Operational Challenges - Practical Limitations to Reducing the Audit Workload

July 8th, 2008 | by Dan |

I was one of the presenters for an ISSA e-Symposium, Risk and Compliance – Audit Fatigue, held on 8 July 2008. The e-Symposium was hosted by Mike Simons, Editor, ComputerWorld UK. George Kurtz, Senior Vice President & General Manager, Risk & Compliance Business Unit, McAfee Inc., gave the opening keynote, Audit Fatigue, followed by Dorian Cougias, CEO, Network Frontiers, with Harmonizing IT Controls to Reduce Audit Workload. My topic was Operational Challenges - Practical Limitations to Reducing the Audit Workload.

The audit burden has become increasingly onerous in recent years, particularly with the mandates imposed by the Sarbanes-Oxley Act (SOX) in the United States. The focus in the early years of the SOX era was passing the audit, “no matter what it might cost.” As Ken Wilcox, CEO of the SVB Financial Group, observed in a 1 June 2007 Wall Street Journal article entitled Dealing With Sarbox, “My own company (SVB Financial Group, which trades on the Nasdaq) is likely indicative. In 2006 we paid over $20 million to the Big Four (including what is left of Arthur Andersen), for an average of about $17,000 per employee. This is more than five times as much as we paid them only three years ago.” Now that most companies have successfully gone through a number of SOX audits, the focus has shifted to how audits can be conducted more efficiently while minimizing the impact on the business. While there are many things that can be done to reduce the audit burden, I believe there are a number of operational challenges that make it difficult to reduce that burden significantly. Understanding these realities helps in developing solutions that reduce the audit workload. They are often the “elephant in the room” that no one wants to talk about, and they consist of both communication and process issues and technology issues. When they are addressed effectively, the impact of these practical limitations can be reduced significantly.

I discussed the following Operational Challenges:
  • Lack of standard, explicit criteria for determining SOX critical applications
  • Lack of effective ownership of IT controls by the business owners
  • Lack of consistent IT control frameworks and sampling methodologies among business users, internal auditors and external auditors
  • Duplicate testing of the same IT controls by business owners, internal auditors and external auditors
  • Limited or no automated reporting on IT controls from enterprise applications and infrastructure components
  • Difficulties in managing controls for distributed, user generated files such as Excel spreadsheets and Access databases that are part of SOX critical applications

Because of these Operational Challenges, there are some practical limitations to reducing the audit workload. However, when these realities are addressed effectively, the impact of these practical limitations can be reduced significantly. Many of them are communication and process issues, so building strong and effective partnerships between the business owners, IT, internal auditors and external auditors is key to reducing the audit workload.

There was a question and answer period after each of the presentations and a roundtable discussion at the end. I was pleasantly surprised by the international interest in SOX issues. I received thoughtful questions from individuals in Berlin, Germany; Dublin, Ireland; and London, UK, as well as from various U.S. locations.

The e-Symposium is available online at issa.brighttalk.com.