IT Auditing AND Sarbanes-Oxley Compliance Key Strategies FOR Business Improvement IT Auditing AND Sarbanes-Oxley Compliance Key Strategies FOR Business Improvement Dimitris N Chorafas Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an informa business AN AUERBACH BOOK Auerbach Publications Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2009 by Taylor & Francis Group, LLC Auerbach is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S Government works Printed in the United States of America on acid-free paper 10 International Standard Book Number-13: 978-1-4200-8617-1 (Hardcover) This book contains information obtained from authentic and highly regarded sources Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint Except as permitted under U.S Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400 CCC is a not-for-profit organization that provides licenses and registration for a variety of users For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe Library of Congress Cataloging-in-Publication Data Chorafas, Dimitris N IT auditing and Sarbanes-Oxley compliance : key strategies for business improvement / Dimitris N Chorafas p cm Includes bibliographical references and index ISBN 978-1-4200-8617-1 (alk paper) Information technology Auditing Auditing, Internal I Title HD30.2.C477 2008 657’.458 dc22 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com 2008014241 Contents Preface ix About the Author xv Acknowledgments xvii Part I Management Control Internal Control and Information Technology .3 1.1 Internal Control Defined 1.2 Internal Control and Service Science 1.3 The Proverbial Long, Hard Look .9 1.4 Classical and New Internal Controls .13 1.5 Deficiencies and Conflicts in Internal Control 16 1.6 Internal Control Is IT’s Current Frontier 18 1.7 The Audit of Advanced IT Operations .20 Case Studies on Internal Control’s Contribution 25 2.1 Internal Control and Operational Risk 25 2.2 Monitoring Functions of Internal Control .29 2.3 The Critical Role of Experimentation 31 2.4 Use of Threat Curves in IT 35 2.5 Design Review as an Internal Control Method 38 2.6 Internal Control and System Specifications .41 2.7 The Added Value of Prototyping 43 Auditing Functions .47 3.1 Purpose of Auditing 47 3.2 Qualification of Auditors and Audit Standards 50 3.3 Transparency in Financial Reporting .52 3.4 The Sarbanes-Oxley Act and Its Aftereffects 56 3.5 The Auditor’s Independence of Opinion 60 3.6 Auditing the Bank’s Internal Control: A Case Study .63 3.7 Audit Reports and Audit Trails 66 v vi  n  Contents Internal and External Audit 69 4.1 Auditing Responsibilities Prescribed by Regulatory Agencies 69 4.2 Structure and Standards of Internal Audit .72 4.3 Internal Audit Functions 75 4.4 Failures in Auditing Internal Control 77 4.5 Outsourcing Internal Audit .80 4.6 External Audit Functions 82 4.7 Unqualified and Qualified Reports by External Auditors 84 4.8 Challenging the Dominance of the Big Four 88 The Board’s Accountability for Audit 91 5.1 Membership of the Board of Directors 91 5.2 Legal Responsibilities of Board Members and Senior Management 93 5.3 Committees of the Board 96 5.4 The Corporate Governance and Nominating Committee 98 5.5 The Audit Committee 100 5.6 Situations That Escaped the Audit Committee’s Watch 102 5.7 Cultural Change 105 Part II Case Studies on Auditing a Company’s Information Technology Auditing the Information Technology Functions 111 6.1 Snapshots of IT Audits 111 6.2 Tuning the IT Audit to Regulatory Requirements 114 6.3 Procedure of an IT Audit 117 6.4 Why IT Audit Impacts a Firm’s Technology 119 6.5 Auditing Fraud Cases 122 6.6 Auditing Technology Risk .124 6.7 Auditing the Overall System Concept 127 6.8 Testing Existing Auditing Procedures 128 6.9 Auditing IT’s Legal Risk 131 Strategic IT Auditing: A Case Study 135 7.1 Goal of a Strategic Audit .135 7.2 Strategic Analysis of the Bank’s Business .138 7.3 Snapshot of IT’s Status Quo 143 7.4 What Bank Executives Thought of IT Support They Received 145 7.5 High Back-Office Costs, Low Marketing Punch, and Treasury Department Woes 148 7.6 Conversion Problems Created by Legacy IT 150 Contents  n  vii 7.7 Database Culture and Software Development 153 7.8 Conclusion: A Lopsided System Design 155 A Constructive View: Suggestions for IT Restructuring 157 8.1 Capitalizing on the Strengths of the Institution 157 8.2 Opportunities and Problems of Strategic Planning 160 8.3 A New Technology Strategy 162 8.4 Bringing High Tech to the CEO and the Professionals 165 8.5 Improving Internal Control over IT 168 8.6 Instituting a Risk-Management System 171 8.7 Return on Investment and the Technology Budget 174 8.8 Profit Center Organization and Internal Billing 176 A Broader Perspective of IT Auditing .181 9.1 IT Projects That Never Reach Their Goals 181 9.2 Why Has the Project Not Been Completed? 