Where great minds meet Honeycomb Connect
Home | My Cell | Help | Contact Us
Select Hive/Cell
Corporate Information Technology (CIT50)
March 18, 2018  
Corporate Information Technology (CIT50)
Corporate Information Technology
Executive Member Profiles
CIT50 Executive Reports
Solutions Exchange Gallery
About Honeycomb Connect
Contact Us
Corporate Information TechnologyCIT50 Executive Reports
SOX Compliance for Small and Medium Sized Businesses
April 1, 2007
...back to list

Broadly speaking, small public companies are subject to the same Sarbanes Oxley requirements as larger ones and with fewer resources to spend on compliance the stakes are that much higher. Jim Herzfeld, VP and CIO at the Milwaukee Journal Sentinel Inc. says one way of making sure your internal controls are up to scratch is by partnering with the Finance department. Speaking at a Honeycomb web conference Herzfeld shared his IT department's experience of addressing SOX and 404. In his presentation Herzfeld provided an overview of 404 requirements and what smaller organizations have to do.

Journal Sentinel Inc., publishers of the Milwaukee Journal Sentinel the most popular newspaper in Wisconsin, went public in 2003 which meant Herzfeld and his team had to start preparing for SOX 404 compliance. The company uses around 11,000 computers, 250 servers and has 40 IT staff who, as well as developing software, support the entire operation around the clock.

Herzfeld says IT was quickly dragged into meeting the requirements for 404 compliance, which include, accepting responsibility for the effectiveness of the company's internal control over financial reporting, evaluating the effectiveness of the company's internal controls using suitable control criteria, performing procedures to develop sufficient evidence and maintain documentation to support assessments of the effectiveness of the company's internal controls, and presenting a written assessment of the effectiveness of the company's internal controls as of the end of the company's most recent fiscal year.

How does IT fit into this? Linkage of IT controls to Financial Assertions.

IT Process

Related Financial Statement Assertion

Access to programs and data (security)

Existence, completeness, Valuation, Presentation and Disclosure

Change Management

Existence, completeness, Valuation, Presentation and Disclosure

Program development and maintenance

Existence, completeness, Valuation, Presentation and Disclosure

Computer operations

Completeness and Valuation

Source: SOX Compliance for SMBs, Honeycomb Xtalks Web Conference, January 24, 2007

He explains that as an IT professional the first step in compliance was building a plan. For the project to work, he says, there were two other crucial requirements. The first, executive level buy-in, meant that the whole process was driven from the top-down. The next essential requirement, in Herzfeld's experience, was a cultural change within the organization. People within the IT department may not be familiar with SOX terminology so making sure everyone understands definitions is vital. “Culture is the hardest thing to change,” he says.

404 requirements-Auditor's responsibility
Attest to and report on the assessment made by the company's management
Obtain an understanding of internal control over financial reporting including performing walkthroughs

Identify significant accounts and relevant assertions

Test and evaluate the effectiveness of the design of controls
Test operating effectiveness
Update testing performed prior to year-end
Use the work of others
Evaluate the results and testing
Identify significant deficiencies
Form an opinion and report
Follow same disclosure model as management's assessment
Test controls intended to prevent or detect fraud
Source: PCAOB Release 2004 in SOX Compliance for SMBs, Honeycomb Xtalks Web Conference, January 24, 2007
“Typically IT doesn't understand what a control is,” comments Herzfeld. “Some of the older generation who are used to programming on mainframes may be more familiar with controls than the new generation.” Another big challenge was making sure everyone understood what it meant to sign papers and get the proper approvals. The type of language used in reports had to be clearly comprehensible by the auditors, this is where Finance can help out says Herzfeld, “using technical terms doesn't help the process, it's important to break things down into items that the auditors can understand.” Managing the change within his organization was another challenge, “by putting in measures for monitoring, the IT department believed that we didn't trust them.” External clients as well often wouldn't understand why the organization suddenly required testing and authorization paper work.

Having said this, Herzfeld goes onto explain that there were some significant benefits that were soon recognized, principal among these was the overall strengthening of processes. “We implemented tight change control and the managers resisted, but after 30 days one of the managers stood up in a meeting and said this is the best thing since sliced bread because his phone no longer rang when he was at home.” Herzfeld's organization was able to implement best practices and get into a situation where IT received fewer service calls. An important element for success here was focusing the organizations efforts in the right places. Therefore defining the scope of the project was essential, considering size limitations, and Herzfeld ensured that the project focused only on the computer systems, programs, databases, operating systems, networks and processes which had an impact on the accuracy of financial reporting and therefore SOX compliance.

Eliminating redundant processes and unwanted activity was another vital step, here Herzfeld recognises two types of control. Preventative controls, where a process is set up that requires certain signatures before somebody has access to a system. The signatures therefore give a person security rights to a given application. And, detective controls (or monitoring) the idea being that at each level more and more possible gaps in the system are removed so that finally control deficiencies can be listed on the audit report. Herzfeld says its important to have some physical activities that prove something has been reviewed, in order to show that there was a positive test of that control. Making sure controls have dual layer authentication is considered good practice. Segregating of duties is also considered good practice but this is not always possible with limited numbers of personnel so Herzfeld suggests, implementing increased monitoring, strong manual business process controls, creating alignment of job responsibilities, sharing resources with sister companies and outsourcing some activities. However, even though something is outsourced the outsourcing organization is still responsible for the process, one useful tool for assuring the process is by using a SAS70 report. Compensating controls help organizations to compensate for their inability to perform the primary control. These are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated.

The top 10 control deficiencies.
Unidentified or unresolved segregation of duties issue
Operating system supporting financial application or portal not hardened
Database supporting financial application not hardened
Development staff can run business transaction in production
Large numbers of users with access to 'super user' transactions in production
Terminated employees or deported consultants still have access
Posting periods not restricted within GL application
Custom programs, tables and interfaces unsecured
Procedures for manual processes do not exist or are not followed
System documentation does not match actual process
Source: SOX Compliance for SMBs, Honeycomb Xtalks Web Conference, January 24, 2007
Documenting processes, policies and controls is fundamental to compliance, says Herzfeld. “When you get to an audit point, if something is not documented then it doesn't exist. You need to be sure that what you draw out are specifically the processes that you're following, its very important to take the documentation seriously.” As a general rule, the who, what, where, when and how questions are central to good documentation.

A recent ruling by the PCAOB states that if good quarterly testing is performed then the external auditors can depend on these provided good guidelines have been followed. “You must test your controls in a reasonable manner,” says Herzfeld, “In our case we developed control matrices.” He lists four basic testing techniques: inquiry, observation, examination and reperformance.

Herzfeld ended his presentation by listing some of the red flags that came up in his organization. These included, end users with security administration capabilities, end users with direct database access, passwords known by more than one individual, individuals with the capability of performing an entire transaction and controls which had not been performed.

In the end, he says, every organization has its deficiencies, managements responsibility is to ensure there are no material weaknesses, no significant deficiencies and no repeat deficiencies from the previous audit.

Printer-friendly version
E-mail this to a friend
Comment on this story
...back to list
Member Site Tour
User Name:


Forgot password?
My Cell | Help | Contact Us Privacy Policy | Legal disclaimers
Copyright © Honeycomb Connect