Storage & Clustering Community Blog

A Risk Based Approach to SOX

Created: 05 Oct 2012 • Updated: 11 Jun 2014

The effectiveness of internal control systems is now a matter of public policy and formal law. Section 404 of the Sarbanes-Oxley Act is aimed at helping companies prevent financial reporting mistakes and fraud. The rule requires companies to include in their annual reports:

  • A statement of management's responsibility for establishing and maintaining "adequate" controls over financial reporting
  • Management's assessment of the effectiveness of the company's internal controls
  • A statement identifying the framework used by management to evaluate the effectiveness
  • An auditor's report on management's evaluation of internal controls
  • Any material weaknesses identified in the internal controls review

While the rule only requires companies to disclose material weaknesses in their annual reports, many companies have begun alerting investors about deficiencies and potential problems. The rule is intended as a disclosure mechanism to alert investors about problems, but companies could face SEC action if they report serious deficiencies or if they fail to disclose serious shortcomings. "The internal control disclosure requirement has the potential to provide the greatest long-term benefit in financial reporting," said Alan Beller, SEC's director of corporation finance.

Good corporate governance will depend on the effective management of internal controls and on the availability, confidentiality, and integrity of information. Corporate reputation, brand preservation, and financial results all depend on the defense of business processes and on compliance. Current PCAOB guidelines call for companies to develop internal controls based on risk management considerations. Moreover, the cost of a protection should be proportionate to the consequences it prevents or the other benefits it brings to the business.

The risk-based internal control system has become an increasingly significant regulatory object. Regulatory incentives exist to have ‘good’ internal controls in a wide variety of areas: solvency and capital adequacy, health care, safety, environment, business continuity, teaching, waste management and so on. Organizational internal control systems have been made public, codified and standardized and repackaged as a blueprint for extending the reach of risk management. To lack internal controls, or to have a defective internal control system, is to fail as a legitimate organization.

The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting." IT controls are selected and implemented on the basis of the risks they are designed to manage. As risks are identified — through experience or formal risk assessment — suitable risk responses are determined, ranging from doing nothing and accepting the risk as a cost of doing business to applying a wide range of specific controls, including insurance.

Risk management applies to the entire spectrum of activity within an organization, not just to the application of IT. IT cannot be considered in isolation, but must be treated as an integral part of all business processes. Choosing IT controls is not simply a matter of implementing those recommended as best practices. They must add value to the organization by reducing risk efficiently and increasing effectiveness. Analyzing and assessing risk in relation to IT can be complex. The IT infrastructure consists of hardware, software, communications, applications, protocols (rules), and data, as well as their implementation within physical space, within the organizational structure, and between the organization and its external environment. Infrastructure also includes the people interacting with the physical and logical elements of systems.

In today’s global market and regulatory environment, IT controls are essential to protect assets, customers, partners, and sensitive information; to demonstrate safe, efficient, and ethical behavior; and to preserve brand, reputation, and trust. A risk-based approach provides the foundation for better, more informed decisions in the face of uncertainty, which in turn increases control and governance of the organization.

Blog Author:
Mr. Wenk is Principal Resiliency Architect for Symantec’s Storage and Availability Management Group. He has consulted worldwide with large Fortune 500 customers, generating demand for cloud infrastructures and architecting private cloud solutions for technology-intensive organizations in over 20 different countries, tackling some very challenging, complex, and ambiguous problems. His experience includes developing architectures and strategies for highly available, resilient, and secure infrastructures in heterogeneous IT environments. He has performed quantitative operational risk assessments that were used to justify the significant investments required to build, transform, and maintain resilient infrastructures; he has performed technology assessments, IT consolidation and transition strategies, and developed site selection criteria for complex heterogeneous technology consolidations. In addition, he has developed charging methodologies and performed capacity planning and performance evaluations in large, complex IT environments. Dennis has developed a number of risk-based services that quantify the return on technology investments that increase resiliency and improve continuity programs. His background includes experience with EMC Consulting as Senior Cloud Architect; with Hitachi Data Systems as Principal Global Solution Architect for High Availability Solutions; with IBM Global Network as an Outsourcing Project Executive; with Comdisco, where he was Western Director of Technology Consulting; with KPMG, where he was Senior Manager, Group Leader for IT Operations and Transformations; and with Heller Financial, where he served as VP/Information Processing. Dennis Wenk earned an MBA in Accounting and Finance and a BS in Computer Science from Northern Illinois University. He is a Certified Information Systems Auditor (CISA), Certified Data Processor (CDP), and Certified Systems Professional (CSP), and is certified in ITIL Service Management.
He was awarded Best Management Paper by the Computer Measurement Group, and he currently sits on the Advisory Board for Continuity Insights and serves as their Technology Chair. He has been the Cloud Special Interest Group Leader for the Outsourcing Institute and the Business Continuity Focus Expert for the Information Technology Infrastructure Management Group. He is an advisor to the Business Continuity Services Group. Dennis has written award-winning professional articles and white papers and has been published in Information Week, Computer Performance Review, Trends and Topics, Continuity Insights, Infosystems, Computer Measurement Group, and DR Journal. He is a regular speaker at industry conferences worldwide. His current areas of topical expertise include ‘3 Simple Complexities of Data Protection’, ‘Think About Never Failing, Not How To Recover’, ‘Focus On The Largest Source Of Risk: The Data Center’, ‘Risk Economics’, ‘Gaining Competitive Advantage: The Myth of the Resiliency Paradox’, ‘Eco-Friendly Data Center’, ‘Virtualization, a Resiliency Enabler’, ‘Economic Impact of Interruptions’, ‘Risk-based Business Continuity’, ‘High-Stakes Business Impact Analysis’, ‘A Risk-Based Approach to Internal Controls’, and ‘Resiliency: Clearing the Five Nines Hurdle’.