Beginning with the passage of the Sarbanes-Oxley Act (SOA), management and auditors alike have struggled with defining the scope of business continuity as an internal control related to financial reporting. Some executive managers have advocated business continuity-related processes independent of SOA because they’re viewed as good business practices. Others have stated business continuity is not an internal control consideration related to financial reporting, while some have adopted a “minimalist” view and developed IT disaster recovery strategies focused exclusively on the systems that consolidate financial data and generate financial reports. External audit firms have struggled as well, providing conflicting guidance mirroring management’s struggles.
Arguably, the confusion and struggle are behind us now that the Public Company Accounting Oversight Board (PCAOB) has elected to exclude business continuity and contingency planning from Section 404 compliance requirements. What will this mean for business continuity? With the exception of the “minimalist” organization that may now have to struggle for management support and funding for business continuity, the primary effect is the exclusion of the auditor’s review of business continuity as a “current period” internal control over financial reporting. However, as a business issue and management priority, the importance of business continuity will not diminish.
Reviewing the PCAOB standard
What’s the PCAOB’s specific guideline? On March 9, 2004, the PCAOB released Auditing Standard No. 2, “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.”[1] Within the 211-page document is a reference to safeguarding assets, and within that section (page A-135), the treatment of business continuity specific to Section 404 is addressed.
In sum, adoption of the standard fulfills the PCAOB’s obligations under Section 404 of Sarbanes-Oxley. The standard has been submitted to the SEC and will become effective upon approval by the Commission (expected by May 2004 after a public comment period).
Is the PCAOB position on business continuity right or wrong?
Based on our preliminary discussions with a wide variety of business managers and industry practitioners, the feedback is mixed. Many agree with the statement regarding future periods and controls. However, others point out that the failure of key financial applications, data sources and business functions related to the consolidation and generation of financial statements would impact the completeness, accuracy and availability of the financial report. Specifically, the key financial reporting processes that could be affected by a business interruption include:
- Capturing, authorizing and processing transactions
- Processing cut-offs
- Developing disclosure data
- Consolidation
- Fair-value information pricing
- Trading position and current market exposures
James DeLoach, managing director for Protiviti and head of the firm’s Sarbanes-Oxley consulting practice, stated in a report[2] on the PCAOB Auditing Standard No. 2, “While the Board concluded that business continuity and contingency planning did not affect a company’s current abilities to initiate, authorize, record, process or report financial data, it is important to recognize that systems which are vital to the sustainability of the business may also have significant financial reporting implications. Management has a responsibility to ensure that data needed to facilitate the initiation, authorization, recording, processing and reporting of financial information is available when needed, both now as well as in the future. The problem is, no one knows when events triggering the need for a disaster recovery plan will occur. If a significant, priority system goes down and a company loses large amounts of data that is critical to financial reporting because of the absence of effective disaster recovery capabilities, there will be a lot of explaining to do if the lost data results in missed reporting deadlines or causes the certifying officers to refuse to sign certifications because critical information isn’t available. Perhaps these are extreme examples, but they can occur and, if they did, I wouldn’t want to be the one facing the audit committee trying to explain why disaster recovery isn’t important to financial reporting.”
Has the PCAOB’s position eliminated confusion regarding business continuity?
Based on industry feedback, the answer is no – confusion still exists in the market. Business executives generally have concluded business process-oriented continuity planning is excluded. However, since business continuity and contingency planning were not defined by the PCAOB, Sarbanes-Oxley compliance teams and their executive managers already are asking if IT disaster recovery is excluded, as well. Most executives and auditors have made the assumption that data backup remains a key internal control for financial reporting-related applications, and some consider it a component of, or strongly related to, IT disaster recovery.
What are the implications for the business continuity industry?
A significant number of continuity practitioners viewed SOA as the catalyst that would push more and more organizations to design and implement continuity solutions. Was development of these solutions moving forward before the PCAOB meeting on March 9? In a number of firms, yes. Some executive managers and their auditors who had concluded that Section 404 required formal continuity processes elected to implement enterprise-wide business continuity programs.
These organizations moved beyond the “minimalist” approach and addressed critical business functions and IT assets. However, in most cases, constrained by a lack of time and resources, organizations either concluded that continuity planning was not a Section 404 issue, or their executive managers elected to pursue a solution focused solely on the systems supporting financial reporting and/or the people responsible for producing the financial statements.
Thus, Section 404 has not been a primary driver for developing new business continuity solutions. The vast majority of organizations deploying enterprise-wide business continuity programs are doing so for a variety of reasons, including audit committee mandates, executive management liability concerns, shareholder/stakeholder protection, customer mandates and specific regulatory requirements.
What’s Next?
It’s only been a short time since the PCAOB’s release of Auditing Standard No. 2. From an audit perspective, most organizations are focusing on the key financial reporting controls within the scope of Section 404 and have eliminated business continuity from the controls assessment. Organizations that elected to begin designing and implementing business continuity or IT disaster recovery strategies prior to the PCAOB’s March 9 meeting may now postpone their efforts.
However, perhaps surprisingly, many organizations (despite being aware of the PCAOB guidance) continue the design and implementation process because Section 404 was only one of the drivers behind these efforts. Within these organizations, executive managers (and a growing number of boards) recognize their responsibility to protect the company through a vigorous business continuity planning effort. They realize that if they do nothing now to prepare for recovery from a business interruption or disaster, then if or when one occurs, they won’t be able to point to the PCAOB and pass the blame. According to DeLoach, “If an executive management team concludes that certain financial reporting processes are critical from a data recovery standpoint, I don’t think the Board’s decision has any effect on that conclusion. While we don’t know for sure because there isn’t a documented rationale supporting its thought process, I believe the Board intended to articulate the scope of the external auditor’s review and did not intend to cast judgment on management’s business case for exercising its prerogative to protect the company’s information assets. Therefore, if management has decided to implement a business continuity plan and execute a business impact analysis because of a conclusion that it is the prudent thing to do based upon the criticality of IT assets to the business, I would be very surprised if the Board intended to question the merits of that decision.”
The degree to which management addresses continuity ultimately is a decision based on business risk, and not just for compliance with Sarbanes-Oxley, PCAOB standards or other regulatory requirements. A growing number of executives and their boards of directors, influenced by their external auditors who understand the potential risks of employing poor continuity strategies, are concluding they must have adequate business continuity programs. The PCAOB standard may influence some companies to cancel or postpone business continuity efforts, but likely it will do so only in those organizations that limit the focus of their continuity planning efforts to their financial reporting process and supporting systems.
[1] PCAOB Release No. 2004-001, March 9, 2004.
[2] Protiviti PCAOB Flash Report, “PCAOB Adopts Final Standard for Audits of Internal Control Over Financial Reporting,” March 9, 2004 (available at www.protiviti.com).