EXECUTIVE SUMMARY

SARBANES-OXLEY REQUIRES MANAGEMENT to include an assessment of internal controls over financial reporting, using a suitable framework, in the annual report. While a number of frameworks are available, some do not adequately assess technology controls.

SEC RULES SAY MANAGEMENT MUST BASE its evaluation of the effectiveness of internal controls over financial reporting on a recognized control framework issued by a group that followed due-process procedures. The framework must be free from bias, complete and relevant to the task at hand, and must permit consistent quantitative and qualitative measurements.

SEVERAL GROUPS, INCLUDING COSO, COBIT and AICPA/CICA Trust Services, have issued frameworks CPAs can use to evaluate internal controls, particularly controls over a system's IT aspects. In a survey of CEOs and CFOs, 28.4% said they used a model other than COSO to assess the effectiveness of their IT internal control structure.

A FIVE-STEP PROCESS ENABLES CPAs to use the Trust Services framework in conjunction with the COSO framework to evaluate the IT control aspects of the required internal control assessment. The process defers to Trust Services for a more detailed assessment of whether the IT systems used to support and create the financial reports are reliable.
MARTIN J. COE, CPA, CISA, CISM, is an assistant professor of accountancy at Western Illinois University, Moline, and a practicing information technology auditor. His e-mail address is MJ-Coe@wiu.edu.
It would be an understatement to say the Sarbanes-Oxley Act of 2002 has had a significant impact on every CPA working for or auditing a public company. Among other things, Sarbanes-Oxley requires management to include an internal control assessment using a suitable framework in the company's annual report. But how exactly are companies performing the required assessment?
This has been a hot topic for professional associations such as the AICPA, the Institute of Management Accountants and the Institute of Internal Auditors. In response the AICPA created an ad hoc task force to address management's responsibility under section 404 of Sarbanes-Oxley. The task force assembled a list of key issues, including the act's requirement to use suitable criteria for an effective internal control system.
This article explains how I use the AICPA/CICA Trust Services framework in my work as an information systems auditor to evaluate internal controls, particularly controls over information technology. CFOs, internal audit executives and financial managers as well as external auditors will see how the framework can supplement some commonly used measures that do a good job of assessing overall controls but don't focus on technology controls.
Compliance Costs Growing

Meeting the requirements of section 404 of the Sarbanes-Oxley Act of 2002 will cost public companies an average 62% more than first anticipated. The increase stems from a 109% rise in internal costs, a 42% jump in external costs and a 40% increase in the fees charged by external auditors.

Source: Financial Executives International, www.fei.org, 2004 survey.
INTERNAL CONTROL ASSESSMENT
Section 404 requires public companies to include in their annual reports an assessment by management of their internal controls over financial reporting. This includes a statement of management's responsibility for establishing and maintaining adequate internal control, an assessment of the effectiveness of those controls as of the end of the most recent fiscal year, a statement identifying the framework that was used to evaluate those controls and a statement that the external auditor issued an attestation report on management's internal control assessment.
The final SEC rules say
management must base its internal control
evaluation on a suitable, recognized control
framework established by a body or group that
followed due-process procedures. The rules do not
mandate the use of a particular framework but say
a suitable one must
Be free of bias.
Permit reasonably consistent
qualitative and quantitative measurements.
Include all relevant factors that
might alter a conclusion about the effectiveness
of the internal controls.
Be relevant to an evaluation of
internal control over financial reporting.
As a practicing information
systems auditor charged with preparing the IT
control aspects of the required internal control
assessment, my search for an appropriate model
uncovered three suitable ones:
COSO
(www.coso.org).
The framework issued by the Committee of
Sponsoring Organizations of the Treadway
Commission (COSO) satisfies the SEC criteria.
Companies may use it to meet management's annual internal control evaluation and disclosure
requirements. The COSO framework defines internal
control, describes its components and provides
criteria against which CPAs can evaluate control
systems. However, since COSO does not provide
specific criteria for IT controls, some companies
may find a supplemental framework necessary.
COBIT (www.isaca.org). The Information Systems Audit and Control Foundation developed Control Objectives for Information and related Technology (COBIT). Its objective is a generally applicable and accepted standard for IT security and control practices that provides a reference framework for management, users, auditors and security practitioners.
Trust Services (www.aicpa.org/trustservices). The foundation of the AICPA/CICA Trust Services framework is a set of principles and criteria CPAs can use to assess the reliability of a company's IT systems. The criteria constitute professional guidance and also serve as best practices for system reliability.
INFORMATION
TECHNOLOGY CONTROLS
Because companies
rely heavily on technology, the criteria they use
to assess the effectiveness of their IT-related
controls are particularly important. While COSO
addresses the topic of IT general controls, it
does not dictate requirements for control
objectives and related activities. Indeed, the
audit standards issued by the Public Company
Accounting Oversight Board highlight the
importance of IT general controls but do not
specify which in particular a company must
include. Thus, to meet the requirements of
section 404, IT management and auditors need a
specific IT control framework.
When I asked companies whose CEOs and CFOs are required to file sworn statements with the SEC which framework they used, 28.4% said they used a model other than COSO (exhibit 1). In evaluating models I first turned to COBIT because I had used it in the past and it was well-received by clients. Now in its third edition, COBIT is increasingly accepted as good practice for control over IT and related risks. It's a robust framework, comprising 4 domains, 34 IT processes and 318 detailed control objectives. It's a comprehensive approach for managing risk and control of IT, explaining how IT processes deliver the information a business needs to achieve its objectives.
Exhibit 1: Assessing IT Controls

