Sarbanes-Oxley As a Driver for Business Continuity

By Brian Zawada, Nick Benvenuto, Ed Hill and Brett Williams.

How does Section 404 address business continuity and/or IT disaster recovery?

An important aspect of managing a company’s overall risk, including its continuation as a going concern, is its ability to effectively address business continuity and IT disaster recovery. A company must have a responsive business continuity plan, including an IT disaster recovery plan, addressing the findings from a Business Impact Analysis (BIA). The purpose of the BIA is to identify recovery objectives for critical business processes and IT assets, as well as continuity-related risks to which the organization may be vulnerable. Once an adequate BIA is completed, the company can evaluate whether changes are needed in its business continuity and disaster recovery plans. These plans must be kept up to date and periodically tested to maintain their adequacy in ensuring that the company can fulfill its obligations to shareholders and under SOA.

Specific to SOA, a company’s processes, systems and controls must make available all material information needed for fair presentation and disclosure, including the update of accounting estimates with current and reliable information. On a more strategic scale, an organization’s business continuity methodology and approach must be agreed to by management as the foundation for mitigating financial and reputational risk posed by business interruption.

What does the Section 404 compliance project team look for when evaluating data management and IT disaster recovery?

Data management is critical to the effective and efficient workings of a technology organization. For discussion purposes, “data management” relates to the processes around the backup, recovery and restoration of data. Data may need to be recovered for any number of reasons, most of which arise from a hardware or software failure where data has been corrupted or lost. The company must have the ability to restore or restart the processing in a manner such that it does not lose the integrity and completeness of transactions or data. The loss of the transactions and data obviously could affect the accuracy and completeness of processing.

Data management also includes the considerations around the criticality of the application, and the appropriate timing and frequency of the back-up process. The frequency and reliability of this process often reflect a cost/risk/benefit judgment around how much data (or transactions) a company can afford to lose without negatively impacting the business (in many different ways).

The processes and procedures around disaster recovery are closely related to data management. For purposes of compliance with Section 404, business continuity and IT disaster recovery relate mainly to the company’s ability to continue filing its required financial and other reports with the SEC accurately and on time under the Commission’s rules and regulations. As discussed in Question 35 on the business impact analysis and continuity planning, the disaster recovery activities relevant to Section 404 of SOA need to be responsive to those plans.

There are some who argue that Section 404 of Sarbanes-Oxley now requires companies to have a full business continuity and disaster recovery plan in order to meet the “going concern” assumption inherent in the financial reporting model. The “going concern” issue was not modified under Sarbanes-Oxley: if a company had a “going concern” issue before Sarbanes-Oxley, it would have one now, and vice versa. That said, we strongly believe prudent companies should have appropriate business continuity and disaster recovery plans based on a comprehensive business impact analysis. As noted in Question 35, this practice is an important aspect of managing business risk.

Impact on the Financial Reporting Assertions

  1. The ability to completely and accurately report transactions and financial reporting data is impacted by the data management and disaster recovery process.
  2. Access to assets could be impacted if inappropriate access is granted through the data management process to production or backed-up data.
  3. The company’s ability to meet its obligations to file timely, complete and accurate reports with the SEC could be impacted if the business continuity and disaster recovery plans are not comprehensive and up-to-date.

Impact of Strong Controls

  1. The data management process preserves the completeness and accuracy of data; thus subsequent processing following restoration and recovery can be relied upon.
  2. Access is properly restricted, assuring data is not altered or deleted through the data management process.
  3. The risk of not being able to meet the filing requirements of the SEC is adequately mitigated.

Impact of Weak Controls

  1. There is no assurance that the data management process has not adversely impacted data. There is a need to document and evaluate mitigating controls designed to detect potential errors or omissions. These procedures and controls would most likely include procedures that inform users when data has been restored or when an attempt to restore data has occurred. The mitigating controls should include specific detective controls designed to determine inappropriate changes to data upon a restoration or recovery incident.
  2. When considering the company’s ability to comply with the SEC filing requirements, management determines that there is not an adequate business impact analysis and/or disaster recovery plan. In such instances, the company should consider what procedures are needed to implement both a short- and a long-term solution. This situation would then become a potential disclosure issue under Sarbanes-Oxley Sections 302 and 404, so the steps to take must be carefully considered and appropriate action taken.
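One concrete form of the detective control called for in item 1 above, as an added example that is not part of the original article: a SHA-256 manifest is recorded at backup time and re-checked after a restore, and the check reports files that were altered, went missing or appeared unexpectedly. The file names and ledger contents are constructed sample data, and the manifest is assumed to be stored separately from the backup media.

```python
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Walk `root` and return {relative_path: sha256 hex digest} for every file."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def verify_restore(expected, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    Returns {'altered': [...], 'missing': [...], 'unexpected': [...]}; an empty
    result means the restore reproduced the backed-up data exactly."""
    actual = build_manifest(restored_root)
    altered = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    unexpected = sorted(p for p in actual if p not in expected)
    return {"altered": altered, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: back up two ledger extracts, then check a restore in
    which one file was changed, one is missing and an extra file appeared."""
    src = tempfile.mkdtemp()
    with open(os.path.join(src, "gl_2003q2.csv"), "w") as f:
        f.write("acct,amount\n1000,250.00\n")
    with open(os.path.join(src, "ap_2003q2.csv"), "w") as f:
        f.write("vendor,amount\nACME,99.50\n")
    manifest = build_manifest(src)  # recorded at backup time, kept off the backup media
    restored = tempfile.mkdtemp()
    with open(os.path.join(restored, "gl_2003q2.csv"), "w") as f:
        f.write("acct,amount\n1000,25000.00\n")  # amount differs from the backup
    with open(os.path.join(restored, "extra.csv"), "w") as f:
        f.write("x\n")
    return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be signed or written to append-only storage so that the check itself cannot be silently adjusted along with the data.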

What processes should be in place with respect to business impact analysis and continuity planning?

It is the process owner who has the overall responsibility for the appropriateness of the business impact analysis and for the development and maintenance of the business continuity plan resulting from the impact analysis. It is the responsibility of the IT organization to develop a disaster recovery plan that interacts with the business continuity plan.

An important aspect of managing a company’s overall business risk, including its continuation as a going concern, is its ability to effectively address business continuity and disaster recovery. In light of the events of September 11, 2001, this is clearly an important business risk to be managed. The power outage of 2003 in the eastern United States points out the vulnerabilities of organizations dependent on their country’s critical infrastructure (i.e., telecommunications, utilities, water supplies, banking systems, transportation, etc.).

Sections 302, 404 and 906 of Sarbanes-Oxley require companies to design and maintain procedures and controls to identify in a timely manner all material information for action and disclosure, and to provide fairly presented financial information and disclosure to the public in periodic and current reports. There is a presumption in financial reporting that public companies will be able to meet their reporting deadlines and have available all material information needed for fair presentation and disclosure, including the update of accounting estimates with current and reliable information. These requirements create obligations suggesting a need for companies to have an adequately documented business impact analysis, with management’s agreement and sign-off, addressing the company’s broader business risks as well as its regulatory and compliance risks, including those risks relating to public reporting. Once an adequate business impact analysis is completed, the company can evaluate whether changes are needed in its business continuity and disaster recovery plans. These plans must be kept up to date and periodically tested to maintain their adequacy in ensuring the company can fulfill its obligations under Sarbanes-Oxley.

Additional Sarbanes-Oxley resources from Protiviti

CFOs Surveyed by Protiviti Name Top Sarbanes-Oxley Challenges

Protiviti recently completed a comprehensive survey of 300 chief financial officers with public companies nationwide. The results, detailed in a report titled, Insights on Today’s Sarbanes-Oxley and Corporate Governance Challenges, reveal the policies, opinions and concerns of publicly traded companies, and assess the degree to which Sarbanes-Oxley and other regulatory requirements are driving change in corporate governance practices. Protiviti’s survey was conducted in the second quarter of 2003 by an independent research firm. You can download a free copy of the survey report.
http://www.protiviti.com/knowledge/cfo_survey.html

Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements
Frequently Asked Questions Regarding Section 404 (Updated to reflect the SEC's final rules)

In response to the SEC’s final rules on Section 404 of the Sarbanes-Oxley Act as well as feedback from hundreds of clients, colleagues and industry professionals, Protiviti has updated its well-received Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements. The new edition contains 40 pages of new material, including 47 additional frequently asked questions and updates of many other questions reflecting the SEC’s revised rules pertaining to Section 404. Download a free copy.
http://www.protiviti.com/knowledge/sarbanes_oxley_404.html

Capitalizing on Sarbanes-Oxley Compliance to Build Supply Chain Advantage

Protiviti and APICS, The Educational Society for Resource Management, have co-produced a new book detailing how the Sarbanes-Oxley Act, while focusing on corporate governance requirements such as executive certification and internal controls over financial reporting, has a complementary impact on supply chain risks in infrastructure design, transaction integrity and reporting measures. As a result, executives should adopt a back-to-basics approach to understanding and prioritizing supply chain risks, capabilities, measures and controls, beginning with but expanding beyond their material impact on the company's financial statements. Download a copy.
http://www.protiviti.com/downloads/SupplyChain_SOA.pdf