Wednesday, May 11, 2005

IIA Cost/Benefit Analysis

Nice cost/benefit analysis of what SOX 404 compliance actually brings to an organization. I find it particularly stunning that there still appears to be controversy over who should own IT controls.


The process owners are not “control experts,” but they are an integral part of the control system. Process owners also have an obligation to ensure that the processes under their control are efficient — and rightly, or wrongly, they often believe that “controls” create unnecessary work and slow down the underlying processes, or at a minimum add unnecessary overhead. Controllers (and auditors) are generally the control experts within the organization. However, they usually do not have the authority to mandate controls, and more important, they are not part of the system that ensures that employees are motivated to comply with control requirements or follow control procedures. That is management’s job.
......

What is surprising is the percentage of companies planning to have internal audit responsible for maintaining controls documentation (23%) or for overall ownership of the evaluation process (28%) — areas generally viewed as the clear responsibility of management: the controller, a compliance manager, and/or the business process owners.


If controls are not built into the organization's DNA, we can count on a corrupted control environment. If I as a manager don't know my controls like the back of my hand, I'm not going to recognize when the project of the week is putting them in jeopardy, or when my documentation needs to be modified.

Another point of the analysis was the uncertainty companies faced throughout 2004. Shoot, there's uncertainty now! The fact that auditing firms continue to treat SOX as a binary process -- an application is either in scope or out of scope -- and to weight all process controls equally makes no sense to an organization trying to take a holistic view of risk mitigation on financial reporting.

The one flaw I saw in this document was that benefits were not quantified, whereas everyone knows what the costs are. If my benefits consist of a better control environment, WHY DO I CARE? Auditors and SOX control experts should spend more time communicating the inherent benefits of our activities, and keeping our eye on the bigger picture of making the company stronger through better availability, security, integrity and on and on....

3 Comments:

Blogger Coney Island Girl said...

The controversy is unclear -- is it controversial that the companies are choosing to have the internal auditor team control the documentation -- instead of the business process owner? It would be much easier for the business process owner to own the control documentation; but the internal auditor teams should be the experts on helping craft appropriate controls that can be maneuvered through the relevant test periods. A business process owner is more likely to make a change in the process too late in the day to follow through with the appropriate testing methods.

10:35 PM

 
Blogger Jennifer Tharp said...

The internal auditor is the ideal person to help out with providing a framework, and identifying control gaps. After that, the business process owner should be responsible for coming up with the appropriate approach for resolving that gap, and validating that approach with the internal auditor to ensure that it adequately covers the control. But the control should be designed and owned by the business process owner. Otherwise you run the risk that a control, adapted from another environment, may turn out to be burdensome or awkward in another company's processes and structure.

Also, my personal experience is that when a business owner sees the control documentation as "the auditor's thing," controls are never truly owned, so changes to the control environment are not adequately recognized.

1:17 PM

 
Blogger Coney Island Girl said...

I definitely agree that the design and ownership should be from the business process owner, but the documentation should be kept by a different function. (Yes! More corporate bureaucracy!)

On the SOX financial side, I've seen truly burdensome controls over minor details (controls, unfortunately done by the manager and not the actual process owner). And these controls just won't prevent the things SOX is really after. We joke about the company going down because the revenue accountant forgot to date his sign off on one of a thousand journal entries...

Yet (and I realize I'm forcing a quibble on semantics here) I do think there are benefits to having actual control of the documentation (the documentation, not the process) sit outside of the relevant function -- otherwise, the business process change will be made in documentation without cross check or reviewing global impact, etc. From my experience, the SOX controls for the most part are really only asking the company to be compliant with their own internal, identified process -- not even to fix obvious, missing gaps.
And most of the controls are just things the company should have been doing anyway -- and that's the weird thing. The corporate world now forgets history even faster than the rest of the world and is doomed to repeat mistakes.

3:57 PM
