With the euphoria of going public comes the responsibility and reality of audit boards, SEC/SOX regulations, and public scrutiny of internal policies. When a privately held company goes public, it must comply with an abundance of regulatory requirements. Auditors are required to examine company practices across an organization, including information technology.
IT controls are crucial to protecting the integrity of an organization’s financial data, third-party applications, and primary accounting systems. Failing an IT audit could result in reported significant control deficiencies or material weaknesses, directly impacting a company’s valuation, attractiveness to investors, and public perception.
To prepare IT to meet public company regulatory requirements, an organization must assess risk, put a recognized controls framework in place, and establish tone at the top. It's important to encourage compliance with controls and ethical practices throughout the organization.
Controls implementation begins with a top-to-bottom risk-based diagnostic of the current technology environment. This includes understanding employee attitudes and the use of technology as well as hardware and software capabilities. A risk assessment should result in clear understanding of each risk and include a formalized prioritization process. The prioritization process should be co-developed with the business leaders who own many of the risks.
While IT is responsible for maintaining the technology that supports the business objectives, each business unit owns the risks within its purview.
For example, if a company’s controller runs a consolidated financial statement and the data of one of the legal entities is not integrated, accounting is primarily responsible.
The heavy lifting required to perform a thorough and well-documented risk assessment pays dividends when it comes time to write detailed policies and process flows. IT controls and policies serve as the clear and direct solution to risks identified, and they are most useful when mapped to specific risks in the assessment.
IT audit frameworks have been updated in response to the technical standards of ISACA (Information Systems Audit and Control Association) and the CISA (Certified Information Systems Auditor) program, and they help clarify those standards’ meticulous technical specifications.
The scope of IT audit frameworks can overwhelm smaller organizations. Understand the purpose of each framework, select the relevant components, and build a fit-for-purpose solution to best match your company’s:
For instance, the COSO (Committee of Sponsoring Organizations) framework is strong on corporate governance, while the ISO (International Organization for Standardization) standards place a stronger emphasis on risk. Neither framework is perfect for every organization; depending on the organization’s issues and culture, selecting the right components from each framework should be a consideration.
A comprehensive approach to controls is a better long-term strategy than a rushed or provisional attempt to meet SOX standards. Ensure subject matter experts from the business are consulted, and appoint an IT project manager to supervise the rollout.
The CIO champions the IT governance process and appropriately engages peers on the management team and within their department to enable the process. The CIO’s actions, planning, and communications should be the link between technology and business strategy. IT staff should understand the controls framework, be able to communicate the governance model, and follow established policies.
When the business views IT governance as an enabler rather than a tollbooth, the organization can optimize the use of technology and minimize the control risks.
Implementing control frameworks may seem daunting. Properly implemented controls provide discipline, accountability, and a smooth audit process. Much like checking your tires and oil before a long road trip, IT controls can be a simple discipline leading to a safer and more efficient journey.