184 9.3 The Fall of a State-of-the-Art Project in Transaction Management 188 9.4 Mismanagement of Client Accounts Revealed by an Audit 191 9.5 Wrong Approach to Risk Control: Too Much Manual Work 194 9.6 Auditing the Models for Market-Risk Exposure 198 Part III Technical Examples in Auditing IT Functions 10 Auditing IT Response Time and Reliability 203 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 Qualifications for Auditing Specific Technical Issues 203 System Response Time 206 System Expansion Factor 208 User Activity and the Cost of Turnaround Time 210 Auditing Interactive Systems 214 Auditing System Reliability 217 The Investigation of Reasons for Unreliability 219 Auditing Operational Readiness 221 11 Auditing the Security System 225 11.1 11.2 11.3 11.4 11.5 11.6 11.7 Information Security and the IT Auditor 225 Auditing Security Management .227 Physical Security 230 Logical Security .231 How Safe Is Network Security? 234 Information Security in Cyberspace—The Small Fry 236 Information Security in Cyber Warfare—The Big Stuff 239 viii  n  Contents 11.8 The Auditor’s Target in Network Security .241 11.9 Auditing Software Security 244 Part IV Can IT Help in Compliance? The Case of SOX 12 Sarbanes-Oxley Compliance and IT’s Contribution 251 12.1 Compliance Defined 251 12.2 Beyond Compliance with the Sarbanes-Oxley Act 254 12.3 Both Regulation and Management Watch Should Be Proactive 257 12.4 SOX Is a Friend of Business, Not a Foe 259 12.5 The Fear of the Policeman Is Greater than the Fear of IT 262 12.6 Contribution to Compliance of the Corporate Memory Facility 265 12.7 The Contribution of Knowledge Engineering 268 12.8 Why Knowledge Artifacts Are a Major Advance in IT 271 13 What If: Backtesting Sarbanes-Oxley .275 13.1 13.2 13.3 13.4 13.5 13.6 13.7 13.8 The Concept Underpinning Case Studies and What-If Scenarios 275 Replaying the Enron Scandal under SOX 277 The Worst Continued to Worsen 279 Ignorance as a Way of Running a Big Firm 281 Modern Financial Alchemy: Prepays 284 Credit Insurance, Surety Bonds, and Out-of-Court Settlement .288 Sarbanes-Oxley and the WorldCom Scandal 291 The Contribution of the Sarbanes-Oxley Act to the American Economy .293 Index 297 Preface Written as a contribution to the accounting and auditing professions, this book brings under one cover two key strategies for business improvement: information technology (IT) auditing and Sarbanes-Oxley (SOX) compliance Superficially, these seem to be strange bedfellows, yet they belong together for several reasons, not the least being that they both require NN NN NN NN Ethical accounting practices, Focused auditing activities, A functioning system of internal control, and A very careful watch by the board’s audit committee and chief executive officer From the Bubble Act of 1720 to the Sarbanes-Oxley Act of 2002, the history of financial legislation is the child of crisis and of the inevitable complaints of those who were harmed by malfeasance When new laws are voted into effect, or when rules and regulations change, the impact is felt by both NN The accounting profession, because accounting is the gatekeeper of financial information, and NN Information technology, particularly that part of it addressing account keeping and financial reporting, hence the need for IT auditing The text has been designed to give the reader a practical knowledge of modern IT auditing, all the way to compliance issues The practical examples and case studies included in this book have been written with the hope that they may assist in raising the professional standards Therefore, not surprisingly, the readership is principally auditors, accountants, and information system specialists at large Because not all readers are necessarily versatile in internal control and audit prerequisites, Part I focuses on those issues that are needed to provide a level playing field Chapter introduces the reader to the concept of internal control and explains how and why internal control and information technology correlate As the text ix What If  n  289 “disguised loans” could be read to a jury “If the jury accepts defendants’ view of what the e-mails are referring to (as the jury reasonably might), the term ‘disguised loan’ is highly relevant and precisely descriptive of what is involved,” Judge Rakoff wrote in a 10-page ruling.* JP Morgan vice chairman Donald Layton had described the transactions as disguised loans in one of the e-mails, and in another he had discussed the consequences should the bank’s internal records about the loans be subpoenaed That is a very interesting reference in connection with the Sarbanes-Oxley Act back play, because the records would have provided indisputable evidence that NN Chief executives signing the financial reports would have misstated such a transaction, and its balance-sheet impact, and NN Knowing in advance the personal accountability involved in such an act, I not think they would have signed the financial statements in the first place “We are making disguised loans, usually buried in commodities or equities derivatives (and I’m sure in other areas),” Layton wrote in one e-mail “With a few exceptions, they are understood to be disguised loans and approved as such But I am queasy about the process.” Subsequently, however, Layton told the court, outside of the jury’s presence, that none of the 1999 e-mails referred to transactions involving Enron JP Morgan Chase Mahonia transactions with Enron were being also investigated by the U.S DOJ, the Securities and Exchange Commission, the Federal Reserve Bank of New York, and Manhattan District Attorney Robert Morgenthau Morgenthau began a grand jury investigation of JP Morgan’s relationship with Mahonia, which handled billions of dollars of gas and oil trades with Enron (more on this later) During court hearings, JP Morgan stated the insurers knew the true nature of the transactions and went ahead with the surety bonds anyway The insurers had refused to pay after Enron defaulted on the trades after it collapsed “The bank has classified the contracts as nonperforming assets, and won’t write off the money unless it loses in court,” Vice Chairman Marc Shapiro said.