SOX and the IT Risk Factor


(Page 1 of 3)

Sarbanes-Oxley may require every CPA to learn about technology controls.

By Richard McCausland

Ron Klein, vice president in charge of claims for Camico Mutual Insurance, tersely explains why CPAs require professional liability protection: “Bad stuff happens, people get blamed.”

The Scope of 404 Services

A public accountant can offer clients a broad range of SOX 404-related services. According to John McFadden, CPA, risk control consulting director for CNA, in an article entitled “Are Sarbanes-Oxley Section 404 Consulting Services for You?” these services include:

• Assisting the client in planning and monitoring its compliance project;
• Reviewing, analyzing, and documenting the company's internal control systems and processes;
• Advising the company on the selection and use of “compliance software”;
• Designing an internal audit process;
• Performing the internal audit function on an outsourced basis;
• Providing staff to assist the client in testing internal controls; and
• Attesting to some level of assurance about the existence, effectiveness, and design of the company's internal controls.

Source: The Practicing CPA newsletter published by Aon Insurance Services, national administrator of the AICPA Insurance Programs

However, it’s not nearly so easy to explain why accountants who are providing technology services now need to be certain that they are properly insured against all the potential risks posed by the Sarbanes-Oxley Act of 2002. Enacted in response to the recent spate of corporate governance scandals, SOX requires that management of public companies file with the Securities and Exchange Commission a fiscal year-end report that outlines the establishment and maintenance of adequate internal controls over financial reporting.

Of course, since internal controls are inextricably tied up with the company’s automated business management software packages and the hardware platforms they run on, it follows that these reports must consider Information Technology-related risks and controls. But there’s more. Section 404 of SOX specifically mandates that the company’s independent auditor attest to, and report on, the client’s assessment of these controls.

IT processes affected by Section 404, according to Protiviti, an internal audit and risk consulting firm, include security administration, application-change control, data management and disaster recovery, data center operations, and asset management. The last relates to the proper accounting for hardware and software acquisition, deployment, and retirement.

For the CPA/consultant, the good news is that Sarbanes-Oxley “clearly shifts” the legal risks of faulty internal controls onto management, notes Anthony Ghosn, principal with Dynamic Performance Metrics, a Claremont, Calif.-based consulting firm specializing in business intelligence and corporate governance solutions.

That said, however, “Treating Sections 404 and 302 [dealing with quarterly SEC filings] as ‘business as usual’ internal controls documentation and certification is very dangerous” on several fronts. Ghosn explains, “The financial risk can bear out in duplicate work efforts during future compliance work; operational risks can develop when policy does not monitor process or if proper mapping of processes to key accounts in the GL is not conducted and implemented; and market/competitive risks can develop when market analysts and other institutional investor segments don’t see the substance in the quarterly 302 certifications and annual 404 reports.” To the extent that the CPA or IT consultant is implicated in these shortcomings, they could be sued by an unhappy client seeking restitution for damages.

New York-based CNA Global Specialty Lines, which underwrites the Accountants Professional Liability component of the American Institute of CPAs insurance programs, insures approximately 24,000 accounting firms. For all the risks attendant to 404 consulting and attest work, these comprise “ordinary exposure” that are protected by existing policy provisions, says Joseph Wolfe, CNA assistant vice president for risk control.

Tools for Mending Their SOX

With the deadline for Sarbanes-Oxley 404 compliance approaching in November, middle-market accounting software developers are seizing the initiative to ensure that customers have the information and tools they need to bring their business processes up to snuff.

For instance, Microsoft recently launched its Office Solution Accelerator for Sarbanes-Oxley, designed to assist public companies with documenting and reviewing their internal financial controls to ensure they comply with SOX sections 302 and 404. Among other groups, Microsoft is reaching out to CPAs and Microsoft Business Solutions resellers, with their accounting domain expertise, to help public clients set up a compliance infrastructure that embodies best-practices guidelines.

