Overview of Sarbanes-Oxley
Spurzem (2009) states that the Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation’s electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.” The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.
Section 404 of Sarbanes-Oxley
In consequence, Search Financial Security (2009) shows the Section 404 of SOX mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. The purpose of SOX is to reduce the possibilities of corporate fraud by increasing the stringency of procedures and requirements for financial reporting.
These reports require to be conveyed annually of the public company by management on the internal control over financial reporting within the organization. McGladrey ; Pullen (2006) indicated that the report should contain:
•A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company. •A statement identifying the framework used by management to evaluate the effectiveness of internal control. •Management’s assessment of the effectiveness of internal control as of the end of the company’s most recent fiscal year. •Disclosure of material weaknesses (A material weakness is a significant deficiency or combination of significant deficiencies that result in more than a remote likelihood that a material misstatement will not be prevented or detected.) •A statement that its auditor has issued an attestation report on management’s assessment
Information Technology Control in Sarbanes-Oxley
Information technology controls has an increased been focused after the SOX section 404 establishment of internal controls over the financial reporting. In order to assist with SOX compliance, the framework of COBIT can be used. Qualified Audit Partner (2007) states that the Control Objectives for Information and related Technology (COBIT) is a set of best practices for information technology (IT) management created by ISACA and the IT Governance Institute (ITGI) in 1996. ISACA (2007) indicates that COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. The framework does explain how the Information technology processes transfer the information that the business needs to reach its objectives. This approach is handled via 34 high-level control objectives, one for each information technology process. It also identifies several criteria of efficiency, effectiveness, reliability, confidentiality, availability, compliance and integrity. Furthermore, the resources of information technology including people, information, application and infrastructure, are important for the information technology processes.
According to the IT Governance Institute (2007, P.5), in order to make the IT
successfully in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
•Making a link to the business requirements
•Organizing Information Technology activities into a generally accepted process model •Identifying the major IT resources to be leveraged
•Defining the management control objectives to be considered
In addition, ISACA (2007) also states that the latest version of COBIT 4.1 can be used to enhance work already done based upon earlier versions; it does not invalidate that previous work. When major activities are planned for IT governance initiatives, or when an overhaul of the enterprise control framework is anticipated, it is recommended to start fresh with the most recent version of COBIT.
Committee of Sponsoring Organizations (COSO)
According to Search Security (2006), the COSO was founded by professional accounting associations and is dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. Its original chairman was SEC Chairman James C., Treadway and Jr. Hence the popular name of the National Commission was The Treadway Commission. COSO published its Internal Integrated Control Framework that defines what a control is and describes the various aspects of the process of control including the control environment, risk assessment, control activities, information and communication, and monitoring. It also discusses how corporate roles map to responsibilities in effecting internal control in these areas. The COSO framework is designed to provide a model that corporation can use to run an efficient and well-controlled financial environment. Adherence to its principles can help with, but not guarantee, SOX compliance.
The COSO framework recognizes that IT requires a dedicated governance framework like COBIT. According to SOX-online (2006), the original COSO framework is outlined in a document: 1992 COSO Report: Internal Control – An Integrated Framework. In 1994, COSO issued another version of the Enterprise Risk Management – Integrated Framework. This framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. The guidance introduces an enterprise-wide approach to risk management as well as concepts. Steinberg, Everson, Martens and Nottingham (2004, P3-4) states that the new COSO framework consists of eight components:
1.Internal control environment
7.Information and communication
Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.
