Angsuman Dutta Unit Leader, Client Services Infogix

Joe Dupree Unit Leader, Market Development Infogix

Companies typically focus control efforts around security aspects of information technology.  From there application-centric views of IT processing yield controls that are, well, application-centric.  Major unchecked sources of risk exist between applications. These controls gaps will be increasingly discovered by top-down risk based reviews. This article discusses the significant information risk points found between applications and the characteristics of automated control systems that best mitigate the risks.

Despite the fact that a large number of material deficiencies reported in 10K statements are linked to deficiencies in inter-application controls; they are largely ignored due to lack of understanding of these controls and complexities associated with them. For most organizations, efforts to comply with the Sarbanes-Oxley Act) have proved to be onerous, time-consuming and costly. Most of the non-security related IT focus of SOX compliance efforts have resulting in control documentation and controls that have a somewhat limited span of view – around a specific IT application or IT process. 

Typically silo-structured IT organizations haven’t helped and it continues to be problematic to get IT analysts from separate silos to fully understand and communicate with each other – let alone have them fully “connect” with auditors. The resulting lack of controls implemented between applications eventually triggers audit exceptions, but only after tolerating years of something much more expensive: information errors. Continued corporate confusion and vague regulatory interpretive guidance have not managed to clarify things.  However, one can draw some conclusions from the corporate disclosures resulting from several years of SOX.
   
The Missing Controls

A review of studies on and direct observations of disclosures made by mid and large sized corporations over the span of SOX laws is telling of a poorly implemented (and in many cases missing) set of controls.

One particular study [1] on the various types of material weakness reported by hundreds of companies who made such disclosures found that nearly one quarter of disclosures were account specific deficiencies.  Typically, impacted accounts include AR and AP accruals, inventory, tax, expenses, and many others. Another nine percent of disclosures were related to material weaknesses in reconciliation. These include deficiencies such as problems with the reconciliation process and the procedures to review reconcilements. Note that reconciliation activities almost always involve comparing and matching details of information from one application to that of another.

Infogix has examined a number of material weaknesses disclosed between 2005 and 2007 and observed that a significant number of material weaknesses are due to lack of adequate controls to ensure accurate, complete, and timely information exchanges between major business applications and the general ledger system, and between various business applications both up and downstream of the general ledger.

The following table summarizes some of the reported disclosures in material weaknesses of internal control systems that are related to the lack of inter-application controls.

Weakest Links in Financial Statement Preparation Processes
The financial statement creation process is highly information driven. Several business applications within an organization constantly generate transactions for and exchange information with financial applications. Financial statement preparation involves exchanges of information between a series of applications. There is a need to ensure that an accurate and complete set of information is exchanged in a timely manner between each set of applications that are integrated. That is, along the processing path that information takes through a series of applications, controls must ensure that information (and all of the information) made it between each application. 
Over time, many applications have been fitted with controls to log input files and ensure that data ranges within each of the input fields are within a range that the application, itself, can handle.

This is normal human nature and typical of silo IT mentality. If you are responsible for one of the “cogs” in a larger (and often misunderstood) process, you will, at best, implement the necessary checks to ensure that the cog you support continues to serve the functions that the cog provides. And if “bad data” was sent to your cog you try to catch it before it crashes your cog. It is very important to note here that “bad data,” as defined by the application programmer is not necessarily inaccurate, incomplete, or inconsistent information, but rather something outside the range of information that the given application has been coded to handle. Hopefully, the error handling mechanism of the application, in these events, results in the timely alerting of the appropriate personnel who can best remedy issues. Much more troubling is that a large number of possible problems in information exchange between applications goes unchecked. 

There are a plethora of scenarios that give rise to less than perfect information exchanges between applications. Some of the underlying symptoms include these: truncation of transaction lists, duplication of transactions, yesterday’s file wasn’t picked up yet and was overwritten by today’s file, system time and date issues caused processing to proceed outside normal scheduled sequence, software/hardware updates caused a change in the sequence or formatting of information that the downstream application processed differently than expected, and the list goes on.

Five Key Questions
Auditors are increasingly asking questions to determine if inter-application controls have been implemented to independently and automatically detect problems that can occur between applications. Typical questions that application teams should expect include these:

1.    Was there a check to make sure that the total number of records that passed out of application A actually made it into application B?

2.    Does the total amount of record or transaction value sent from application A match the amount received by application B?

3.    In cases where differences occur, was there a consistent process by which each of the detailed line items between the two lists were reconciled?