What criteria does your company use to assess the effectiveness of the IT-related internal control structure?

Criteria                               Number of companies   Percentage
COBIT                                                   27        14.2%
Trust Services (formerly SysTrust)                       1         0.5%
COSO                                                   136        71.6%
Combination of the three                                26        13.7%

Respondent base: 190 companies.
One reason companies are using the COBIT framework for Sarbanes-Oxley compliance is that its objectives have been mapped to COSO in a publication entitled IT Control Objectives for Sarbanes-Oxley (available at www.isaca.org). COBIT also has been mapped to popular enterprise resource planning (ERP) systems such as SAP, Oracle and PeopleSoft. This mapping and related guidance provide COBIT framework references and methodologies for auditing and testing the major ERP systems.
While COBIT is an excellent comprehensive framework for assessing IT controls, I was seeking a narrower framework that would complement the overall COSO model many clients were using. To this end, I decided to use Trust Services because of its focus on the controls that are in place to ensure the company's systems carry out business processes reliably.
APPLYING
THE FRAMEWORK
The AICPA and CICA
developed the following Trust Services principles
and related criteria for CPAs to use to perform
consulting engagements, as well as branded
attestation engagements such as SysTrust and
WebTrust.
Security. The
system is protected against unauthorized access,
both physical and logical.
Availability. The
system is available for operation and use as
committed to or agreed upon.
Processing
integrity. System processing is
complete, accurate, timely and authorized.
Confidentiality. Information
designated as confidential is protected as
committed to or agreed.
Privacy. Personal information
is collected, used, retained and disclosed in
conformity with the commitments the entity makes
in its privacy notice and with the AICPA/CICA
Trust Services privacy criteria.
The privacy principles and criteria include 10 components that are essential to the proper protection and management of personal information. They are based on internationally known fair information practices included in the privacy laws and regulations of jurisdictions around the world and on recognized good privacy practices. For each component there are relevant, objective, complete and measurable criteria for evaluating an entity's privacy policies, communications, procedures and controls. There are also illustrations and explanations to enhance understanding of the criteria. For more details on the privacy criteria, go to www.aicpa.org/innovation/baas/ewp/privacy_framework.asp.
The security, availability,
processing integrity and confidentiality
principles and criteria are organized into four
broad areas:
Policies. The
entity has defined and documented its policies
relevant to the particular principle.
Communications. The
entity has communicated its defined policies to
authorized users.
Procedures. The
entity uses procedures to achieve its objectives
in accordance with its defined policies.
Monitoring. The
entity monitors the system and maintains
compliance with its defined policies.
These principles and criteria
include attributes the entity must meet to
demonstrate it has achieved each principle. Trust
Services also provides illustrative controls as
examples of controls the entity might have in
place to conform to the criteria. Alternative and
additional controls also may be appropriate.
CPAs can use the framework's principles and criteria to create a detailed analysis containing control objectives classified into broad categories, as shown in exhibit 2. I found the illustrative controls to be particularly helpful. Keep in mind a large part of the internal control assessment process requires management to say what controls are in place to mitigate a given risk. Trust Services' illustrative controls are detailed enough to help management identify the controls that exist and those that are missing. As an example of how the controls are helpful, consider those provided for one criterion, as shown in exhibit 3.
Exhibit 2: Detailed Control Objectives

Security
   3 objectives   Policies: The entity defines and documents its policies for the security of its system.
   5 objectives   Communications: The entity communicates its defined system security policies to authorized users.
  12 objectives   Procedures: The entity uses procedures to achieve its documented system security objectives in accordance with its defined policies.
   3 objectives   Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.

