Constructing a methodology for implementing and maintaining Sarbanes-Oxley 404 IT controls within KLM FIM

Academic year: 2021


Constructing a methodology for implementing and maintaining Sarbanes-Oxley 404 IT controls within KLM FIM

F.M. van der Schroeff
University of Groningen


Title: Constructing a methodology for implementing and maintaining Sarbanes-Oxley 404 IT controls within KLM FIM

Author: F.M. van der Schroeff

Student Nr: 1273957

Supervisors: Dr. P.E.A. Vandenbossche (University of Groningen), Prof. dr. ir. J.C. Wortmann (University of Groningen), I. Azir (KLM FIM)

Date: June 2007


controls within KLM FIM

Preface

In the Spring of 2006, I started looking for an internship in order to complete the last phase of my Technology Management studies. A friend of mine, who had conducted his graduation internship at KLM Cargo on the Sarbanes-Oxley Act, told me he found the internship very interesting and highly enjoyable. His enthusiasm caught me and I decided to apply for an internship at KLM too. Luckily, he still had some connections within the Project Management Office (PMO), KLM’s department responsible for company-wide implementation of the Sarbanes-Oxley Act. Eventually, my CV ended up at the desk of the management of KLM Financial Information Management (KLM FIM), the business division managing KLM’s broad shared financial related systems.

During the first meeting with KLM FIM management, three possible research proposals were discussed. With the proposals, I went to the Faculty of Management and Organization to discuss them with a supervisor. Piet Vandenbossche, the lead supervisor for this research, immediately showed interest in the Sarbanes-Oxley related research proposal. Taking KLM FIM’s need of advice into account, we jointly prepared a final research proposal. Eventually, in August 2006, the internship commenced.

After seven months, right after KLM FIM had achieved initial Sox compliance, the internship period came to an end. These were seven months in which I had the chance to learn a lot about finance- and IT-related processes within KLM, about the Sarbanes-Oxley Act and, most specifically, about the consequences for a business division of complying with all the requirements of the Act.

This research could never have been conducted without the support of a few people whom I’d hereby like to thank. First of all, my supervisor within KLM FIM, Indra Azir. Especially during the initial weeks of the internship, Indra invited me to a lot of Sox-related meetings throughout the company, which directly showed me what Sox was all about. Moreover, despite his tight schedule, he always made time to answer my trivial questions, for which I cannot thank him enough. Next, I want to thank Ron de Vries, the business analyst responsible for KLM’s Sox compliance tool. He provided me with a lot of information on the subject, and explained the basic and more advanced functions of the tool. Furthermore, I would like to thank the primary supervisor from the University of Groningen, Piet Vandenbossche, for the thorough quality checks on the thesis he provided in the course of the research period. He very closely monitored the progress of this research, and always came up with usable suggestions. Finally, I thank Hans Wortmann, the secondary supervisor from the University, for putting effort into the quality checks on the thesis during the last phase of the research.

Although many experts have different opinions on the subject of Sarbanes-Oxley compliance, there is agreement on one point: Sox is here to stay. Hopefully, the results of this research can aid companies in achieving a sustainable approach towards ongoing Sox 404 business testing.

Thijs van der Schroeff Amsterdam, June 2007.


Summary

In 2004, Air France – KLM management was faced with the issue of implementing the Sarbanes-Oxley Act of 2002 (Sox), a corporate governance code created as a direct consequence of accounting scandals that hit the United States in previous years. Adhering to all of the requirements set by the Act, or ‘compliance’, was a necessity, due to KLM’s New York Stock Exchange (NYSE) listing. The biggest challenge of complying with the rules set by the Act manifested itself in the form of the Sarbanes-Oxley Act Section 404 (Sox 404), which comprises management’s assessment of internal control over financial reporting. This requires the company to document the internal controls that affect the financial information it distributes to the investing public.

For KLM Financial Information Management (KLM FIM), the business division under consideration for this research, all internal controls thus had to be assessed and documented. At the start of the research, when the research objective had to be defined, the process of control documentation had just been completed. The completion of documenting internal controls, however, was only part of the total Sox 404 compliancy effort. To show that each and every control really works as it has been designed, it has to be tested to prove it is operating effectively. Since testing documented Sox 404 controls comprises various activities and little knowledge about the subject was available within KLM FIM, the department asked the researcher to assist in carrying out this process. Its primary need of advice can be described as follows:

KLM Financial Information Management, a department of KLM Corporate Control, wishes to receive advice on managing, testing and signing-off Sarbanes-Oxley 404 controls in an effective and efficient way.

The initial sign-off, however, is not the end of Sox 404 compliancy. Sox rules require companies to file a report on internal control over financial reporting every year. As testing will have to be performed repetitively, an effective and efficient approach towards ongoing control testing is desirable. Therefore, both the goal statement and key research question of this research have been formulated to take the ongoing compliance effort into account:

Goal statement:

To reduce complexity of Sarbanes-Oxley 404 IT control testing by developing a generally applicable methodology for implementing and maintaining a system of Sarbanes-Oxley 404 IT controls over time.