† JP Morgan Chase claimed that Travelers Indemnity must pay $240 million and Travelers Casualty & Surety $25 million; Federal Insurance, $184 million; Lumbermens Mutual Casualty, $156 million; Fireman’s Fund, $154 million; and St Paul Fire and Marine Insurance, $135 million Other claims were Continental Casualty and National Fire Insurance of Hartford, $77 million; Safeco Insurance of America, $55 million; Hartford Fire Insurance, $41 million, and Liberty Mutual Insurance, $25 million—altogether a rich windfall at its time * Bloomberg Professional, December 23, 2002 † Bloomberg Professional, December 23, 2002 290  n  IT Auditing and Sarbanes-Oxley Compliance The foregoing list adds up to a whole bunch of CEO and CFOs who might well have been prosecuted under “Sarbanes-Oxley 1998,” even if they claimed that they had signed their insurance companies’ financial statements in good faith No wonder that so many senior executives are openly against SOX The violation of regulations might have been even more flagrant given that one of the picturesque aspects of these surety bonds, and the trades of natural gas and oil that they covered, were conducted through Mahonia Natural Gas—a curious nontransparent organization based in the tax haven of English channel islands The fact Mahonia was based in the Jersey Islands came to the public eye with unusual detail The plan was for Enron to sell the commodities to Mahonia Chase Manhattan Bank, the predecessor to JP Morgan Chase, had drawn up the transactions between June 1998 and December 2000, and it financed them In this way, the money for the commodities NN Came from Chase, NN Moved to Mahonia, and NN From the shell company it was transferred to Enron The insurers answered the bank’s request for coverage by saying that they did not know Enron was contracting to repurchase the exact same amount of natural gas and oil from a third entity called Stoneville Aegean, being allowed to pay for its purchases in the future They argued in court that the fact that Enron was simply NN Keeping Chase’s money while NN Getting its commodities back made this a disguised loan This case became even more colorful when it was revealed that the “trading” organizations of Mahonia and Stoneville Aegean were both set up by the same person They also had the same director and the same shareholders One of the names was a red herring, but being based in the Jersey Islands, both of them would have been beyond the reach of “SOX 1998”; however, this would not have been true for Enron and Chase Manhattan In his opinion, Judge Rakoff wrote: “Taken together, these arrangements now appear to be nothing but a disguised loan.” At the very least, he said, the case merited further investigation, particularly because the insurers uncovered a striking series of rather curious coincidences; and insurance companies could then obtain evidence from Enron and JP Morgan Chase The die seemed to be cast in favor of the insurance companies, but there was a final twist that changed the casting In Houston, Texas, an insurance agent who allegedly acted as a go-between for Chase and the insurers said the latter knew very well that these were disguised loans This led to an out-of-court settlement In the aftermath of this revelation, the probability that each party believed to have in winning the case can be judged by What If  n  291 the way the money was split: 60 percent in favor of the bank and 40 percent for the insurers The likelihood that what had happened behind the scenes at the negotiating table would have fallen like a hammer on all parties concerned, if SarbanesOxley were enacted in 1998, is in my judgment better than 90 percent 13.7 Sarbanes-Oxley and the WorldCom Scandal According to some estimates, in 2002, as money went down the drain through bankruptcies and near-bankruptcies of telecommunications companies and their suppliers, the telecoms’ bust became an order of magnitude bigger than the betterknown dotcom crash All counted, NN Telecommunications firms had run up total debts of $1 trillion, and NN This industry disgraced itself by using fraudulent accounting tricks in an attempt to conceal the scale of the disaster In retrospect, what the Sarbanes-Oxley Act might have had as an effect, had it been enacted four years earlier than 2002, would have been to trigger, at an earlier date, WorldCom’s and other telecom companies’ crisis and collapse They would have been under intense scrutiny for plenty of issues associated with their financial reporting, extravagant bonuses paid out to their executives, and unaffordable amount of debt There were plenty of dirty tricks For instance, to hide its huge losses, WorldCom had classified $3.8 billion in network-maintenance costs as capital spending This chapter alone represented about one-third of an $11-billion scam that, so far, was the biggest in American industrial history (Not long thereafter, it was eclipsed by the Parmalat scandal in Italy, which has contributed some of the better known names in U.S and European banking, with court cases against several banks still pending).