Reproduction permitted for personal use only. For reprints and reprint permission, contact reprints@wistechnology.com.

Auditors paying more attention to IT woes

Editor's note: This is the first in a three-part series of op-ed pieces on corporate governance. The articles, part of WTN Media's Boardroom Perspectives column, are written by associates in the Madison-based public accounting firm Candela Solutions, LLC.

Which pieces of information systems do audit firms consider most important? To give you an idea, we recently completed an analysis of material weaknesses reported by approximately 400 public companies for fiscal years that ended in calendar year 2005. Of particular interest were findings related to information systems and technology (IT). There were 36 companies that reported IT-related material weaknesses.

Analysis of these results allows us to better understand audit firms and their priorities. The first major observation is that IT-related material weaknesses were always a combination of several significant deficiencies. In no case was there one problem that, by itself, rose to the level of a material weakness.

PCAOB oversight

When measured and classified using the Public Company Accounting Oversight Board's four areas of IT controls, reporting companies provided the following reasons for their weaknesses:
• 81 percent involved access to programs and data (includes segregation of duties).

• 31 percent were related to program changes.

• 19 percent were connected with computer operations (includes continuity planning).

• 17 percent involved program development.

These percentages, when added together, exceed 100 percent because companies had more than one area of deficiency contributing to the IT material weakness.

User access and security

What can we learn from these statistics? Without a doubt, user access controls and security are dominant trouble spots. Access-control problems took several forms, the most common being incomplete procedures for determining who needs access to which systems, and failures in faithfully executing these procedures. Inadequate segregation of duties, both within IT and the business, was also noted in several instances.

But there also were companies where too many IT staff had write access to key financial applications. After deeper study, we were pleased to see that audit firms seem to recognize the need for one or two IT people, such as a database administrator and a primary support person, to have write access to financial systems in order to perform support activities. This is realistic. The problem is not that an IT person has write access, but that too many people have write access and are not tightly regulated.

Backup and restore

Surprisingly, five companies had deficiencies in their backup and restore systems, the most common problem being that no one is checking to make sure the backup tasks are completed correctly. But another interesting problem was noted: there was an organization that didn't include financial spreadsheets in its backup routine.

Several companies had significant deficiencies related to the care and handling of spreadsheets. In fact, 31 percent of organizations reporting IT material weaknesses had issues with spreadsheet files. These findings covered a wide range: change control, backup, segregation of duties, etc.

Vendors and SAS-70

Out of thousands of 10-K filings, we know of only one instance, just one, where an audit firm noted weaknesses in evaluating the controls at a vendor. There likely are more companies whose auditors had recommended improvements, but there was only one company that had this deficiency noted as part of a material weakness. Perhaps companies are doing a good job of evaluating IT vendors, or maybe the audit firms weight this relatively low.

We can all learn from the material weaknesses reported by public companies. The reality is that auditors are paying more attention to IT deficiencies.

Jerry Norton, a director of Candela Solutions, LLC, is a project management professional who is certified in information systems auditing. Norton can be reached at jnorton@candelasolutions.com.

The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC. WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.