Key research question:

In which way is it possible to maintain a set of implemented Sarbanes-Oxley 404 IT controls over time?

Before an answer has been provided to the key research question, some theoretical constructs concerning internal control and Sox 404 compliancy have been discussed to exemplify the scope of this research. Among the theories discussed are the definitions of internal- and IT control, the COSO and CobiT frameworks and the support for Sox compliancy activities with specialized software.


In order to formulate an answer to the key research question, three phases have been distinguished:

1. Performing all activities required by the Sox 404 rules, between control documentation and sign-off

The first part of this research concerned an assessment of all activities required for KLM FIM to eventually receive the external auditor’s sign-off for all twelve IT Control Objectives for Sarbanes-Oxley (IT General Controls or ITGC). These activities comprised the creation of test reports, the execution of a KLM FIM business test (including remediation on failed controls) and, finally, the execution of the independent test by KLM’s external auditor. Eventually, the external auditor acknowledged that all of KLM FIM’s ITGC achieved full operating effectiveness and signed off these controls accordingly. As application controls were not documented appropriately, there has been neither a business test nor an independent test on these controls.

2. Constructing a methodology for ongoing compliance business testing

Since controls have to be tested repetitively and resources are limited, business tests should be performed as efficiently and effectively as possible. By evaluating the bottlenecks from initial compliance business testing, the researcher has created a methodology which covers all elements relevant for KLM FIM business testing. First, the extent of testing (the number of samples to be tested to mitigate a specific risk) should be assessed by evaluating five control categories:

• Nature of the control

• Frequency of operation

• Importance of the control

• Materiality

• Operating effectiveness of the control

Then, an ongoing compliance business testing approach has to be assessed. This can be done by asking the ‘4W’s’ question: who will test what when involving whom? The ‘4W’s’ generate the following questions:

• Who performs the test on the controls?

• What is the test activity, what does the test comprise?

• When is the control test executed, and with which frequency and sample size?

• Whom: Which persons are involved in control testing?

When these questions are answered, they provide all the information necessary for conducting a business test.

3. Validate the practical usability of the ongoing compliance business testing methodology for use with a Sox registration tool

To structure the flow of documentation generated by business testing, KLM has purchased a Sox registration tool. Within KLM FIM, the tool can support ongoing control documentation, testing and remediation activities. Concerning the tool’s support for the ongoing compliance methodology, it can be concluded that all four ‘W’s’ are supported.

Considering the research results, the researcher recommends the following activities to KLM FIM management:

• Perform business testing periodically


• Eliminate controls covering the same risk

• Automate as many manual controls as possible

• Let the test coordinator organize an information meeting in advance of the new fiscal year

• For control documentation purposes, company-wide use of Risk Navigator should be promoted

• Within KLM FIM, Risk Navigator’s ‘Self Test’ and ‘Issue Priority’ functionality should be implemented as soon as possible

These recommendations should be put to practice as soon as possible.

Two possibilities for further research within KLM FIM, regarding Risk Navigator, comprise a uniform Sox 404 documentation standard and support for automated application control testing.


