关于萨班斯—奥克斯利法案ERP系统能告诉我们什么[外文翻译]

外文翻译
What ERP systems can tell us about
Sarbanes-Oxley
Material Source: Information Management&Computer Security Vol,13 No.4, 2005 Author: William Brown Frank Nasuti Key sections of SOX compliance that directly involve IT include Sections 302, 404, 409, and 802 (PCAOB, 2002). Section 302 requires the officers of the company to make representations related to the disclosure of internal controls, procedures, and assurance from fraud. Section 404 requires an annual assessment of the effectiveness of internal controls. Section 409 requires disclosures to the public on a “rapid and current basis” of material changes to the firm’s financial condition. Section 802 requires authentic and immutable record retention. As a change agent, the Securities and Exchange Commission (SEC) is very effective and will assert itself in the future if these four sections or other sections require additional compliance measures (Mead and McGraw, 2004).The SEC has effectively imposed requirements for SOX on senior management and simultaneously aligned the same requirements on the CIO and the IT organization.
The scope of impact is not limited to the CEO, CFO, and auditor, nor is it limited to SEC registrants (i.e. public companies). More and more of SOX’s provisions are becoming applicable to private companies as well (Heffes, 2005). More and more lenders and states are asking private companies about the status of their internal control environments.
While the CEO and the board of directors are accountable for overall corporate management, SOX also impacts on the IT administration, including organization governance, the responsibilities of CIOs, budgets, vendors, outsourcers, and business continuity plans. Among the most widely hyped, in terms of impacts, are reporting content and the timeliness of reports (Garretson, 2003; Marlin, 2003). CEOs and CFOs require their IT organizations to provide them with proof that automated portions of financial processes have appropriate controls, computer generated financial reports are accurate and complete, and any exceptions are being captured and reported to them in a timely manner (Kaarst-Brown and Kelly, 2005).
Section 404, in conjunction with the related SEC rules and Auditing Standard
No. 2 established by the Public Company Accounting Oversight Board (PCAOB) (2005), is driving pervasive change in the internal controls of the enterprise and requires the management of a public company and the company’s independent auditor to issue two new reports at the end of every fiscal year (PCAOB, 2002). These reports must be included in the company’s annual report filed with the SEC. The internal control report must include:
٠A statement of management’s responsibility for establishing and maintaining adequate internal control.
٠Managem ent’s assessment of the effectiveness of the company’s internal control.
٠A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control.
٠A statement that a registered public accounting firm audite d the company’s financial statements included in the annual report.
٠An attestation report on management’s assessment of the company’s internal control over financial reporting.
Under Section 404, management must also disclose any material weaknesses in internal control. If a material weakness exists, management may not be able to conclude that the company’s internal control over financial reporting is effective (PCAOB, 2002). These management statements are not enough, however; the company’s auditor must also attest to the truthfulness of these management internal control assertions.
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission recommended the enterprise risk management – integrated framework (ERM) to manage and reduce risks, to be applicable to all industries, and to encompass all types of risk (COSO, 2005). Moreover, the ERM framework recognizes that an effective enterprise risk management process must be applied within the context of strategy setting. ERM is fundamentally different from most risk models used in that it starts with the top of the organization and supports the organization’s major mission (COSO, 2005; Louwers et al., 2005).
The COSO framework describes five interrelated components of internal control in Section 404. The CEO and the CFO in concert with the CIO are responsible for (Ramos, 2004):
٠“tone at the top” that positively influences the attitude of the personnel;
٠identification of risks, objectives, and the methods to manage the risks;
٠activities and procedures that are established and executed to address risks;
٠information systems to capture and exchange the information needed to conduct, manage, and control its operations; and
٠the monitoring of and responses to changing conditions as warranted.
COSO creates a framework that divides IT controls into two types (Ramos, 2004):
(1) general computer controls; and
(2) application-specific controls.
General controls include:
٠data center operations (e.g. job scheduling, backup and recovery);
٠systems software controls (e.g. acquisition and implementation of systems);
٠access security; and
٠application system development and maintenance controls.
Application controls are designed to:
٠control data processing;
٠ensure the integrity of transactions, authorization, and validity; and
٠encompass how different applications interface and exchange data.
The ERM framework, a cornerstone of Section 404 and COSO, requires ongoing feedback of information from throughout the company. This information must be current and accurate and must be sufficiently robust to support the analysis of different risk responses (COSO, 2005). ERP systems and integrated systems must have the highest levels of integrity and controls. Enterprise risk management cannot be effective if the technology that provides the data used to manage the enterprise risk are flawed, corrupted, or not available. Many firms are implementing risk management applications to assist with internal control and assessment processes (Decker and Lepeak, 2003). A main objective of these tools is to lower external audit verification costs. Consistent with that objective, tools that have more automation and tighter integration with ERP processes are favored.
