January 15, 2013
Protiviti Misguides on IT Key Controls and SOX
It is very unfortunate that Protiviti, who was one of the leaders and great contributors to the development of IIA guidance on IT General Controls and SOX, has gone so wrong in their Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition).
The IIA guidance I am referring to, which is referenced briefly by Protiviti, is the highly-acclaimed GAIT Methodology (a free download for IIA members).
Of course, this is just my personal opinion, but the evidence is, I suggest, conclusive. For example:
- It focuses only on automated (IT) controls and IT general controls (ITGC), instead of the combination of controls that are relied upon to address financial reporting risks. It assumes that there is always a reliance on IT controls and ITGC by every organization, regardless of the nature of the risks to the financial statements and the manual controls in place. While true in principle, this assumption will lead to including more IT and ITGC controls in scope than necessary to address financial reporting risk. (See the payroll example below.)
- While it references GAIT, it has lost the key message in that guidance: that the key controls should be identified based on the presence of a risk of material misstatement of the financial statements, and that the identification of ITGC key controls should be a continuation of the top-down and risk-based approach used to identify the combination of manual and IT controls relied upon within business processes. I call the approach taken in this document middle-down instead of top-down, because it does not start with risk to the financial statements, but with generic IT risk and controls.
- It also ignores another key lesson in GAIT, echoed in the SEC SOX guidance, that only the functionality in critical applications that is relied upon to prevent or detect material misstatement of the financials represents a risk for which you need to assess related ITGC. Only ITGC controls that, should they fail, would cause IT business controls to fail to prevent/detect a material misstatement need to be in scope.
- This document covers a wide variety of important ITGC controls that are necessary to operate the business with confidence, but are not all necessary to prevent or detect material misstatements. The latter is how you define the scope for SOX. For example, if there are high-level controls where fluctuations in account balances are reviewed (such as payroll costs) and that is sufficient to detect a material misstatement in that account (payroll rarely fluctuates so much that a material error would not be a highly-visible red flag), there is no reliance on the payroll system — nor on the related IT and ITGC controls.
- The (sorry, guys) blind focus on IT instead of looking at the larger picture of what controls are required to prevent/detect a material misstatement has resulted in the error (refer to PCAOB guidance) of saying that you need controls over data backup and recovery. This is specifically excluded from the scope of SOX because, as the SEC explained to me, a failure to recover will not result (except in rare cases) in an error in the financial statements, only a delay in filing. That delay is not a SOX deficiency.
I have a lot of good friends at Protiviti, whom I respect and admire. It is distressing to see the firm get this so wrong, even as they reference GAIT.
I recommend reading the following instead:
I welcome your comments.