Contents

Introduction... 9

I. KLM Royal Dutch Airlines ... 9

II. Air France-KLM ... 9

III. KLM Corporate Control ... 10

IV. The Sarbanes-Oxley Act ... 11

1 Research structure... 13

1.0 Introduction... 13

1.1 Research design ... 13

1.1.1 Project frame... 14

1.1.2 Goal statement and key research question ... 15

1.1.3 Sub questions ... 16

1.1.4 Specification and preconditions... 17

1.2 Previous research on Sox 404 testing ... 17

1.3 Positioning the research within a Sox 404 compliancy approach... 19

1.4 Research methodology... 20

1.4.1 Research philosophy ... 21

1.4.2 Research approaches... 21

1.4.3 Research strategies... 21

1.4.4 Time horizons ... 22

1.4.5 Data collection methods... 23

1.4.6 The contingency theory... 23

1.5 Research results ... 23

1.6 Report structure... 24

1.7 Conclusion ... 25

2 IT implications on Sox 404 related matters... 26

2.0 Introduction... 26

2.1 Internal control and its relevance for Sox 404... 27

2.1.1 Defining internal control... 27

2.1.2 The COSO framework and its relevance for Sox 404 ... 31

2.1.3 The CobiT framework and its relevance for Sox 404... 34

2.2 Sox 404 and its manifestation within KLM FIM... 39

2.3 Classifying Sox compliance software... 43

2.3.1 Types of Sox tools ... 44

2.3.2 Sox compliance software within KLM FIM... 45

2.4 Conclusion ... 46

3 Testing and certifying Sox 404 IT controls... 48

3.0 Introduction... 48

3.1 Creating a test report... 48

3.2 Business testing and remediation... 53


3.2.2 ITGC remediation within KLM FIM ... 60

3.2.3 Application control business testing within KLM FIM... 64

3.3 Independent testing and sign-off... 67

3.3.1 ITGC independent testing within KLM FIM... 68

3.3.2 Application control independent testing within KLM FIM... 69

3.4 Conclusion ... 70

4 Constructing a methodology for ongoing business testing... 71

4.0 Introduction... 71

4.1 The need for an ongoing compliance business testing methodology ... 71

4.2 Scope of the ongoing compliance business testing methodology... 73

4.3 Defining the extent of testing... 73

4.3.1 Control categories ... 75

4.3.2 A combined view of control categories ... 79

4.4 Defining the ongoing compliancy business testing approach... 81

4.5 Conclusion ... 83

5 Validating the ongoing testing approach with Sox compliance software ... 85

5.0 Introduction... 85

5.1 Monitoring activities in a Sox 404 compliance approach... 86

5.2 A Sox registration tool’s functionality for ongoing documentation of Sox 404 controls... 87

5.3 Validating the ongoing compliance business testing approach’s practical relevance for KLM FIM using a Sox registration tool... 88

5.4 A Sox registration tool’s functionality for ongoing remediation of Sox 404 controls... 91

5.5 Conclusion ... 91

6 Conclusions and recommendations... 93

6.0 Introduction... 93

6.1 Research findings... 93

6.2 Recommendations for performing ongoing compliance activities ... 96

6.3 Possibilities for further research concerning ongoing Sox 404 compliance within KLM FIM... 98

6.4 Role of the researcher ... 99

Bibliography... 100


Introduction

This research, conducted at the Financial Information Management (FIM) department of KLM Royal Dutch Airlines, focuses on the construction of a methodology for implementing and maintaining Sarbanes Oxley 404 IT controls over time. In this chapter, relevant subjects will be introduced briefly, to provide the reader some background information on the research problem at hand. First, KLM Royal Dutch Airlines will be introduced. Subsequently, the second section covers the introduction of Air France-KLM and SkyTeam. Then, the third section gives an overview of KLM Financial Information Management (KLM FIM), the department where the research will be conducted. Finally, in section IV, a brief description of the Sarbanes-Oxley Act will be given, with special attention to section 404 and its implications on KLM Financial Information Management.

I. KLM Royal Dutch Airlines

KLM Royal Dutch Airlines is an international airline operating worldwide. KLM forms the core of the KLM Group, other members being, for example, KLM Cityhopper and Transavia.

KLM’s mission statement (www.klm.com):

By striving to attain excellence as an airline and by participating in the world's most successful airline alliance, KLM intends to generate value for its customers, employees and shareholders. KLM’s strategy is to achieve profitable growth that contributes to both its own corporate goals and the economic, societal and social development of The Netherlands. KLM wishes to play an active part in setting the criteria necessary to realize its objectives: growth opportunities at the Schiphol home base, access to all markets that add to the quality of the network, and a level playing field for all.

In fiscal year 2005 | 2006, KLM Group carried nearly 22 million passengers and 619.888 tons of cargo and provided engineering and maintenance service for airframes, engines and components to more than 100 airlines. KLM Group operates a fleet of 190 aircraft and had a workforce of 30.164 on March 31, 2006, of whom 26.191 were employed in The Netherlands and 3.973 outside The Netherlands. Operating revenues for 2005 | 2006 amounted to € 7.201 million and operating income to € 540 million (KLM annual report 2005/2006).

II. Air France-KLM

Air France merged with KLM in May 2004, resulting in the creation of Air France-KLM. Air France-KLM is incorporated under French law and its headquarters are located at Roissy-Charles de Gaulle Airport near Paris. Air France-KLM is the largest airline company in the world in terms of operating revenues, and the third-largest in the world (largest in Europe) in terms of revenue-passenger-kilometers (www.klm.com).


Under the Air France-KLM holding company, both KLM and Air France operate as network airlines: via hubs, or transfer airports, they maintain a worldwide network of services to European and intercontinental destinations. As a consequence of Air France-KLM’s international operations, its New York Stock Exchange listing requires the companies to implement the Sarbanes-Oxley Act, which will be covered throughout this thesis. KLM and Air France complement each other through the optimal alignment of their networks and through the coordination of their three core activities: passenger transport, cargo transport and aircraft maintenance.

The Air France-KLM cooperation offers passengers and airfreight shippers more than 250 destinations worldwide, either non-stop or via another airport. A key principle in the alliance is the dual hub strategy: KLM and Air France’s home bases of Amsterdam Airport Schiphol and Paris Charles de Gaulle respectively act as transfer airports in the shared network.

SkyTeam

KLM is a member of SkyTeam, one of the three global airline alliances (Star Alliance and One World Alliance being the other two). With ten members as of April 2006, SkyTeam is the second largest alliance by market share. SkyTeam offers 728 destinations in 140 countries, serving approximately 373 million passengers in 2005 (www.skyteam.com).

