Source LinkedIn, Author Jody Paterson
The corporate audit landscape is changing when it comes to managing access controls in ERP systems like SAP®. 2015 will be the first year in which these changes will be most impactful and relevant in the audit season come October. Recently, we hosted a joint webinar with KPMG on this topic. It did so well, and connected with so many people in a timely fashion, that I am publishing this short article to summarize it.
The latest update to the widely implemented COSO framework increases the reliance of controls on IT. This is to usher in the new computerized era we are in now. With this update comes a higher reliance on completeness and accuracy of the controls that support these large financial systems – access controls being a big part of that. This means that for a control to be effective, you must be able to prove that the data extracted is complete and that the data analysis is accurate. For companies managing segregation of duties, emergency access and provisioning using manual approaches, proving completeness and accuracy becomes close to impossible.
The Public Company Accounting Oversight Board (PCAOB), as one of its responsibilities, oversees how external auditing firms reach their conclusions on control effectiveness in their audits of organizations. In the case of IT audits, the PCAOB is looking more closely at manual and in-house developed field tools used to audit segregation of duties. It is challenging external audit companies that conclude a control is effective when they have tested manual processes. The reason is largely the COSO 2013 updates mentioned before. At the same time, automated tools have become more prevalent, meaning manual tools will no longer be considered a reliable way to audit segregation of duties. Naturally, after a tough review from the PCAOB, external audit firms will make sure not to have a repeat in 2015.
What does this mean for organizations? It leads to two outcomes:
1. Get ready because auditing will become much tougher. There will be higher expectations for controls over the processes and technology used to monitor access controls. Organizations will have to be aware of this. The ‘do nothing’ option is no longer acceptable. What makes it an even more dire situation is that an ineffective control finding in October will leave you with only a few months to address the findings before year end.
2. Say goodbye to homegrown databases and spreadsheets. Organizations will have to start leveraging technology that automates key processes and controls. External auditing firms will put the pressure on organizations to use automated tools for increased transparency, completeness and accuracy.
Organizations that are still managing their access controls manually should consider these factors and prepare to comply with current frameworks and expectations from external auditors. Not all external audit firms will have this sense of urgency; however, this will be a growing trend in the coming years.