In many ways, there is nothing new about the requirements that Sarbanes-Oxley imposes on technology audits. There is a need for internal controls, including segregation of duties. "The biggest issue I see is that IT people are not very good at IT controls," says Jan Koster, a principal with the 80-person Technology Assurance Advisory Services Group of UHY Advisors, a unit that is responsible for technology risk management services.
Koster's group performs general controls and application reviews, along with penetration studies by themselves and as part of regulatory reviews under laws that include Sarbanes-Oxley and Graham-Leach-Bliley.
One of the problems with IT departments in mid-market companies is that many simply do not have enough personnel to handle many of the requirements of the recent legislation.
"The last thing they want to do is document their processes or put the monitoring procedures into place. They don't have the manpower to do it," says Koster.
For organizations lacking sufficient staff, UHY recommends more monitoring and controls, instead of real-time, hands-on work. "We are looking for reports on a monthly or bi-weekly basis."
IT Security Controls: A Shopping List
The requirements of Sarbanes-Oxley span a wide range of financial systems, information security, and physical system controls.
Here is a list of the areas to be reviewed in the area of IT controls as outlined by Secnap Network Security, a Boca Raton, Fla.-based company that provides managed network services.
* Critical IT infrastructure controls, system change management, database security, operating system integrity, and network security.
* Technical policies and procedures for access control.
* "Need to know" and super-user access to financial systems.
* Procedures for monitoring log-in attempts and reporting discrepancies.
* Current password management policies.
* Policies and procedures that address security incidents.
* Data back-up and disaster recovery plans to restore lost data.
* Current system monitoring to prevent, detect, contain, and correct security breaches.
* Policies for identifying and tracking user identity, authentication alternatives, and authorization controls.
* Emergency access procedures.
* Policies and procedures for automatic log off.
* Technical security measures guarding against unauthorized access to electronically transmitted information.
* Encryption policies for transactions.
* Real-time disclosure event reporting on material changes in financial conditions or operations.
If SOX has been a blessing for many accounting firms, as the Big Four firms shed work that is being picked up by small organizations, the new era of regulation is also benefiting IT groups, including those at accounting firms and software reselling and consulting firms.
A number of control issues revolve around how accounting software functions. And it's often the case that the very simple things are not taken care of.
"You would think that people's financials are secure," says Helene Cole, CEO of Altara, a Bernardsville, N.J.-based reseller of accounting software from Microsoft Business Solutions.
But controls are often lacking. Sometimes all employees can gain access to the financials, because the client never used the security features in the software that can restrict access to different parts of the financial records according to an employee's role within the company. Often, when companies get a new software package, they forget to change commonly known default passwords.
"You wouldn't believe how many of our customers have never implemented the security measures that are in the software," she says.
One change that Altara brings to the engagement is to emphasize the importance of security. "Security has always been an afterthought," she says. The client and the VAR are often more concerned about getting the software up and running as quickly as possible. But that is no longer true.
"We are putting security front and center," she says. To ensure proper controls are in place, Altara does not give the client a pilot database until security has been implemented. Altara has also changed the assumptions it makes about existing systems.
"We used to assume that when we bring in three years of history that everything works," Cole says. Now, Altara consultants make sure that they test every process and get management to sign off on those results.
Controls cover more than just having the proper features invoked in the software. Management must "make sure that conversations around the steps that are taken are documented and signed off. It can't just be word-of-mouth," Cole continues.
Although such engagements are complex, the opportunity for resellers is broad.
"We are dealing with really large companies, but also a lot of customers that aren't public are asking for these services," she says.
From a competitive point of view, building the costs into a bid can be a handicap in a competitive market. Cole says she finds Altara can pitch a job for $100,000, while facing clients who are getting quotes of $40,000 from competing VARs.
"'How come you guys are so much more?' they ask," Cole relates. She says her answer is to stick to Altara's position and warn, "Go with the other reseller and call us when you have problems."
The Software Angle
A lot of companies are pitching tools to help ensure SOX compliance. Microsoft, for example, has the Sarbanes-Oxley Accelerator for Microsoft Office. But that's mostly a document repository, some resellers say.
Much of the work is consulting brain power, not software capability. Even when software is being used, many firms have developed their own applications. Altara, for example, has developed templated discovery documents by industry.
The Vendor's No. 1 SOX Job? Educating Customers
The biggest issue with Sarbanes-Oxley regulations when it comes to accounting software vendors is not what their software does, but what it does not do, cannot do, and is not supposed to do.
"Our user base is misinformed and they expect the applications to solve this problem," says Geni Whitehouse, a CPA and vice president of product management for Accpac's Advantage Series. "People think the applications need to be SOX-certified."
First, there is no such thing as a SOX-certified accounting package. Second, vendors generally have documentation that shows that their applications support SOX. System integrity, database accuracy, and controls were in Best products before the SOX mandates were adopted. But that is not going to solve all of an end-user's problems or remove many of their responsibilities.
"We have things to support you, but there is nothing that is going to guarantee that you won't make an erroneous entry in your GL," Whitehouse says.
The major task for vendors is to educate resellers and end users about just what the wave of regulation requires. Still, Whitehouse notes that vendors have been surprised at the response from customers and prospects.
"We didn't think it would be a big hot button for our market place," she says. "People are looking at applications and expecting them to help in meeting their compliance concerns."
Moreover, many companies that are not required to adhere to SOX are demanding to have similar controls, partly because business people think that strong controls are a good idea and partly because they expect lenders to force the issue.
"The banks are used to dealing with people who are required to meet standards. They are going to start raising the bar," says Whitehouse.
"We have tools that track key controls," Koster says. But UHY is also developing its own software tools to monitor controls.
In general, accounting software vendors are emphasizing that they already have controls and security built into their packaged applications. One of the important elements, says Jeff Young, a vice president at Microsoft Business Solutions, is standardized reporting. Beyond that, the software's ability to help meet SOX requirements starts with the core system and the audit trail.
Microsoft also uses the threat of SOX to encourage prospects who have multiple accounting systems to drop those in favor of installing a single Microsoft accounting platform.
"That significantly streamlines work," says Young. Doing so reduces the number of databases that need to be secured and backed up. Young also describes the SOX Accelerator as more than just a document repository.
"It is a kind of specialized document repository, but it's a pre-populated document repository," he says. The system helps users set up a business process, with the ability to incorporate files from other Office applications such as SharePoint, Word, and Excel, or to produce a step-by-step flow chart.
A major question is just how much business there will be once companies have gotten beyond the first wave of compliance, especially now that compliance with SOX has been delayed for a year.
"A lot of people are building big organizations around this," muses a CPA at a big firm. He wonders if the need for SOX services will repeat the experience that programmers went through in the build up to and aftermath of Y2K. "In 1999, if you were a Cobol programmer, you were looking at buying a mansion. After the roof fell in on Y2K, you were looking at a homeless shelter," he quips.
"For some of these VARs, these have to be the biggest projects they've ever seen. You can get $25,000 for delivering about anything," he continues.