Foolproof Compliance For Your IT Systems

November 1, 2004

by Eric Krell

Sarbanes-Oxley's requirement that external auditors test key controls in financial systems makes the finance-IT relationship more important than ever before.

In the context of Sarbanes-Oxley compliance, IT really does matter. Systems access, security and change management controls within IT's domain can make or break compliance efforts. Yet many CIOs and CFOs remain confused about how Section 404 applies to their company's information technology infrastructure.

In Auditing Standard No. 2, its lengthy interpretation of the Sarbanes-Oxley Act, the Public Company Accounting Oversight Board (PCAOB) indicated that it will be strict in monitoring external auditing firms' approach to examining and reporting on the technological aspects of their corporate clients' financial reporting processes. That decision, audit experts say, pushes external auditors, IT managers and finance executives to cultivate a deeper understanding of the data that courses through financial systems.

CFOs now confront much larger IT challenges than figuring out whether the CIO is overspending on technological bells and whistles. They need to know that the data which flows into IT's labyrinth of systems and applications emerges securely and accurately. Sound corporate governance increasingly depends on policies and procedures that demonstrate, document and communicate that knowledge.

A Divided Island

For years, internal and external auditors essentially worked around IT. "That has been standard operating procedure for most, if not all, the public accounting firms that I'm aware of," says Dwayne E. Jorgensen, director of Sarbanes-Oxley services for CTG, an IT staffing, software and services provider headquartered in Buffalo, N.Y.