III. KLM Corporate Control

Within KLM, the Corporate Control business division is responsible for the internal and external reporting for KLM, the KLM group and Air France – KLM. Furthermore, its general objectives include the supporting and monitoring of strategy and decisions of business execution, the co-ordination of the financial planning process and guidance of administrative processes and internal control (internal KLM FIM memo, 2005a).

KLM Financial Information Management (FIM)

This research will be conducted at the department of Financial Information Management (FIM), a business division within KLM Corporate Control. The FIM department employs 43 Full Time Equivalents (FTEs) and is physically situated at Schiphol-East. Its organizational positioning and hierarchical structure are visualized in Appendix A.

In order to picture the context wherein this research is facilitated, some aspects of FIM are described below (internal KLM FIM memo, 2005b):

The organizational positioning of KLM FIM covers various aspects:

• KLM FIM hierarchically reports to the Corporate Controller, who reports to KLM’s Chief Financial Officer

• KLM FIM is responsible for the KLM broad shared financial related systems as well as the KLM broad shared procurement related systems

The ‘market’ positioning of KLM FIM focuses on two aspects:

• Product aspects - three main types of products can be distinguished: process consultancy, process/product development and product maintenance

• Customer aspects - the products are provided for three types of segments and per segment for direct and indirect customers. Within the customer base, KLM FIM has a hierarchical- as well as a functional relationship with (internal) customers

The mission of KLM FIM focuses on two areas:

• process improvement and innovation in order to support mainly the management control framework within the KLM group, driven by ICT solutions.

• application management and support of ICT objects which have been developed to support the management control framework.

Derived from the mission, KLM Financial Information Management perceives the objectives as:

• act as a knowledge centre concerning financial and procurement processes/systems and management control framework

• act as a driving force by applying active market scans for business purposes

• act as an organizer and integrator to add value between the user organization and the suppliers, such as KLM Information Services (CIO IS).

• act as a pro-active participant to maintain and actualize the current installed base/shared service centre

As KLM FIM’s core business has now been defined, the next section will discuss the Sarbanes-Oxley Act.

IV. The Sarbanes-Oxley Act

The Sarbanes-Oxley Act (Sox) was signed into legislation in 2002 to improve the accuracy and transparency of financial reports and corporate disclosures, as well as to reinforce the importance of corporate ethical standards. The Act dramatically changed the relationship between publicly held companies and their audit firms. The Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB), appointed and overseen by the Securities and Exchange Commission (SEC). The PCAOB provides oversight for auditors of public companies, establishes auditing and quality control standards for public company audits, and performs inspections of the quality controls at audit firms performing those audits (Arens, 2005).

While the Sarbanes-Oxley Act consists of 66 sections, only three key features of the Act require compliance for (dually listed, non-U.S.-based) public companies: sections 302, 404 and 409. Section 302 covers Corporate Responsibilities for Financial Reports and requires chief executive officers (CEOs) and chief financial officers (CFOs) of companies to submit a certification with the submission of the required reports. Section 409, Real Time Issuer Disclosures, requires companies to make real-time disclosures of information concerning material changes in the financial conditions or operations of the company (PCAOB, 2004). All companies registered on U.S. stock exchanges have to comply with the Sarbanes-Oxley Act. Most foreign companies need to be Sox compliant by December 31, 2006. For KLM, this date will be March 31, 2007 because of its divergent fiscal year.


The biggest effort, concerning Sox, has to be made in complying with section 404 of the Act. The impact of this section on KLM will be covered next.

Section 404

Section 404 of the Sarbanes-Oxley Act requires chief executive officers (CEOs) and chief financial officers (CFOs) to evaluate and report on the effectiveness of the company’s internal control over financial reporting (Sarbanes-Oxley Act, 2002: p.789). Currently, Air France-KLM is working towards Sox 404 compliancy. This is a consequence of Air France-KLM being a registrant at the New York Stock Exchange. In an internal memo from the Board of Managing Directors to the Divisional Managers, dated late August 2004, the impact of the Sarbanes-Oxley Act on KLM was stated as ‘serious’ and ‘non-compliance to the Sarbanes-Oxley Act will have serious implications for Air France-KLM’:

‘The ‘non-compliance’ will be public with probable effect on the share value, fines are possible and ultimately the CEO, CFO and responsible senior managers may be held personally accountable. Business priority is therefore essential and required.’ (KLM Royal Dutch Airlines, 2004a)

As the general context of the thesis has been defined by now, the next chapter will describe the foundation which will serve as the basis for this research: the research structure.


1 Research structure

1.0 Introduction

This chapter provides the elements making up the structure of this research. After reading this chapter, the reader will understand the goal and scope of this research, its positioning in a Sox 404 compliance approach, its practical and scientific relevance and the deliverables it aims to produce.

