Auditors And ERPs – Can We Rest “Assured”?

Dennis Howlett has been bugging me lately and bugging me good.  All the way from Spain, he Twitters and calls and now Skypes me into thinking about what’s next.

What’s next for the auditors?
What’s next for software?
What’s next if another firm fails?
And what does all this mean for ERPs?
(He’s always really only worried about himself, you see.)
I’ve never focused solely on Sarbanes-Oxley in this blog.  It’s only part of the story about how the Big 4 make money, run their firms, and take advantage of the double-edged sword that is government sanctioning and now regulation of their profession.  But with the potential for Sarbanes-Oxley to be repealed, as Broc Romanek and the Corporate.Counsel.Net gang have ably reported, a major revenue source for the firms and an ongoing burr in the side of industry may disappear.  Many a blogger will have to find something else to write about.
It was about time I got back to technology.  I joined KPMG Consulting in 1993 because, after ten years of implementing new systems and technology as an accounting professional, I wanted to manage projects in an organized, structured, professional environment, rather than managing by the seat of my pants.
Dennis’s column today in ZDNet warns of “Ticking Time Bombs in Enterprise Land.”  He makes liberal use of my recent post with the prediction of the imminent failure of one of the largest firms.  He also connected me with Vinnie Mirchandani, a member of the Enterprise Irregulars, a group of bloggers who write about ERP, and they solicited a quote.
Vinnie’s specific question was this:
In the growing world of SaaS multi-tenancy and virtualized/shared compute resources, how are SAS 70 issues getting resolved? It seems a bit out of date to just get a traditional data center certification when resources are being co-mingled across customers, and often hosted at a sub-contracted vendor…
Dennis has documented my response to this question in his post. My opinion was supported by inquiries to two of the smartest Risk Assurance/IT/Security partners that I know. These are folks who kick the tires on systems every day and, knowing them, kick those tires very hard.

Their comments supported my original educated gut feeling:

SAS 70 issues are not getting resolved in the world of SaaS multi-tenancy and virtualized/shared compute resources.

Just take a look at one company’s approach.  I’ve found it to be pretty typical of companies that are still more worried about passing their financial Sarbanes-Oxley testing than about IT controls. As if those two were not joined at the hip in a modern, automated, multinational company…

Objective: To evaluate the independent service auditors’ Statement on Auditing Standards (SAS) 70 reports provided by XXX Company’s third-party service organizations for relevance and effectiveness in achieving Sarbanes-Oxley audit and compliance objectives.

Only those processes and controls which have been deemed key, critical, high-risk or otherwise significant to achieving the company’s Sarbanes-Oxley compliance objectives are considered, including key controls supporting the following IT processes:

Change Management; Logical Access; System Development Life Cycle (SDLC); Backup, Storage & Recovery; Job Scheduling and Batch Processing; Physical Security; and Incident Management.

Since the assessment of the operating effectiveness of the company’s internal controls (and, by proxy, those of its service organizations) is required to satisfy SOX compliance objectives, only a Type II SAS 70 report, which assesses both the design and the operating effectiveness of the service organization’s controls, is relied upon.

When management’s SOX compliance testing occurs more than six months after the SAS 70 report was issued, a bridge letter is sought from the service organization certifying that no changes in the design and operation of its internal controls and supporting processes (including changes in key personnel, reports, contracts or service level agreements, or processing errors) have occurred since the report was issued.

Source: There is no centralized listing of the SAS 70s required throughout the company and no centralized management of the requirements for the controls to be tested by, and the assurances required from, each vendor. In other words, [Company XXX] accepts whatever SAS 70 report the vendor sends and files it. Therefore, our Sarbanes-Oxley testing scope was limited to the SAS 70s evaluated in 2006, and business units were contacted to obtain the reports.

Conclusion: In each case, the vendor’s Service Auditor’s Opinion for all SAS 70 Type II reports evaluated was effective for both design and operating effectiveness. However, management’s conclusions on design and operating effectiveness will be inconclusive in all cases, since very few company-required controls for these processes were mapped to the service organization’s controls, and the company’s controls were not specifically required to be opined on.

Also, since there was no centralized listing and tracking of the SAS 70 Type II reports to be provided by all of the company’s service providers, the scope matrix may not be a complete listing of all SAS 70s required to be obtained for evaluation. Therefore, we cannot provide assurance that all control objectives at individual business units for which the Company relies on outside parties have been satisfactorily met.

SAS 70s are only one part of the problem with how companies are or, rather, most often aren’t getting any real level of assurance that their ERPs have the controls needed to ensure the integrity of financial reporting as well as support their complex business needs.

re: The Auditors will be talking more often in the future about Information Technology as the next frontier for the audit firms, both as they try to maintain and continue to grow audit fees with or without Sarbanes-Oxley and as they attempt to restart their consulting practices.

  1. Anonymous says:

    The failure to map CLCs and not having a centralized list of all required SAS 70 reports are both common. As an external auditor I am not overly concerned about them, though, because we can perform our own mapping and identify all required SAS 70s with proper scoping and understanding of the client’s systems.

    To me, the real risks are:
    1) Defining roles and responsibilities via access rights (SOD)
    2) Improperly configured software allowing application controls to be bypassed
    3) Push back from the client and the audit teams, forcing the IT Auditor to only do a cursory review of the ERP
    4) Failure to identify certain application controls as key
    5) Competency of client ERP admins.
    6) Competency of IT Auditors


  2. Francine McKenna says:

    @IJustWorkHere Thanks much. SAS 70 was just one area around ERP risks, specifically related to growth of SaaS/cloud computing, that I wanted to mention, based on some recent conversations. You raise several more really good ones.

  3. keystonesandrivets says:

    Hi Francine,

    You and Dennis Howlett put together a great series of posts on this topic.

    In your ‘Links to this Post’ section there is a link to my post “Auditing IT systems” where I discuss them and add my take:

    “To be able to accurately assess risk of IT system failure, three things need to be clearly understood and easily communicable:

    1. Which IT assets or resources support a particular business process or service – allowing the question, “Which parts of the business will be directly affected should this IT System, or part thereof, fail?” to be answered.

    2. The value of those business processes to the company operation – allowing the question “What would be the financial impact should an IT system, or component thereof, fail?” to be answered.

    3. How data flows between the IT Systems that enable the business services to operate – which, critically, allows an assessment to be made of “Which parts of the business will be indirectly affected should this IT asset fail?””

    What do you think? Your feedback is very welcome.

    Paul Wallis
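Paul’s three questions only become answerable once the asset-to-process mapping, the process values and the data flows are written down in one place. The following is an added example (mine, not code from the post or from Paul Wallis) that models a small constructed set of assets, processes, flows and annual process values as a dependency graph and computes the direct and indirect business impact of a single asset failure.

```python
from collections import deque

# Constructed sample inventory (not from the post). Asset and process names
# are illustrative placeholders.
SUPPORTS = {                        # asset -> business processes it directly serves
    "erp-db": {"general-ledger", "order-to-cash"},
    "erp-app": {"order-to-cash"},
    "payroll-saas": {"payroll"},
    "idp": set(),                   # identity provider: serves no process directly
}
FLOWS = {                           # upstream asset -> downstream assets consuming its data
    "idp": {"erp-app", "payroll-saas"},
    "erp-db": {"erp-app"},
    "erp-app": {"payroll-saas"},
}
VALUE = {                           # annual value of each business process (question 2)
    "general-ledger": 5_000_000,
    "order-to-cash": 12_000_000,
    "payroll": 3_000_000,
}

def downstream(asset):
    """Every asset reachable from `asset` through data flows (breadth-first),
    excluding `asset` itself. This is the "data flow" view of question 3."""
    seen, queue = set(), deque([asset])
    while queue:
        current = queue.popleft()
        for nxt in FLOWS.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def impact(asset):
    """Return (direct, indirect, exposure) for a failure of `asset`:
    direct   = processes the asset serves itself (question 1)
    indirect = processes served only by assets fed by it (question 3)
    exposure = summed annual value of every affected process (question 2)."""
    direct = set(SUPPORTS.get(asset, ()))
    indirect = set()
    for dep in downstream(asset):
        indirect |= SUPPORTS.get(dep, set())
    indirect -= direct                # do not double-count direct hits
    exposure = sum(VALUE[p] for p in direct | indirect)
    return direct, indirect, exposure

if __name__ == "__main__":
    for a in SUPPORTS:
        d, i, e = impact(a)
        print(f"{a:13} direct={sorted(d)} indirect={sorted(i)} exposure={e:,}")
```

Note that the identity provider serves no process directly, so an inventory built only from question 1 would rate it as low risk; the data-flow graph is what surfaces its indirect exposure.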
