In that vast expanse that still divides the concerns of the CFO and CIO, new efforts to combine the challenges of financial reporting and IT management are emerging—bringing hope that the distance between those two officers is slowly getting shorter.

In December, the IT Governance Institute issued version 4.0 of its IT framework commonly known as COBIT, short for “Control Objectives for Information and related Technology.” The new version specifically aims to bring the framework up to date with internal control reporting and other requirements associated with Sarbanes-Oxley.

COBIT is one of several IT frameworks that companies now use in tandem with the control framework established by the Commission of Sponsoring Organizations of the Treadway Commission. That COSO framework has been endorsed by regulators and widely adopted by public companies for complying with Section 404 of Sarbanes-Oxley.

Taken together, experts say, the two frameworks can provide executives with a holistic, high-level view of all controls. That could prove vital to sustainable enterprise risk management programs, not to mention the new "risk-based, top-down" approach to SOX 404 being advocated by the Securities and Exchange Commission and the Public Company Accounting Oversight Board.

Out Of The GAIT

COSO's Internal Control—Integrated Framework was codified in the early 1990s to address a company's internal control over financial reporting. In October 2004, the organization released a final version of its highly anticipated ERM framework.

But while the frameworks address accounting controls and procedures, they have taken heat for providing little guidance on the role of IT in assuring sound financial reporting. SOX 404, which requires companies to report on their internal control over financial reporting, also obliges them to express some confidence in the IT systems that carry that data. The COBIT framework was designed to address the IT controls that make sound financial reporting possible.

While COBIT was recently spruced up to align it with financial reporting requirements, another initiative also seeks to bridge the gap between finance and IT. The Institute of Internal Auditors is developing a document called the Generally Accepted IT Principles, to help auditors grasp the language of IT so they can better evaluate and manage the risks associated with internal controls.

Gene Kim, chief technology officer of auditing-software maker Tripwire Inc., says the GAIT project is intended to create an “IT dictionary” for finance and audit professionals. “The goal is to bring together the best minds in internal audit, external audit and IT, and say, ‘We all know what we want, so how do we get there?’ ” he says. “GAIT is giving names to IT. Language is a big problem.”

Without COBIT, Kim says, COSO is “like Mr. Circle living in Flatland, trying to understand a cone.” Finance executives don’t have the terminology or the comprehension of IT issues, he says, to understand how IT relates to COSO.

Whatever help the GAIT document may provide, companies must still cope with the reality that COSO and COBIT—or any other IT framework for that matter—are not a direct fit. Richard Gibbons, a financial services consultant with Qumas, a maker of compliance software, warns that “there isn't a one-to-one relationship between the five COSO control components and the four COBIT objective domains.”

Instead, Gibbons says, other IT frameworks fill important gaps, such as the IT Infrastructure Library and the Capability Maturity Model Integrated. Yet another is ISO 17799, a standard for computer security that is enjoying new popularity.

“These are emerging as alternatives to achieving compliance, through facilitating the adoption of their mature, effective processes on which to impose the COSO control framework,” Gibbons says. Their adoption “is increasing rapidly, driven by compliance concerns.”

Heriot Prentice, the IIA’s director of technology practices, notes that while the Securities and Exchange Commission suggests companies use the COSO framework for Sarbanes compliance, both the SEC and the Public Company Accounting Oversight Board are silent on a framework for IT controls. “As a result, most companies tend to pair COSO with the framework of their choice,” he says.

The IT Governance Institute recently published survey results showing that COBIT is in use by only about 10 percent of the IT population so far, but the group also concluded that most IT users “are aware of the many problems inherent in the use of IT and the need to do something about them.” The ITGI added: “An even larger part of the IT user community recognizes IT governance as a solution to these problems, or as a practice they should undertake.”

Enter Section 404, With Headaches

Sarbanes-Oxley can claim at least some credit for focusing attention on the gap between finance and IT controls, experts say, but the pace of change is causing heads to spin.

“This stuff is changing so fast,” said Corey Ferengul, senior vice president at software firm Infogix. “And it’s so confusing, even to people who work with it.” Ferengul said he attended an information systems conference recently and heard a lengthy debate over the definition of a control—a term one might have expected to be commonly understood. “Six months ago, the best minds in IT said you had to separate risk from control,” he said. “Now they’re laughing and saying why would you separate them?”

Lee Dittmar, national leader of the enterprise governance practice for Deloitte Consulting, said Section 404 has been the “bright light” that has forced companies to look at things they’ve been ignoring for years, namely the complexity of the systems that have been implemented in piecemeal fashion as technology has evolved and demand for information has grown.

In the meandering, 40-year journey from “data processing” to “information technology,” Dittmar says, the focus on “information” has gotten lost in the shuffle. Instead, IT projects focused on automating transactions, creating “giant transaction machines, but you couldn’t get any information out of them.”

Finance executives have long acknowledged the inefficiency of having multiple systems that don’t relate to one another—the kinds that create “spaghetti diagrams” when mapped onto an organizational chart, Dittmar quips. But bigger barriers have been high cost in an era of tight IT budgets, plus an IT “credibility problem” thanks to disappointing results from prior investments, he says.

Now Section 404 is forcing companies to look at their systems and the relationship between IT and finance all over again. “If you’ve got five different systems for accounts payable, that’s five sets of controls to document, test and audit,” he says. “So now compliance costs five times what it should.”

Still, the tide is beginning to shift, Dittmar says. He’s working with one company preparing to replace 900 different systems across its global operations with a single application. The organization is starting from scratch, asking what information it needs to operate, and building a system that provides the right information within various governance requirements.

Such an approach, Dittmar says, means that one project will address multiple needs. “Compliance is a byproduct of good controls and process,” he says. “The focus is on information quality. Enterprise risk management is hot now, but to manage your risk, you need information. Performance management and SOX are all about information.” Dittmar believes poor information is even at the heart of the record number of restatements filed in 2005.

Gibbons cites market predictions saying one-third to one-half of public companies will face process-related risk and compliance issues in 2006, and many will find that they have real control weaknesses within their infrastructures. “Companies need to focus on ways to achieve increasingly efficient, sustainable compliance,” he says. “However, controlling people, processes, and systems comes with multiple challenges—which, in turn, create roadblocks to sustaining compliance over time.”

As the transition continues, however, filing deadlines still must be met. Ferengul says employees in the corporate trenches are working feverishly to keep pace with change and still meet immediate information and compliance needs. “You can attend classes and read the documents, but who has time for all that when you’re on fire?” he says. “It takes time to learn stuff. It’s tough to keep the standards (between IT and finance requirements) compatible.”