two steps, identify all information systems that relate to financial reporting. Organizations must understand how the financial reporting process works and where technology is critical in supporting it. This will help CPAs identify key systems and subsystems that need to be included in the Sarbanes-Oxley assessment. Include systems that participate in the initiation, recording, processing and reporting of financial information, such as the accounting information system and all systems that feed source transaction data to it.

4. Use the Trust Services framework to create one overall IT control matrix, so that you can assess controls that cross systems, and another matrix for each system that relates to financial reporting. COSO identifies two broad groupings of information system control activities that organizations should assess:

General controls apply to all information systems and support secure and continuous operation. This category includes controls that support the quality and integrity of information and are designed to mitigate the identified risks. The IT general control categories the PCAOB set forth are program development, program changes, computer operations, and access to programs and data.

Application controls apply to the business processes they support and are designed to prevent and detect unauthorized transactions. When combined with manual controls, application controls help ensure completeness, accuracy, authorization and validity of processing transactions. Organizations should first identify significant accounts that could have a material impact on the financial reporting and disclosure process. Then they should identify and document application controls relevant to such accounts. CPAs can use the Trust Services framework to create detailed IT control matrices (usually in the form of spreadsheets).

5. Assess the controls identified in the matrices created above. As a general rule there should be an effective control technique in place for every control objective that applies to a system. CPAs can use the detailed control matrices that contain a row for each of the Trust Services criteria to form questions that will determine whether key controls are in place. The framework is based on the premise that if system controls operate effectively, the system itself will perform reliably. One example is the use of personal identification numbers to prevent unauthorized access to a system. An entity may adopt such a control in its written objectives, but the control will not achieve its objectives unless it operates effectively. The Trust Services framework makes it easier for CPAs to determine whether the controls over a system operate effectively during the period covered by the examination.

These steps allow the COSO framework to defer to the Trust Services framework for a more detailed evaluation to determine whether the IT systems a company uses to support and create the financial reports are reliable.

MEETING THE CHALLENGE

Fulfilling the IT control aspects of the internal control assessment that Sarbanes-Oxley requires can be a challenge for CPAs. While each company will need to decide the framework most appropriate for its needs, Trust Services is a useful option that CPAs will find particularly helpful when the overall framework they use does not pay sufficient attention to IT issues.
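Steps 4 and 5 describe a control matrix with one row per Trust Services criterion, an overall matrix for cross-system controls plus one matrix per financial reporting system, and an assessment that distinguishes a control management lists from one that actually operates effectively. The Python below is an added example of that structure in code rather than a spreadsheet; it is not the article's own matrix nor an AICPA/CICA artefact. The criterion texts are drawn from the article and exhibit 2, while the system names ("General ledger", "Payroll feed"), the controls placed in each row, the test outcomes and the `missing`/`ineffective` status labels are constructed assumptions for illustration.

```python
"""Added example: a Trust Services control matrix with gap analysis (steps 4-5).
Criterion texts come from the article; systems, controls and outcomes are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Control:
    description: str
    operates_effectively: bool  # result of the step 5 operating-effectiveness test


@dataclass
class Row:
    """One matrix row: a single Trust Services criterion for one scope."""
    principle: str   # Security, Availability, Processing Integrity, ...
    area: str        # Policies, Communications, Procedures, Monitoring
    criterion: str
    applicable: bool = True
    controls: list = field(default_factory=list)

    def status(self) -> str:
        """A listed control only counts if it operates effectively."""
        if not self.applicable:
            return "not applicable"
        if not self.controls:
            return "missing"
        return "effective" if any(c.operates_effectively for c in self.controls) else "ineffective"


@dataclass
class ControlMatrix:
    scope: str       # "overall" (cross-system) or a financial reporting system
    rows: list = field(default_factory=list)

    def gaps(self):
        """Applicable criteria with no control or only ineffective ones."""
        return [r for r in self.rows if r.status() in ("missing", "ineffective")]


# Criteria assessed once, in the overall matrix (cross-system controls).
CROSS_SYSTEM = [
    ("Security", "Policies",
     "The entity defines and documents its policies for the security of its system."),
    ("Security", "Monitoring",
     "The entity monitors the system and takes action to maintain compliance with its defined system security policies."),
]
# Criteria assessed separately for each system that relates to financial reporting.
PER_SYSTEM = [
    ("Security", "Procedures",
     "Procedures exist to protect against unauthorized logical access to the defined system."),
    ("Processing Integrity", "Procedures",
     "System processing is complete, accurate, timely and authorized."),
]


def build_matrices():
    """Constructed overall matrix plus two per-system matrices from step 3's scope."""
    overall = ControlMatrix("overall", [Row(*c) for c in CROSS_SYSTEM])
    overall.rows[0].controls.append(Control("Written security policy approved by management", True))
    # No monitoring control identified at all: this row will be reported as missing.

    gl = ControlMatrix("General ledger", [Row(*c) for c in PER_SYSTEM])
    gl.rows[0].controls.append(Control("Log-in sessions terminated after three unsuccessful attempts", True))
    gl.rows[1].controls.append(Control("Batch totals reconciled before posting", True))

    payroll = ControlMatrix("Payroll feed", [Row(*c) for c in PER_SYSTEM])
    # Control is documented but failed its test: listed, yet not effective.
    payroll.rows[0].controls.append(Control("VPN with user IDs and passwords for remote access", False))
    return [overall, gl, payroll]


def gap_report(matrices):
    """Map each scope to its (Principle/Area, status) gaps for the assessment."""
    return {m.scope: [(f"{r.principle}/{r.area}", r.status()) for r in m.gaps()]
            for m in matrices}


if __name__ == "__main__":
    for scope, gaps in gap_report(build_matrices()).items():
        print(scope, gaps or "no gaps")
```

Separating `missing` from `ineffective` in the report matters because the article's point in step 5 is that a control written into the entity's objectives still fails the assessment if it does not operate during the period examined; both statuses are gaps, but they call for different remediation and different questions to IT management.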
Exhibit 1: Assessing IT Controls

What criteria does your company use to assess the effectiveness of the IT-related internal control structure?

Criteria                              Number of companies using criteria   Percentage
COBIT                                  27                                   14.2%
Trust Services (formerly SysTrust)      1                                    0.5%
COSO                                  136                                   71.6%
Combination of the three               26                                   13.7%

Respondent base: 190 companies.
Exhibit 2: Detailed Control Objectives

Security
  Policies (3 objectives): The entity defines and documents its policies for the security of its system.
  Communications (5 objectives): The entity communicates its defined system security policies to authorized users.
  Procedures (12 objectives): The entity uses procedures to achieve its documented system security objectives in accordance with its defined policies.
  Monitoring (3 objectives): The entity monitors the system and takes action to maintain compliance with its defined system security policies.

Availability
  Policies (3 objectives): The entity defines and documents its policies for the availability of its system.
  Communications (5 objectives): The entity communicates the defined system availability policies to authorized users.
  Procedures (15 objectives): The entity uses procedures to achieve its documented system availability objectives in accordance with its defined policies.
  Monitoring (3 objectives): The entity monitors the system and takes action to maintain compliance with its defined system availability policies.

Processing Integrity
  Policies (3 objectives): The entity defines and documents its policies for the processing integrity of its system.
  Communications (5 objectives): The entity communicates its documented system processing integrity policies to authorized users.
  Procedures (19 objectives): The entity uses procedures to achieve its documented system processing integrity objectives in accordance with its defined policies.
  Monitoring (3 objectives): The entity monitors the system and takes action to maintain compliance with the defined system processing integrity policies.

Confidentiality
  Policies (3 objectives): The entity defines and documents its policies related to the protection of confidential information.
  Communications (5 objectives): The entity communicates its defined policies related to the protection of confidential information to internal and external users.
  Procedures (15 objectives): The entity uses procedures to achieve its documented confidentiality objectives in accordance with its defined policies.
  Monitoring (3 objectives): The entity monitors the system and takes action to maintain compliance with its defined confidentiality policies.

Privacy
  Policies and Communications (14 objectives): The entity uses privacy policies that convey management's intent, objectives, requirements, responsibilities and/or standards. The entity communicates to individuals, internal personnel and third parties about its privacy notice and its commitments therein and other relevant information.
  Procedures and Controls (42 objectives): The entity uses procedures and controls to achieve its privacy objectives.

Source: AICPA/CICA Trust Services principles and criteria.
Compliance Costs Growing

Meeting the requirements of section 404 of the Sarbanes-Oxley Act of 2002 will cost public companies an average 62% more than first anticipated. The increase stems from a 109% rise in internal costs, a 42% jump in external costs and a 40% increase in the fees charged by external auditors. Source: Financial Executives International, www.fei.org, 2004 survey.

PRACTICAL TIPS TO REMEMBER

* The commonly used COSO internal control framework does not provide specific criteria for IT controls, so it may be necessary to turn to a supplemental framework such as the AICPA/CICA Trust Services framework to ensure that the systems a company uses are reliable.
* Establish a process that allows the overall assessment of internal controls under the COSO framework to defer to Trust Services for a more detailed evaluation of the IT systems the company uses to support and create the financial reports.
* When using the Trust Services framework, create an overall IT control matrix to assess controls that cross systems and other individual matrices for each system that relates to financial reporting.

AICPA RESOURCES

* The AICPA/CICA Trust Services Principles and Criteria (Framework), www.aicpa.org/trustservices.
* The AICPA/CICA Privacy Framework, www.aicpa.org/privacy.

Books
* Trust Services: Understanding and Implementing Trust Services (# 056520).
* Privacy Matters: An Introduction to Personal Information Protection (# 056590JA).
* Understanding and Implementing Privacy Services: A CPA's Resource (# 056509JA).

CPE
* Privacy Issues for Businesses ... Whose Information Is It Anyway? CD-ROM (# 780005JA).

For more information or to place an order, go to www.cpa2biz.com or call the AICPA at 888-777-7077.

* IdentiRISK for Trust Services Privacy Principles and Criteria (# 103104). For more information or to place an order, go to www.identirisk.com/x/aicpa or call 866-433-7475.

MARTIN J. COE, CPA, CISA, CISM, is an assistant professor of accountancy at Western Illinois University. His e-mail address is MJ-Coe@wiu.edu.