Availability
   3 objectives   Policies: The entity defines and documents its policies for the availability of its system.
   5 objectives   Communications: The entity communicates the defined system availability policies to authorized users.
  15 objectives   Procedures: The entity uses procedures to achieve its documented system availability objectives in accordance with its defined policies.
   3 objectives   Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system availability policies.

Processing Integrity
   3 objectives   Policies: The entity defines and documents its policies for the processing integrity of its system.
   5 objectives   Communications: The entity communicates its documented system processing integrity policies to authorized users.
  19 objectives   Procedures: The entity uses procedures to achieve its documented system processing integrity objectives in accordance with its defined policies.
   3 objectives   Monitoring: The entity monitors the system and takes action to maintain compliance with the defined system processing integrity policies.

Confidentiality
   3 objectives   Policies: The entity defines and documents its policies related to the protection of confidential information.
   5 objectives   Communications: The entity communicates its defined policies related to the protection of confidential information to internal and external users.
  15 objectives   Procedures: The entity uses procedures to achieve its documented confidentiality objectives in accordance with its defined policies.
   3 objectives   Monitoring: The entity monitors the system and takes action to maintain compliance with its defined confidentiality policies.

Privacy
  14 objectives   Policies and Communications: The entity uses privacy policies that convey management's intent, objectives, requirements, responsibilities and/or standards. The entity communicates to individuals, internal personnel and third parties about its privacy notice and its commitments therein and other relevant information.
  42 objectives   Procedures and Controls: The entity uses procedures and controls to achieve its privacy objectives.

Source: AICPA/CICA Trust Services principles and criteria.
When I provide these examples to IT management, instead of simply asking what controls exist to protect against unauthorized logical access to a particular system, it helps them understand what I'm looking for. The Trust Services framework provides illustrative controls for all criteria (objectives).
Exhibit 3: Sample Trust Services Security Principle Illustrative Controls

Criterion: Procedures exist to protect against unauthorized logical access to the defined system.

Illustrative controls:

1. Log-in sessions are terminated after three unsuccessful log-in attempts. Terminated log-in sessions are logged for follow-up by the security administrator.

2. Virtual private networking (VPN) software is used to permit remote access by authorized users. Users are authenticated by the VPN server through specific client software and user IDs and passwords.

3. Firewalls are used and configured to prevent unauthorized access. Firewall events are logged and reviewed daily by the security administrator.

4. Unneeded network services (for example, telnet, ftp and http) are deactivated on the entity's servers. A listing of the required and authorized services is maintained by the IT department. This list is reviewed by entity management on a routine basis for its appropriateness for the current operating conditions.

5. Intrusion detection systems are used to provide continuous monitoring of the network and early identification of potential security breaches.

6. The entity contracts with third parties to conduct periodic security reviews and vulnerability assessments. Results and recommendations for improvement are reported to management.