* Bernard Ebbers, the CEO and guiding light of WorldCom, spent almost two decades building up his company into one of the biggest worldwide long-distance carriers and Internet pillars In so doing, he exploited the freedoms made available by U.S deregulation of the telecommunications industry, specializing in acquisitions, building capacity, but also paying attention to costs NN Through deal-making, Ebbers showed that it was possible to undercut AT&T in the long-distance market and still make profits NN But in doing so he got WorldCom overleveraged, entered into murky accounting practices, and brought himself down by wounds that, to large measure, were self-inflicted * If the subprimes are seen as scams, which they are, these numbers are eclipsed by the $165 billion so far lost by big banks, while the International Monetary Fund (IMF) estimates that the total bill will be nearly $1 trillion 292  n  IT Auditing and Sarbanes-Oxley Compliance While watching other costs, the company was very liberal in showering its founder with money When he resigned as CEO of MCI WorldCom, Ebbers personally owed the company more than $366 million for loans and loan guarantees to cover potential losses on his stock speculation, as the company’s share price plummeted Also, WorldCom became the subject of a continuing investigation by the Securities and Exchange Commission, which scrutinized NN Its accounting practices and NN Its financial relationship with its CEO and animator In a way fairly similar to the case of Enron, had the Sarbanes-Oxley Act been in force at the time of WorldCom’s wheeling and dealing—say, since 1998—its effect (in my judgment) would not have been substantial As subsequent events demonstrated, the CEO and CFO, who would have been required to sign the untruthful financial statements, would have found no difficulty in doing so Much more difficult to state is how wide the scam spread within the company Just two months prior to its collapse, WorldCom’s senior executives from around the globe gathered at its headquarters in Clinton, Mississippi There, they heard CEO Bernard J Ebbers reveal his grand vision for rescuing a company mired in NN Huge liabilities, NN Sluggish growth, and NN Rising controversy about its accounting practices In that meeting, Ebbers said that from then on his executives would follow a checklist of priorities referred to as “Bernie’s seven points of light.” One of them was to count coffee bags, another to make sure no lights were left on at the end of the day, and the like.* In short, WorldCom’s grand strategy was reduced to saving pennies at a time when its problem was not pennies but billions of dollars By 2002, in the telecommunications industry: NN Fast growth was gone NN Competition was driving down data service fees, dropping WorldCom group’s revenue growth from 19 percent in 2000 to practically zero in 2002 While revenue was flat, debt skyrocketed With its huge leverage, WorldCom featured $30 billion in debt, and it had to pay $172 million in interest and maturities in 2002 alone This was expected to rise to $1.7 billion in 2003 and $2.6 billion in 2004, well beyond the company’s ability to face its financial obligations * BusinessWeek, May 6, 2002 What If  n  293 The glut of network capacity, which was built by start-up companies fueled by easy financing during the stock market boom of late 1990s, further depressed pricing of telecommunications services Additionally, the bursting of the stock market bubble in 2000 NN Made it more difficult to raise money, and NN Put a temporary stop to deals such as WorldCom’s acquisition of MCI for $30 billion in 1998 After years of euphoric pronouncements that had found their way into its financial statements, the company had to admit that revenues in its WorldCom Group unit, which served business customers, would be flat in 2002 at $21 to $21.5 billion, down from previous expectations Also, with the consumer long-distance business shrinking, overall revenues were expected to slip percent in 2002 to $33 billion, while net income was projected to drop 40 percent, to $1.6 billion In parallel to this, the SEC was probing WorldCom’s take or pay contracts, whereby customers got a discount if they agreed to use a certain volume of service over a specific period of time If not, then they had to pay a penalty, and this was interpreted as a hard sale WorldCom’s pessimistic projections prompted Merrill Lynch, Crédit Suisse First Boston, and A.G Edwards to downgrade WorldCom to sell For their part, Standard & Poor’s and Moody’s Investors Service cut the company’s debt to two notches