Protiviti Misguides on IT Key Controls and SOX

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


It is very unfortunate that Protiviti, who was one of the leaders and great contributors to the development of IIA guidance on IT General Controls and SOX, has gone so wrong in their Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition).

The IIA guidance I am referring to, which is referenced briefly by Protiviti, is the highly-acclaimed GAIT Methodology (a free download for IIA members).

Of course, this is just my personal opinion, but the evidence is, I suggest, conclusive. For example:

  • It focuses only on automated (IT) controls and IT general controls (ITGC), instead of the combination of controls that are relied upon to address financial reporting risks. It assumes that there is always a reliance on IT controls and ITGC by every organization, regardless of the nature of the risks to the financial statements and the manual controls in place. While true in principle, this assumption will lead to including more IT and ITGC controls in scope than necessary to address financial reporting risk. (See the payroll example below.)
  • While it references GAIT, it has lost the key message in that guidance: that the key controls should be identified based on the presence of a risk of material misstatement of the financial statements, and that the identification of ITGC key controls should be a continuation of the top-down and risk-based approach used to identify the combination of manual and IT controls relied upon within business processes. I call the approach taken in this document middle-down instead of top-down, because it does not start with risk to the financial statements, but with generic IT risk and controls.
  • It also ignores another key lesson in GAIT, echoed in the SEC SOX guidance, that only the functionality in critical applications that is relied upon to prevent or detect material misstatement of the financials represents a risk for which you need to assess related ITGC. Only ITGC controls that, should they fail, would cause IT business controls to fail to prevent/detect a material misstatement need to be in scope.
  • This document covers a wide variety of important ITGC controls that are necessary to operate the business with confidence, but are not all necessary to prevent or detect material misstatements. The latter is how you define the scope for SOX. For example, if there are high-level controls where fluctuations in account balances are reviewed (such as payroll costs) and that is sufficient to detect a material misstatement in that account (payroll rarely fluctuates so much that a material error would not be a highly-visible red flag), there is no reliance on the payroll system – nor on the related IT and ITGC controls.
  • The (sorry, guys) blind focus on IT instead of looking at the larger picture of what controls are required to prevent/detect a material misstatement has resulted in the error (refer to PCAOB guidance) of saying that you need controls over data backup and recovery. This is specifically excluded from the scope of SOX because, as the SEC explained to me, a failure to recover will not result (except in rare cases) in an error in the financial statements, only a delay in filing. That delay is not a SOX deficiency.

I have a lot of good friends at Protiviti, whom I respect and admire. It is distressing to see the firm get this so wrong, even as they reference GAIT.

I recommend reading the following instead:

I welcome your comments.

Posted on Jan 15, 2013 by Norman Marks


  1. Hi Mark,

    Is there a way to download this article and distribute it to people in my organization?

  1. Mike, if you click on the bold blue hyperlink it will take you to where you can download the document.

  1. Norman, do you have more on "as the SEC explained to me, a failure to recover will not result (except in rare cases) in an error in the financial statements, only a delay in filing. That delay is not a SOX deficiency?"

    We'd like to explore the idea of backup and recovery being part of the SOX program further. However, as you state, the GAIT methodology, which we are using, points out there is a risk of material misstatement.

    Thanks for the blog.

    Steve

  1. All:

    PCAOB provided guidance on backup and recovery in Auditing Standard Number 2. This text was not repeated in AS/5, although the logic remains valid:

    C5. Furthermore, management's plans that could potentially affect financial reporting
    in future periods are not controls. For example, a company's business continuity or
    contingency planning has no effect on the company's current abilities to initiate,
    authorize, record, process, or report financial data. Therefore, a company's business
    continuity or contingency planning is not part of internal control over financial reporting.

  1. Norman,

    I always look forward to your postings. They are very interesting and allow me to look at things differently.

    Here is a thought on the backup and recovery whether in scope or not in scope for SOX. What if the financial statements could not be prepared at all due to lack of data? Perhaps this would not necessarily constitute a misstatement but there would be no financial reporting at all.

    Beata

  1. Hi Beata,

    When I spoke to the SEC and PCAOB while writing my book on SOX (the IIA guidance), they explained that the failure to file is not a SOX failure - that only arises when the controls are not adequate to prevent a material error in the financials that are filed with the SEC.

    While a failure to file by the deadline may be a violation of other regulations, it is not a SOX failure.

    I hope that helps, and appreciate your reading and contributing to the discussion of my posts.

    Norman

  1. Hi Norman,

    If a loss of data occurs (severity depending of course), and backups are not done properly, I don't see how that could not result in a possible misstatement. If the data is not backed up, how can we conclude there is not a reasonable possibility of a misstatement?

    Also, since you admit your reference was not rolled forward to AS 5, can we still say the statement applies?

    Dan

  1. Dan, a failure to file is not a misstatement. The thinking covered by the text of AS 2 was confirmed to me by the SEC (as I said above), so yes, back-up and contingency planning are not financial reporting risks and do not need to be in scope.

    Norman

  1. Norman,

    Thanks for the post.  In the post-SOX years I have been both a partner at a Big 4 and an internal auditor inside a large Corporate.  I am convinced that SOX testing in general and IT SOX testing in particular provide a false sense of security.

    This is because under SOX, companies and their auditors are encouraged to stop as soon as controls are identified that could prevent or detect material misstatement and some evidence is found that they are at least periodically in place.  This provides the least-cost way to get through the SOX 404 marathon.

    In my experience, deep and broad testing of transactions is what tells you clearly, and rather quickly, whether and how controls are being compromised or by-passed. Outcomes are what matter, not the journey. Sadly, this type of testing has been largely sacrificed to make way for the avalanche of controls work, which, as you point out, is vulnerable because it largely fails to acknowledge that controls are not only highly interdependent but also are dependent on the skill and diligence of the operator.

    I am not advocating an end to SOX 404 altogether.  But I do believe that the profession needs to promote a no-questions asked approach that re-emphasizes real transaction testing.  Internal auditors need to be on the front line here because they should have the knowledge and capacity to go deep and broad in the most important transaction streams.

    Anthony

  1. Hi Norman,

    Your views here definitely resonate with my opinion on backup and recovery as a "SOX" control. If an organisation loses their data and cannot recover to report their financials to the market, there is technically no misstatement. Notwithstanding that, the effect of telling the market of this is likely to be the same as disclosing there is a material misstatement in the financials.

    I would like to get your thoughts on another concept I've been pondering. From my experience, Batch/Schedule Job Failures have always been tested as an ITGC but never properly considered for their impact on automated controls (e.g. interface, reporting, financial consolidation). Automated control testing generally requires a sample of one (towards financial year end) to cover it for both DE and OE. But this thinking/application is in error. The OE testing for automated controls such as interfaces, reporting etc. should be covered by testing the incident management over Batch/Schedule Job Failures.

    Danny

  1. Danny,

    I would only include Batch/Schedule Job Controls if they were key - based on a top-down risk assessment. Would they cause a key application control (itself identified from a top-down scoping program) to fail?

    Even if a failure of the batch scheduling control would cause a key application control to fail, would that go undetected? Also, am I concerned with controls over all batch jobs, or just a couple?

    I believe in testing ITGC only where they represent a risk of material misstatement, generally by causing a key application control or data security to fail. See the IIA's GAIT Methodology for more.

    Do you agree?

  1. The depth you dig into the subject and the accurate data you give us are appreciable.

  1. Nice Post.. Excellent Info.. Really amazing.. This was a fantastic article... really superb....