Source: AICPA/CICA Trust Services principles and criteria.
FIVE STEPS TO COMPLIANCE
The following
five-step process shows how CPAs can use the
Trust Services framework to evaluate a
companys IT controls when the entity
primarily uses the COSO approach. The first step
uses only COSO, the second and third involve both
COSO and Trust Services, and the last two use
Trust Services only.
1. Use the COSO
framework to identify the risks in each business
cycle and the controls that mitigate them. This
process will include many references to
information systems.
PCAOB Auditing Standard no. 2 says: "Because of the frequency with which management of public companies is expected to use COSO as the framework for the assessment, the directions in the proposed standard are based on the COSO framework. Other suitable frameworks have been published in other countries and likely will be published in the future. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass all of COSO's general themes." Thus, it is important for CPAs to demonstrate how IT controls support the COSO framework.
COSO identifies five internal
control components that must be in place to
achieve financial reporting and disclosure
objectives: control environment, risk assessment,
control activities, information and communication
and monitoring. An organization should have IT
control competency in all components.
2. Gather initial IT information, including a list of all application software the company is using; copies of network maps, security policies and any contingency planning and disaster recovery documents; procedures related to how system changes are made; an explanation of the typical system development lifecycle; and the company's IT organization chart.
Given the pervasive nature of
IT, identifying what needs to be assessed for
Sarbanes-Oxley compliance can be an overwhelming
task. Gathering information that describes the IT
environment, procedures and computer software
helps CPAs understand the big picture so they can
organize their efforts to identify IT controls
for Sarbanes-Oxley compliance. In many cases,
companies already have this initial information
so CPAs can gather it without incurring
additional costs.
3. From the
information gained in the first two steps,
identify all information systems that relate to
financial reporting.
Organizations must understand
how the financial reporting process works and
where technology is critical in supporting it.
This will help CPAs identify key systems and
subsystems that need to be included in the
Sarbanes-Oxley assessment. Include systems that
participate in the initiation, recording,
processing and reporting of financial
information, such as the accounting information
system and all systems that feed source
transaction data to it.
AICPA RESOURCES

The AICPA/CICA Trust Services Principles and Criteria (Framework), www.aicpa.org/trustservices.
The AICPA/CICA Privacy Framework, www.aicpa.org/privacy.

Books
Trust Services: Understanding and Implementing Trust Services (# 056520).
Privacy Matters: An Introduction to Personal Information Protection (# 056590JA).
Understanding and Implementing Privacy Services: A CPA's Resource (# 056509JA).

CPE
Privacy Issues for Businesses: Whose Information Is It Anyway? CD-ROM (# 780005JA). For more information or to place an order, go to www.cpa2biz.com or call the AICPA at 888-777-7077.

IdentiRISK for Trust Services Privacy Principles and Criteria (# 103104). For more information or to place an order, go to www.identirisk.com/x/aicpa or call 866-433-7475.
4.
Use the Trust Services framework to create one
overall IT control matrix, so that you can assess
controls that cross systems, and another matrix
for each system that relates to financial
reporting.
COSO identifies two broad
groupings of information system control
activities that organizations should assess:
General controls apply
to all information systems and support secure and
continuous operation. This category includes
controls that support the quality and integrity
of information and are designed to mitigate the
identified risks. The IT general control
categories the PCAOB set forth are program
development, program changes, computer
operations, and access to programs and data.
Application controls apply
to the business processes they support and are
designed to prevent and detect unauthorized
transactions. When combined with manual controls,
application controls help ensure completeness,
accuracy, authorization and validity of
processing transactions. Organizations should
first identify significant accounts that could
have a material impact on the financial reporting
and disclosure process. Then they should identify
and document application controls relevant to
such accounts.
CPAs can use the Trust Services
framework to create detailed IT control matrices
(usually in the form of spreadsheets) that
contain a row for each of the 58 criteria. CPAs
also should create a control matrix for the
application systems upon which the organization
is relying to achieve financial reporting and
disclosure objectives. This is where the benefit
of using the Trust Services framework is
apparent, because its principles define a
reliable system as one capable of operating
without material error, fault or failure during a
specified period in a specified environment. For
each principle it lists criteria against which
CPAs can evaluate a system.
5. Assess the
controls identified in the matrices created
above. As a general rule there should be an
effective control technique in place for every
control objective that applies to a system.
CPAs can use the detailed
control matrices that contain a row for each of
the Trust Services criteria to form questions
that will determine whether key controls are in
place. The framework is based on the premise that
if system controls operate effectively, the
system itself will perform reliably.
One example is the use of
personal identification numbers to prevent
unauthorized access to a system. An entity may
adopt such a control in its written objectives,
but the control will not achieve its objectives
unless it operates effectively. The Trust
Services framework makes it easier for CPAs to
determine whether the controls over a system
operate effectively during the period covered by
the examination.
These steps allow the COSO
framework to defer to the Trust Services
framework for a more detailed evaluation to
determine whether the IT systems a company uses
to support and create the financial reports are
reliable.
MEETING THE CHALLENGE
Fulfilling the IT
control aspects of the internal control
assessment that Sarbanes-Oxley requires can be a
challenge for CPAs. While each company will need
to decide the framework most appropriate for its
needs, Trust Services is a useful option that
CPAs will find particularly helpful when the
overall framework they use does not pay
sufficient attention to IT issues.