Web Services to Support Sarbanes Oxley Activities

Keywords: Web Services, XBRL, ICXML, Internal Controls, Financial Information, Compliance, Sarbanes, SEC, IT Controls, COBIT, COSO

Mr Nigel King
Senior Director of Development
Oracle Corporation
Redwood Shores
California
United States of America
nigel.king@oracle.com

Biography

Nigel King is Senior Director of Development in Oracle Applications Division. He has worked for Oracle for 10 years. In the applications division Nigel's roles have spanned Manufacturing, Logistics, Product Lifecycle Management and Business Intelligence Applications. He is co-author of the e-Business Manufacturing and Supply Chain Handbook, as well as a regular presenter at Industry Conferences. Nigel's contribution to instrustry XML standards include the definitions of Engineering Changes, Item Catalogs and Risk and Control Libraries for the Open Applications Group. Nigel's current role has been in the design and creation of Oracle's tools in the support of companys' Sarbanes' efforts

Abstract

Table of Contents

1. Communication Layers
2. Information Model Flows
3. Risk and Control Library
4. Risk and Control Library Details
5. Business Process Management
6. Chart of Accounts
7. Organization Structure
8. Procedure Documentation
9. Financial Statement
10. Ensuring Segregation of Duties
11. Providing Electronic Discovery Support
12. Conducting an Audit Project
13. Holding an Evidence Store
14. Conducting Tests of Controls
15. Ongoing Monitoring
Acknowledgements
Bibliography

1. Communication Layers

2. Information Model Flows

Entity Level Assessment

The Entity Level Assessment required under COSO means that the risk assurance application will have to request an enterprise structure from the enterprise systems Assurance Report The requirement to provide assurance on financial statements means that the risk assurance system needs to be able to request a financial statement, and publish and assurance report thereon. The vocabulary most used for describing financial statements is XBRL

Division Of Duties Testing

The division of Duties Testing means that the risk assurance systems will have to request if any user has access to a set of functions that are incompatible.

Electronic Discovery

The need to provide electronic discovery support means that the risk assurance applications need to request if any, documents, meeting minutes or email may be pertinant to a particular subject.

Evidence Store

The need to record samples of transactions to support an audit conclusion means that the risk assurance applications need to request a statistically valid sample of transactions from a system holding those transactions. These may be Journal Entries, Invoices, Payables Vouchers. The knowledge of what constitutes a statistically valid sample from a source system requires knowledge of that system, so it may require an intermediate broker to establish how to sample. The evidence store needs to be held in a format that cannot be changed and needs to be available for a very long time so archiving and retrieval of records becomes very important.

Control Testing

Testing the automated controls of an application system for a great deal of the work of risk assurance. The risk assurance system may have an expectation of how a control should be set to mitigate a risk in its library. The risk assurance application may need to verify a control setting that is in an application.

Monitoring The risk assurance activity is stating whether there is sufficient monitory occuring. The risk assurance system needs to be aware of measures that are in the enterprise system. An example of a measure might be Days of Sales Outstanding. The risk assurance system should be able to subscribe to and tolerance violations from within the enterpise systems that do the measurement. For example the risk assurance applications should be able to subscribe to notifications that Days of Sales Outstanding has reached 75 days.

Walkthrough Testing

The requirement to do walkthrough testing means that a process needs to be represented to the risk assurance system. The risk assurance system needs to request process definitions and subscribe to process changes.

3. Risk and Control Library

4. Risk and Control Library Details

1. The risk and control library brings together a number of pieces of information
2. • Process
   • Organization Process
   • Process Key Accounts
   • Risk
   • Control
   • Risk Mitigation
   • Test Procedure
   • Tested Control
   • Brought together in Risk and Control Matrix

There are three main concepts

1. The flow of the Risk and Control Library Between Parties
   
2. The Standard Information Model
   
3. Expressing the Standard Information Model in XML
   

5. Business Process Management

The requirement to perform walkthough testing couple with the "Process Orientation" of the COSO framework means that the processes of the organization need to be known to the Risk Assurance applications.

Much of the activity of Sarbanes has centered around the production and review of procedure documents.

