Manual processes must be automated to cut cost of Sarbanes-Oxley audits, says Basda

When Phillip Bennett, head of the US-based hedge fund giant Refco, was suspended earlier this month after his company announced a £240m accounting irregularity, it was a wake-up call to everyone involved in corporate compliance.

When Phillip Bennett, head of the US-based hedge fund giant Refco, was suspended earlier this month after his company announced a £240m accounting irregularity, it was a wake-up call to everyone involved in corporate compliance.

Not only has Bennett been charged with fraud, but Refco was also forced to admit its financial statements for the past four years "should no longer be relied upon". Part of the group was put into receivership and its core futures brokerage is being sold off.

The headlines proclaimed it the worst financial scandal since Enron and WorldCom, and its impact is likely to see a tightening of corporate governance regulations around the world.

Even before Refco, it was clear the clean-up of US financial reporting ushered in by the Sarbanes-Oxley regulations in 2002 would be mirrored elsewhere.

Sarbanes-Oxley covers firms with US stock market listings, but it has raised the compliance bar globally, with company shareholders and the financing banks now wanting to see firms managing their risks more effectively and transparently.

In the UK, Sarbanes-Oxley-inspired legislation may lie around the corner, with the UK Companies Bill likely to take the country down a path towards tighter auditing requirements and greater corporate transparency.

There is also the likelihood of European legislation, though nothing firm is yet on the table, according to Debra Curtis, research vice-president at analyst group Gartner.

With US firms having completed their first Sarbanes-Oxley annual audit, and European headquartered firms listed on US exchanges due to be compliant by the end of 2006, some trends and lessons are already apparent.

Many are highlighted in a paper on the IT implications of the act, published by the Business Application Software Developers Association (Basda) in association with PricewaterhouseCoopers.

Among the paper's findings was that, despite the billions of pounds spent globally on enterprise resource planning applications, many organisations rely heavily on basic spreadsheets for accounting and financial planning.

Gartner analyst Jay Heiser highlighted the issue in a recent paper. "Even though governance regulations such as the US Sarbanes-Oxley Act have resulted in higher levels of visibility and control for enterprise applications, spreadsheets remain a source of both inadvertent error and deliberate manipulation," he wrote.

Dennis Keeling, chief executive of Basda, said that in addition to these dangers, "The use of such spreadsheets is classed as a manual process under Sarbanes-Oxley, requiring testing on a yearly basis to prove their effectiveness."

The Basda paper said that in many firms literally thousands of manual processes were being used - all of which had to be documented and tested regularly under the terms of Sarbanes-Oxley.

Not surprisingly, the best way to keep down audit costs is to automate as many of these processes as possible, said Basda.

But Basda also warned that a move towards greater automation would demand a fundamental change of culture in many organisations. It called on chief information officers to get a grip on what it called "end-user computing" - the creation of quick-fix manual documents such as spreadsheets by senior managers, rather than using data from the organisation's enterprise systems.

If controls cannot be imposed, the process should be abandoned on the basis that it functions beyond company controls, is likely to contain errors, and is expensive to set up, maintain, use and audit.

Another issue was highlighted at the launch of the Basda paper by Anton Ruddenklau, a senior manager at PricewaterhouseCoopers. He said many global organisations found they had duplicated processes across different locations. Making the necessary changes to the IT infrastructure to enable the removal of that duplication could have a "massive" effect on audit efficiency.

"Automating controls has been a high priority in the US, but enterprise resource planning systems with great functionality are still not being properly utilised," Ruddenklau said.

Software suppliers are offering an increasing range of audit and compliance products, whether an organisation deploys new software or not.

Keeling said CIOs and company boards must remember that achieving compliance "is not a one-off" and keeping down audit fees every year will only be achieved by taking full control of the processes and architecture within the business.


Compliance challenges facing CIOs


Inadequate use of automated controls resident in IT systems

Companies' IT systems often fail to make the most of automated control capabilities. Automating the monitoring and enforcement of these controls can speed up time to compliance and cut costs.


Segregation of duties violations

These kinds of violations are common in IT systems. Organisations need to identify where there are possible duty conflicts among staff and address them, while developing systems to avoid future problems.


Too many roles

If a firm has more roles allocated than necessary, that can also easily create conflicts of duty. Again, organisations should automate role management where possible to prevent authorisation conflicts.


Manual user provisioning

Using manual processing to manage user access rights is another potential control issue. It is much better to use automated, workflow-driven solutions that incorporate risk analysis to prevent potential future audit issues.


Excessive time spent assessing the control environment

It is usually costly to spend a lot of time detecting and remediating, or mitigating any control deficiencies. Approaches that combine efficient remediation and mitigation with preventive risk analysis and automated reporting can substantially cut the costs of Sarbanes-Oxley compliance.


Choosing a governance framework

There are numerous IT governance frameworks that CIOs might consider adopting. Those charged with making the decision should take time to ensure they select the one that is the best match for their business - possibly by taking a lead from industry peers and enterprises of a similar size and nature. The three main frameworks are:


The least prescriptive in terms of IT, Coso has the benefit of being more flexible than the alternatives. Four key concepts underpin the framework:

  • Internal control is a process. It is a means to an end rather than an end in itself
  • Internal control is brought about by people at every level of the organisation - it is not just about keeping to the letter of rules laid out in policy manuals and forms
  • Internal control should be expected to provide only reasonable assurance rather than absolute assurance to an organisation's board
  • Internal control is designed to meet objectives in multiple separate, but overlapping, categories.


This framework offers more detailed control objectives than Coso. For some firms, however, it may prove too specific and cumbersome to operate effectively.

Cobit (Control Objectives for Information and related Technology) was originally released as an IT process and control framework designed to link IT and business requirements.

In 1998 management guidelines were added and Cobit is now used increasingly as a framework for IT governance, offering management tools such as metrics and maturity models to complement the control framework.


Unlike Cobit, which specifies actual controls required for different areas, ISO17799 flags key domains without being prescriptive. Although it goes into less detail than Cobit, it can still be challenging for some organisations.

ISO/IEC 17799:2000 is an international standard based on BS7799-1. It is presented as best practice for those responsible for implementing information security management in an organisation.

Read more on IT legislation and regulation