above junk status With that, its stock plunged 43 percent in two days, to $3.41 a share from a high of $64 in June 1999; and it fell to around $1.20 after Moody’s downgraded WorldCom’s debt to junk status By the end of April 2002, the company’s debt indeed traded as junk The price dropped from 85 cents on the dollar in March 2002 to 67 cents following WorldCom’s latest profit warning The SEC inquiry also gave investors more reasons for concern, because it revealed that, in all likelihood, Ebbers beautified financial results through aggressive bookkeeping A short time thereafter, on July 21, 2002, WorldCom filed for Chapter 11 protection This was (at its time) the largest bankruptcy in U.S history, promoting congressional action that led to the SarbanesOxley Act 13.8 The Contribution of the Sarbanes-Oxley Act to the American Economy On August 1, 2002, 10 days after Enron’s collapse, Scott Sullivan, WorldCom’s former CFO (he was sacked by the firm after the $3.8-billion accounting fraud had come to light), and David Myers, the firm’s chief controller, were the first to be arrested among the company’s top brass, on criminal charges In Manhattan, 294  n  IT Auditing and Sarbanes-Oxley Compliance Sullivan and Myers surrendered to agents from the Federal Bureau of Investigation and were charged with NN Conspiracy to commit securities fraud and NN Five additional counts of false filings with the SEC It is not far-fetched to guess that, if the Sarbanes-Oxley Act had been enacted in 1998 (rather than 2002), it would not have changed these charges However, as in the case discussed in conjunction with Enron, it might have acted as a deterrent or, alternatively, as an early trigger of WorldCom’s debacle As it was, the arrests of Myers and Sullivan came amid a controversy over the billions of dollars in salary and share sales pocketed by executives of U.S companies before they collapsed into bankruptcy For his part, at the beginning, Ebbers feigned ignorance, even though he was a micromanager who endorsed the idea of saving money by scrapping free coffee for staff But he was not featured in the first lot of arrests John Ashcroft, then the U.S attorney general, said that the arrests were part of a stepped-up effort by the Department of Justice (DOJ) to move decisively against corporate wrongdoers In essence, SOX enabled the hand of the DOJ in pursuing this course As the investigation proceeded, it was revealed that Scott Sullivan was among the 25 most highly paid executives of companies involved in the largest U.S bankruptcies, between January 2001 and mid-2002 He had received a total of $49.4 million in salary, options, and other rich favors There was a similitude between Enron’s and WorldCom’s accounting scandals, and their synergy was an arrow at the heart of a standard bull-market assumption This states that the United States has the most well-regulated financial reporting system of all of the world’s free markets, and it is also characterized by the highest accounting standards A tandem of scams put that assumption in question Has Sarbanes-Oxley changed anything, steering senior management toward a more ethical behavior? If one believes the argument that SOX is the reason why global companies desert New York in favor of other more go-go financial centers, like London, then there may be truth in it But as we saw in Chapter 12, that argument is nuts There are other major reasons about why companies delist The WorldCom disintegration was instrumental in convincing the American public that this plethora of bankruptcies was not one of independent events It also played a role in convincing Congress that, with midterm elections looming, they would pay a political price if they did nothing “Sarbanes-Oxley wouldn’t have passed without WorldCom coming along,” claimed Mark Roe of Harvard Law School.* In mid-March 2005, two years and nine months after the bankruptcy of WorldCom, Bernie Ebbers, its former chief executive, was convicted for his part in the * The Economist, March 15, 2005 What If  n  295 $11-billion fraud, while Scott Sullivan, the company’s former chief financial officer, who had already pleaded guilty, NN Appeared as a government witness and NN Testified that Ebbers had told him to fiddle the accounts to prop up the firm’s share price Eleven former board members of the once powerful carrier agreed to pay $20.2 million out of their own pockets to settle a lawsuit related to the accounting fraud JP Morgan Chase also agreed to pay some $2 billion to settle a class-action lawsuit from investors suing the bank because it sold some $5.1 billion worth of WorldCom bonds just months before it went Chapter 11 (Indeed, the amount paid out by investment banks settling WorldCom cases eventually rose to some $6 billion.) After Ebbers’s conviction was made public, some people asked: NN Should he and other executives at former WorldCom have been the only ones on trial? NN Where were the financial analysts, other industrialists, and pundits, as well as the regulators who had oversight of the deals that brought down the firm? When Ebbers was building WorldCom in the 1990s, investors were thrilled at the prospect that