Many CEOs are aware that achieving Sarbanes-Oxley (SOX) compliance means they must consider the interrelated nature of accounting and information technology internal controls.
However, if CEOs take a deeper dive into the compliance pool, they may find that the company’s policies and procedures, which are meticulously described on paper, don’t actually mirror the firm’s IT control processes that are enforced by the system.
Lee Barken, IT practice leader for Haskell & White LLP, says that user access controls are just one area that might need a review. As an example, Barken says that sometimes when he inquires about the company’s purchase authorization limit for employees, he discovers that the IT system will accept purchase requests for far greater amounts than what is specified in the company policy.
With no carry-through of the company’s policies into the IT control systems, a breakdown in controls can occur. User access controls are just one area that CEOs should be aware of when it comes to tightening internal control processes.
“CEOs can no longer just focus on dollars and cents at audit time,” says Barken. “They must also think about zeros and ones when they set up and review their internal controls.”
Smart Business spoke with Barken about the steps CEOs should take to avoid weak IT control processes and audit problems.
How can CEOs assure that company policies are reflected in the IT system and control processes?
First, check your software configurations and run numerous tests of the system to see if the company’s policies match the system. For example, if you have a company policy that only allows certain users the authority to approve purchases up to $100,000, log in as one of those users and see if the system will let you approve a purchase order for $100,001.
Second, make sure all of your control processes and your tests are thoroughly documented. Many chief information officers do a lot of things right, but they fail to document, and inquiry alone does not constitute a test of a control process. When the auditors arrive, they will want to see evidence that is documented.
Last, role-play some of the worst-case scenarios to make certain you’ll be ready come audit time. For example, what happens if our CIO wins the lottery and disappears to a Caribbean island? Do we have policies and procedures documented? Will we have the proper documentation of the control tests and the results to provide the auditors?
Is testing and documentation of the company’s data backup system required for an audit?
Having a clearly defined data backup policy is a vital control process because data loss can happen at any time, without warning, as a result of anything from a power loss to a natural disaster or even a simple mistake like someone accidentally deleting the wrong file. We learned a number of these lessons following Katrina and Sept. 11, so now auditors ask companies to provide evidence that the company will be able to continue after an unplanned service interruption.
Data should be frequently backed up and the tapes should be stored off-premises as part of the control process. While the tapes are awaiting transfer, they should be stored in a secure and fire-resistant location. Keep a log that documents when backups are made and transferred and, on occasion, run a test of the restore process and document the results to demonstrate that you can restore the company to operating mode quickly. If you are storing tapes off-site, be certain to encrypt them, especially if they contain sensitive information, such as social security numbers or credit card information.
What type of network security documentation should be maintained for audit purposes?
Devices called firewalls control what information is allowed in and out of the company through the network. Firewall parameters should be established and tested in accordance with the company policies and procedures around information security.
With more wireless access to networks, how should control processes be established and documented for audit purposes?
Our traditional methods for securing the company’s buildings and the information they house, like door locks and security cards, all go out the window when companies add wireless access to their networks. Think of encryption as the keys and access cards to your wireless network. Create a company policy about who can access the information and make certain that the data is properly encrypted with the appropriate encryption for wireless networks.
LEE BARKEN is the IT practice leader for Haskell & White LLP. Reach him at (949) 450-6200 or firstname.lastname@example.org.