During the yearly audit cycle, companies are sure to provide a substantial amount of information to their auditors. This is referred to as Information Provided by the Entity (IPE) and is considered to be all types of information used by an auditor to arrive at conclusions that are used to form the audit opinion.
This could include the testing of internal controls or the performance of other substantive procedures. For companies that undergo Sarbanes-Oxley (SOX) testing, a key piece of the information provided to the auditors is financial reports. Because reports are so vital for testing, companies subject to SOX need to generate financial reports from controlled, independently tested applications rather than from manually updated spreadsheets or from applications that do not comply with the SOX information technology general controls (ITGC). ITGC controls are what give assurance that those financial reports are complete and accurate. Within a company's environment, auditors will usually group reporting IPE into the following categories:
- Standard Application Reports – These reports have been developed by the vendor who owns the application. The company has no ability to modify or edit these reports.
- Custom Reports – These are reports that are created by the company’s IT team, based on requirements that are set by the business team.
- Ad-hoc Reports – These are reports that business users create by themselves to use on an as-needed basis.
Some of the most important ITGC controls for companies to consider when using custom reports are the change management procedures that are performed over the reports. Effective change management should include:
- Identifying the in-scope SOX reports that are used in financial reporting.
- Baselining the in-scope reports: during user acceptance testing, the report output is tied back to the source system (or, if the report is generated within the source system itself, to another report or method) to establish that it is complete and accurate.
- Changes to reports should be documented within a ticketing system.
- Business users should be performing user acceptance testing and baseline testing for each change.
- Approval from the business and IT teams should be performed and captured within the change ticket.
- Developers should not have the ability to migrate their own changes to the production environment.
- There should be separate environments for development, quality assurance (QA) and production.
- A system-generated log of report changes should be available to the auditors.
When change management procedures over reports are ineffective, for example where there is no process to track changes, there are segregation of duties issues, or logging is lacking, companies may need to implement additional procedures to ensure that the in-scope SOX reports are complete and accurate so that the auditors can rely on them. These additional procedures could involve recreating reports and tying the numbers back to the source system to confirm they are correct. They could also involve a periodic review of the reports and of the changes made to them, to confirm that the changes are appropriate.
Finally, ad-hoc reports should be used with caution for financial reporting. Ad-hoc reporting provides value to business users by being flexible and well suited to investigating issues. However, this flexibility usually comes at the cost of control over, and auditability of, the changes. If ad-hoc reports are used, the user should document the parameters together with the report each time the report is generated. Even with these parameters documented, your auditors will most likely push for a more controlled environment for key financial reports.
Overall, companies need to have the necessary processes in place to ensure that all reports used in their environment are complete and accurate. This means having the correct ITGC controls, and specifically change management controls, in place to monitor and track changes to these reports. The IT and business teams need to work together to make sure the correct controls are in place and the reports are accurate. The IT team is responsible for setting up reports, ensuring the appropriate users have access, making sure the reports run on the necessary schedule, and confirming that the reports contain the correct data. The business users, in turn, are responsible for working with IT to set up all necessary reports and for validating that the correct information is included in each of them. The involvement of both IT and business users, along with strong change management controls over the in-scope SOX reports, ensures that companies provide accurate and up-to-date data when generating financial reports.