Challenges

IT Audits -- Internal Controls -- Sarbanes-Oxley Compliance

It is imperative that corporations manage their projects to comply with Section 404 efficiently and effectively if they hope to avoid the costs projected earlier and meet the deadline of December 31, 2006. This is no easy accomplishment because of the monumental challenges that they face. The larger and more geographically spread a corporation is, the more these challenges increase in scale and number.

Challenge: Mental Models

Most people do not think from a controls perspective and do not consciously think about controls during their daily activities. This mental circumstance gets even more challenging when people must also be knowledgeable about other models and methodologies, e.g., ISO 9000, Capability Maturity Model, Committee on Sponsoring Organizations (COSO) Model, and Generally Accepted Accounting Practices (GAAP). Such shifts do not come easily, however, and usually occur after a significant event. Hence, taking on this challenge requires overcoming learning curves, sharing information, and having patience. Unfortunately, the tight SOX deadline provides little opportunity to deal with such matters with aplomb.

Challenge: Unprecedented

While this may not initially seem people-oriented, a little thought reveals otherwise. Most people prefer the familiar and enjoy working with "proven" approaches. SOX, however, is not proven, and corporations are still developing their approach to suit their unique environment and satisfy the Feds. This situation can lead to rework and exploration, something difficult for some people to handle; the routine that often accompanies their normal work is nonexistent. Dealing with this challenge becomes further complicated because few people see compliance as a reward, e.g., positive reinforcement, and more as a potential punishment for failure, e.g., negative reinforcement. Furthermore, regulatory requirements, albeit getting clearer, remain vague, leaving room for rework as rulings evolve from PCAOB.

Challenge: Many Stakeholders

For a SOX project to succeed, many different categories of people must participate, and for good reason. Successfully executing controls often cuts across multiple organizations and involves many processes. Naturally, this breadth touches many people and organizations. Affected internal stakeholders include executives, management, and professionals who are involved in accounting, finance, law, audit, security, governance, and procurement. Affected external stakeholders include consultants who provide support to comply with SOX and external auditors who provide guidance and eventual certification on the effectiveness of internal controls.

Challenge: Changing Business Environment

Nothing remains static for a public corporation, internally or externally. Market forces coupled with political and social ones create an environment that requires flexibility, adaptation, and risk tolerance. For corporations and people used to stability, this situation can wreak havoc on their daily operations. SOX, being an unstable regulatory requirement and moving many corporations into a new realm, makes adaptation to change very challenging, especially when the regulatory requirements are vague and changing.

Challenge: Lack of Commitment

As mentioned earlier, many people view SOX in terms of negative reinforcement, that is, failure to comply will result in severe penalties. Failure to attest and certify controls relating to accountability, responsibility, authority, and disclosure can indeed have a devastating market impact by causing a dramatic drop in stock value. For many people, however, attestation and certification are akin to death and life insurance; they are abstractions that cannot be readily understood and appreciated until the moment of truth approaches. Also, many people view SOX as a consequence of bad actions on the part of executives with other firms, e.g., Tyco, and as not really having relevance to them.

Challenge: A Potentially Unrealistic End Date

The December 2006 due date is already a slide date by PCAOB; the original one was in June 2003. There is hope that the current end date will slide also. This false hope makes establishing a reliable schedule very difficult. If a corporation does develop a schedule and works towards achieving significant milestones, the end dates may change again, resulting in re-planning and, worse, a lull in the project that causes a loss of momentum.

Challenge: Complexity of the Organizational Structure

An organizational structure often reflects a corporation's history and culture as well as its response to market conditions. The larger the corporation in terms of geography and people, and the greater its longevity, the more difficult it will be to gain agreement on even a high-level schedule. SOX is extremely challenging in this regard because it involves inter-business, multi-disciplinary, and cross-functional stakeholders, each with different interests and perspectives.

Challenge: Rework

Because PCAOB's direction on SOX continues to evolve in the midst of a tight deadline, rework is inevitable. Redefining scope as well as deleting and adding content in documentation will likely occur. Naturally, this circumstance can cause "stop and go" behavior and increase the learning curve. An additional effect is the difficulty in determining whether to hire additional people.

Challenge: Tools

Eventually, all the documentation related to SOX must be considered "final" after certification and updated periodically. Unfortunately, automated tools are only gradually being released; their number is limited and the existing ones require extensive training. Whatever tool is adopted, it will also likely require modification to suit the unique needs and requirements of a corporation. Such modifications take time and are frequently complex. Under a tight deadline and evolving requirements, this challenge can become seemingly insurmountable.

Challenge: Fear of Auditing and Auditors

Most employees perceive auditing and auditors as threatening. As internal and external auditors get increasingly involved, people's guard rises, thinking that the review of compliance with SOX requirements will likely expose control weaknesses that, in turn, reflect poorly on their organization and themselves. This situation becomes acute where historically auditing has been viewed with suspicion. People become reluctant to share information and tend not to accept responsibility for the effectiveness of controls that do exist, or should have existed.

Challenge: Disparate Information Systems

This challenge is directed particularly towards IT, especially in large corporations where legacy systems tend to have a life of their own. Some of these systems may lack adequate controls because plans in the past were made to retire these systems, though not necessarily before the end of December 2005. As a result, documentation and knowledge about the system may be incomplete, thereby making it difficult to answer SOX queries. Coupled with people having more advanced skills working on more state-of-the-art systems, this circumstance makes it extremely difficult to document SOX requirements due to the shortage of people having the requisite knowledge about these systems.

all contents of this site ©2006, Gagum & Gagum LLC