The ongoing assessment of Section 404 requirements requires a critical evaluation of legacy processes including ERP, operational and off-line management processes. An ERP SOX solution for financial and operational areas will be critical for a company that has moved to consolidated financial and operational processes (Decker and Lepeak, 2003). ERP centered risk management applications (e.g. Oracle Internal Controls Manager, PeopleSoft Enterprise Internal Controls Enforcer, SAP), as well as solutions that have effective integration with ERP (e.g. Movaris),
have pre-built diagnostic tools to test and continuously monitor configuration changes. The opportunities for corruption of transactional data include the timing of interface-validation tables, manual intervention, and overlap of security rights.Firms must continually assess operational processes such as SCM and CRM that drive financial transactions and the risks associated with those transactions. Self-assessment processes where managers can certify that the appropriate review/corrective actions are taken must be directed to the broken operational processes (e.g. SCM and CRM) that can correlate with broader financial risk for the enterprise.
Little academic literature has been published that investigates the utilization of COBIT (Ridley et al., 2004). COBIT and related sources are produced by the Information Systems Audit and Control Association (ISACA, 2005) and the IT Governance Institute (2005) and are not referred to by many academic authors. A handful of studies that benchmark the adoption or use of COBIT has been published by peer reviewed sources (Guldentops et al., 2002; Fedorowicz, and Ulric, 1998; Tongren and Warigon, 1997). The IT Governance Institute does provide the investigator an excellent source of case studies on COBIT outcomes. Case studies from the IT Governance Institute, as well as personal contacts in companies that are currently following COBIT, are two primary sources available to assist in the evaluation of the implementation of COBIT in an IT organization.
IT governance describes the selection and use of organizational processes to make decisions about how to obtain and deploy IT resources and competencies (Luftman et al., 2004). IT governance is about who makes these decisions (power), why they make them (alignment), and how they make them (decision process). Symptoms of ineffective IT governance include low project success rates and the ineffective IT alignment with business objectives. Overall IT project success rates have only recently improved to 34 percent while “challenged projects” still remain at 51 percent (The Standish Group, 2003). Potential alignment issues in IT governance for SOX compliance are indicated by two recent surveys. A survey of top Fortune 100 companies conducted by Worthen (2003) reports that most executives viewed compliance with SOX as a finance issue and that it was premature for the CIO to be involved. A Gartner survey of 75 senior compliance executives found that 37 percent of companies have no IT representation on SOX compliance teams (Leskeia and Logan, 2003). A consistent theme throughout the recent history of enterprise systems development is the lack of systematic
competencies in several related disciplines. Change management, project management, reporting procedures, process engineering, and prioritization of resources are among those skills that have been identified with underperforming ERP applications. Outsourcing of programming and services and enterprise architectural modeling requires effective execution of project management and related disciplines and is consistent with the themes cited by Deloitte & Touche (1999), Deloitte Consulting(1999), Benesh (1999), Somers and Nelson (2001) and Reich and Nelson (2003).
A linear extension of ERP history suggests that IT governance may be a roadblock in the adoption of SOX and COSO. Software and practice implementations to manage risk to comply with SOX require all of the ERP competencies described earlier plus the complete integration of SOX and COSO. As we move into the period following the first year of SOX compliance and as research identifies SOX compliance failures, we will begin to understand whether the same issues that plagued ERP systems continue unabated in a new environment. A significant incentive for SOX compliance is the punitive measures for the CEO and CFO specified in SOX and may play a role in the success rates.
COSO describes internal control as a process that is affected by people (COSO, 2005; Damianides, 2005). The IT organization must be able to support the internal controls of the organization on a systematic and repeatable level – the controls are integral to the operation of the enterprise. (Table III).
The ERP competencies cited by Deloitte & Touche (1999), Deloitte Consulting (1999), Benesh (1999), Somers and Nelson (2001), and Reich and Nelson (2003) are necessary to implement software and processes to support SOX, EA, outsourcing of programming or activities, enterprise security, and enterprise initiatives such as COBIT or the IDEAL model. Among all variables including technology, process, and personnel, Barry Boehm led the early discussion to demonstrate the dramatic differences that personnel and competencies have on performance (Boehm, 1981). Consistent with Boehm and ERP research cited in this paper, Xia and Lee (2004) identified the influence of organization and personnel in large IT projects. In their study of 541 large IT projects across several industries, organizational aspects, including the use of qualified personnel were the leading factor contributing to project success. CIOs should attend to organizational factors including the recruitment and retention of qualified personnel to establish competencies as a very high priority in the execution of SOX and subsequent compliance activities.
译文
关于萨班斯—奥克斯利法案ERP系统能告诉我们什么
资料来源:信息管理和计算机安全学作者：威廉·布朗弗兰克·纳苏缇萨班斯-奥克斯利法案的关键部分涉及第302、404、409和802 部分（美国上市公司会计监管委员会，2002）。

