Aiding the compliance effort: an audit director contemplates his team's participation in a companywide IT initiative, and its potential impact on audit independence

Internal Auditor, April, 2008 by Eelco R. van Wijk, Timothy R. Holmes

WeHaveItAll Inc. (WHIA) is a publicly traded discount retailer based in the central United States, with 1,100 store locations and more than US $40 billion in annual revenues. In addition to its retail operations, WHIA maintains separate consumer financing and transportation divisions and is considered a major competitor in most areas of the country. While less known than its main competitors, the company has experienced 13 consecutive quarters of revenue and profit growth and expects that trend to continue.

Mark is WHIA's director of IT audit and has served in that role during the last four of the 16 years he's worked for the company. He has two managers and 14 staff members to cover the company's extensive IT environment, which includes a robust online retail store and a fully integrated enterprise resource planning system that houses all financial and human resources transactions, including those at the store level. Mark has just returned from a meeting with the Information Assurance and Security Department (IASD), where team members explained their mandate for a compliance program focused on the company's IT resources. The program aims to consolidate all IT compliance efforts related to the U.S. Sarbanes-Oxley Act of 2002, payment card industry (PCI) standards, the U.S. Health Insurance Portability and Accountability Act (HIPAA), and several smaller initiatives. The group invited Mark to join the effort.

Mark has to decide what level of involvement, if any, he and his department should have in this program. Although he believes the initiative could benefit from internal audit expertise, he is concerned about how his participation might affect the department's independence. He also wonders how the new compliance program, once in place, should be evaluated by both external and internal auditors.

What should Mark keep in mind as he makes his decision? How can he add value to the program? Should he support this effort at all?

BOB GREEN, Assistant Vice President, Internal Audit, R.H. Donnelley

MATTHEW CLEAVER, Senior Audit Manager, R.H. Donnelley

Mark's IT team should be pleased to participate. As a public company subject to Sarbanes-Oxley, WHIA must ensure that controls over financial reporting of IT data are documented and operating effectively. The company needs to devote careful attention to systems access and authorization, data processing, and numerous other elements that support the integrity of IT controls. Examples of major risk areas include revenue recognition, access to master file price lists and customer information, and inventory control for both in-store and Internet-based sales.

PCI standards require companies to assess whether credit card processors maintain restricted and secured cardholder information; failure to comply can result in significant fines. Most likely, the standards' control environment requirements, such as those pertaining to customer billing data, overlap with requirements from Sarbanes-Oxley. An IT audit manager familiar with WHIA's technology-related Sarbanes-Oxley controls should be able to help prepare the required PCI questionnaire, identify possible internal control deficiencies and remediation plans, and complete the required attestation of compliance within the specified period.

HIPAA relates to the privacy of medical information, as specified under U.S. federal law. The act covers employee and customer medical information, both of which may be relevant to WHIA if it operates pharmacies or other health-related activities. HIPAA requires companies to restrict access to all health information, which must be accomplished via physical and logical access controls. To meet this requirement, and to fulfill its other compliance obligations, WHIA needs to compare the roles and responsibilities of all current users of HIPAA-, Sarbanes-Oxley-, and PCI-related data against actual authorization and business needs. Access held by unauthorized individuals should be removed at once, and a process should be in place to prevent future access by unauthorized users.

For both internal and external auditors, independence can be a concern when the internal auditors assist with systems implementations and then later audit those same systems. In the United States, external auditors can rely on the work of internal auditors only after evaluating the internal auditors' technical competence and independence. Mark can help mitigate independence concerns by ensuring that the IT auditors who participate on this project do not also conduct audits that examine its effectiveness.

KIMBERLY DE VRIES, CISA, PMP, Senior Audit Manager, Zurich North America

Mark should assign two people to participate on the project team in an advisory capacity. By involving his department in this effort, he can support an initiative that should result in better use of company time and resources and effective alignment across WHIA's numerous compliance efforts. Given the size of WHIA's IT audit staff, devoting two individuals to the project should not affect Mark's ability to deliver his audit plan. He should allocate 50 percent of their time to the initiative, which should yield a perspective that benefits not only the two individuals but the rest of his staff as well.