Section 1.1 covers the research design, comprising the project frame (which will describe the general context of the problem at hand for KLM FIM, the business division where this research will be conducted as explained in the introduction chapter), problem definition and sub questions. In section 1.2, previous research on Sox 404 testing will be addressed. Thereafter, section 1.3 covers the positioning of this research in the total Sox 404 compliancy program. In section 1.4, the research methodology will be thoroughly described. Subsequently, the research results will be discussed in section 1.5. Next, in section 1.6, the research design presents an aggregated view of the research report and discusses its contents briefly. Finally, section 1.7 sums up this chapter’s key concepts.

The research design will be assessed next.

1.1 Research design

Since this research covers only part of a much bigger topic, things will be put in perspective first. According to Verschuren and Doorewaard (2003: p.29), two objectives need to be addressed in a research design:

• describe a project frame

• extract an aspect from this frame which will be the goal of the research, in other words: formulate a goal statement

The project frame concerns a problem at hand in the organization where the research will be conducted. It gives the researcher the opportunity to delimit the research objective from a wider field of interest (the implementation of the Sarbanes Oxley Act) into useful research results. According to de Leeuw (2003b, p.22), research results are useful if

1. they are connected with the client’s (KLM FIM) concrete problem at hand

2. they are reliable.

Section 1.1.1 will address this first requirement, describing the project frame in a generic context. This will lead to a goal statement, which is discussed in section 1.1.2. In chapters three, four and five, the second requirement will be addressed.


1.1.1 Project frame

In 2004, Air France – KLM management was faced with the issue of implementing the Sarbanes-Oxley Act of 2002, a direct consequence of accounting scandals that hit the United States in previous years. Adhering to all of the requirements set by the Act, or ‘compliance’, was a necessity, due to KLM’s New York Stock Exchange (NYSE) listing. The biggest challenge of complying with the rules set by the Act manifested itself in the form of Section 404, which comprises ‘management’s assessment of internal controls’ (Sarbanes, 2002: p.45). This requires a company to document the internal controls that affect the financial information it distributes to the investing public. For KLM Financial Information Management (KLM FIM), the business division under consideration for this research, all internal controls thus had to be assessed and documented. At the start of the research, when the research objective had to be defined, the process of control documentation had just been completed. The completion of documenting internal controls, however, was only part of the total Sox 404 compliancy process for KLM FIM. To show that each and every control really works as it has been designed, it has to be tested to prove its operating efficiency. Testing the documented controls comprises various activities, such as creating test reports, appointing business testers and consulting external auditors. Since little knowledge about these subjects was available within KLM FIM, the department asked the researcher to assist in carrying out this process. Its primary need of advice can be described as follows: KLM Financial Information Management, a department of KLM Corporate Control, wishes to receive advice on managing, testing and signing-off Sarbanes-Oxley 404 controls in an effective and efficient way (internal memo KLM Royal Dutch Airlines, 2006b).

With this problem and scientific requirements in mind, a goal statement can be formulated to set the goal of this research. The goal statement is part of the problem statement, which expresses ‘what you want to create, why and for whom’. De Leeuw (2003b, p.85) distinguishes a specific, design type of problem statement which should be used when the primary research deliverable is a design. Since the primary outcome of this research is the design of a method for effective and efficient Sox 404 control testing, this problem statement type will be used.

The design type problem statement consists of three elements (de Leeuw, 2003b: p.85):

• goal statement

• specification

• preconditions

The goal statement addresses the why question in the problem statement: what is the relevance of the chosen research subject? Tuning the method-to-be-created to the client’s need is done in the specification, making apparent which functionalities the method should comprise. These functionalities are limited to the context of their usability, described in the preconditions. The goal statement is discussed in sub section 1.1.2; specification and preconditions are addressed in sub section 1.1.4.

Furthermore, de Leeuw (2003b, p.85) states that a problem statement should be relevant and feasible. Research is only relevant if the research deliverables add value for the client. This will be assessed in section 1.1.2. A problem statement is feasible if it is possible to conduct the research within the preconditions set. When discussing the preconditions in section 1.1.4, this will be taken into account.

1.1.2 Goal statement and key research question

The goal statement describes the intention with which this research is conducted. Therefore, this section describes the relevance of the chosen research subject. It will be discussed next. In August 2002, the United States Congress accepted the Public Company Accounting Reform and Investor Protection Act, better known as the Sarbanes-Oxley Act. From that moment on, American companies had to follow much stricter rules of corporate governance. Foreign companies with a registration on a U.S. stock exchange were granted an extra fiscal year to fulfill the requirements of the Act.

One of the main objectives of the Act is the yearly evaluation of the system of internal control. Every year, a report on internal control has to be filed with the outcome of the yearly evaluation. However, merely evaluating controls does not say anything about the proper functioning of controls in the business. Hence, it has to be validated that reality (i.e. the actual work being performed by the control) corresponds with expectation (the control as documented in the Sarbanes-Oxley control documentation). This is done in the testing phase, and in case deficiencies are discovered during testing (when reality does not agree with expectation), these have to be reported directly to the Audit Committee and the external auditor.

