Information Technology: SOX in a Box
In any company, the Information Technology (IT) group — the computer geeks — plays a vital role in helping the company become compliant. When processes are defined, automated, monitored, and corrected, maintaining internal control and ensuring clean information is much easier. IT drives the financial reporting processes by managing data, documents, and key operational processes. Therefore, the Chief Information Officer (CIO), who is responsible for the security, accuracy, and reliability of the systems that manage and report the financial data, now plays a vital role in the certification and compliance process. Far from being a dead-end job, the CIO's position is now a powerful political role in a company.
98 Part II: Diving into GRC
COSO’s Five Main Elements of Internal Control
Control environment: The foundation for all other elements, influencing the control consciousness of the people within the organization and encompassing every aspect of how the organization is structured and works.
(Translation: This is the big picture. If your control environment is healthy and is already functioning well, then sowing the seeds of compliance will be straightforward. If your control environment is sick and needs help, you are probably looking at a big change management project.)
Risk assessment: The identification and analysis of risks to the achievement of the organization's business objectives.
(Translation: In order to know your business, you need to know your risks and know them well.)
Control activities: The policies and procedures that help the board and management ensure that their control decisions are carried out in relation to identified risks.
(Translation: You've identified your risks, your control environment is good, and now you need to set up the policies and procedures that will help senior executives make their decisions.)
Information and communication: This must occur at two levels: first, the board must communicate its control objectives to all employees; and second, the IT system must capture and report pertinent information in a time frame and format that enables the organization's board and management to carry out their responsibilities.
(Translation: Both the head and the body need to be working together. If the messages don't get to the brain, the body will die.)
Monitoring: The ongoing monitoring of internal control systems includes regular and ad hoc functional and management reviews. It should be based on risk assessment, with serious deficiencies being reported to the board.
(Translation: Procedures are not always perfect. They can have weaknesses or break down. You need to monitor them to ensure that you know when they are failing you. You are the master of your processes; they are there to serve you and not the other way around.)