As mentioned on the above, Section 404 of the Sarbanes-Oxley Act required U.S. publicly traded corporations to utilize a control framework in their internal control assessments. New guidance issued by the Securities and Exchange Commission (SEC) and PCAOB in 2007 placed increasing scrutiny on top-down risk assessment. According to Lahti ; Peterson (2007, P74-75), a “Top-Down” Risk Assessment (TDRA) approach is a hierarchical framework that dictates the application of specific risk factors in determining the scope and evidence required in the assessment of internal control. During each phase of the audit assessment, qualitative or quantitative risk factors are used to define the scope and identify the required evidence. Since this is in all likelihood the approach your auditor will utilize, it is important that a company uses the same approach when they evaluate possible frameworks to assist in the evaluation process as they work through the particular components of their selected framework. Key TDRA considerations include:
1.Identification of significant financial reporting elements 2.Identification of material financial statement risks within accounts or disclosures 3.Determination of which entity-level controls that address any risks 4.Determination of which transaction-level controls that address risks in the absence of entity-level controls 5.Determination of the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls.
As part of the audit process, management is required to document how TDRA was interpreted and applied to derive the scope of controls tested. In addition, the sufficiency of evidence required is derived from the auditor’s and managements top-down risk assessment.
Internal Control Vulnerability in Hong Kong
Vulnerability arises because there is no control over. That is why internal control becomes significant. SOX emphasized the effectiveness of IT controls, because there is a number of control deficiencies that existing in an enterprise of IT operations. IT control deficiencies in Hong Kong enterprises are mainly as the following:
•During system development process, many Hong Kong companies are accustomed to: “who develop, who is the one responsible for”. From the perspective of internal controls, this customary practice is incorrect. Many different aspects of the development process require different people for the approval. If there is only one person to take the responsibilities, it can easily lead to hidden dangers •For the data backup area, a good data backup management requires the establishment of off-site backup, while some companies do not have off-site backup. Some enterprises have so-called off-site backup is actually in the same building, but not in the same floor. And there is no sense. •In the system access control, which require the user to enter a password when logging on the system.
The password length should be specified during setting up the system access policy and rules. Although a similar provision in some companies, in actual operation, some password is the default, or in the system configuration does not meet the requirements of the relevant provisions. •In addition, the user’s permissions management can also be easily flawed; the user’s rights and responsibilities of their works are inconsistent. Everyone can access the system and data, which obviously will have loopholes •Many companies have branches in various places. However, many branches do not in accordance with the requirements of head office, which will lead to control deficiencies.
The above situation shows that the reason why IT controls deficiencies will produce, is because the companies are focused on functionality, but have neglected on the internal control. For a long time, enterprises only attach importance to the system that can play any role for themselves and solve any problem, but ignores the control of IT, namely, how to ensure the safety of the system. This has led to enterprises for IT control, and lack of understanding, or even never expected to be carried out on the IT control. If not doing the IT audits, we often do not see any problems. However, if using the strict criteria and measurement, you will find a lot of problems.
Conflicting between purpose of control and efficiency of business operations
There is an important reason to make control deficiencies are easily produced, which is the conflicting between purpose of control and business operations. Enterprise’s business operations are in pursuit of the efficiency. However, a standardized control processes, such as the process cannot continue until some tasks have been completed. Therefore, it may affect the efficiency and slow down the process of work. If some companies do not build the IT internal controls, they will soon develop and establish an IT system. However, if under the SOX Act, in the system development process, we must first obtain a user’s needs to go through each step of management approval, approval after completing allow programmers to write programs, do a good job before making a test, users come to testing, approval after the signature, the system re-signing his word to the independent person to implement, which would require a very long process. This process is often at the expense of efficiency. As a result, there are many Hong Kong enterprises are very easy to become disgusted with the strict control process
A need for huge investment
In order to achieve SOX compliance for all businesses, which is needed to invest a lot of resources, almost all sectors involved in company-wide project. The realization of the effectiveness of IT control is a very complex process, the degree of difficulty and workload beyond the imagination of the general. In order to achieve SOX Act compliance, well-financed companies have to invest huge amounts of money and manpower for the improvement of IT control. For the small company, its difficult is even greater. Due to this reason, some Hong Kong companies therefore have to consider changing the listing of sites.
In conclusion, although SOX section 404 requires a very high demand for the enterprises, it helps to improve enterprise information and provides an excellent opportunity to enhance Hong Kong’s IT governance.