第302部分规定公司的官员要对相关的内部控制、程序、欺诈表示披露。

第404部分规定年度要评估内部控制的有效性。

第409部分规定，根据“迅速和当前依据”的原则，向公众披露公司财务状况的重大变更。

第802部分要求检验真实和不变的保存记录。

如果这四个部分或其他部分需要额外的执行措施（米德和麦克格劳，2004），作为变革推动者，证券和交易委员会（SEC）是非常有效的，且将维护自己的将来。

美国证券交易委员会在高层管理者对SOX上拥有有效的措施，同时对首席信息官和IT组织也有相同的要求。

这种影响范围并不局限于行政总裁，首席财务官和审计师，也不是仅限于美国证券交易委员会注册人（即上市公司）。

越来越多的萨班斯法案规定也正适用于私营公司（赫福斯，2005）。

越来越多的贷款人和州对各国私营公司内部控制环境也提出要求。

虽然首席执行官和董事会负责的是企业的整体管理，但萨班斯法案也影响IT的管理，包括组织管理，首席信息官的职责，预算，供应商，外包商和商业持续计划。

从影响来看，其中最广泛的是报告内容和报告的及时性（加瑞桑，2003；马林，2003）。

首席执行官和首席财务官要求IT组织提供他们与这份财务流程的自动化有适当的控制的证据，计算机生成的财务报告应该是准确和完整的，任何异常都会被捕获并要及时向他们报告（卡瑞士٠布朗和克里，2005）。

第404条，配合美国证券交易委员会的有关规则和上市公司会计监督委员会（PCAOB）（2005）建立的第2号审计标准，推动企业内部控制普遍变化和要求上市公司管理者与本公司独立审计，以此保证每年末的两个新报告（上市公司会计监督委员会，2002）。

这些报告必须包括该公司提交给美国证券交易委员会的年度报告。

内部控制报告必须包括：
٠为建立和维持适当的内部控制的管理者责任声明；
٠管理层对公司内部控制有效性的评估；
٠声明所确定的框架，管理层用来评价公司内部控制的有效性；
٠注册会计师事务所审计的公司财务报表列入年度报告的声明；
٠管理层评估公司内部控制财务报告的认证报告；
根据第404条，管理层也必须披露内部控制的任何重大缺陷。

如果存在一个重大缺陷，而管理层可能无法得出结论，这些管理层报表是不够的，然而，公司的审计师还是必须证明这些管理层内部控制的真实性。

那么该公司的财务报告中内部控制是还是有效的（上市公司会计监督委员会，2002）。

COSO委员会建议的用于管理和减少风险的企业风险管理——整合框架（企业风险管理），适用于各行业，并涵盖了所有类别的风险（COSO，2005）。

此外，企业风险管理框架认识到一个有效地企业风险管理过程必须应用到相应的战略背景下。

企业风险管理是最根本的风险模型，其不同之处在于它开始于该组织的顶部，并支持该组织的主要任务（COSO，2005；楼沃斯等，2005）。

COSO框架描述内部控制在第404部分五个交关组分。

首席执行官、首席财务官和首席信息官要对以下负责（洛马斯，2004）：
“语调在顶部”积极影响人员的态度；
风险鉴定，目标和方法来管理风险；
建立和执行来解决活动和风险程序；
信息采集和交换系统，其业务所需的信息来进行，管理和控制，以及
监测和响应不断变化的必要条件。

