Under Sarbanes-Oxley (SOX), CEOs and CFOs of public companies are accountable for assessing the integrity of the company’s financial and information technology controls as well as certifying to the fair presentation of the financial statements. While an increasing percentage of data used in compiling financial statements is captured, processed and stored in the company’s information technology system, most IT audits are conducted independently from the financial audit, leaving potential gaps in the control systems.
Coordination of audits may ensure that compensating controls are in place. Coordinated audits can detect situations where “super users” have universal access to the system or administrators independently set up and manage the security and permission levels for the operating systems, applications and network, thus creating an opportunity for collusion, fraud or confidentiality breaches, says Robert Greene, IT Audit Practice leader with Haskell & White LLP.
“The CEO needs to understand that IT controls can complement financial controls. When these combined controls are understood and implemented, there is a greater assurance of the integrity of the financial statements and source data,” says Greene.
Smart Business spoke with Greene about how CEOs can create tighter controls by combining the IT and financial audit processes.
Why is there a tendency to separate the IT and financial audits?
Historically, CPAs did all of the auditing and the IT systems were not audited. Now, more and more data used by finance and accounting comes from IT applications, and the audit planning hasn’t necessarily kept up. The CPA usually has no IT audit experience and the audits are planned separately. IT audits primarily are focused on strategies to protect the firm’s data capabilities — not necessarily the financial statements. The CFO and CIO need to understand how IT and finance controls are interdependent, in order to create controls that will be effective for both.
What is the value of combining the two audits?
First, by understanding who creates and has access to the data, controls can be established that ensure both the integrity of the data and the manual processes that occur independently from the IT system.
For example, the company may have a manual control process that calls for the controller to approve any check exceeding $10,000. The CIO may not be aware of the process, and the software could be programmed to flag any entry that exceeds $10,000 when it is created. In this case, the new primary control would be the exception report generated by the system, the compensating control would be a review of an exceptions report by the controller, and the fail safe is a manual review of all checks over $10,000. This additional capability will allow the CFO to know how many checks should be coming through the manual review process and the CEO could also receive a copy of the report. Having the CIO and the CFO collaborate in creating controls will reduce gaps in both systems.
Second, when the entire team works together, it creates synergistic opportunities to advance the company’s mission and business plan, which fosters growth.
Third, by knowing that the controls in IT and finance work cohesively, the CEO and the board can have greater confidence in the effectiveness of the control system and the accuracy of financial statements.
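The layered control in the $10,000 check example above can be tested mechanically once the IT and finance teams agree on what each layer produces. The script below is an added illustration, not code from the article or from Haskell & White: it takes a constructed check register and a constructed controller approval log, reproduces the system's primary control (the over-threshold exception report), performs the compensating review (every flagged check must carry a controller approval), and reports the count the CFO should expect to see in the manual fail-safe review. It also flags a case the article's intro motivates but does not spell out: a flagged check approved by the same user who entered it. The threshold comes from the article; every name, check number, amount and role is made up for the example.

```python
"""Control test for an over-threshold check approval process.

Added example; all data is constructed and the field names are assumptions.
Primary control     : application flags every check exceeding the threshold.
Compensating control: controller reviews the exception report (an approval
                      from someone in the controller role must be on file).
Fail-safe           : manual review of every check over the threshold, so the
                      CFO needs to know how many to expect.
"""
from dataclasses import dataclass
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("10000.00")  # "any check exceeding $10,000"
CONTROLLER_ROLE = "controller"            # assumed role label in the approval log


@dataclass(frozen=True)
class Check:
    check_no: str
    payee: str
    amount: Decimal
    entered_by: str   # application user who keyed the entry


@dataclass(frozen=True)
class Approval:
    check_no: str
    approver: str     # user id of the person who approved
    role: str         # role of the approver as recorded by the system


def primary_control(checks):
    """Exception report: checks strictly exceeding the threshold.

    A check for exactly the threshold amount is not an exception, matching
    the article's wording ("exceeding $10,000")."""
    return [c for c in checks if c.amount > APPROVAL_THRESHOLD]


def compensating_control(exceptions, approvals):
    """Controller review of the exception report.

    Returns two lists: flagged checks with no controller approval on file,
    and flagged checks approved by the very user who entered them (a
    segregation-of-duties gap even when the approver holds the right role)."""
    by_check = {a.check_no: a for a in approvals}
    unapproved, self_approved = [], []
    for c in exceptions:
        a = by_check.get(c.check_no)
        if a is None or a.role != CONTROLLER_ROLE:
            unapproved.append(c)
        elif a.approver == c.entered_by:
            self_approved.append(c)
    return unapproved, self_approved


def run_control_test(checks, approvals):
    """Run all three layers and return the findings the CFO and CIO both need."""
    exceptions = primary_control(checks)
    unapproved, self_approved = compensating_control(exceptions, approvals)
    return {
        "expected_manual_reviews": len(exceptions),  # fail-safe workload
        "exceptions": exceptions,
        "unapproved": unapproved,
        "self_approved": self_approved,
    }


# Constructed sample data (not real transactions).
SAMPLE_CHECKS = [
    Check("C-1001", "Acme Supply", Decimal("4500.00"), "jsmith"),
    Check("C-1002", "Office Builders", Decimal("25000.00"), "jsmith"),
    Check("C-1003", "Data Center Lease", Decimal("10000.00"), "rpatel"),  # at threshold
    Check("C-1004", "Consultant LLC", Decimal("15250.00"), "rpatel"),     # never approved
    Check("C-1005", "Equipment Co", Decimal("12000.00"), "mlee"),         # entered by controller
    Check("C-1006", "Vendor X", Decimal("10000.01"), "jsmith"),           # approved by a clerk
]
SAMPLE_APPROVALS = [
    Approval("C-1001", "mlee", "controller"),   # below threshold; irrelevant
    Approval("C-1002", "mlee", "controller"),
    Approval("C-1005", "mlee", "controller"),   # mlee entered and approved C-1005
    Approval("C-1006", "jsmith", "ap_clerk"),   # wrong role for this control
]


if __name__ == "__main__":
    result = run_control_test(SAMPLE_CHECKS, SAMPLE_APPROVALS)
    print(f"Checks the manual review should receive: {result['expected_manual_reviews']}")
    for c in result["unapproved"]:
        print(f"NO CONTROLLER APPROVAL: {c.check_no} {c.payee} ${c.amount}")
    for c in result["self_approved"]:
        print(f"SELF-APPROVED:          {c.check_no} {c.payee} ${c.amount}")
```

Run against the sample data, the script tells the CFO to expect four checks in the manual review and surfaces two findings the separate audits would each miss on their own: C-1004 and C-1006 were flagged by the system but never approved by a controller, and C-1005 was approved by the same controller who entered it. The IT side supplies the exception report and role data; the finance side supplies the approval log; only the joined view exposes the gaps.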
How should the IT and finance audit teams work together, and what information should they share?
The finance audit team usually makes up the audit schedule. IT should be involved in planning to ensure it knows the time frame and how much time to allocate. The two audit teams should share any concerns in advance, to help stimulate both ideas and solutions.
Generally, IT doesn’t understand the financial processes and finance doesn’t understand the IT controls. Therefore, the opportunity to design or recommend complementing controls may be missed.
Jointly, both parties should look at the entire flow of data from creating users in the system, to entering information, processing information and who has access to the information. This process mapping will reveal gaps, as well as opportunities to jointly author process controls and safeguards.
What are the best practices to achieve the optimum results from a combined audit?
First, IT and finance should author the audit plan together. They should talk about what is important to both sides and collaborate on the scope of the audit and the audit program.
Second, the CEO should ensure that the budget is sufficient to conduct a thorough, combined audit.
Third, by integrating the process and control training to include both the IT and finance auditors, as well as the respective leadership teams, each group will be able to understand each other’s needs and see the value in combining the audits.
ROBERT GREENE is the IT Audit Practice leader with Haskell & White LLP. Reach him at firstname.lastname@example.org or (949) 450-6340.