he was producing a telecom challenger to AT&T and incumbents worldwide But why did the markets never question what was going on behind the scene? Postmortem, it became known that some parties had their suspicions about an overachieving startup It was telling that British Telecom insisted on taking cash, instead of WorldCom stock, in exchange for surrendering its 20 percent stake in MCI An interesting hindsight in this case has been that Bernie Ebbers did not use e-mail, and few documents linked him decisively to the fraud But other companies with which he dealt had kept incriminating records Beside this lies the fact that, with the Sarbanes-Oxley Act and the precedents of convictions, company CEOs and CFOs should assume that they could be sent to jail for destroying their firm’s assets, even if there is no smoking-gun memo linking them directly to wrongdoing All things considered, instilling the fear of the policeman is one of the most significant contributions of the Sarbanes-Oxley Act, because it contributed to the good of the American economy Plenty of evidence suggests that white-collar crime of the worst variety found its origins at the very top echelons of financial organizations While signing unfaithful financial statements by CEOs and CFOs poses no problem to a small number of criminals, SOX is a shot in the arm for those executives who care to be in charge of their companies and want to know exactly what is happening with the company’s books Uncovering of big scams in regulatory financial statements is not done outright by Sarbanes-Oxley, but such scams can be 296  n  IT Auditing and Sarbanes-Oxley Compliance found by reading between the lines of that act Hopefully, said one of the participants in the research for this book, SOX will animate interest in NN Having a first-class internal control system, NN Implementing real-time technology for financial statements and risk management, and NN Establishing rigorous audit procedures that unturn every stone to uncover and report on malpractice There is, as well, another class of CEOs and CFOs that stands to benefit from the Sarbanes-Oxley Act These are the people who find themselves at the junction of right and wrong, being uncertain in their mind about which way to go The reality of statutory signing of their companies’ financial statements and of having their internal control inspected by external auditors may help to guide them to the right path In conclusion, SOX is a reminder that vicious actions are not harmful because they are forbidden; they are forbidden because they are harmful to everybody—the state, the economy, the company, the stakeholders, and the person who initiates such actions Take a look at Lay, Skilling, and Ebbers They would have been much better off by always rendering accounts and making remittances with greater clarity and punctuality “History is full of the errors of states and princes,” wrote Benjamin Franklin in his autobiography “Look round the habitable world; how few know their own good, or knowing it pursue.”* * Benjamin Franklin, The Autobiography of Benjamin Franklin (New York: Barnes & Noble, 1994) Index A B A.G Edwards, 293 ABN-Amro, 122 Access rights, 242 Adelphia Communications, 57, 71, 259 Administrative audit, 64 Adverse report, 86 Agents, 137 Algorithms, 167, 198 Allied Irish Banks, 15 Alternative investments, 192 Altschul, Frank, 32 Ambac, 58 American Airlines, 122 American Institute of Certified Public Accountants, 5, 74 AT&T, 159, 291 Analytical finance, 171 AOL, 57 AOL Time Warner, 260 Arthur Andersen, 71, 88, 281 Arthur Young, 162 Artificial intelligence, 268 Association of British Insurers, 88 Audit committee, 5, 72, 88, 100, 101, 104, 175 Auditing, 47 Auditing around the computer, 113 Auditing through the computer, 113 Auditor independence, 73, 74 Auditors, 47 Audit trail, 67 Availability, 218, 219 Back-office, 148 Balance sheet, 75 Banco di Roma, 122 Banking book, 53, 75, 119 Bankers Trust, 174 Bank Leu, 252, 269 Bank of England, 252 Bank of New York, 236 Basel Committee on Banking Supervision, 25, 28, 34, 42, 48, 53, 63, 67, 71, 80, 81, 84, 105, 158, 170 Basel II, 27, 28, 84 BAWAG, 261, 263 Bear Stearns, 10, 58 Bell Labs, 67 Board of directors, 72, 75, 76, 91, 100, 105 Board of management, 93 Born, Brooksley, 278 Borodovsky, Lev, Bush, George W., 251 Business architecture, 163, 164, 188 Business Week, 8, 283 Brandeis, Louis, 11 C Cable & Wireless, 255 Carnegie Tech, 271 Certified public accountants, 47, 49, 69, 82, 87, 88 Chapter 11 protection, 293 297 298  n  Index Chase Manhattan, 268 Chemical Safety and Hazard Investigation Board, 33 Chicago Board of Trade, 257, 258 Chief auditor, 51 Chief audit officer, 101 Chief executive officer, 93 Chief financial officer, 92, 112 Chief information officer, 8, 92, 112, 117, 136, 153, 178 Citibank, 141, 234, 235, 279 Citigroup, 58, 87, 286 Client servers, 19 Client server system, 156 Clock time, 215 Cobol, 271 Code of ethics, 99 Committee of Sponsoring Organizations of the Treadway Commission, 85, 86, 95 Commodities software, 152 Commodity Exchange Act, 258 Commodity Futures Trading Commission, 258, 278 Company bylaws, 99 Compensation committee, 97, 98 