Especially in organizations with many internal controls (such as Air France – KLM), the test phase can be a costly process. Some controls exist within a single business division, affecting just a single person, whereas others operate within multiple layers of the company, enabling high financial risks in case of deficient controls. An efficient and effective approach to testing the system of internal control can thus save many resources, in terms of both money and manpower. The need for an efficient and effective testing approach is expressed in KLM FIM’s need of advice:

KLM FIM wishes to receive advice on managing, testing and signing-off Sarbanes-Oxley 404 controls in an effective and efficient way.

Managing, testing and signing-off comprise the last three phases of Marchetti’s (2005: p.41) six-step ‘Path to Compliance’, which will be used as a benchmark and is further discussed in section 2.2. Since all three preceding phases have to be completed before entering the test phase, this will be validated in chapter three. Subsequently, all of the objectives stated in the fourth (test) phase will need to be adhered to. The researcher will take an active role in the test phase at KLM FIM. An initial testing round will be conducted during the researcher’s internship, enabling him to closely follow Sox 404 compliance progress and find out what goes wrong and what does not. After the initial testing round, the internal and external auditors will also conduct tests, both activities described in the fifth (certify) phase. If KLM FIM has all its controls in place, auditor attestation will be given and the department is proven to be ‘Sox 404 compliant’ for the current fiscal year.


merely resemble a trial-and-error case study. Therefore, information gathered during the initial testing round will be used as input for subsequent testing. When failures from the initial round are taken into account, the same mistakes will not have to be made again and effectiveness and efficiency can be reached. This requires the goal statement to comprise Sox 404 compliance not only for the current fiscal year (as demanded by KLM FIM), but also for subsequent years. To realize effective and efficient ongoing compliance, controls should be monitored on their performance accordingly. With this research, the researcher aims to develop a methodology which should be generically applicable to business divisions of public companies with operating characteristics similar to those of KLM FIM. This leads to the following goal statement:

To reduce complexity of Sarbanes-Oxley 404 IT control testing by developing a generally applicable methodology for implementing and maintaining a system of Sarbanes-Oxley 404 controls over time.

By formulating a key research question, it is possible to gather the necessary information to reach the goal statement. According to Verschuren (2003: p.65), a key research question is useful if it is both efficient and directional. Efficiency refers to the degree to which the research question adds value in reaching the goal statement, while direction is assessed by which sources of information have to be used for the research. Considering these requirements, the key research question will be:

In which way is it possible to maintain a set of implemented Sarbanes-Oxley 404 IT controls over time?

While formulating the key research question, the same structure has been used as in formulating the goal statement. The outcome should therefore match the research goal closely, satisfying the demand of efficiency. The degree of direction, however, is not sufficient. Therefore, additional questions can be asked to formulate an answer to the key research question. These are called sub questions, and will be discussed next.

1.1.3 Sub questions

To reach initial Sox 404 compliance, several steps need to be taken. Firstly, the test phase, previously described in section 1.1.1, must be completed. When the (internal) auditor is satisfied, the test results can be archived. If no remediation is necessary, the control is ready for sign-off.

The first sub question addresses these steps:

1. Before a sign-off can be given, what has to be done to take a control into use?

Once all controls are in place, an attestation by the external auditors will be given. When this is completed, KLM FIM has reached initial Sarbanes-Oxley 404 compliancy. However, this is just the first step in the Sox 404 compliancy process. Testing takes place periodically and should therefore be manageable every time a test is conducted. Hence, to stay Sox 404 compliant in subsequent fiscal years, a framework needs to be developed to address changing control objectives as effectively and efficiently as possible. Thus, the second question can be formulated:

2. Once in production, how will ongoing tests be realized?

Since every control is documented thoroughly both before and after the test phase, this will lead to several thousands of control documents company-wide. To structure the flow of control documentation, a Sox registration tool will be used by KLM. The framework constructed to facilitate testing for ongoing compliance should be compatible with the Sox registration tool:

3. If a registration tool is available, does it support the ongoing compliance business testing methodology for managing Sox 404 IT controls over time?

When these three sub questions have been answered, all aspects of the key research question will be sufficiently addressed, thereby fulfilling the requirement of achieving the goal statement.

1.1.4 Specification and preconditions

The functionality of the methodology to be developed will be discussed in this section. It assesses who will test what, when, and involving whom. These variables will be assessed in combination with the extent of testing, and are explained thoroughly in chapter four. Furthermore, two preconditions apply to this research:

• The methodology to be developed is designed using data acquired at KLM FIM, but can be used by all departments of public companies which have similar operating characteristics.

• The methodology will support the CobiT framework, as this framework is used to describe control objectives within KLM FIM.

This concludes the scoping of this research. The following section discusses previously conducted research on the subject.