Available to Office licensees at no extra charge, the Accelerator is built on Windows SharePoint Services and Microsoft Office InfoPath 2003, which means that managers at multiple locations within a company can collaborate online with regard to task management and reporting. MBS resellers have an opportunity to provide Accelerator customizations that will make it easier for individuals, divisions, or the entire corporation to access and manage needed compliance data.

Meanwhile, Epicor is telling the installed base, via Webcasts, that many SOX compliance issues can be addressed by implementing the basic control processes already built into Epicor Enterprise. For example, eProcurement can automate the rules associated with purchasing goods and services, and standardize the workflow for approvals and expense analytics.

On another front, Epicor has broadened its alliance with Altec, a Laguna Hills, Calif.-based provider of document management systems, whereby Epicor and its channel can sell Altec’s doc-link package integrated with Epicor Enterprise. Doc-link enables companies to capture, archive, and route structured and unstructured documents to customers, employees, and vendors. The product’s output management tool permits a variety of delivery options that include fax, email, or scanning.

Commenting on the partnership, Mark Duffell, Epicor executive vice president, says, “Given the emergence of compliance issues associated with Sarbanes-Oxley, integration of enterprise applications with document management technologies becomes even more vital, bringing greater visibility and accountability to the handling, recording, and auditing of business transactions.”

Rather, “What’s new here is that the client is dealing with a regulatory compliance issue,” which means heightened involvement by the SEC, the Public Company Accounting Oversight Board, and potentially even the courts, explains Wolfe. He counsels CPAs to do more of what they should already be doing. For instance, “It’s extremely important that there be a well-drafted engagement letter or contract” that outlines who’s responsible for what.

Wolfe also advises using what he calls the “funnel approach” for controlling communications between the CPA firm and others involved in the 404 engagement. All questions to the CPA staff need to be directed to a designated firm principal, especially if someone is seeking an opinion or recommendation about some aspect of the work or a particular product. As Wolfe explains, “In the CPA world, ‘assurance’ has a very different meaning; it implies this is an attest-level service.” Therefore, to help minimize exposure and in keeping with the funnel approach, “It’s important that IT professionals [who are affiliated with the accounting practice but] who are not CPAs understand these concepts” and not heedlessly dispense advice.

Faced with the vagaries of SOX 404, CPA firms with technology practices are taking an understandably cautious approach.

For instance, even though Templeton & Company remains a member of the AICPA SEC Practice Section, “we have stepped out of that [independent audit] arena for now,” says Steven Templeton, president of the West Palm Beach, Fla.-based firm. That leaves the way clear for his firm, a Microsoft Business Solutions reseller, to provide public companies with technology consulting, “all within the independent standard frameworks that are out there,” he notes.

Templeton observes, “There’s a real opportunity for us to do 404 work—to identify [the client’s] internal controls and deficiencies, and to use our technology skills to fix some of those problems.” He cites the market potential for Microsoft’s Office Solution Accelerator for Sarbanes-Oxley. (See sidebar, page 47.)

CPAs need to keep in mind that SOX is about a lot more than ensuring that a public company’s independent auditor is not also providing consulting services to that same company, which could compromise the objectivity of the assurance given regarding the client’s financial results.

Mark Cheffers, chief executive of, based in Manchau, Mass., fully expects “an inevitable transfer of SOX into the private audit world,” with all the attendant risks. He predicts that, confronted with charges of fraudulent or negligent conduct, juries aren’t likely to distinguish between public and private companies. He imagines a scenario where the plaintiff’s attorney asks the CPA consultant: “Isn’t it true that if you do X work for one of your publicly registered clients, it would be prohibited by law?” The implication is that this same scrupulousness should apply to all clients.

The CPA might reply, “Well, yes, but the law doesn’t require that those rules be applied to private companies.” However, in Cheffers’ view, “You end up sounding so bad that as a practical matter, justly or unjustly, the application of SOX will [be thought to] apply to private firms.”
