IT IT
IT Audit - The Institute Of Internal Auditors  

Home

Reference Library

Discussion Board

Contact the Editor

About ITAudit

Authors Wanted

Subscribe

Previous Issues

Search
print Print Article
PUBLISHED BY THE INSTITUE OF INTERNAL AUDITORS

Did IT Auditing Forget the Foreign Corrupt Practices Act?

April 15, 2005
Robert E. Davis, Audit Consultant, Robert Half International CISA

 

A Sarbanes-Oxley predecessor mandates that organizations deploy internal accounting controls over financial transactions.

 

The U.S. Sarbanes-Oxley Act of 2002 (PDF) continues to be a major topic of discussion for audit professionals, centering on domestic and international financial statements, attestation requirements, and compliance costs. A Sarbanes-Oxley Section 404 provision that concerns attestation requirements had been a cause of debate until the Public Company Accounting Oversight Board (PCAOB) interpreted internal controls to mean internal accounting controls. Although The IIA and the Information Systems Audit and Control Association (ISACA) have focused attention on internal accounting controls related to the deployment of financial computer applications, IT auditors have paid only minor attention to the predecessor of the Section 404 internal control provision: The U.S. Foreign Corrupt Practices Act (FCPA) of 1977, sections 78m (b) (2) through (5). The FCPA applies to U.S. publicly held companies and was adopted in the 1990s by the Organization of American States (OAS), the Organisation for Economic Co-operation and Development (OECD), and the Council of Europe (COE).

The FCPA codified bribery of foreign officials as a criminal offense for U.S. publicly held companies, required accurate financial-transactions accounting, and amended the Securities Exchange Act of 1934. With regard to accurate accounting, FCPA Section 78m (b) (2) legislated managerial responsibility for generating and retaining financial information to represent transactions accurately and fairly, and for deploying a "system of internal accounting controls." Furthermore, FCPA Section 78m (b) (5) has been interpreted as requiring U.S. businesses to create and sustain adequate internal accounting controls regardless of an organization's cost-benefit analysis ratio. This section of the FCPA mandates preventive controls to avoid financial statement fraud or misrepresentation.

FCPA control measures for an adequate system of internal accounting controls include employing quality personnel, appropriately documenting transactions, maintaining appropriate segregation of duties, allowing only authorized transaction execution, controlling access to assets, and reconciling documented assets to actual assets regularly. These control measures most often interact with — or are deployed through — IT financial applications, thus justifying IT auditor involvement in evaluating internal accounting controls compliance with the FCPA.

IT FINANCIAL ASSURANCE PRACTICES

Financial statement audits are based on three generally accepted high-level internal control objectives: financial reporting, compliance, and operations. These objectives have detailed activities that correspond to maintaining adequate internal accounting controls. For financial statement audits, control activities can have misstatements of existence, occurrence, completeness, valuation, allocation, presentation, disclosure, or safeguarding. Some financial audit control domains, such as existence and occurrence, are isolated. Others, such as presentation and disclosure, are combined. Subcategories of domain classifications include validity, cutoff, summarization, transaction completeness, accuracy, measurement, ownership, rights, obligations, segregation of duties, and protection of assets. These subcategories represent basic principles of FCPA internal accounting controls auditing.

Completeness, accuracy, authorization, and accessibility are key internal accounting controls that fulfill FCPA legal requirements. Accuracy controls are those that epitomize correct recording of information. Completeness controls help assure that valid transactions are documented and properly classified. Authorization controls are designed to provide reasonable assurance transactions are executed in accordance with laws, regulations, and managerial policies affecting an organization. Accessibility controls protect tangible and intangible assets from harm, theft, loss, misuse, or unauthorized availability. Key internal accounting controls mapped to selected control measures clarify FCPA IT audit assurance responsibilities (see Figure 1).