1.2 Previous research on Sox 404 testing

When considering the use of previously conducted research as an input for new research, McCall states that ‘familiarizing oneself with the work that has already been done in a research area is helpful in systematically gathering and organizing existing substantive knowledge about the topic’ (McCall, 1998). Therefore, this section will cover previously conducted research on Sox 404 testing.

In the United States, many companies have already been fully Sox 404 compliant for a year now, resulting in ‘Year One SOX compliance’- research reports describing both positive and negative experiences with Sox 404 implementation. Since Air France-KLM is not fully Sox 404 compliant yet, these ‘best practices’ from other companies can be useful inputs for conducting this research. However, since best practices differ significantly for each industry, these have to be assessed carefully on compatibility with best practices in the aviation industry. For this research, best


contractors) will be included where available.

Within the faculty of Management & Organization, currently five theses address the subject of Sox 404. However, they all discuss the Sarbanes-Oxley Act in a generic way, without specifically addressing Information Technology in relation to the Act. Using IT to enable effectiveness and efficiency in the compliancy process has not been a subject of research at the faculty before, let alone the creation of a Sox 404 IT testing methodology.

As a reference for Sox compliancy within KLM, a thesis (Goedegebuur, 2005) written on behalf of KLM Cargo could be a relevant source of company-specific Sox information. It covers the degree of effectiveness of business control within KLM Cargo and the expected influence of Sox 404 on this business control effectiveness. The results of this research can, to a certain extent, be used as an input for this thesis. Furthermore, another graduation thesis (Winkel, 2005) could be relevant, as it discusses efficient testing within Shell Exploration and Production in Europe.


1.3 Positioning the research within a Sox 404 compliancy approach

For KLM, complying with Sox 404 is a company-wide effort. Each business division has to document and test its controls, and report its findings to the Project Management Office (PMO). Since testing and signing-off each internal control within KLM would take quite some time, the scope of this research has been limited to Sox 404 controls within KLM FIM. In Appendix B, an end-to-end KLM Cargo process is presented which clearly shows where the KLM FIM related controls are situated. This gives an idea about the total effort involved with achieving KLM-wide Sox 404 compliancy. Moreover, besides organizational scoping, the research scope is delimited by work already done in earlier stages of compliance. In section 2.2, Marchetti’s (2005: p.41) six-step Sox compliance program will be used to address the phases which can be distinguished in a Sox 404 compliancy process. The research scope is visualized in figure 1 corresponding to the six steps described by Marchetti:

Figure 1 Positioning the research within a Sox 404 compliancy approach (horizontal axis: time). Figure labels: Research scope; Review, Plan, Improve, Test, Certify, Monitor; 1) Plan, 2) Document, 3) Test, 4) Remediate, 5) Report; SOX; Research; documented controls; current situation; ongoing compliance methodology; validate methodology; tool.

Within the research scope, the model distinguishes three phases:

• Evaluation (bridging the gap between current situation and sign-off)

• Design (developing a methodology for effective and efficient ongoing Sox 404 testing)

• Validation (validating the methodology for use with the web-based Sox tool)


These three phases assist the researcher in mapping the research problem at hand to a generic Sox 404 compliance framework and are discussed in three separate chapters. The third chapter of this thesis is devoted to addressing the current situation, the fourth to creating an ongoing compliance business testing methodology and the fifth to validating the methodology with a web-based Sox registration tool. It can be noticed that the tool is not placed within the research scope. This does not mean that the tool will not be addressed in the research; it emphasizes that the focus of the research is on the creation of a method for efficient and effective control testing for ongoing compliance, instead of creating a mere manual for the registration tool.

1.4 Research methodology

For this research, a methodology is necessary to describe the way in which the research will be conducted (de Leeuw, 2000). This will be outlined below.

“Research never solves a problem, but it can generate knowledge for solving the problem” (de Leeuw, 2000). This statement is mirrored in the research. The problem at hand, an effective and efficient approach to ongoing Sox 404 business control testing, is addressed by the goal statement: the development of a methodology for implementing and maintaining the system of Sarbanes-Oxley 404 controls over time.

In order to describe the way in which the research will be conducted, the research process ‘onion’ (Saunders, 2000) is introduced in figure 2. It consists of five layers, which have to be addressed from the outside inward, concerning research philosophy (1.4.1), research approach (1.4.2), research strategies (1.4.3), time horizons (1.4.4) and data collection methods (1.4.5). Saunders’ method helps the researcher to stick to the research scope formulated in section 1.1. Finally, in section 1.4.6, the contingency theory emphasizes that a pragmatic approach should be used when complying with Sox 404.


1.4.1 Research philosophy

The research philosophy depends on the way the researcher thinks about the development of knowledge. According to Saunders (Saunders, 2000), two views about the research process are relevant here: positivism and phenomenology. Positivism characterizes the development of knowledge in a highly structured methodology to facilitate replication (Gill and Johnson, 1997). Phenomenologists argue that rich insights are lost if the complexity of the business situation is reduced to generalizations.

