Posted September 14, 2006
It may be that an organization has complete faith in their people to not perform malicious acts. The people may all be long-term happy, highly trained employees who all have a vested interest in the long-term success of the company. What management must bear in mind is that those employees are still human. Errors can and will happen routinely that can impact the financial reports resulting in embarrassment, restatements, brand damage and perhaps even investor lawsuits.
Instead, organizations need to recognize that all processes have some degree of inherent variation and put controls in place to reasonably prevent errors and detect when they occur. In the world of IT, we have many controls to select from that can help, such as:
Standards Through the documentation and implementation of policies and procedures, organizations can communicate what is acceptable. Furthermore, as the variation in types of systems is reduced, the level of deep knowledge can increase as people learn and share knowledge.
System Development Life Cycle (SDLC) Can be used to identify how development projects are to be managed to minimize the introduction of error.
Project Management Can be used to implement a system per the SDLC to ensure that there is proper communication, that the right parties are involved, tasks are completed and so on. For example, it can monitor and report if testing is not being performed.
Change Management Can be leveraged to help identify the level of risk associated with a proposed change such that appropriate action is taken to reduce risks to an acceptable level.
Testing Can be used to identify if the system performs as expected. Business experts and IT personnel must be involved to determine the acceptability of results.
Training Personnel who have the proper formal training will understand their jobs better and are less apt to make mistakes based on erroneous information or assumptions
Continuous process improvement Formal initiatives should be in place to constantly monitor and look for means to improve.
Automation Technology is a tool that IT can leverage to reduce the introduction of error but it is not a silver bullet solution. Safeguards, such as an SDLC, change management and testing, should be used to validate that the automation will perform as expected.
Fraud and malicious activities gather a lot of attention in the popular media, trade press and board meetings. Statistically speaking, the greater threat is from human error and controls and processes that are put in place to safeguard financial reporting must take that into account.