Figure 1: FCPA Control Measure — IT Audit Key Control Matrix

Key Control

Control Measure  Completeness   Accuracy   Authorization  Accessibility 
Quality Personnel

 x

 x

   

Documenting Transactions

 x

 x

 x

 
Segregation of Duties      

 x

Authorization 

 

 

 x

 x

Access Control

 

 

 x

 x

Reconcilement

 x

 x

 

 

Based on FCPA requirements, an IT auditor typically assists the financial auditor in understanding, describing, and documenting the processes of significant information systems as well as general and application controls. If consulted during financial statement audits, the IT auditor often provides transaction initiation, processing, classification, and reporting, along with the type and description of computer files and significant information systems processes related to internal accounting controls.

Depending on the organization, another possible FCPA IT audit responsibility is evaluating the veracity of management's assertions concerning the system of internal accounting controls. To dispatch reporting requirements, an IT auditor must identify, understand, test, and document internal accounting controls, potential misstatements, control objectives, and control activities. Essentially, an IT auditor assumes responsibility for assessing financial applications for FCPA compliance.

Through FCPA Section 78m (b) (5) interpretation, IT auditors participating in a publicly held company's financial statement audit should plan and perform tests — providing reasonable assurance that internal accounting controls circumvention did not occur, financial fraud does not exist, and a system of internal accounting controls has been deployed. Consequentially, these requirements dictate following audit program fraud-detection procedures when determining the extent of management's internal accounting controls efforts and demonstrating IT auditor due diligence.

 When fraud occurs, an auditor's focus often is limited to fraud condition, correction, and elimination. When IT auditors suspect wrongdoing, they should inform the proper authorities within the organization. As consultants, IT auditors may recommend the type of investigation and approach. Specialists typically conduct fraud investigations — security personnel and law enforcement officials are the primary investigators in cases of fraud accusation. The IT auditor should avoid personal contact with fraud suspects to prevent hindering the investigation and to reduce the risk of legal action associated with the auditor.

The ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals  — Guideline 030.010 Section 6.1.5 states: "Unless otherwise required, the IS auditor is only responsible to report the events and circumstances surrounding the [irregular or illegal] act." However, if during the course of examining internal accounting controls, the IT auditor discovers an irregularity or illegal act, the auditor must abide by applicable government statues. Specifically, in "certain jurisdictions the IS auditor may have further obligations that go beyond the requirements specified in section 6.1.5. In that case, the auditors must provide reasonable assurance that they are in compliance [with] those additional requirements as well." 

Along with the examination practices of IT audit financial statements, general and application IT audit procedures are influenced by the FCPA, including assessments of:

  • Planning and organization.
  • Protection of information assets.
  • System development life cycle methodologies.
  • Technical infrastructure and operations.

Technically, application controls should be present during input, processing, and output of an auditable unit. An example of an application control is the comparison and reconciliation of computer output to source documents or other input. Determining computer file integrity, examining computer processing edit and validation controls, and simulating computer processing are some procedures IT auditors are expected to provide during FCPA financial application audits.

SARBANES-OXLEY VERSUS FCPA ASSURANCE PRACTICES

Sarbanes-Oxley impacts the IT control requirements of U.S. publicly held enterprises. Section 404, in particular, documents the legislative rules and requirements of internal control evaluation reporting with regard to management's assessment of internal controls. Section 404 applies to Security Exchange Act of 1934 filers. Therefore, Sarbanes-Oxley affects an organization's internal control environment by indirectly imposing management's assurance of an adequate IT control environment. Sarbanes-Oxley also requires an organization's public accounting firm to attest and report on management's assessment of internal controls, and stipulates that internal control attestation is not a separate engagement subject matter. Based on the PCAOB's interpretation, the Sarbanes-Oxley control parameter, in effect, is the same as that of the FCPA. Therefore, U.S. IT auditors participating in financial statement audits of Security Exchange Act of 1934 filers may not be aware of FCPA legal requirements — yet, they should have been performing the necessary FCPA audit tasks since 1977. Similarly, European Union, OAS, and OECD member countries should be engaging IT auditors in assessments of internal accounting control.