Compliance, 95, 150, 252 Consolidated financial statements, 53 Contingency planning, 82 Coune, Alain, 11 Counterparty risk, 103 Corporate cleptocracy, 252 Corporate governance and nominating committee, 98–100 Corporate memory facility, 40, 136, 251, 261, 265–267 Corrigan Committee, 13 Corrigan, Gerald, 12 Cost accounting, 51 Cost/benefit analysis, 112 Cost center, 176 Cost control, 144 Cost effectiveness, 113 Cost objects, 177 Cox, Christopher, 255 Creative accounting, 16, 80 Credibility test, 40 Credit insurance, 288 Credit risk, 9, 28, 34, 103, 106 Credit risk mitigation, 54 Crédit Suisse First Boston, 9, 232, 293 Creditworthiness, 17 Cultural change, 8, 105–107 Customer mirror, 147 Cyber crime, 227 Cyberspace insecurity, 236, 237 Cyber warfare, 239, 240 C++, 270 D Daewoo, 264, 265 DB2, 187 Dell, 37 Deloitte, 87, 88 Demosthenes, 277 Denial of service attacks, 228 Department of Commerce, 112 Department of Justice, 282, 294 Deregulation, 126 Derivative financial instruments, 10, 140, 161, 192 Design compliance tests, 121 Design reviews, 38, 40, 186, 195 Deutsche Bank, 87, 278 Digital signatures, 243 Disclaimer, 86, 87 Distributed data processing, 152 Distributed denial of service, 239, 240 Donaldson, William, 255 Dow Charles, Dow Jones & Co, Dynamic testing, 245 Dynegy, 263, 264 E EBITDA, 261 Effectiveness, 177 Efficiency, 177 Elapsed time, 209 Electromagnetic dominance, 241 Electronic funds transfer, 95 Encryption algorithms, 232 Enron, 57, 71, 80, 259, 264, 276, 279–281, 286, 287 Enterprise resource planning, 20 Ernst & Young, 88, 89 Estonia, 239 European Central Bank, European Commission, 89 European Monetary Institute, 4, 66 Equitable Life, 89 Index  n  299 Expected losses, 54 Expected shortfall, 199 Expert systems, 137 Exposure at default, 54 External auditors, 60, 70, 71, 82, 83, 86, 87, 94, 153, 158, 172 External audits, 47, 49, 138 F F.I DuPont, 253 Fazio, Antonio, 104 Federal Deposit Insurance Corporation, 93, 94, 111 Federal Reserve Bank of Boston, 115 Federal Reserve Bank of New York, 289 Federal Reserve Board, 4, 70, 95, 111, 236 Federal Securities Law, 69 Ferrari, 103 Fiat, 103 Finance committee, 96 Financial Accounting Standards Board, 261 Financial Executives International, 87 Financial Institutions Reform, Recovery, and Enforcement Act, 94 Financial reporting, 51, 85, 86 Financial Reporting Council, 89 Financial Services Agency, 79 Financial Services Authority, 89, 239, 256 Financial statement, 102 Financial Times, 282 Firewalls, 232 Fortran, 271 Franklin, Benjamin, 194, 296 G GAAP, 16, 55, 56, 74 GAAS, 74 Gates, Robert, 241 General accounting, 53 General Accounting Office, 77, 89, 95 General Motors, 103–105 Giuliani, Rudolph, 123 Global Asset Management, 239 Global Crossing, 71, 259 Globalization, 126, 131, 173 Goldman Sachs, 15 Goldschmid, Harvey, 255 Google, 7, 23 Gram, Phil, 278 Great Depression, 257, 259 Green Grid consortium, 38 Greenspan, Alan, 278 Griep, Clifford, 5, 117 Group of Ten, 71, 106 Grove, Andrew, 131 H Hackers, 227, 229 Harrison, Richard, 287 Harvard Business School, 275 Harvard Law School, 273, 294 Heuristics, 167, 198 High-frequency financial data, 35 High-frequency events, 33 High-impact events, 33 High-technology support, 41 Hong, Wei, 213 I IBM, 22, 122, 273 Identity theft, 229 IFRS, 16, 55, 56, 255 ImClone, 57 Income statement, 75 Informa Telecoms & Media, 243 Information technology risk, 226 I/O time, 209 Inside directors, 92 Inside breaches, 233 Intangible assets, 260 Interactive computational finance, 166, 167, 191 Interactive databases, 163 Interest rate risk, Internal accounting management information system, 261 Internal auditors, 62, 77, 117 Internal audit outsourcing, 80–82 Internal audits, 47, 49, 51, 72, 73, 76, 111 Internal control, 3, 7, 9, 13, 27, 30, 31, 41, 61, 66, 77–79, 111, 112, 124, 169–171 International Monetary Fund, 11 Internet, 7, 117, 165, 225, 235 Interstate Commerce Commission, 191 Institute of Internal Auditors, 4, 50 Intrinsic time, 215 300  n  Index IT audit, 21, 22, 114–116, 117, 118, 135, 136, 140, 151, 152, 154, 155, 157, 175, 176, 185, 186, 195, 196, 266, 276 IT auditing, 42, 111, 127–130 IT auditors, 52, 140, 162–164, 178, 203, 204, 213–216 IT budget, 145, 146, 172 IT costs, 178 IT projects, 181, 182 J J.P Morgan, 32, 122, 286 J.P Morgan Chase, 278, 285, 286, 288, 289 JDSU, 260 Jones, Edward, K Knowledge artifacts, 7, 118, 189, 195 Knowledge assets, 266 Knowledge engineering, 118, 143, 160, 268 Kozlowksi, Dennis, 87 KPMG, 88, 89, 255 Kredit Genossenschaften, 139 L Management audit, 63 Management control, 15, 112 Management information system, 165 Management intent, 14, 55, 56, 260 Management malfeasance, 60 Market risk, 9, 28, 34, 106 Market Risk Amendment, 84 Marking to market, 56 Marking to model, 149 Marsh & McLennan, 101 MBIA, 58 McDonough, William, 14 Mediobanca, 103 Mellon Bank, 174 Merck, 57 Merkel, Angela, 240 Merrill Lynch, 58, 293 Merritt, Caroline, 33 MicroFocus, 112 Microsoft, 22 Minimum time, 209 Misuzu Audit, 79 MIT, 271 Mitsubishi Bank’s Underwriter, 272 Mittal Steel, 126 Mizuho Securities, 183 Model risk, 199, 200 Models, 199 Moodys Investors Service, 293 Morgan Stanley, 58, 87, 123 Morgenthau, Robert, 289 MTBF, 