Sarbanes-Oxley Compliance for Nonaccelerated Filers

Solving the Internal Control Puzzle

By Sid M. Edelstein

No business legislation in recent history has elicited a broader range of reaction among financial professionals than the Sarbanes-Oxley Act of 2002 (SOA). While SOA clearly presents compliance challenges for public companies of all sizes, for many smaller, nonaccelerated filers these challenges can seem all but insurmountable. For some, this perception can lead to willful denial that compliance requirements extend to them. For others, it typically yields token efforts at compliance that often fall short. Neither is a good response. Unfortunately, many smaller companies lack the internal resources and specialized expertise necessary to successfully address all of the complexities associated with comprehensive SOA compliance.

Much of the standard professional auditing literature and available guidelines focuses almost exclusively on the objective analysis of accounting system control activities that support the financial reporting process. As a result, many auditors may find themselves ill equipped to address some of the more subjective and technically unfamiliar internal control aspects of SOA compliance audits: internal control framework development methodologies, the risk assessment activities on which they depend, and the information technology (IT) and business process automation systems that facilitate them.

Although business technology plays a major role in most companies’ internal control activities, the IT-related aspects of SOA compliance are not commonly addressed in typical accounting literature. Such IT aspects include the COBIT IT internal control and governance framework, as well as the IT general controls that can potentially impact the accuracy and timeliness of a company’s financial reporting processes. The historical development of COSO’s Internal Control–Integrated Framework and an overview of its key elements form the conceptual underpinnings of corporate internal control systems.

A Short History of Decay

Sarbanes-Oxley is not the first time that government has tried to protect the public from corporate malfeasance. A similar spate of high-profile corporate scandals in the 1980s prompted the establishment of the Treadway Commission, which laid the foundation for a variety of meaningful accounting and financial reporting reforms. Today’s SOA provisions are the direct descendants of these reforms. They are also only the first round in what is likely to become an ongoing legislative effort to improve corporate governance and accountability.

The Treadway Commission’s charter recognized the need to improve corporate internal control over financial recordkeeping and accounting practices. The task of addressing this issue fell to a group of private organizations known as the Committee of Sponsoring Organizations (COSO). COSO’s primary contribution to the Treadway Commission’s efforts was the development of an open, integrated framework for analyzing and improving the effectiveness of internal controls. Officially published in 1992, COSO’s Internal Control–Integrated Framework has become the de facto standard for internal control analysis and reporting. While leaving the door open to other potential internal control development frameworks, both the SEC and the PCAOB have specifically sanctioned the COSO framework as an appropriate guideline for SOA-compliant internal control analysis, development, and documentation.

Overview of the COSO Integrated Framework

The conceptual underpinnings of the COSO framework are quite simple and based upon the following observations:

  • Every business has numerous operational objectives that it must accomplish in order to be successful.
  • Every operational objective contains various inherent quantitative and qualitative risks to its achievement.
  • The potential consequences of these risks should be reduced, wherever possible and practical, by instituting “integrated” internal controls.

COSO defines five key elements of an integrated, or comprehensive, framework of internal control as follows:

  • Control environment. Executive management and corporate governance bodies must ensure that appropriate corporate ethics and values are established and enforced at the executive level and effectively instilled throughout the entire organization. If this “tone at the top” is not successfully established, the entire system of internal control can be easily undermined and susceptible to fraud and inaccurate financial reporting.
  • Risk assessment. Efforts must be made to analyze, define, and document the qualitative and quantitative risks for all key business units and processes involved in achieving the organization’s business objectives. Accurate risk assessment is perhaps the most critical element in establishing an effective framework of internal control. It serves to highlight and isolate those specific business units and processes which present the greatest risk to the organization’s operational goals, and thereby helps focus and prioritize the creation of the organization’s overall internal control framework.
  • Control activities. Once all internal control objectives have been established and their risks have been accurately assessed, specific safeguards, processes, and procedures must be developed and implemented to reduce or mitigate the defined risks to all critical internal control objectives. Many internal control analysis, testing, and reporting functions tend to focus almost exclusively upon control activities, because they lend themselves to objective analytical criteria. The danger, however, is that effective control activities in and of themselves do not ensure that the organization has implemented an effective system of internal controls. All five COSO components must be present to ensure that these control activities function correctly and consistently over time.
  • Information and communication. Information and communication channels that support internal control objectives must be available and understood by all members of the organization as well as all necessary external entities (e.g., boards of directors, audit committees). Open internal and external communications are vital to internal control because they support the checks and balances that ensure the integrity of the control environment as well as the effectiveness and consistent application of control activities.
  • Monitoring. The organization must ensure that all internal control objectives are continuously monitored, regularly tested, and revised as necessary to support changing business conditions. An effective internal control system must be dynamic and adaptable. As business technology continues to evolve, the pace of business grows exponentially faster and becomes more difficult to control. If the organization does not have a methodology in place for accurately measuring and benchmarking the effectiveness of its internal control procedures over time, these controls can quickly become outdated and ineffectual.

COSO affirms that an integrated internal control framework must take all of these elements into account and include control objectives that effectively address each of them. In other words, the effectiveness of a company’s overall system of internal controls could be severely compromised if any one of these five key components is lacking in its design or execution.

COSO also requires that the development of control objectives incorporate a scope that encompasses the following three functional considerations:

  • Operations: Improved operational efficiencies.
  • Financial reporting: Accuracy and timeliness of the financial reporting process.
  • Compliance: Adherence to all corporate legal and regulatory responsibilities.

Finally, COSO requires that control objectives based upon the guidelines detailed above be developed for all business units as well as all key business processes conducted within these units. This ensures that the control framework is designed to encompass both company-wide and process-specific operational control objectives. (Exhibit 1 and Exhibit 2 present a graphical representation of the COSO framework and an example of typical COSO internal control documentation.)

IT Support

While most IT departments are actively engaged in supporting their organization’s internal controls over financial reporting, and many do so effectively, few are well versed in the disciplines and procedures necessary to adequately substantiate or document these activities in accordance with COSO or SOA requirements. This presents a significant dilemma because, in most public companies, IT departments bear a great deal of responsibility for ensuring the accuracy, integrity, and availability of the transactional data used in financial statements.

The PCAOB has recommended that in making a determination regarding which controls should be tested for Sarbanes-Oxley compliance, auditors must consider “controls, including information technology general controls, on which other controls are dependent” (PCAOB Release 2003-17).

By and large, most auditors already have some experience analyzing IT “application-level” internal controls; analysis of these controls has been included in standardized audit procedural guidelines for a number of years and has already been incorporated into the testing and walk-through procedures typically conducted during the course of a normal audit. Analyzing “general” IT controls, however, requires a level of IT knowledge and technical expertise that goes well beyond what most internal and external auditors have been trained for.

General IT controls can potentially encompass the entire spectrum of an organization’s IT operations, and many of these controls, along with the systems which support them, may not be adequately documented for purposes of SOA compliance. The auditor’s judgment and discretion must be applied in order to segregate those general IT controls which could potentially have a significant or material impact on any given company’s financial reporting processes. Once these high-risk controls have been successfully isolated, auditors should be prepared to provide guidance to IT department management and personnel in developing appropriate IT general control documentation and testing procedures to support ongoing SOA compliance activities.

The Changing IT Environment

Unfortunately, the COSO Internal Control–Integrated Framework provides little guidance regarding general IT controls, because IT environments have changed dramatically since its publication. When COSO’s integrated framework was initially released, the typical enterprise IT environment was centralized and composed primarily of customized, legacy business applications. The most significant risks these systems represented to the integrity of financial data and reporting related to internal controls over application development, data entry, and system access.

In the COSO framework example documentation itself, only a handful of pages deal specifically with internal controls over IT operations, and these are nearly exclusively devoted to the aforementioned controls. While these IT internal control issues still exist and are a key focal point in any SOA control analysis, they represent only the tip of the iceberg with respect to today’s financially relevant general IT controls.

Since the introduction of COSO’s Internal Control–Integrated Framework, enterprise IT environments have grown exponentially more complex and decentralized. Sophisticated e-mail systems and web-based technologies now handle much of the financial information and corporate communications that were once conducted manually and left paper trails. Generic accounting software applications and integrated ERP systems have sophisticated financial controls that can be configured to dynamically ensure the security, availability, and integrity of financial data.

Analyzing access security parameters and data-entry batch controls is no longer enough to ensure the accuracy and integrity of a company’s financial data. Modern business technologies have enabled companies to conduct transactions in real time on a plethora of disparate processing platforms. As companies continue to leverage modern business technologies, both the pace and the breadth of financial data processing continue to increase. Corralling this financial data flow will be critical to successfully controlling its accuracy and integrity in the future.


The dizzying array of modern business technology available can differ dramatically in its potential impact on a given company, but the technology itself only represents part of the equation. What about the IT control environment is necessary to successfully manage and maintain these sophisticated IT systems?

Modern IT environments often require teams of highly skilled management and technical personnel to operate efficiently. Are there enough personnel qualified to perform these duties effectively? Is their training maintained on an ongoing basis in order to ensure continuous support for the company’s growing IT systems? Are effective change-management policies and procedures in place to coordinate ongoing system enhancements? Does the high-level system access to financial applications and databases that IT personnel need present a significant internal control issue?

These and countless other issues with respect to IT governance also break new ground for auditors who must now, for SOA-compliance attestation, form an opinion as to the effectiveness of the general IT controls upon which other financial internal controls depend.

The IT Governance Institute has published a discussion document, “IT Control Objectives for Sarbanes-Oxley,” which provides what may be the only comprehensive methodology for assessing both general and application-level IT controls in support of SOA compliance (available from The work is based upon COBIT, a detailed set of professional guidelines for establishing effective IT governance, auditing, and internal control objectives. It identifies generic internal control objectives for the financial reporting process and modifies them accordingly to specifically address SOA compliance considerations. This specialized subset of COBIT is then mapped to the components of the COSO framework. The end result is a detailed IT internal control checklist that can be used to thoroughly assess both IT general and application-level controls for purposes of SOA-compliance analysis.

In addition to this checklist, the document also provides IT management with a comprehensive road map for coordinating all aspects of their department’s support for the company’s overall SOA compliance activities. Beyond being an excellent guideline for educating IT management and personnel, it is also a valuable resource for auditors who wish to achieve a greater understanding of modern IT internal controls and their relevance to SOA compliance.

Exhibit 3 and Exhibit 4 illustrate COBIT’s relationship to the COSO internal control integrated framework. Using COBIT as a foundation for an SOA IT internal control analysis methodology is logical because its open framework encompasses an integrated approach to enhancing enterprise IT governance and internal control that is similar to COSO’s. However, COBIT was designed to provide a consistent set of guidelines and best practices for maintaining an enterprise IT environment, not specifically to support the accuracy and integrity of the financial systems operating within this environment.

While COBIT and the “IT Control Objectives for Sarbanes-Oxley” discussion document derived from it provide an excellent foundation, these reference documents alone cannot solve all of the problems auditors will face in determining how the numerous IT general and application-level internal controls detailed in this documentation may affect a specific organization’s financial reporting processes.

Because the COBIT IT controls are exhaustive and often focused exclusively on IT-related issues, not all will have relevance to a particular company’s financial reporting processes. In general, when COBIT is the reference, auditors should be prepared to make a strong case for how and why a particular IT general control chosen for analysis or testing could potentially uncover a deficiency that could have a significant or material impact on the company’s financial statements. An informed determination about the IT general controls to focus on will be critical to the successful completion of an SOA audit.

Case Study

To illustrate how to isolate modern IT general controls that could have relevance to corporate financial statement processing functions, consider the following characteristics of a typical large corporation:

  • The company maintains multiple national offices and distribution centers linked via WAN and VPN connections.
  • All accounting, supply chain, and fulfillment operations are fully integrated via a modern, distributed ERP system that feeds financial information back to a centralized mainframe in the home office for financial processing and reporting.
  • The company has internally developed an e-commerce website that generates most of its total sales orders. A high percentage of its purchasing and EDI operations are also conducted via secure trading-partner websites maintained by vendors or independent third-party service providers.
  • The company distributes the majority of its internal financial reporting documentation electronically to all business units in real time via secured intranet websites and e-mailed PDF report attachments.

For a company like this, above and beyond the standard IT security, access control, and accounting process walk-throughs, attention should also be paid to the following specialized IT general and application-level control areas:

Network infrastructure. In distributed IT environments, particularly those utilizing remote-access technologies, security considerations go well beyond analyzing basic network and application-level user access parameters. A thorough analysis of IT controls in this area would include a review of firewall configuration parameters, network intrusion detection and monitoring provisions, network performance monitoring activities, network configuration and administration functions, data classification and encryption standards, e-mail and antivirus filtering provisions, business continuity provisions, and critical third-party service provider reliability. Because any weak link in the chain of a company’s network infrastructure could jeopardize the company’s financial data, a key deficiency in this area could ultimately have a significant effect on the company’s financial statement production process.

Another key issue is the role the network plays in supporting corporate communications. Information and communication represents one of the key COSO elements in establishing an integrated framework of internal control. Any significant deficiencies that could compromise reliable information exchange and corporate communications could also represent a key internal-control concern.

ERP configuration and business continuity. Modern ERP and accounting systems are capable of fully automating and integrating many highly complex business processes and centrally regulating and monitoring a broad array of financial and accounting system controls. No two vendors’ ERP or accounting applications are alike, and many can be extensively customized to support specialized vertical industry requirements. Detailed knowledge of the control, security, and workflow configuration parameters particular to the specific ERP and accounting software applications in use is critical in analyzing how effectively these systems support the company’s internal controls over financial processes and procedures.

In the example above, all internal accounting operations are being processed centrally via the home office’s mainframe. This affects the company’s ability to produce accurate financial reports on a timely basis should an unplanned business interruption make this system unavailable for an extended time. As a result, an IT internal-control review should ascertain whether the company has performed a formal business-impact analysis or risk-assessment study on its mission-critical business systems, and whether adequate business continuity provisions have been established.

Web-based application development considerations, and third-party reliance. As companies continue to migrate mission-critical business applications to the web and integrate web-based applications with back-end accounting systems, the technical sophistication necessary to effectively evaluate and test related internal controls has grown considerably. Companies employ dozens of different database and application development tools in building their websites. Insofar as these websites increasingly support critical financial operations that could have a material impact upon the company’s financial reporting processes, they represent a key point of concern.

When analyzing web-based application development, auditors should focus on the methodology the company is employing to monitor and regulate website development and maintenance. Are these activities being properly administered, tracked, and audited? Are web-based applications tested thoroughly prior to introduction? Are encryption standards implemented to protect sensitive data? Are adequate reconciliation procedures in place to ensure that online financial transactions are correctly recorded on a timely basis in the company’s back-end accounting systems? Are the underlying databases adequately secured to prevent unauthorized access and manipulation of data prior to their entry into the accounting system? Are any key third-party service providers or business partners utilized to support web-based business activities, and are their systems secure?

Paperless Financial Reporting Systems

Implementing real-time financial management and paperless reporting systems can dramatically enhance the efficiency of an enterprise’s operations. While helping make companies more nimble, the increasing adoption of these technologies has robbed auditors of ready access to the paper trails that have traditionally supported their analysis and testing of internal controls.

To successfully analyze IT controls surrounding dynamic systems and paperless environments, auditors must acclimate themselves to specialized data extraction and analysis tools and work directly with the live data that reside on these systems. Walk-throughs of financial reporting functions will require a detailed understanding of the underlying databases, scripts, applications, and electronic reports generated by these systems. Auditors must also analyze the automated internal control procedures that have been programmed into these applications to perform data integrity checks, including exception handling, error tracking, and reconciliation functions, as well as the e-mail and intranet-based workflow automation processes utilized to streamline financial reporting.
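As an added illustration (not part of the original article) of the reconciliation procedure the web-application and paperless-reporting sections ask about, the following Python script compares a constructed extract of web orders with a constructed extract of sales-ledger postings and reports the exception types an auditor would want surfaced: missing, late, duplicate, mismatched and unsupported postings. All data, field names and the two-day posting window are assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample extracts (not real company data): orders captured by the
# e-commerce site and the postings that reached the back-end sales ledger.
WEB_ORDERS = [
    {"order_id": "W-1001", "amount": Decimal("250.00"), "order_date": date(2009, 3, 2)},
    {"order_id": "W-1002", "amount": Decimal("99.95"), "order_date": date(2009, 3, 2)},
    {"order_id": "W-1003", "amount": Decimal("1200.00"), "order_date": date(2009, 3, 3)},
    {"order_id": "W-1004", "amount": Decimal("45.00"), "order_date": date(2009, 3, 3)},
    {"order_id": "W-1005", "amount": Decimal("310.50"), "order_date": date(2009, 3, 4)},
]
GL_POSTINGS = [
    {"order_id": "W-1001", "amount": Decimal("250.00"), "post_date": date(2009, 3, 2)},
    {"order_id": "W-1002", "amount": Decimal("95.99"), "post_date": date(2009, 3, 2)},  # transposed digits
    {"order_id": "W-1003", "amount": Decimal("1200.00"), "post_date": date(2009, 3, 9)},  # posted six days late
    {"order_id": "W-1004", "amount": Decimal("45.00"), "post_date": date(2009, 3, 3)},
    {"order_id": "W-1004", "amount": Decimal("45.00"), "post_date": date(2009, 3, 4)},  # posted twice
    {"order_id": "W-9999", "amount": Decimal("10.00"), "post_date": date(2009, 3, 4)},  # no web order behind it
    # W-1005 never reached the ledger at all
]


def reconcile(orders, postings, max_lag_days=2):
    """Match web orders to ledger postings by order id and return a list of exceptions.

    Exception types: missing_posting, amount_mismatch, late_posting (posted more than
    max_lag_days after the order date, an assumed timeliness threshold),
    duplicate_posting, and unsupported_posting (ledger entry with no originating order).
    """
    by_order = defaultdict(list)
    for p in postings:
        by_order[p["order_id"]].append(p)

    exceptions = []
    seen = set()
    for o in orders:
        oid = o["order_id"]
        seen.add(oid)
        hits = by_order.get(oid, [])
        if not hits:
            exceptions.append({"order_id": oid, "type": "missing_posting",
                               "detail": f"order for {o['amount']} has no ledger posting"})
            continue
        if len(hits) > 1:
            exceptions.append({"order_id": oid, "type": "duplicate_posting",
                               "detail": f"{len(hits)} postings for one order"})
        for p in hits:
            if p["amount"] != o["amount"]:
                exceptions.append({"order_id": oid, "type": "amount_mismatch",
                                   "detail": f"ordered {o['amount']}, posted {p['amount']}"})
            lag = (p["post_date"] - o["order_date"]).days
            if lag > max_lag_days:
                exceptions.append({"order_id": oid, "type": "late_posting",
                                   "detail": f"posted {lag} days after order"})
    for oid, hits in by_order.items():
        if oid not in seen:
            for p in hits:
                exceptions.append({"order_id": oid, "type": "unsupported_posting",
                                   "detail": f"posting of {p['amount']} has no web order"})
    return exceptions


def summarize(exceptions):
    """Count exceptions by type, the figure an auditor would carry into the workpapers."""
    counts = defaultdict(int)
    for e in exceptions:
        counts[e["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for e in reconcile(WEB_ORDERS, GL_POSTINGS):
        print(f"{e['order_id']:8} {e['type']:20} {e['detail']}")
    print(summarize(reconcile(WEB_ORDERS, GL_POSTINGS)))
```

In practice the two extracts would come from the web order database and the ERP sales ledger via the data extraction tools mentioned above, and a clean run should return an empty exception list.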

While by no means exhaustive, these illustrative issues identify various general IT controls that could have a material impact on financial statements. It is necessary to have a clear understanding of the relationship between these IT general controls and the financial processes they support within the organization’s overall framework of internal control.

Sid M. Edelstein, CPA, is a principal and director of IT services at Cornick, Garber & Sandler, LLP, New York, N.Y. He would like to thank Malcolm Schwartz, one of COSO’s original authors, for his review and comments.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.