
How Can One Capitalize on the Concept of Limited Liability?

Part III: Auditing Accounting Statements and Enterprise Resource Planning Records

Chapter 14: The Auditor's Independence Is Critical to the Management of All Information Systems

14.3 How Can One Capitalize on the Concept of Limited Liability?

The concept of limited liability might provide a useful parallel to each business unit's responsibility in terms of technological leadership and associated auditing of IT. If one looks back in corporate history, one sees that only by the mid-nineteenth century did a distinction begin to be made between the capital and the revenue of a limited liability firm. This was necessary for the purpose of determining what was distributable as dividends. It was left to the British Companies Act of 1862 to establish the first legal recognition of the principle of freedom of incorporation, which redefined the notion of limited liability and provided direct accountability to shareholders.

The British Companies Act of 1862 also required that all associations of more than 20 persons must be registered. The organization of the Institute of Chartered Accountants in England and Wales, in 1880, was largely the result of requirements that developed under the Act of 1862 and its subsequent amendments. These amendments provided for better focus on the notion of personal accountability.

One can try to apply this notion to the implementation and follow-up on performance of bought software, taking ERP as an example. Chapter 1 outlined the functional applications areas of ERP and, as the reader will recall, these range from general accounting responsibilities to production planning and quality assurance (manufacturing) and human resources management (personnel).

A global organization will have many pyramids with ERP and CRM type information. A going concern, however, is one entity and the distinct pyramids must integrate together, as shown in Exhibit 14.4. Each of the departments cited in Exhibit 14.4 — marketing, manufacturing, procurement, and personnel (among others) — has a liability if the programming products perform less well than expected. This is a type of limited liability to that department because as a profit center, it will be penalized if computers and software performance are substandard. But at the same time, it is a broader, companywide liability that can hurt the bottom line and can snowball from one department to the next.

Exhibit 14.4: Each Independent Business Unit Uses ERP and CRM Software for Its Own Purposes but the Results Must Integrate at the Corporate Level

Something similar to this effect of underperformance was felt in the mid-nineteenth century with limited financial liability. As a result, the British Companies Act of 1862 led to provisions covering audits and the role of auditors. For the first time in the history of business, it was specified that at least once every year the accounts of the company should be examined and the correctness of the balance sheet ascertained by auditors.

The first auditors were to be appointed by directors, and subsequent auditors were to be elected by shareholders. After the Act of 1862 not only did auditing become a breakthrough in the prudential and rigorous internal control of an incorporated company, but it also helped to formalize the functions of corporate finance by establishing a means to ascertain whether accounting and financial reporting procedures were or were not dependable.

This is what I consider the missing act in IT auditing, as exists in the majority of cases. The old EDP stop/go inspection procedures continue to dominate. As a rule, members of the board do not feel co-involved in selecting IT auditors or in commissioning an IT audit under the board's authority. Although companies that have asked me to do an IT audit did so at the board's chairman or vice-chairman level, these were exceptions rather than the industry rule.

What is more, many line managers and some board members get very nervous if the IT audit reveals ineptitude and major discrepancies. In contrast, they behave in a totally different way with regard to bad financial news because this is an issue whose twists they can understand. Many senior executives do appreciate that, fundamentally, corporate finance serves two important functions:

1. To provide the basis for continued operation

2. To provide a means of assessing the funds necessary to handle the business

But being computer illiterate, they fail to see that the message conveyed by either or both of these functions fully applies to IT. In accounting and finance, part and parcel of both functions is to provide the additional capital to cover the costs of operations, estimating income and cash flow, and generally synchronizing the many factors that comprise a going business.

The board appreciates that this financial responsibility must be audited. However, IT has not yet reached that level of comprehension and appreciation of the board and its members. Yet, the modern, globalized enterprise that works at Internet time is in essence information in motion. High technology is just as important to its well-being as financial staying power. Therefore, technology audits must be steady and performed by a qualified independent person or entity. Such audits should provide the basis for continuing operations of each business unit — and on a corporate basis.

A different way of making this statement is that under no condition should IT audits be boxed into one function, whether it be ERP, CRM, general accounting, or anything else. They should be cross-functional, cross-department, and cross-area of operations, along the concept of greater flexibility shown on the right-hand side of Exhibit 14.5. This, incidentally, is what is targeted today in engineering when one strives for a truly flexible design that can be adapted to the different markets of the company's operations.

Exhibit 14.5: The Design of ERP Auditing Should Reflect the Principle of Flexibility, which Today Characterizes Advanced Engineering Projects

Do not forget that IT audits should serve as the means of assessing the level of sophistication of the technology used to run the business. IT audits should look into deliverables and their timetables, evaluate the quality of IT personnel, propose training and other remedies when necessary, and be shielded from the political pressures that invariably exist in every organization.

Regular and rigorous auditing of accounting books and of IT is so important because accounting and the corporate database, in which accounts and statistics reside, stand in the interface between financial reporting and internal control. In the popular concept of corporate finance, stocks and bonds are instruments with which funds are raised. This is true, but it also raises some crucial queries:

• What is the scope of management's responsibility for other people's money?

• Is it possible to realize sufficient earnings to preserve assets and cover the ever-recurring capital needs?

The point has repeatedly been made that accounting, as such, does not answer these and similar queries. What it does is provide information that helps in documenting the answers that are given. The answers themselves must observe the rule that the public responsibilities of corporate financial management are of a twofold nature: direct and indirect. Both apply equally well to information technology; direct responsibilities are readily defined, although not always easily put into practice. Hence the call for the exercise of the prudence and care required to operate on a sound, reliable basis.

This does not mean avoidance of reasonable and inevitable risks of business operation, but there should be evidence that exposure is kept within limits, that management is in charge, and that ethical standards are observed.

Indirect responsibilities are more general in character as well as being more difficult to define. For example, to what extent does corporate management have responsibility for the economy? For the community or communities in which the company's main facilities are located? For monopolistic conditions? For employment and unemployment? For inflation? For innovation? For the promotion of arts and sciences? And, most importantly, for conditions that allow the private enterprise system to continue to exist? The audit of accounts tends to target both types of responsibility. In contrast, ERP audits are closely linked to the direct type of managerial accountability.

14.4 Why the Functions of Auditing and of IT Consulting Must Be
