SOX ACT 2002 Section 404 and ISO/IEC 38500

The Sarbanes-Oxley Act of 2002 is a U.S. law. The bill was passed to improve the quality and transparency of financial reporting, independent audits and accounting services for public companies in the U.S., including non-U.S. companies traded on any U.S. stock exchange. In its early days SOX was perceived by many as unreasonable, with costs unexpectedly high even for large publicly traded corporations and an even greater burden for smaller reporting companies. Through successive revisions by the concerned regulatory organizations, in this instance the SEC and the Public Company Accounting Oversight Board (PCAOB), those issues have been continuously addressed, and the law has become more relevant for organizations to comply with (and even adapt, in other cases) in order to make financial reporting accurate and the information technology behind internal control reliable and secure. Since the 2007 reforms, which refers to the release of the new PCAOB Accounting Standard 5, a SOX Act Section 404 study reported in 2009 by members of the Office of Economic Analysis, SEC, confirms that compliance costs vary with company size (increasing with size), compliance history (decreasing with increased compliance experience), and compliance regime (lower after said reforms).

The PCAOB was created along with the enactment of the bill to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports. The Securities and Exchange Commission, like any other SEC in other countries, oversees the key participants in the securities world; it also has oversight authority over the PCAOB, including the approval of the Board's rules, standards and budget. SOX mandates appropriations for the SEC to improve its resources and oversight.

Section 404 of the bill covers management assessment of internal controls. The SEC shall prescribe rules that state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and that contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the issuer's internal control structure and procedures for financial reporting.

PCAOB Accounting Standard number 5 (AS5), which supersedes AS2, received many comments, including broad discussion of material weaknesses and deficiencies in internal control over financial reporting (ICFR) and suggestions to align it with the standards used by or available to the SEC. AS5 accordingly establishes requirements and provides direction for an audit that is integrated with an audit of the financial statements. ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements, and the auditor's objective is to express an opinion on the effectiveness of the company's ICFR. It is also noted that if one or more material weaknesses or deficiencies exist, the internal control cannot be considered effective.

In its proposed rule released in 2002 on the disclosure required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act of 2002, the SEC mentions: "The Sarbanes-Oxley Act does not explicitly state who at the company should determine whether any of the audit committee members is a financial expert. Management is responsible for preparing the financial statements. Therefore, it seems inappropriate for management to assess the qualifications of audit committee members. Similarly, it does not seem appropriate for the members of the audit committee, alone, to assess their own qualifications. We believe that the board of directors in its entirety, as the most broad-based body within the company, is best-equipped to make the decision."

As to how the corporate governance of IT, or ISO/IEC 38500, is relevant to such a law (and perhaps to similar laws like J-SOX of Japan, CLERP 9 of Australia, Bill 198 of Ontario, Canada, et al.), particularly the provisions of Section 404: the link is how the board takes on ICT in general to underpin the company's requirements for doing business, including compliance with government regulations and directives. ISO/IEC 38500 is international in its application, and one of its functions is to promote effective, efficient and acceptable use of IT in all organizations by assuring stakeholders that, if the standard is followed, they can have confidence in the organization's corporate governance of IT, or in its simplest terms, the delivery and use of IT. That includes the security and reliability of information systems and infrastructure. It also informs and guides directors in their organization's use of IT. Directors means the board of directors, including the owners of the company. In the OECD's principles of corporate governance there are two types of board: the supervisory (or non-management) board and the management board. In some cases the management board is constituted in the person of the chief executive officer. By making them, whether supervisory or management board, aware of the standard, they would have a better approach to their IT, which is usually facilitated, if not solely directed, by an IT-capable body in the organization. The board, or senior managers in other cases, would also realize that if their efforts in IT are not done as directed or aimed, it not only implicates them, considering they are accountable to stakeholders, but could also negatively impact how the organization as a whole functions and operates its business.

International standards, whether mandatory or advisory, are not meant to replace legislation. However, careful consideration in adopting them can have a significant, usually useful and even uplifting, effect in a greater context on any organization's efforts in a certain activity, e.g. any one or combination of ITIL, ISMS, environmental standards, et al. Legislation, or laws, have a different purpose: compliance is not a matter of choice or privilege; covered individuals and entities are all required to comply, on time, or penalties follow.

The ISO/IEC 38500 standard is also relevant to the PCAOB, particularly AS5, which notes that the identification of risks and controls within IT is not a separate evaluation. That is why AS5 is an audit of internal control over financial reporting that is integrated with an audit of the financial statements. Since corporate governance of IT is a high-level, principles-based advisory standard, its aim is to help the board and senior management, just as in the case of SOX, understand how IT is carried out and utilized in a wider context rather than in the organization's individual processes. It does not say how to address risk or any subject other than good corporate governance of IT; however, it suggests that in order to benefit from the standard, adopting and applying the other standards required to carry out a particular objective is necessary so that the organization's use of IT, underpinning business needs, is effective and satisfactory.

The SEC accordingly endorsed the recommendations of its staff and directed the staff to focus on the four remaining work areas, one of which is: "Following a principles-based approach to determining when and to what extent the auditor can use the work of others." In response to commenters' suggestions that there remained too many instances of the terms "should" and "must" in the proposed AS5, which might drive excessive documentation and possibly unnecessary work, the PCAOB made modifications to make the final standard more principles-based, finding this approach to internal control auditing more convincing than a set of detailed requirements.

Not only do both PCAOB AS5 and ISO/IEC 38500 follow a principles-based approach; AS5 also contains, though not specifically by name, the six principles set out in ISO/IEC 38500. Though not comprehensive in this respect, AS5 clearly states the responsibilities of the company's management, board of directors and auditors; strategy, acquisition, performance and conformance form part of the effectiveness of internal control, including management of risk and whether or not it needs improvement for financial reporting to be effective and compliant with the provisions of SOX Act Section 404 as enforced by the SEC; and human behavior is reflected in the standard's requirement of technical training and proficiency (for the auditor), independence, and the exercise of due professional care and scepticism.