The procedure documents have been reviewed for "control activities" that are executed in the process so there are some extensions to the standard business process notations that will be needed.

Auditors generally construct Audit Diagrams. Process Engineers generally construct activity diagrams, flow diagrams etc. There are standard vocabularies to describe a business process (BPML), describe it in execution (BPEL) and provide a standard way of representing it graphically (BPMN).

6. Chart of Accounts

For the Risk Assurance System to be able to produce an Assurance Report over a financial statement it needs to know what are the accounts that a process effects.

The true requirement of the act is for management to assert the effectiveness of internal controls over financial reporting. The information requirements for management to be able to see the information presented to them in the format of the financial statements are as follows:

1. • To be able to review the residual risks for each financial statement line
   • To be able to review the internal controls for each financial statement line
   • To be able to view the effectiveness of the controls that back each of the financial statement assertions that they are implicitly making about the values in the financial statement line.

Some parts of the chart of accounts need to be reflected into the risk assurance applications. There are some vocabularies that already exist for exchange of chart of account information.

1. • UBL Financial Account Core Component
   • OAGIS Sync Chart of Accouns

7. Organization Structure

For the Risk Assurance System to be able to produce an "Entity Level Assessment" , or an assessment for each legal entity and the enterprise as a whole, the risk assurance systems need to understand some of the enterprise structure. The COSO framework also requires having a Business Unit level assessments that may overlap and cross the legal structure of an enterprise.

Management is under obligation to give a breakdown of their results by "Segment" where a "segment" represents more than 10% of the revenue. It is likely that the Enterprise structure definition has both Chart of Account elements as well as Organization unit elements to it. Some level of the organization structure will have to be reflected in the risk assurance applications.

There are some vocabularies that already exist for exchange of chart of organization information.

1. • OAGIS Sync Organization Unit, Institutional Party
   • UBL Core Components Organization Details, Party Details

8. Procedure Documentation

A great deal of the early effort in most company's Sarbanes Oxely program was to establish or update procedure documentation for the accounting and financial reporting areas. Some of the established Risk Assurance methodologies include review of such documentation to

1. • Verify procedures are in place
   • Highlight control activities
   • Confirm the adequacy of the design of controls
   • Confirm procedures are understood and executed

While this does tend to focus companies on manual controls, this methodology has been very easy to digest and many companies have followed it.

At least the location of the Procedure Documentation will have to be reflected in the risk assurance applications.

There are some vocabularies that already exist for exchange of document reference information.

1. • OAGIS Attachment
   • UBL Document Reference

9. Financial Statement

As has been mentioned before in this paper, the spirit of Sarbanes is for management to take responsibility for the internal controls over financial reporting.

In the opinion of the author, the most direct way for the information to be presented to management is in the form of the financial statements that they will be certifying.

Auditors also have new responsibilities. They have to pass three audit opinions.

1. • That the accounts represent a true and fair view of the financial affairs of the company.
   • That the internal controls over financial reporting were effective in the financial reporting period.
   • Management was correct in their assertion of the effectiveness of internal controls over financial reporting.

The signing officers for a company will need to understand

1. • The assertions from managers of processes that feed the financial statement.
   • Any independant testing effort to confirm the sub-certification from process owners.
   • Any changes in the processes, risks and controls that effect a financial statement.

Ideally the financial statement can be seen from the Risk Assurance systems..

There are some vocabularies that already exist for exchange of financial Statement information.

1. • Financial Statement Structure (XBRL - FR)
   • Financial Statement Lines (XBRL - FR)
   • Relation between Significant Account and Financial Statement Line (XBRL – GL)

10. Ensuring Segregation of Duties

One of the most important controls is having adequate segregation of duties.

A method of working whereby tasks are apportioned between different members of staff in order to reduce the scope for error and fraud. For example, users who create data are not permitted to authorise processing; Systems Development staff are not allowed to be involved with live operations. This approach will not eliminate collusion between members of staff in different areas, but is a deterrent. In addition, the segregation of duties provides a safeguard to your staff and contractors against the possibility of unintentional damage through accident or incompetence - 'what they are not able to do (on the system) they cannot be blamed for'

If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities they have generally been assigned or allowed access to incompatible duties or responsibilities . Some examples of incompatible duties are:

1. • Authorizing a transaction, receiving and maintaining custody of the asset that resulted from the transaction
   • Receiving checks (payment on account) and approving write-offs.
   • Depositing cash and reconciling bank statements.
   • Approving time cards and having custody of pay checks.
   • Having unlimited access to assets, accounting records and computer terminals and programs. For instance having access and using checks as the source documents to post to accounting records rather than using a check log or receipts.

