Got the 404 on That?
SOX and other laws require greater care and protection for computer systems.
Read this article at webcpa.com
By Robert W. Scott
New York (June 5, 2005) – Accounting Technology – In many ways, there is nothing new about the requirements that Sarbanes-Oxley imposes on technology audits. There is a need for internal controls, including segregation of duties.
“The biggest issue I see is that IT people are not very good at IT controls,” says Jan Koster, a principal with the 80-person Technology Assurance Advisory Services Group of UHY Advisors, a unit that is responsible for technology risk management services.
Koster’s group performs general controls and application reviews, along with penetration studies by themselves and as part of regulatory reviews under laws that include Sarbanes-Oxley and Graham-Leach-Bliley.
One of the problems with IT departments in mid-market companies is that many simply do not have enough personnel to handle many of the requirements of the recent legislation.
“The last thing they want to do is document their processes or put the monitoring procedures into place. They don’t have the manpower to do it,” says Koster.
For organizations lacking sufficient staff, UHY recommends more monitoring and controls, instead of real-time, hands-on work. “We are looking for reports on a monthly or bi-weekly b If SOX has been a blessing for many accounting firms, as the Big Four firms shed work that is being picked up by small organizations, the new era of regulation is also benefiting IT groups, including those at accounting firms and software reselling and consulting firms.
A number of control issues revolve around how accounting software functions. And it’s often the case that the very simple things are not taken care of.
“You would think that people’s financials are secure,” says Helene Cole, CEO of Altara, a Bernardvsille, N.J.-based reseller of accounting software from Microsoft Business Solutions.
But controls are often lacking. Sometimes, all employees can gain access to the financials, instead of the client’s using the security features in the software that can restrict access to different parts of financial records depending on an employee’s role within the company. Often, when companies get a new software package, they forget to change commonly known default passwords.
“You wouldn’t believe how many of our customers have never implemented the security measures that are in the software,” she says.
One change that Altara brings to the engagement is to emphasize the importance of security. “Security has always been an afterthought,” she says. The client and the VAR are often more concerned about getting the software up and running as quickly as possible. But that is no longer true.
“We are putting security front and center,” she says. To ensure proper controls are in place, Altara does not give the client a pilot database until security has been implemented. Altara has also changed the assumptions it makes about existing systems.
“We used to assume that when we bring in three years of history that everything works,” Cole says. Now, Altara consultants make sure that they test every process and get management to sign off on those results.
Controls cover more than just having the proper features invoked in the software. Management must “make sure that conversations around the steps that are taken are documented and signed off. It can’t just be word-of-mouth,” Cole continues.
Although such engagements are complex, the opportunity for resellers is broad.
“We are dealing with really large companies, but also a lot of customers that aren’t public are asking for these services,” she says.
From a competitive point of view, building the costs into a bid can be a handicap in a competitive market. Cole says she finds Altara can pitch a job for $100,000, while facing clients who are getting quotes of $40,000 from competing VARs.
“‘How come you guys are so much more?’ they ask,” Cole relates. She says her answer is to stick to Altara’s position and warn, “Go with the other reseller and call us when you have problems.”
The Software Angle
A lot of companies are pitching tools to help ensure SOX compliance. Microsoft, for example, has the Sarbanes-Oxley Accelerator for Microsoft office. But that’s mostly a document repository, some resellers say.
Much of the work is consulting brain power, not software capability. Even when software is being used, many firms have developed their own app “We have tools that track key controls,” Koster says similarly. But UHY is developing its own software tools to monitor controls.
In general, accounting software vendors are emphasizing that they already have controls and security built into their packaged applications. One of the important elements, says Jeff Young, a vice president at Microsoft Business Solutions, is standardized reporting. Otherwise, the software’s ability to help meet SOX requirements, starts with the core system and the audit trail.
Microsoft also uses the threat of SOX to encourage prospects who have multiple accounting systems to drop those in favor of installing a single Microsoft accounting platform.
“That significantly streamlines work,” says Young. Doing so reduces the number of databases that need to be secured and backed-up. Young also defines the SOX Accelerator as more than just a document repository.
“It is a kind of specialized document repository, but it’s a pre-populated document repository,” he says. The system helps users set up a business process, with the ability to incorporate files from other Office applications such as Sharepoint, Word, and Excel, or to produce a step-by-step flow chart.
A major question is just how much business there will be once companies have gotten beyond the first wave of compliance-especially now that compliance with SOX has been delayed for a year.
“A lot of people are building big organizations around this,” muses a CPA at a big firm. He wonders if the need for SOX services will repeat the experience that programmers went through in the build up to and aftermath of Y2K. “In 1999, if you were a Cobol programmer, you were looking at buying a mansion. After the roof fell in on Y2K, you were looking at a homeless shelter,” he quips.
“For some of these VARs, these have to be the biggest projects they’ve ever seen. You can get $25,000 for delivering about anything,” he continues.
