Impact of IT General Control Deficiencies 643



  • A question to the auditors out there, if you please…
    I’d love to hear some hypothetical examples of how deficiencies in ITGC could aggregate to a significant deficiency or (gasp) material weakness in our overall reporting controls.
    Two public firms audit our IT General Controls, one as internal auditors doing control design review and periodic testing of design and execution, the other (one of the bigs) our external auditor.
    The folks doing the internal role tend to dig a lot deeper, and tend to evaluate deficiencies, in terms of severity, on a general ‘temperature’ reading of the control based on its own merit (vulnerability, likelyhood, potential impact, etc.).
    The external folks seem to view ITGC as more of an ‘enabler’, that a single control deficiency in IT in and of itself (even one that seems on the surface to be substantial) is unlikely to be identified as a significant deficiency unless it gains some ‘weight’ when combined with other, related deficiencies (like multiple holes in the dyke). They’ve also indicated that some causation needs to be established between these IT deficiencies and something that actually did happen (something material to the financials), where generally speaking, IT controls are evaluated in a bit different light than other financial controls, where more weight is placed on what could happen as a result of a given deficiency in IT.
    Did that question make sense? I’m trying to figure out exactly what it would really take in terms of ITGC deficiencies, to constitute a significant deficiency, other than a general condition where so many minor deficiencies exist that it indicates a general state of being ‘asleep at the wheel’ in IT, causing reasonable concern that IT would be unable to identify or react to a real problem, which is absolutely not the case with our department - the combined list of management-identified defs and those noted by our external auditors is not very large, nor are many of them more than an occasional execution failure in some control activity, e.g. ‘2 of 45 samples did not have the signature of the janitor’.
    I would really hate to be surprised with a black eye for IT on our management letter this year… any enlightenment is greatlly appreciated.



  • Our auditors made it pretty clear that they would categorize IT issues the same as accounting issues and they would be reported to the board as such, but in their external attestation, they would only bring up issues where an IT gap and a corresponding accounting gap would lead to an overall gap. I can imagine that most auditors will have varying opinions on this, but I think you’re pretty much on target with your thinking.
    Any weaknesses in IT will most certainly be brought to the board, which is a bad thing in and of itself, so your IT management will have to be prepared for that. We found that very regular reporting to the audit committee has made things very smooth. No suprises is a good idea.



  • And just to follow on from HairSOX’s question…
    Would a perfect IT shop (all implemented controls) prevent another Enron?



  • No
    Even with SOX:

    1. Legislation can not stop bad people from doing bad thingslike the threat of prison has not stopped people from killing etc.
    2. Auditors are unlikely to identify every lapse, they will provide opinion’ that the financial statements are fairly presented and after that they will state that the financial statement is responsibility of the company’s management.
    3. Lawyers have managed to be out of the scope and the problems of SOX.
    4. The real culture in many companies says: cover the trails
    5. Some C level executives will always be able to do a lot of creative things and now they will start to learn about offshore companies
    6. Auditors hate computer forensics and business intelligence so these are in fact out of the scope of SOX.


  • I don’t think the full intent of the SOX act is to prevent another enron necessarily. I’m sure it will have the effect of cleaning some ‘at-risk’ companies up, but like lekatis said, making it illegal to break the law won’t stop criminals from being criminals.
    I believe the main purpose behind the act is to get companies thinking about controls and more specifically, ensure that the senior management of a company has an understanding of the controls, so that there can no longer be the ‘I’m just the CEO, I don’t have any idea what happens under me’ defense, because if they try to use it, they have violated the their SEC submissions stating that they understand the controls that are in place and feel that they are adequate, effectively creating a no-win situation for the CEO/CFO (go to jail for doing bad business, or go to jail for lying on your SOX paperwork)
    IT is just swept up in this mix. Companies that had a good handle on IT won’t benefit much from the involvement, but companies that didn’t put the right focus on IT are being ‘helped’ along.



  • I believe the main purpose behind the act is to get companies thinking about controls and more specifically, ensure that the senior management of a company has an understanding of the controls.
    I had an experience regarding this, yesterday at my company…
    The purchasing Lead for the region where my office is, asked if we could be less spesific when documenting the processes as the way it was now we would catch all the undocumented shortcuts.
    I just replied quickly : ‘Well, isn’t this what it is all about? If you want to change the documentation, start to change your process first.’, which offcourse would never be allowed to that extend that he wants it.



  • Confusion wrote: …there can no longer be the ‘I’m just the CEO, I don’t have any idea what happens under me’ defense, because if they try to use it, they have violated the their SEC submissions stating that they understand the controls that are in place and feel that they are adequate, effectively creating a no-win situation for the CEO/CFO (go to jail for doing bad business, or go to jail for lying on your SOX paperwork)
    Could somebody explain to me how thia affected Richard Scrushy (HealthSouth) in Birmigham? Lat’s see how this will affect Ken Lay, Jeff Skilling and/or Richard Causey (Enron) in Houston January next year.



  • %0ACould somebody explain to me how thia affected Richard Scrushy (HealthSouth) in Birmigham? Lat’s see how this will affect Ken Lay, Jeff Skilling and/or Richard Causey (Enron) in Houston January next year. %0AI’m not 100% sure I understand your question, but SOX doesn’t cover any of the cases that you are referring to, because it was not in effect when the alleged crimes were committed. %0ANow, going forward, a CEO is going to have very little wiggle room because he is swearing under penalty of law that he believes the controls of the company are adequate, so if something bad happens, the CEO was either a knowing accomplice to the crime, or he was negligent in his SOX duties of ensure adequate controls, either way, he can go to jail.



  • I stand corrected. Scruchy was bound by SOX and found not guilty. That certainly does make things more interesting, but from what I can tell of the case, I don’t think it’s necessarily a reflection on the strength of the law.


Log in to reply