There are many public domain, and proprietary matrices that describe the duties to be segregated, but very few of them will list the actual functions available within an application. These are really the things that need to be segregated.

Ideally the functions that users have been granted privileges to should be seen from the Risk Assurance systems.

There are some vocabularies that already exist for exchange of user and privilage information.

1. • LDAP Protocols for users
   • SAML (Security Assertion Markup Language) for available functions

11. Providing Electronic Discovery Support

1. Some useful terms to describe some of the responsibilities in electronic discovery.
   • Discovery - the methods used by parties involved in a legal action to obtain relevant documents and other information held by the opposing party.
   • Spoliation - the destruction, alteration, or mutilation of evidence.
   • Chain of Custody - the ability to guarantee the identity and integrity of documents, e-mails and other records from collection through delivery.

Sections 103 of Sarbanes refers to the storage of Audit Evidence. Section 802 describes keeping the evidence in ummutable format and sets out the penalties for changing documents.

Rule 26 of the Federal Rules of Civil Procedure (which regulate the production of evidence in litigation) explicitly requires that defendants provide "relevant" discovery information early in the litigation process — regardless of the information's format.

This evidence could be meeting minutes, email discussions or other documents.

With the exponential growth of e-mail as evidence,and the increasing sophistication of lawyers using electronic discovery as part of their litigation strategy. Over 90%of new corporate data is generated electronically, 70%of which is stored on disparate systems across the enterprise.

The WebDAV protocol does not provide any support for searching. There was a proposal named DASL for adding search capability to WebDAV but this has not caught on.

12. Conducting an Audit Project

1. • Create the Audit Engagement
   • Create the Audit Task
   • Create Audit and Test Procedures
   • Create Findings and Observations
   • Attach working papers and Audit Evidence

There are some XML Vocabularies that help with moving project information such as the OAGIS

13. Holding an Evidence Store

1. The requirements under section 103 of Sarbanes, talk about holding audit evidence.
   • Samples
   • Working Papers
   • Reviews
   • Approvals

Most of this data is likely to gathered in specialist sampling tools and stored in standard desktop formats for analysis.

This means that attaching documents is going to be the most common way of assembling this content.

There are however some candidate vocabularies for statistical sampling, but they appear to be focused on sensor data rather than auditing functions.Examples include:

• SensorML

14. Conducting Tests of Controls

1. The core requirement of Sarbanes is to test internal controls such that you can state their adequacy. It will be the majority case that this is happening with controls in many systems. The ICXML vocabulary that is moving in this space. The focus so far though has been in the Risk and Control Library itself.

15. Ongoing Monitoring

Subscribing to events being monitored in other systems. The monitoring really falls into 3 large categories

1. Monitoring for changes in controls
2. Monitoring for Occurrence of Risk Events
3. Monitoring for Out of Tolerance processes
4. Monitoring for things that are unlikely to be systematized but must be disclosed.

Acknowledgements

Bibliography

[COSO]

Internal Control — Integrated Framework .

[IIA]

Enterprise Risk Management: Trends and Emerging PracticesJerry A. Miccolis, Kevin Hively, and Brian W. MerkleyThe Institute of Internal Auditors Research Foundation , July 2001.

[AAS]

Estimating population size and densityAustralian Academy of Science , 1990.

[UTAH]

Statutes and Policies Governing Internal AuditUniversity of UTAH .

[PCAOB]

PCAOB Auditing Standard No. 2 AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING WITH AN AUDIT OF FINANCIAL STATEMENTSPERFORMED IN CONJUNCTIONWITH AN AUDIT OF FINANCIAL STATEMENTS

XHTML rendition made possible by SchemaSoft's Document Interpreter™ technology.