Let's face it. Most people think that auditors are lifeless, unemotional drones who move with a single minded efficiency in reviewing financial records, controls and other sundry items to ensure that the financial statements of a company are free of material misstatements and that they are accurate. In fact, Andersen auditors were often referred to as "Andersen Androids". But for most people in a corporation, that was fine because they had no real need to worry about or understand accounting and business control concepts. Put an auditing textbook in front of them and you could watch their eyes glaze over.
Section 404 of the Sarbanes-Oxley (SOX) Act changes all of that, especially for line of business managers and information technology professionals. Every day I talk to people who are faced with trying to understand SOX and implementing systems to support SOX requirements. There is often frustration in their voices or emails as they lack an effective roadmap. In How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Controls (290 pages, John Wiley and Sons, Inc, 2004. 290 Pages), Michael Ramos sets out to provide an understanding of how Section 404 of SOX came to be, what it requires, what is not required, and a roadmap for assuring compliance.
It is not an easy task to present a comprehensive guide to aid with Section 404 compliance, but Ramos delivers in this book in ways that many others have tried and failed. Ramos is a CPA and an auditor by training and background. He starts from the explaining the responsibilities of an information systems auditor and very basic concepts of business controls, which allows every reader of the book to start with a common framework. His writing leads a reader to integrate, weave and understand what controls are and how they fit into the compliance process. He writes it in a way that does not talk down to the reader, but engages them in a thoughtful conversation as a good teacher would in a classroom.
The book is intended to be a guidebook and a reference and its utility for this purpose will not disappoint. After laying the groundwork, Ramos leads the reader through every step of the audit processes associated with Section 404 compliance. He helps the reader understand what the auditor will be looking for and reviewing. He examines the role of automated compliance tools, including the pros and cons of their use. He helps the reader to understand the different types of controls, the different kinds of risk and what "materiality"means when reporting deficiencies. In fact, if there is one lesson to take from this book for non-auditors, materiality is not based on what YOU think is a deficiency that will impact your view and acceptability of a system, but the view of the users of a system and/or any information generated by the system.
Who should read this book? It should be read by ALL C-level officers of an organization so they understand the concepts and the processes. It should be read by all members of an organization's audit committee so they too have an understanding. It should also be read by information systems managers so they understand that they are not operating in a silo that is independent of the rest of an organization, but that they are a fully integrated part of an ecosystem designed to support business objectives and sound corporate governance. They also need to be able to communicate with their staff about the importance of sound controls. And last but not least, it should be read by and incorporated into the toolkit of every IS Auditor.
This is not a cheap book (US$65.00), but as the best, most comprehensive guide to Section 404 compliance out there, it is worth every penny. The implementation and evolution of tools and processes associated with Section 404 of the Sarbanes-Oxley Act will bring about technical business and cultural changes in the way business is managed so that sound corporate governance is in place. This book will more than help you manage the change effectively.
The Business Controls Caddy Scorecard: Double Eagle on a long Par 5.
"The Business Controls Caddy"