The purpose of internal controls is to identify, manage and control risks that could prevent the organization from achieving its objectives. The information technology (IT) function designs, develops, implements and maintains much of an organization’s business processes. Their attitudes toward risk and internal control are a major factor in the internal control environment of any organization.
This article discusses the importance of IT to the internal control environment and describes aspects of information technology professional culture that influence IT’s perception of its role with respect to financial controls. This perception of their role has implications for the internal control environment and may be inimical to compliance with the Sarbanes-Oxley Act or shortly known as SOX. This topic is particularly important in light of Sarbanes-Oxley initiatives in progress at most publicly traded and many non-publicly traded companies.
Internal controls of business organizations are receiving unprecedented attention as firms rush to comply with the Sarbanes-Oxley Act. Two provisions of the Act relate to internal controls. Section 302 requires both the CEO and CFO of a publicly traded company to certify that the organization has established and maintains an effective system of internal control. Section 404 requires the organization’s auditor to provide assurance on management’s assessment of internal control. This provision has been operationalized in the first Standard issued by the Public Companies Accounting Oversight Board (PCAOB), PCAOB Auditing Standard Number
2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.
Attitudes and risk awareness of the IT function are crucial to compliance with the internal control requirements of Sarbanes-Oxley. IT is responsible for designing, implementing and maintaining many of the controls over an organization’s business processes and has a critical role in collecting, processing and storing transaction data that is summarized and reported in financial statements. In a discussion document on IT controls and Sarbanes-Oxley issued by the Information Systems Audit and Control Foundation (ISCAF) (2003), several comments are made on the importance of IT:
“…IT professionals, especially those in executive positions, need to be well versed in internal control theory and practice to meet the requirements of the Act” (p. 2)
“IT . . . systems are deeply integrated in financial transactions . . . and inextricably linked to the overall financial reporting process.” (p. 6)
“IT is very important to internal control over financial reporting.” (p. 29)
Many of the internal controls over financial data are incorporated in computer programs, processes, and procedures that are written, implemented and maintained by the IT function. Corporate assets can be transferred and liabilities incurred through transactions initiated without human action by computerized processes. Securities transactions, purchases of materials, and wire transfers are routinely initiated by computer processes and consummated within computer processes residing within external entities. The degree of automation can be such that human activity is limited to promulgating policies and rules, and, reviewing results.
IT Culture and Risk
Culture is defined as the shared values, beliefs and assumptions of a people or group. Discussions of organizational culture are not uncommon in popular business magazines and newspapers. The concept of a professional culture is likewise well accepted. It is not difficult to think in terms of the professional culture of engineers, social workers and lawyers. The information technology profession has a culture that can influence a firm’s internal control environment.
Information technology culture affects the control environment on two levels. First, IT culture affects the environment through the manifestation of culture at the individual level. The performance of routine and non-routine tasks is influenced by IT practitioners’ shared culture. Second, business literature is replete with examples of intra organizational conflict that arises from cultural differences between the IT function and other functional areas.
The IT practitioner’s attitudes toward risk and internal control should not be a surprise. With the exception of IT professionals holding degrees in accounting, few information technology practitioners are formally trained in financial control concepts (e.g., ISACF, 2003). At the undergraduate level, those with degrees in accounting or accounting information systems have usually covered financial controls in their curricula. IT practitioners with other business degrees, including management information systems (MIS) majors, receive limited coverage of financial controls concepts in first-year accounting courses and incidental coverage in other business courses. Computer science (CS) majors are much less likely to have received any formal training in internal control as it relates to business processes, although some may have taken electives in computer security. And those with other majors or without college degrees are unlikely to have received any training in internal controls.
Surprisingly, individuals with MBA degrees or master’s degrees in information systems are also likely to not have any significant training in financial controls unless they obtained an accounting or AIS concentration. While MBAs usually are familiar with business processes, their training in internal controls is not much different than undergraduate business students. Thinking often applies to IT workers’ perception of internal controls, with detrimental results.
IT environmental dynamism and risk
One element of risk that an organization faces is the stability of the environment in which it operates. Moore’s Law[1] holds that computer processing power doubles every 18 months. The exponentially increasing power of computers and rapid growth of the Internet have resulted in a highly dynamic information technology environment. This environmental dynamism in the IT environment has significant implications for the internal control environment.
Technological advances in computing have added new and important ways that computer systems support and implement business processes. However, new computer technologies often have unanticipated risks associated with them that could affect the integrity of financial reports.
A technology change with profound implications for internal control over IT systems involved in financial reporting has been the gradual shift from the “legacy” mainframe environment to the distributed client-server network environment using servers and PCs. The centralized mainframe environment is tightly controlled. Unlike most of the new and emerging technologies, the internal controls and security features found on mainframes have evolved over four decades. Access to files and programs is tightly controlled and managed. Audit trails and logs are liberally dispersed throughout the operating system. Elaborate scheduling software ensures that programs are executed when properly authorized and in the correct sequence, and that the correct input files are used. Change control software protects the integrity of production application libraries by restricting changes to production applications to those for which all required approvals have been obtained and testing completed.
[1] Moore’s Law actually states that the number of transistors that can fit on a given size of silicon will double every eighteen months. The number of transistors is a rough approximation of computing power.
CAclubindia