Net at Work, a New York-based Best Software reseller, is one of those companies building a SOX practice. There is a lot of money in those engagements, although the cost varies depending on the number of users, location, and servers, notes Adam Hirsch, senior security engineer.
The total engagement price can range from $25,000 to $50,000 per project, says Hirsch, who has been with the firm for three years, but who has been working with security compliance issues for just over a year. The audits performed by Hirsch and his growing group span a wide range.
Defining the roles of personnel is a critical part of ensuring that proper controls can be established.
“You want to make sure the person doing accounts payable data entry doesn’t have access to change the general ledger,” says Hirsch. “You must make sure the controls within the roles defined by the application are doing what they say they are doing.”
Net at Work is looking at audit trails to make sure that all changes can be accounted for. It wants to ensure that proper passwords are being used. The team will attempt to break security anywhere from 25 to 40 times.
Excel files can be a big problem, since many financial staff members use the spreadsheet for a variety of purposes and then email the files to others. Hirsch says companies need to make sure audit features are set up in the Microsoft application.
There needs to be operational controls so that management knows that power is available for the servers and that uninterruptible power supply system is in place and that there is documentation for all systems.
A back-up strategy is also part of the controls. And so is hiring the right people for the right job. Hirsch says companies must make sure they hire IT people who know how to implement the applications and how to handle them.
“Go over CVs and job responsibilities and job roles to ensure there is a proper separation of responsibility,” he advises.
The Net at Work team typically includes from three to five people, whether project managers or someone knowledgeable about a specific application. Hirsch works on general IT-level controls, “bringing in someone more accounting-focused if it’s an accounting issue.” In fact, such engagements often involve both the reselling firm and accounting firms that outsource the IT work.
UHY’s Koster also says that proper controls are often lacking in IT departments, particularly when it comes to segregation of duties.
“Usually there is one network administrator who has the rights to everything. That’s already a little risky,” notes Koster.
In most cases, control over access to data is established during the initial implementation of the accounting system. But the controls weaken as staff members leave the company, or take on new jobs.
“If someone is transferred from accounts payable to accounts receivable, the company gives them the rights to the new job, but doesn’t take away the old rights,” says Koster.
Organizations should periodically review those rights by printing out a list of all users for critical applications and having management make sure that the right people can get into the parts of the software that they are entitled to access.
While security is always important, it has become even more so under SOX. Companies must provide physical security, ensuring that financial data cannot be destroyed by accidents such as flood and fire and that an authorized person can’t enter the building and haul off a server with the company’s financial data.
Although that kind of theft was always possible with filing cabinets, portable computers introduce greater risk. “It’s difficult,” Koster acknowledges. “A laptop has a lot more data in it than filing cabinets did. I have seen plenty of client sites where you could walk in and take anything you want.”
There are also electronic security issues-the increasingly necessary steps that must be taken to prevent hackers and viruses from taking or destroying financial data. As with the security in accounting packages, the barriers to malicious attacks on email systems must be kept up to date, especially as outsourcing via the Web grows more popular.
“You will never be 100 percent secure. Hackers will break in if you give them enough time. But if you have a good monitoring system, you will catch them,” says Koster.
UHY deals both with public companies that need to be SOX-compliant and with semi-regulated industries. But the firm uses a similar approach and performs a similar kind of review.
Usually, a UHY team will include three levels of personnel: staff, senior staff, and a senior manager or partner, with two to three people sent into the field with mid-market companies. The unit has professionals such as CISAs, CPAs, and security experts.
How well are companies in the mid-market doing in measuring up to the tougher standards?
“If you measure them against Sarbanes, it’s a pretty poor job. The hard part is that Sarbanes puts down a benchmark which is difficult to do for small businesses and the mid-market,” says Koster.
Cohn Consulting, an arm of Roseland, N.J.-based J.H. Cohn put a big effort into corporate governance before SOX. It decided to be a big player because of its resources that include a number of IT auditors that were already on staff, notes Neil Babbington, a senior director who has an IT audit background. Big companies still have surprising weaknesses in the area of IT. “I’m a little amazed that we still have big companies with four-character passwords in use,” says Babbington.
Using the COSO Integrated Control Framework, Cohn produces documentation and a flow chart of internal controls. “We will work with clients to develop a remediation plan. We are often asked to help write policies and procedures since the clients don’t have the staff to do it,” he says. “The other thing that we do is to help the financial consultants with who has access to what and what is appropriate.”
Like many others, Babbington sees the non-accelerated filers, the companies with less than $75 million in market capitalization, asking for SOX-like controls even though they are not yet required to comply.
“We have more than 100 companies that we have helped with Sarbanes,” says Babbington. “The better-run companies that make a nice profit have good internal controls.”
Robert W. Scott is Editor of Accounting Technology and can be reached at Robert.Scott@sourcemedia.com.