217–219 MTBSI, 218, 219 MTOSI, 220, 221 Murakami Fund, 264 Lawrence National Laboratory, 37 Lay, Kenneth, 71, 277, 281, 282 Lazard Frères, 32, 98 Legacy IT, 113, 150, 151, 197 Legacy systems, 19 Legal risk, 30, 52, 106, 123, 131, 133 Levin, Carl, 286 Liquidity, 12 Liquidity risk, 106 Livingstone, Philip, 87 Logical security, 231–233 Logistics, L’Oréal, 193 Loss assessment records, 35 Loss given default, 53 Low-Frequency events, 33 Low-impact events, 33 N M O Maintainability, 219, 221, 222 Malware, 238, 244 Management accounting, 65, 165 Office of the Controller of the Currency, 111, 112, 116 Office of Thrift Supervision, 9, 15, 111 New York Fed, 12, 14 New York Stock Exchange, 253 Nikko Securities, 279 Nomadic computing, 116, 243 Noninterest budget, 174 Norwich Union, 132 Notre Dame Law Review, 255 Index  n  301 Old electronic data processing, 116 Olivetti, 272 On-demand services, 20 Online fraud, 235 Operational readiness, 221, 222 Operational risk, 25–30, 34, 106 Operating characteristics curve, 130 Oppenheimer, Robert, 271 Oracle, 186 Out of court settlements, 87 Outside breaches, 233 Outside directors, 91, 92 Overhead, 176 Over the counter, 66 P Pareto’s law, 222 Parmalat, 80, 87 Password, 232 Pasteur, Louis, 165 Pentagon, 241 Personal accountability, 15 Physical security, 230, 231 Poisson distribution, 222 Prepays, 284 PricewaterhouseCoopers, 87–89, 104 Privacy, 225 Probability of default, 53 Profit center, 141, 177 Project management, 135 Project planning, 38 Prototyping, 43, 44 Public Company Accounting Oversight Board, 59, 85 Q Qualified report, 86 Qualitative controls, 13 Qualitative information, 54 Quantitative information, 54 Quantitative measures, 13 R Rabobank, 139 Racketeer Influenced and Corrupt Practices Act, 93 Raiffeisen Kassen, 139 Rapid prototyping, 126 Real-time response, 149 Recoverability, 219 Referential integrity, 14 Reliability, 203, 217, 219 Renan, Ernest, 279 Repairability, 219 Reputational risk, 73, 106 Research and development, 39 Resource sharing, 207 Return on investment, 125, 143, 156, 174 Risk control, 30 Risk management, 77, 78, 104, 117, 140, 143, 149, 159, 169, 173, 195, 196, 198 Risk management committee, 101 Risk weights, 54 Robinson, David, 4, 95 Rocket scientists, 11, 149 Rohatyn, Felix, 254 Royal Bank of Canada, 38 Rubin, Robert, 278 S Safety-critical processes, 247 Salesforce.com, 23 Sarbanes-Oxley Act, 11, 30, 50, 56, 57–61, 74, 83, 89, 94, 102, 251, 254, 257, 259, 260, 262, 263, 272–278, 280, 282, 285, 288, 290, 292, 295, 296 Schön, Jan Hendrik, 67 Securities and Exchange Commission, 57, 59, 69, 70, 84, 100, 255, 256, 262, 278 Security, 225 Security auditors, 238, 243 Security companies, 226, 227 Security risk, 225 Security risk assessment, 242 Security risk management, 238 Securitization of assets, 54 SECURIM, 155 Service providers, 227 Service science, 6–8, 20 Shareholder value, 93 Siemens, 40 Simulation, 223 Simulators, 149 SK Group, 264 Software as a service, 22, 23 Sony, 79 Standard & Poor’s, 5, 117, 293 Standish, 181, 182 302  n  Index Statement of Financial Accounting Standards, 261 Statistical quality control, 44 Statistical testing, 246 Steering committee, 151, 152, 154–156 Stier, Timothy, Stonebraker, Michael, 213 Strategic audit, 135 Strategic planning, 138, 139, 160, 161 Stress tests, 200 Supply chain, 8, 20 Surety bonds, 288 Swaps Monitor, 278 Swiss Life, 104 Swiss Re, 33, 34 System expansion factor, 208–210 System response time, 203, 206, 207 System turnaround time, 212 T Tata, 126 Technology planning, 141 Technology risk, 124, 125, 128, 131 Threat curve, 36 Time deformation, 215 Tokyo Stock Exchange, 79, 183, 184 Toyota, 79 Trading book, 53, 75, 119 Turnaround time, 206, 207 Tyco, 87 Type I error, 130 Type II error, 130, 131 U UBS, 58, 87 Unexpected losses, 54 University of California, Berkeley, 212, 213 University of California Retirement System, 264 Uptime, 218 Unqualified report, 85 US Congress, 57 US State Department, 156 US Supreme Court, 58 User-active time, 211 User-generated content, 20 User ID, 232 User validation, 242 V Value at risk, 197, 199, 200 Values and human development committee, 96 Vendor risk, 129 Virtual balance sheet, 114, 160, 197 Virtual income statement, 114 Vodafone, 37 Volcker, Paul, 71, 72 Von Neumann’s automata theory, 271 W Wal-mart, 39, 174 Wall Street back-office crisis, 253 Wall Street Journal, 7, 279 Walton, Sam, 39, 174 Wang, Stephen Sui-kuan, 123 Web 2.0, 19, 20, 23 Weill, Sanford, 287 Westpac, 122 WorldCom, 57, 71, 80, 259, 276, 291–295 Wriston, Walter, 234 X XCON, 272 Xerox, 57, 267 Y Y2K, 131, 252 Yankee Group, 205 .. .IT Auditing AND Sarbanes- Oxley Compliance Key Strategies FOR Business Improvement IT Auditing AND Sarbanes- Oxley Compliance Key Strategies FOR Business Improvement Dimitris N Chorafas. .. than they used to be in previous centuries They include NN NN NN NN NN NN NN NN NN Strategic planning Product and market studies Business partners Technical skills Analysis and experimentation... used only for identification and explanation without intent to infringe Library of Congress Cataloging-in-Publication Data Chorafas, Dimitris N IT auditing and Sarbanes- Oxley compliance : key strategies