When Phillip Bennett, head of the US-based hedge fund
giant Refco, was suspended earlier this month after his company
announced a £240m accounting irregularity, it was a wake-up call to
everyone involved in corporate compliance.
Not only has Bennett been charged with fraud, but Refco was also
forced to admit its financial statements for the past four years
"should no longer be relied upon". Part of the group was put into
receivership and its core futures brokerage is being sold off.
The headlines proclaimed it the worst financial scandal since
Enron and WorldCom, and its impact is likely to see a tightening of
corporate governance regulations around the world.
Even before Refco, it was clear the clean-up of US financial
reporting ushered in by the Sarbanes-Oxley regulations in 2002
would be mirrored elsewhere.
Sarbanes-Oxley covers firms with US stock market listings, but
it has raised the compliance bar globally, with company
shareholders and the financing banks now wanting to see firms
managing their risks more effectively and transparently.
In the UK, Sarbanes-Oxley-inspired legislation may lie around
the corner, with the UK Companies Bill likely to take the country
down a path towards tighter auditing requirements and greater
corporate transparency.
There is also the likelihood of European legislation, though
nothing firm is yet on the table, according to Debra Curtis,
research vice-president at analyst group Gartner.
With US firms having completed their first Sarbanes-Oxley annual
audit, and European headquartered firms listed on US exchanges due
to be compliant by the end of 2006, some trends and lessons are
already apparent.
Many are highlighted in a paper on the IT implications of the
act, published by the Business Application Software Developers
Association (Basda) in association with PricewaterhouseCoopers.
Among the paper's findings was that, despite the billions of
pounds spent globally on enterprise resource planning applications,
many organisations rely heavily on basic spreadsheets for
accounting and financial planning.
Gartner analyst Jay Heiser highlighted the issue in a recent
paper. "Even though governance regulations such as the US
Sarbanes-Oxley Act have resulted in higher levels of visibility and
control for enterprise applications, spreadsheets remain a source
of both inadvertent error and deliberate manipulation," he
wrote.
Dennis Keeling, chief executive of Basda, said that in addition
to these dangers, "The use of such spreadsheets is classed as a
manual process under Sarbanes-Oxley, requiring testing on a yearly
basis to prove their effectiveness."
The Basda paper said that in many firms literally thousands of
manual processes were being used - all of which had to be
documented and tested regularly under the terms of
Sarbanes-Oxley.
Not surprisingly, the best way to keep down audit costs is to
automate as many of these processes as possible, said Basda.
But Basda also warned that a move towards greater automation
would demand a fundamental change of culture in many organisations.
It called on chief information officers to get a grip on what it
called "end-user computing" - the creation of quick-fix manual
documents such as spreadsheets by senior managers, rather than
using data from the organisation's enterprise systems.
If controls cannot be imposed, the process should be abandoned
on the basis that it functions beyond company controls, is likely
to contain errors, and is expensive to set up, maintain, use and
audit.
Another issue was highlighted at the launch of the Basda paper
by Anton Ruddenklau, a senior manager at PricewaterhouseCoopers. He
said many global organisations found they had duplicated processes
across different locations. Making the necessary changes to the IT
infrastructure to enable the removal of that duplication could have
a "massive" effect on audit efficiency.
"Automating controls has been a high priority in the US, but
enterprise resource planning systems with great functionality are
still not being properly utilised," Ruddenklau said.
Software suppliers are offering an increasing range of audit and
compliance products, whether an organisation deploys new software
or not.
Keeling said CIOs and company boards must remember that
achieving compliance "is not a one-off" and keeping down audit fees
every year will only be achieved by taking full control of the
processes and architecture within the business.
Compliance challenges facing CIOs
Inadequate use of automated controls resident in IT systems
Companies' IT systems often fail to make the most of automated
control capabilities. Automating the monitoring and enforcement of
these controls can speed up time to compliance and cut costs.
Segregation of duties violations
These kinds of violations are common in IT systems.
Organisations need to identify where there are possible duty
conflicts among staff and address them, while developing systems to
avoid future problems.
Too many roles
If a firm has more roles allocated than necessary, that can also
easily create conflicts of duty. Again, organisations should
automate role management where possible to prevent authorisation
conflicts.
Manual user provisioning
Using manual processing to manage user access rights is another
potential control issue. It is much better to use automated,
workflow-driven solutions that incorporate risk analysis to prevent
potential future audit issues.
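The three points above (conflicting duties, roles that themselves bundle conflicting rights, and provisioning without a preventive check) can all be expressed as one rule set over entitlements. The following is an added illustration, not code from the Basda or PricewaterhouseCoopers paper; the role catalogue, entitlement names and segregation-of-duties rules are constructed for the example.

```python
# Constructed role catalogue (not from the article): role -> entitlements it grants.
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "payroll_admin": {"payroll.edit", "payroll.run"},
    "auditor": {"ledger.read"},
}

# Constructed segregation-of-duties rules: entitlement pairs no one person may hold.
SOD_RULES = [
    ("vendor.create", "payment.release"),   # could pay a fictitious supplier
    ("invoice.enter", "invoice.approve"),   # could approve own invoices
    ("payroll.edit", "payroll.run"),        # could alter and then run payroll
]


def grants(assigned_roles, roles=ROLES):
    """Map each entitlement to the roles in the assignment that grant it."""
    out = {}
    for role in assigned_roles:
        for ent in roles[role]:
            out.setdefault(ent, set()).add(role)
    return out


def sod_violations(assigned_roles, roles=ROLES, rules=SOD_RULES):
    """Detective control: (ent_a, ent_b, granting_roles) for every rule breached."""
    held = grants(assigned_roles, roles)
    hits = []
    for a, b in rules:
        if a in held and b in held:
            hits.append((a, b, held[a] | held[b]))
    return hits


def toxic_roles(roles=ROLES, rules=SOD_RULES):
    """Roles that breach a rule on their own: a role-design problem, not an assignment one."""
    return sorted(r for r in roles if sod_violations({r}, roles, rules))


def provisioning_decision(current_roles, requested_role, roles=ROLES, rules=SOD_RULES):
    """Preventive control for a workflow-driven access request.

    Returns ("approve", []) or ("reject", <violations the grant would newly introduce>).
    Pre-existing violations are left to sod_violations() to report separately.
    """
    before = {(a, b) for a, b, _ in sod_violations(current_roles, roles, rules)}
    after = sod_violations(set(current_roles) | {requested_role}, roles, rules)
    new = [v for v in after if (v[0], v[1]) not in before]
    return ("reject", new) if new else ("approve", [])
```

Running sod_violations over every user's role set gives the periodic detective report an auditor asks for; running provisioning_decision inside the request workflow is what turns the same rules into the automated preventive check the paper recommends.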
Excessive time spent assessing the control environment
It is usually costly to spend a lot of time detecting and
remediating, or mitigating any control deficiencies. Approaches
that combine efficient remediation and mitigation with preventive
risk analysis and automated reporting can substantially cut the
costs of Sarbanes-Oxley compliance.
Choosing a governance framework
There are numerous IT governance frameworks that CIOs might
consider adopting. Those charged with making the decision should
take time to ensure they select the one that is the best match for
their business - possibly by taking a lead from industry peers and
enterprises of a similar size and nature. The three main frameworks
are:
Coso
The least prescriptive in terms of IT, Coso has the benefit of
being more flexible than the alternatives. Four key concepts
underpin the framework:
- Internal control is a process. It is a means to an end rather
than an end in itself
- Internal control is brought about by people at every level of
the organisation - it is not just about keeping to the letter of
rules laid out in policy manuals and forms
- Internal control should be expected to provide only reasonable
assurance rather than absolute assurance to an organisation's
board
- Internal control is designed to meet objectives in multiple
separate, but overlapping, categories.
Cobit
This framework offers more detailed control objectives than
Coso. For some firms, however, it may prove too specific and
cumbersome to operate effectively.
Cobit (Control Objectives for Information and related
Technology) was originally released as an IT process and control
framework designed to link IT and business requirements.
In 1998 management guidelines were added and Cobit is now used
increasingly as a framework for IT governance, offering management
tools such as metrics and maturity models to complement the control
framework.
ISO17799
Unlike Cobit, which specifies actual controls required for
different areas, ISO17799 flags key domains without being
prescriptive. Although it goes into less detail than Cobit, it can
still be challenging for some organisations.
ISO/IEC 17799:2000 is an international standard based on
BS7799-1. It is presented as best practice for those responsible
for implementing information security management in an
organisation.