Trust Services: A Better Way to Evaluate I.T. Controls: Fulfilling the Requirements of Section 404

EXECUTIVE SUMMARY

* SARBANES-OXLEY REQUIRES MANAGEMENT to include an assessment of internal controls over financial reporting, using a suitable framework, in the annual report. While a number of frameworks are available, some do not adequately assess technology controls.

* SEC RULES SAY MANAGEMENT MUST BASE its evaluation of the effectiveness of internal controls over financial reporting on a recognized control framework issued by a group that followed due-process procedures. The framework must be free from bias, complete and relevant to the task at hand, and must permit consistent quantitative and qualitative measurements.

* SEVERAL GROUPS, INCLUDING COSO, COBIT and AICPA/CICA Trust Services, have issued frameworks CPAs can use to evaluate internal controls, particularly controls over a system's IT aspects. In a survey of CEOs and CFOs, 28.4% said they used a model other than COSO to assess the effectiveness of their IT internal control structure.

* A FIVE-STEP PROCESS ENABLES CPAs to use the Trust Services framework in conjunction with the COSO framework to evaluate the IT control aspects of the required internal control assessment. The process defers to Trust Services for a more detailed assessment of whether the IT systems used to support and create the financial reports are reliable.

**********

It would be an understatement to say the Sarbanes-Oxley Act of 2002 has had a significant impact on every CPA working for or auditing a public company. Among other things, Sarbanes-Oxley requires management to include an internal control assessment using a suitable framework in the company's annual report. But how exactly are companies performing the required assessment? This has been a hot topic for professional associations such as the AICPA, the Institute of Management Accountants and the Institute of Internal Auditors. In response, the AICPA created an ad hoc task force to address management's responsibility under section 404 of Sarbanes-Oxley.
The task force assembled a list of key issues, including the act's requirement to use suitable criteria for an effective internal control system. This article explains how I use the AICPA/CICA Trust Services framework in my work as an information systems auditor to evaluate internal controls, particularly controls over information technology. CFOs, internal audit executives and financial managers, as well as external auditors, will see how the framework can supplement some commonly used measures that do a good job of assessing overall controls but do not focus on technology controls.

INTERNAL CONTROL ASSESSMENT

Section 404 requires public companies to include in their annual reports an assessment by management of their internal controls over financial reporting. This includes a statement of management's responsibility for establishing and maintaining adequate internal control, an assessment of the effectiveness of those controls as of the end of the most recent fiscal year, a statement identifying the framework that was used to evaluate those controls and a statement that the external auditor issued an attestation report on management's internal control assessment.

The final SEC rules say management must base its internal control evaluation on a suitable, recognized control framework established by a body or group that followed due-process procedures. The rules do not mandate the use of a particular framework but say a suitable one must

* Be free of bias.

* Permit reasonably consistent qualitative and quantitative measurements.

* Include all relevant factors that might alter a conclusion about the effectiveness of the internal controls.

* Be relevant to an evaluation of internal control over financial reporting.

As a practicing information systems auditor charged with preparing the IT control aspects of the required internal control assessment, I searched for an appropriate model and found three suitable ones: COSO (www. …