control, and governance
Aiding the Compliance Effort
An audit director contemplates his team’s participation in a companywide IT initiative, and its potential impact on audit independence.
WeHaveItAll Inc. (WHIA) is a publicly traded discount retailer based in the central United States, with 1,100 store locations and more than US $40 billion in annual revenues. In addition to its retail operations, WHIA maintains separate consumer financing and transportation divisions and is considered a major competitor in most areas of the country. While less known than its main competitors, the company experienced 13 consecutive quarters of revenue and profit growth and expects that trend to continue.
Mark is WHIA’s director of IT audit and has served in that role during the last four of the 16 years he’s worked for the company. He has two managers and 14 staff members to cover the company’s extensive IT environment, which includes a robust online retail store and a fully integrated enterprise resource planning system that houses all financial and human resources transactions, including those at the store level. Mark has just returned from a meeting with the Information Assurance and Security Department (IASD), where team members explained their mandate for a compliance program focused on the company’s IT resources. The program aims to consolidate all IT compliance efforts related to the U.S. Sarbanes-Oxley Act of 2002, payment card industry (PCI) standards, the U.S. Health Insurance Portability and Accountability Act (HIPAA), and several smaller initiatives. The group invited Mark to join the effort.
Mark has to decide what level of involvement, if any, he and his department should have in this program. Although he believes the initiative could benefit from internal audit expertise, he is concerned about how his participation might affect the department’s independence. He also wonders how the new compliance program, once in place, should be evaluated by both external and internal auditors.
What should Mark keep in mind as he makes his decision? How can he add value to the program? Should he support this effort at all?
Assistant Vice President, Internal Audit
Senior Audit Manager
Mark’s IT team should be pleased to participate. As a public company subject to Sarbanes-Oxley, WHIA must ensure that controls over financial reporting of IT data are documented and operating effectively. The company needs to devote careful attention to systems access and authorization, data processing, and numerous other elements that support the integrity of IT controls. Examples of major risk areas include revenue recognition, access to master file price lists and customer information, and inventory control for both in-store and Internet-based sales.
PCI standards require companies to assess whether credit card processors maintain restricted and secured cardholder information; failure to comply can result in significant fines. Most likely, the standards’ control environment requirements, such as those pertaining to customer billing data, overlap with requirements from Sarbanes-Oxley. An IT audit manager familiar with WHIA’s technology-related Sarbanes-Oxley controls should be able to help prepare the required PCI questionnaire, identify possible internal control deficiencies and remediation plans, and complete the required attestation of compliance within the specified period.
HIPAA relates to the privacy of medical information, as specified under U.S. federal law. The act covers employee and customer medical information, both of which may be relevant to WHIA if it operates pharmacies or other health-related activities. HIPAA requires companies to restrict access to all health information, which must be accomplished via physical and logical access controls. To meet this requirement, and fulfill its other compliance obligations, WHIA needs to compare the roles and responsibilities of all current users of HIPAA, Sarbanes-Oxley, and PCI-related data against actual authorization and business needs. Access granted to unauthorized individuals should be removed at once, and a process should be in place to prevent future access by unauthorized users.
For both internal and external auditors, independence can be a concern when the internal auditors assist with systems implementations and then later audit those same systems. In the United States, external auditors can rely on the work of internal auditors only after evaluating the internal auditors’ technical competence and independence. Mark can help mitigate independence concerns by ensuring that the IT auditors who participate on this project do not also conduct audits that examine its effectiveness.
KIMBERLY DE VRIES, CISA, PMP
Senior Audit Manager
Zurich North America
Mark should assign two people to participate on the project team in an advisory capacity. By involving his department in this effort, he can support an initiative that should result in better use of company time and resources and effective alignment across WHIA’s numerous compliance efforts. Given the size of WHIA’s IT audit staff, devoting two individuals to the project should not affect Mark’s ability to deliver his audit plan. He should allocate 50 percent of their time to the initiative, which should yield a perspective that benefits not only the two individuals but the rest of his staff as well.
Alternatively, Mark could consider performing a “checkpoint” audit, which would give the project team the benefits of audit involvement without jeopardizing the auditors’ independence. The standard focus areas for this type of audit include project governance, reporting, and financials, as well as risk management and contract management. The checkpoint approach would support the project team’s efforts while providing management with an “inside” view of the effort. In addition, it would help Mark determine the most appropriate method for evaluating WHIA’s new compliance program. Auditors assigned to the project can leverage their knowledge of the organization’s control environment to help support the elimination of redundant or unnecessary controls. Their level of engagement would be close to that of the actual project team, without direct ownership of output. If for any reason the project team auditors become too enmeshed in the project, the risk of compromised independence would be limited to only the two staff members who participated on the team.
JOHN M. STEPHENSON
Mark should first evaluate the situation from a risk standpoint. With 1,100 retail stores and a robust online store, WHIA’s IT compliance initiative is significant to the company and the audit function. Moreover, given the regulatory climate in which WHIA operates, it is safe to assume the compliance efforts address a significant risk and warrant internal auditing’s attention — risk should always be a primary driver of audit resource allocation across the organization. By factoring this knowledge into his risk assessment efforts across the organization, Mark will be able to better align the audit department’s annual plan with WHIA’s key objectives.
With regard to independence, Mark should keep in mind that regulatory compliance evaluations remain part of his department’s core responsibility, especially given the risks associated with retail and consumer finance businesses. Close involvement with the design of the compliance program could impair his team’s ability to remain independent in their evaluations of the compliance program. Nonetheless, his group could add value and potentially benefit the audit effort by leveraging its knowledge of control concepts, regulatory requirements, and company practices to advise the compliance team.
Control mandates across PCI, HIPAA, and Sarbanes-Oxley are fairly consistent with the generally accepted internal control frameworks, varying only in the amount of detail each one provides. By designing a comprehensive compliance program, WHIA can address the specific details and nuances for each mandate, while minimizing the duplication of work that currently exists across compliance efforts. Mark’s team can then add its control expertise to the effort.
Ultimately, the compliance program development team would benefit from the internal auditors’ security and controls expertise gained through their exposure to audit assignments throughout the company. Moreover, internal auditing would benefit by having the organization encourage and enforce a set of rules that should be consistent with its own audit objectives. Although audit independence is important, this project represents one instance where a somewhat flexible approach would unlock potential gains that could be realized within the overall control environment. By clearly defining the scope and limits of the participating auditors’ work, the overall department’s independence and objectivity can be preserved.