4.    Does the control system detect the presence of duplicate transactions? 

5.    Did all of the information that application A sent to application B make it into application B within an expected amount of time?

One can see that these kinds of questions require more and more profound understanding of the entire sequence of processing steps as opposed to cog-level understanding. End-to-end controls that track information flows along a longer series of systems provide additional levels of control. In aggregate, these kinds of controls assure the trustworthiness of the information and processes that map to material business processes and operations. Newer accounting standards such as AS5 provide a stimulus to consider risks from a top-down approach that companies should expect to lead to greater scrutiny of inter-application and end-to-end controls. 

Based on our observation of material weaknesses in controls reported between 2005 and 2007 we have identified the following specific inter-application information exchanges that are most frequently found to have inadequate controls:

1.    Asset Systems to General Ledger
2.    Liability Recording Systems to General Ledger
3.    Stock Administration Database to Financial reporting system
4.    Payroll register to General Ledger
5.    Inter-company account systems to the Financial reporting system
6.    Accounts Payable systems to the General Ledger
7.    Accounts Receivable systems to the General Ledger
8.    Inventory to Financial reporting system


Inter-Application Control Hurdles
The accuracy, completeness and timeliness of the information exchanged between two systems are too often held in question due to lack of appropriate controls and audit trails. In the past, applications that exchange information have been able to provide reasonable assurance to integrity of the information because they either had the time to inspect and correct risks. Operations personnel would execute batch jobs and manually record control data from reports and application logs into journals.

In addition, business processes were sufficiently isolated to prevent wide-scale contamination (due to the more loosely coupled and/or discontinuous and physical nature of then current business processes). Nowadays, the real-time information exchange, explosive growth of the volume and pace of data, and interconnectivity between systems in the business environment are dramatically limiting organizations’ ability to provide assurance of the integrity of information. This and the frequency and intensity of IT fire drills raises the seriousness of the problem and the urgency of finding new approaches. Organizations are faced with several challenges: Accelerating changes in the business environment, changing needs of the business users, increasing complexity of systems and technology, and an expanding array of regulations and compliance requirements.

Even though business systems are becoming more interconnected, the organizational “silos” are the ground reality of today’s corporate information processing. Organizational silos are a barrier to effective communication between business systems and, in turn, limit the effective information exchange between applications. In the earlier example, both business applications owners had a rigorous change management and communication process around their systems however, there was not sufficient process rigor to understand the impact of change in one system to the outcome of downstream applications, let alone the entire business process.

Information Integrity Requirements and Control Frameworks

Automated Control Capabilities

Based on our experiences with Fortune 500 organizations, we have identified the following as the basic characteristics of automated information controls that provide for robust and sustainable compliance requirements:

Control Types 

In order to achieve the control objectives that assure information integrity, a number of differing control types are needed.

•    Verification Controls validate information content and format, detect duplicates, verify internal and external files, and check cross-references.

•    Balancing Controls verify that the summary totals from two or more sources match. This sounds simple, but is made more complex by the variety of information sources and the formats each summary total lives in. Example sources include application reports, files, databases, applications flat files, and daily/weekly/monthly processing runs.

•    Reconciliation Controls match and validate detail-level information from multiple sources. For example, transactions, report line items, account numbers, and balances must be reconciled to appropriate sources both up and downstream.

•    Tracking Controls monitor information as it flows through applications and processes. For example, as the data moves from the source to financial statement process, it is imperative to monitor the movement of transactions to ensure timely processing and validation of the processing path and sequence of steps.

Conclusion
This article highlights a type of controls often found to be inadequate or missing in today’s corporate information processing environments. We recommend understanding the characteristics of controls that fulfill the gap in an independent and automated manner to enable sustainable and more effective compliance.  Implement the right controls that are best suited to address inter-application and multi-application control requirements. 

It is essential to have the proper control types at hand in order to face current and future control related requirements. Due to changing business and regulatory requirements and the increasing volume and pace of information that coincides with an increasingly integrated application set, you can expect the urgency and impact of this problem to intensify.


References

1.    Ge, Weili and McVay, Sarah. “The Disclosure of Material Weaknesses in Internal Control after the Sarbanes-Oxley Act” Accounting Horizons, September 2005.

2.    Fogleman, Peterson, Heninger, and Romney. “Opportunity Detected: New SEC Interpretive Guidance and AS5 …” Journal of Accountancy, December 2007.

3.    Montana, John, JD. “The SOX Act: Five Years Later” The Information Management Journal, December 2007.