
AICPA Top Technologies 2006—Assurance and Compliance Applications
"Reprinted with permission from AICPA InfoTech Update newsletter, a benefit of the AICPA InfoTech membership section."

Dan Schroeder, CPA, CITP, CISA, CIA
Technology Risk Services

Assurance and Compliance Applications: "Collaboration and compliance tools that enable various stakeholders to monitor, document, assess, test and report on compliance with specified controls."

New this year to the Top 10 Technologies List, this topic's emergence reflects a powerful movement by accounting technology professionals to apply process management principles and technology to drive significant improvements to the activities associated with executing and documenting Sections 302 and 404 of the Sarbanes-Oxley Act of 2002.

Early approaches to SOX compliance were frequently inefficient, expensive and disruptive. SOX filers quickly recognized that to make compliance efficient and sustainable, they needed to institutionalize the management of SOX control functions. Moreover, public registrants and other organizations have also come to recognize that while SOX is critically important, it is just one element of an effective approach to corporate governance. In effect, SOX is intertwined with an organization's broader enterprise risk management (ERM) considerations, including:

  • Operations risk management;
  • Compliance with industry regulations and guidance, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), GLBA (Gramm-Leach-Bliley Financial Services Modernization Act of 1999), and FFIEC (Federal Financial Institutions Examination Council) guidance; and
  • Information technology governance.

Accordingly, SEC registrants are increasingly approaching SOX compliance as an element of a broader initiative to institutionalize ERM. In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Enterprise Risk Management – Integrated Framework. COSO defines ERM as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Developers of compliance-related software have been quick to respond to the need to streamline the SOX compliance process and to extend that functionality to encompass ERM. Here are some common enabling characteristics of the ERM compliance software that is emerging:

Key enabling characteristics (with description and examples):

Common platform
ERM software is emerging as a comprehensive repository for the definition of risks, control definitions, testing activities, test results and mitigation activities. Risk definitions and associated controls encompass financial reporting, operations management, and statutory and industry-specific requirements (e.g., FFIEC, HIPAA, GLBA, SOX). ERM solutions are becoming a standard part of the corporate network, much like ERP, with defined responsibilities and associated access privileges.

Organizational and process structure
ERM software enables the complete mapping of the organization structure (including operating divisions, regions, departments and cost centers) and the association of business processes with those organizational elements.

Roles and responsibilities
Controls and compliance involve ownership and accountability. ERM software enables companies to deploy compliance requirements throughout the company. For example, SOX Section 302 requires quarterly and annual certification statements from CEOs and CFOs. An effectively designed and deployed ERM solution enables the CEO to monitor the status of all controls throughout the organization at any time. It also supports sub-certification, where business unit heads and process owners submit their certifications to the next level up in the company.

Continuous monitoring of risks and controls
ERM software enables companies to test controls throughout the year, following an organized approach that reflects the risk and frequency of each control activity. ERM software often integrates with ERP (and other) applications to automatically monitor activities using predefined rules and reporting parameters (e.g., automatically identify disbursements over $xxx for testing).

Deployment of ownership and accountability for effectiveness of controls
SOX filers are seeking to minimize their dependency on consulting firms for developing controls and conducting management's assessment. They are working aggressively to lower audit fees, which spiked as a result of the increased burden audit firms bore under their SOX responsibilities. Example: sub-certification linkage for Section 302 reporting to business unit management and functional process owners.

Embedded workflow
Deploying workflow into ERM means the automated assignment of testing and validation requirements to individuals and roles, coupled with predefined and automated routines for notifications, alerts and exception reporting.

Integration with corporate messaging system(s)
An important underlying function for workflow and automated reporting is the ability to integrate with corporate messaging systems such as Microsoft Outlook, so reminders, exception notices and other reports can be sent automatically to auditors, evaluators, process owners and executives.

Integration with corporate document or content management systems (DMS)
SOX filers and others enacting aspects of corporate governance are increasingly deploying formal change control over policies and procedures, and formal retention over compliance records. Integration of ERM with DMS helps to ensure that policies and procedures are linked to process definitions, control test requirements and test results. The DMS can also serve as a repository for test results and supporting workpapers to fulfill both internal and regulatory requirements.
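The rule-driven monitoring described above (predefined rules run against ERP disbursement records, with exceptions routed to the accountable process owner for the workflow layer) as an added Python example; this is not code from the article or from any product it describes. The record layout, the two rule identifiers, the duplicate-payment rule and the 10,000 threshold are assumptions standing in for an ERM tool's own configuration (the article leaves the threshold as "$xxx"), and the disbursement records are constructed sample data.

```python
"""Rule-based continuous monitoring of ERP disbursements (added example).

Record layout, rule names, the duplicate-payment rule and the threshold
are assumptions; the sample records are constructed, not a real extract.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Disbursement:
    doc_id: str
    vendor: str
    invoice: str
    amount: float
    owner: str  # process owner accountable for this control (assumed field)


@dataclass(frozen=True)
class ControlException:
    rule: str
    doc_id: str
    owner: str
    detail: str


# Reporting parameter held by the ERM tool (assumed value).
THRESHOLD = 10_000.00

# Constructed sample data, not a real ledger extract.
SAMPLE = [
    Disbursement("D1001", "ACME Supplies", "INV-7781", 2_500.00, "ap-east"),
    Disbursement("D1002", "ACME Supplies", "INV-7781", 2_500.00, "ap-east"),
    Disbursement("D1003", "Globex Consulting", "INV-0042", 48_000.00, "ap-west"),
    Disbursement("D1004", "Initech", "INV-1138", 10_000.00, "ap-west"),
    Disbursement("D1005", "Initech", "INV-1139", 9_999.99, "ap-west"),
]


def over_threshold(records, threshold=THRESHOLD):
    """Flag disbursements strictly above the threshold ("over $xxx").

    D1004 sits exactly on the limit and is deliberately not flagged;
    the boundary must be stated in the rule, not left to the tester.
    """
    return [
        ControlException("DISB-01 over threshold", r.doc_id, r.owner,
                         f"{r.amount:,.2f} > {threshold:,.2f}")
        for r in records if r.amount > threshold
    ]


def duplicate_payment(records):
    """Flag any later disbursement matching an earlier one on vendor,
    invoice and amount (a hypothetical second predefined rule)."""
    seen: dict[tuple, str] = {}
    found = []
    for r in records:
        key = (r.vendor, r.invoice, r.amount)
        if key in seen:
            found.append(ControlException("DISB-02 duplicate payment",
                                          r.doc_id, r.owner,
                                          f"matches {seen[key]}"))
        else:
            seen[key] = r.doc_id
    return found


# The predefined rule set the monitoring run executes.
RULES: list[Callable] = [over_threshold, duplicate_payment]


def run_rules(records, rules=RULES):
    """Run every predefined rule over the extract and collect exceptions."""
    exceptions = []
    for rule in rules:
        exceptions.extend(rule(records))
    return exceptions


def exception_report(exceptions):
    """Group exceptions by process owner so the workflow layer can send
    one notification per owner rather than one per exception."""
    by_owner = defaultdict(list)
    for e in exceptions:
        by_owner[e.owner].append(e)
    return dict(by_owner)


if __name__ == "__main__":
    for owner, items in exception_report(run_rules(SAMPLE)).items():
        print(owner)
        for e in items:
            print(f"  {e.rule}: {e.doc_id} ({e.detail})")
```

Running the module prints two exceptions routed to two owners: the 48,000.00 payment to ap-west under DISB-01 and the repeated ACME invoice to ap-east under DISB-02. Each rule is a plain function over the extract, so adding a control test means adding a function to RULES, and the owner field on each record is what lets the same run feed the sub-certification chain described under roles and responsibilities.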

The COSO 2004 ERM Integrated Framework outlined six concepts that are fundamental to the deployment of ERM:

  1. ERM is a process, ongoing and flowing through an entity.
  2. ERM is effected by people at every level of an organization.
  3. ERM is applied in strategy setting.
  4. ERM is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk.
  5. ERM is designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite.
  6. ERM is a method to provide reasonable assurance to an entity's management and board of directors (relative to the design and effectiveness of risk management activities).

Effectively deploying SOX and ERM compliance is complicated, and doing so cost-effectively is a significant challenge. Through the use of the process and technology concepts outlined above, companies are increasingly finding it feasible and beneficial to deploy SOX and broader ERM compliance programs.

About the Author: Dan Schroeder, CPA, CITP, CISA, CIA, is the Officer in charge of the Technology Risk Services practice at Amper, Politziner & Mattia, P.C. Dan manages IT and corporate governance initiatives with clients in several industries, including financial services, healthcare, pharmaceuticals and consumer products. Contact him at dschroeder@amper.com.

AICPA's Top Technologies 2006 is a project of the AICPA's Information Technology (IT) Membership Section, and led by the IT Executive Committee and CITP Credential Committee. For more information on the AICPA's technology initiatives, including Top Technologies, the CITP Credential and the IT Membership Section, visit http://www.aicpa.org/infotech. Any hardware or software products mentioned do not in any way represent an endorsement by the Institute or Section.
