Taking the Wind Out of the BCM Sails?

Beginning with the passage of the Sarbanes-Oxley Act (SOA), management and auditors alike have struggled to define the scope of business continuity as an internal control related to financial reporting. Some executive managers have advocated business continuity-related processes independent of SOA because they are viewed as good business practices. Others have stated that business continuity is not an internal control consideration related to financial reporting, while some have adopted a "minimalist" view and developed IT disaster recovery strategies focused exclusively on the systems that consolidate financial data and generate financial reports. External audit firms have struggled as well, providing conflicting guidance that mirrors management's struggles.

Arguably, the confusion and struggle are behind us now that the Public Company Accounting Oversight Board (PCAOB) has elected to exclude business continuity and contingency planning from Section 404 compliance requirements. What will this mean for business continuity? With the exception of the "minimalist" organization, which may now have to struggle for management support and funding for business continuity, the primary effect is the exclusion of business continuity from the auditor's review of "current period" internal controls over financial reporting. However, as a business issue and management priority, the importance of business continuity will not diminish.

Reviewing the PCAOB standard

In sum, adoption of the standard fulfills the PCAOB's obligations under Section 404 of Sarbanes-Oxley. The standard has been submitted to the SEC and will become effective upon approval by the Commission (expected by May 2004, after a public comment period).

Is the PCAOB position on business continuity right or wrong?

James DeLoach, managing director for Protiviti and head of the firm's Sarbanes-Oxley consulting practice, stated in a report[2] on the PCAOB Auditing Standard No. 2, "While the Board concluded that business continuity and contingency planning did not affect a company's current abilities to initiate, authorize, record, process or report financial data, it is important to recognize that systems which are vital to the sustainability of the business may also have significant financial reporting implications. Management has a responsibility to ensure that data needed to facilitate the initiation, authorization, recording, processing and reporting of financial information is available when needed, both now as well as in the future. The problem is, no one knows when events triggering the need for a disaster recovery plan will occur. If a significant, priority system goes down and a company loses large amounts of data that is critical to financial reporting because of the absence of effective disaster recovery capabilities, there will be a lot of explaining to do if the lost data results in missed reporting deadlines or causes the certifying officers to refuse to sign certifications because critical information isn't available. Perhaps these are extreme examples, but they can occur and, if they did, I wouldn't want to be the one facing the audit committee trying to explain why disaster recovery isn't important to financial reporting."

Has the PCAOB's position eliminated confusion regarding business continuity? What are the implications for the business continuity industry?

These organizations moved beyond the "minimalist" approach and addressed critical business functions and IT assets. However, in most cases, spurred by a lack of time and resources, organizations concluded that continuity planning was not a Section 404 issue, or executive managers elected to pursue a solution focused solely on the systems supporting financial reporting and/or the people responsible for producing the financial statements. Thus, Section 404 has not been a primary driver for developing new business continuity solutions. The vast majority of organizations deploying enterprise-wide business continuity programs are doing so for a variety of reasons, including audit committee mandates, executive management liability concerns, shareholder/stakeholder protection, customer mandates and specific regulatory requirements.

What's Next?

However, perhaps surprisingly, many organizations (despite being aware of the PCAOB guidance) continue the design and implementation process because Section 404 was only one of the drivers behind these efforts. Within these organizations, executive managers (and a growing number of boards) recognize their responsibility to protect the company through a vigorous business continuity planning effort. They realize that if they do nothing now to prepare for recovery from a business interruption or disaster, then if or when one occurs, they won't be able to point to the PCAOB and pass the blame.

According to DeLoach, "If an executive management team concludes that certain financial reporting processes are critical from a data recovery standpoint, I don't think the Board's decision has any effect on that conclusion. While we don't know for sure because there isn't a documented rationale supporting its thought process, I believe the Board intended to articulate the scope of the external auditor's review and did not intend to cast judgment on management's business case for exercising its prerogative to protect the company's information assets. Therefore, if management has decided to implement a business continuity plan and execute a business impact analysis because of a conclusion that it is the prudent thing to do based upon the criticality of IT assets to the business, I would be very surprised if the Board intended to question the merits of that decision."

The degree to which management addresses continuity is ultimately a decision based on business risk, and not just on compliance with Sarbanes-Oxley, PCAOB standards or other regulatory requirements. A growing number of executives and their boards of directors, influenced by external auditors who understand the potential risks of poor continuity strategies, are concluding that they must have adequate business continuity programs. The PCAOB standard may influence some companies to cancel or postpone business continuity efforts, but it will likely do so only in those organizations that limit the focus of their continuity planning to the financial reporting process and its supporting systems.

About the Author

Notes

[1] PCAOB Release No. 2004-001, March 9, 2004.
[2] Source: Protiviti PCAOB Flash Report, "PCAOB Adopts Final Standard for Audits of Internal Control Over Financial Reporting."