COSO创建了一个框架，将信息技术控制分为两类（洛马斯，2004）：
1．一般计算机控制；
2．应用程序特定程序。

一般控制包括：
数据中心业务（如作业调度，备份和恢复）；
系统软件控制（如购置和系统实施）；
访问安全；
应用系统开发和维护控制。

应用控制的目的是：
控制数据处理；
确保交易的有效性、授权和完整性；及
包括不同的应用程序接口以及如何进行数据交换。

企业风险管理框架是COSO和第404条的基石，公司始终需要不断地反馈信息。

这些信息必须是当前和准确的，必须足够强大，并支持分析不同风险的回应（COSO，2005）。

ERP系统和综合系统必须具有最高水平的完整性和控制。

如果该技术提供的数据用于企业风险管理有缺陷，损坏或者不可以用，企业风险管理会无效。

许多公司正在实施的风险管理应用，以协助内部控制和评估程序（德克和里皮克，2003）。

这些工具的一个主要目标是降低外部审计核查费用。

根据这一目标，工具有更多的自动化和更严格的整合与ERP流程的青睐。

资产评估404条款的要求客观评价资产流程，包括ERP、运作、离线管理环节。

萨班斯法案的ERP方面，财务和经营解决方案的关键地方是公司财务和经营的合并过程（德克和里皮克，2003）。

ERP集中风险管理应用程序（如欧莱克里的内部控制经理，皮泼索芙特的企业内部控制实施者，SAP），以及拥有有效的解决方案。

集成的ERP（如莫瓦里斯），用已预先建立的诊断工具来测试和持续监控配置更改。

有腐败机会的交易数据，包括介入时机接口验证表，手册，安全权利干预和交叠时间。

企业必须连续地评估操作过程，例如供应链管理和客户关系管理，这些会驱使金融交易和相关的交易风险。

自我评估进程证明，哪里的管理者可以向破碎的操作流程（如供应链管理和客户关系管理）适当的审查或采取纠正行动，可以更广泛地联系企业的财务风险。

很少有调查是可以利用COBIT的出版了的学术论文（里德利等，2004）。

COBIT的相关来源是由信息系统审计与控制协会（ISACA协会，2005年）和IT治理研究所（2005年）提供，并没有提到许多学术作者。

一些研究，采用标准或者使用COBIT已经通过文献综述发表了（古登托皮斯，2002；菲德威斯与由里克，1998；同葛里与瓦力功，1997）。

IT治理研究所确实提供了调查COBIT 案例研究成果的极好来源。

从IT管理研究所的案例研究，以及公司联系目前都证明了COBIT是可用的资源，是两个主要协助评价COBIT在IT组织的措施。

IT治理描述了选择和管理过程如何获得决定并实施资源和实践能力（路福特曼，2004）。

IT治理是关于谁作决策（能力），他们为什么让他们（对齐），以及他们如何让他们（决策过程）。

无效的IT治理的症状包括低成功率的项目和与无效的IT业务目标保持一致。

IT项目的整体成功率最近只有提高到34%，而“挑战项目”仍停留在51%（斯坦迪什集团，2003年）。

IT治理在遵守萨班斯法案上的潜在问题是由最近的两个调查发现显示的。

一份瓦森（2003）调查财富前100的公司的报告指出，多数高管认为SOX法案是一个金融问题，和让首席信息官过早的参与其中。

一项加特纳调查75名高层合格管理人员发现，37%的公司在SOX法案上没有IT代表（拉斯科尔和罗根，2003）。

一个与系统的发展相一致的主题贯穿了整个企业制度发展的近代历史，是几个相关的学科缺乏系统。

变更管理，项目管理，报告程序，工艺设计，应用和资源的优先次序已经确定了ERP系统中的技能与业绩不佳。

外包服务品质和企业规划和建筑造型需要有效地执行，需要项目管理与相关主题相一致，并引用了德勤会计师事务所（1999），贝尼序（1999），萨默斯与纳尔逊（2001）和瑞曲与尼尔森（2003）。

ERP的线性延伸历史表明，IT治理可能会成为通过SOX和COSO的障碍。

为了软件和实践的实现风险管理能力需要遵守SOX所有的ERP加上前面所述的COSO和萨班斯法案的全面整合。

当我们进入实施萨班斯法案的第一年，为了研究确定萨班斯法案的失败，我们将开始了解ERP系统在新环境是否有相同
的问题继续有增无减地困扰着。

遵从SOX的一个重要诱因是其在SOX规定的对首席信息官和首席财务官的惩罚性措施，这为成功的机率上发挥了作用。

COSO将内部控制描述成一个会受人影响的过程（COSO，2005；达曼尼德斯，2005）。

IT组织必须能够在组织系统和可重复的水平上支持内部控制的组织，对企业经营来说控制是必不可少（表三）。

被引用数次的德勤会计师事务所（1999），贝尼序（1999），萨默斯与纳尔逊（2001）和瑞曲与尼尔森（2003）的ERP是必要的执行软件和流程用以支持SOX执行，外包的编程或活动、企业安全、企业措施，如COBIT或IDEAL。

在所有变量之中，包括技术、工艺和人员优势，巴里·贝姆率领早期讨论，体现了人员和能力在表现上的剧烈区别（贝姆，1981）。

本文中引用的贝姆配合的ERP的研究，夏和李（2004）的定义是在大型IT中的项目影响和人员。

在他们的大型研究项目中，在541个交叉的若干学科的行业中，组织方面，包括人员使用合格资格的主导因素，这些都会使项目成功。

首席信息官们应注意遵守活动组织的因素，包括招聘和挽留人才，以此建立在SOX法案能力上优先执行和随后的合规管理活动。