This research includes elements of both: on the one hand, one of the deliverables of this research is the construction of a method for ongoing testing, thereby reducing the complexity of the (ongoing) test phase. This goes hand in hand with the definition given for positivism. On the other hand, the implementation of the Sarbanes-Oxley Act is unique for each organization. Although the PCAOB sets out guidelines, the approach has to be made contingent on the needs of the specific organization. Each empirical situation should hence be treated accordingly, in line with the phenomenology philosophy.

1.4.2 Research approaches

As with research philosophies, research approaches tend to come in two different types: a deductive and an inductive approach. The first enables the researcher to develop a theory and hypothesis and design a research strategy to test the hypothesis, while the latter emphasizes collecting data and developing theory as a result of data analysis. The inductive approach is appropriate here: data is collected through the testing phase of initial compliance; the results can then be used for the development of a framework for ongoing compliance.

1.4.3 Research strategies

The research strategy is a general plan which will formulate answers to the research questions set in section 1.1. The following research strategy will be used in this research:

Case study. ‘A case study is a history of a past or current phenomenon, drawn from multiple sources of evidence. It can include data from direct observation and systematic interviewing as well as from public and private archives’ (Leonard-Barton, 1990). As the case study approach will prove to be functional in answering the research questions, its importance justifies a further explanation of case study methodology. Below, a classification for case studies will be made contingent on this research, in order to specify which case study type is appropriate here.

Case studies can be described along several dimensions, including (Scholz & Tietje, 2002):

Design

A design can be classified as a single or a multiple case study. Yin (2003: p.40) notes that a single-case study is an appropriate design under several circumstances, and gives five rationales describing these. One of the rationales justifying a single-case study is the representative or typical case: ‘Here the objective is to capture the circumstances and conditions of an everyday or commonplace situation. The case study may represent a typical ‘project’ among many different projects’… ‘The lessons learned from these cases are assumed to be informative about the experience of the average institution.’ This description exactly matches the research context: Air France – KLM is just one out of tens of thousands of public companies which have to comply with the regulations of Sox 404. Moreover, it is a European company listed at a U.S. stock exchange, being one of the many non-U.S. public companies which have to comply with American corporate governance.

Furthermore, a crucial distinction can be made between holistic and embedded case studies (Yin, 2003: p.42). When the same case study involves more than one unit of analysis, it can be said that these units are embedded in one case study. In contrast, if a case study only examines the global nature of a subject, a holistic design should be used. While KLM FIM’s Sox 404 compliancy can be seen as an embedded unit within the KLM Sox approach, it would be wrong to design this research as an embedded case study. Since the scope is narrowed to KLM FIM, and no subunits can be identified within this department, a holistic design can be justified.

Purpose

A case study may be used as a method of research, teaching, or action/application. Here, the case study will be used for research purposes.

Format

In terms of case study format, this research resembles an unstructured case. That is, the research context is complex (multiple processes and actors, relatively new scientific subject), no best solution can be found (there is no optimal Sox compliancy solution), although a preferred practice or theory may exist. The framework to be obtained will most definitely not be the ultimate tool for reducing every existing Sox 404 control set for ongoing compliance, but it can be helpful as a generic tool to reduce the complexity of control testing in the future.

1.4.4 Time horizons

Since this research is conducted in a limited timeframe, it can be considered an example of a cross-sectional study, meaning the study of a particular phenomenon (the implementation of Sox 404 within KLM FIM) at a particular time (August 2006 – March 2007). Furthermore, the research can be described in terms of the purpose of the enquiry. It can be characterized as both an exploratory and a descriptive study. Exploratory research is characterized by literature study (in this case, the use of research and Sox literature) and conversations with experts on the subject. For quality assurance of the research, both university supervisors and the KLM supervisor will be frequently consulted. KLM Sox experts and (external) auditors will be consulted to obtain the required KLM Sox 404 information.

This research will not only serve as advice on Sox 404 implementation to KLM FIM, but also contains a descriptive part on ongoing compliance, relevant for multiple business divisions within KLM. This descriptive research can be seen as an extension of the exploratory research.


1.4.5 Data collection methods

In principle, each case study should use multiple sources of information. All methods should employ observations, structured interviews, and surveys, and they can also include experimental design, focused interviews, open-ended interviews, archival records, documents, and scientific data from field and laboratory. For this research, data will be collected from multiple sources. Firstly, KLM experts will be interviewed to get insight into the context of the research and to acquire relevant information for answering the research questions. Secondly, observations and inquiries will be used to perform extended control testing, if a standard examination or re-performance is not sufficient. Thirdly, ample documentation is available on KLM’s Sox approach through the Project Management Office (PMO), the central Sox office for KLM. Finally, general Sox 404 guidelines from the Public Company Accounting Oversight Board (PCAOB) will be incorporated in the research, by referencing reports, scientific journals and books.

1.4.6 The contingency theory

In 1975, it was already apparent that in defining business strategy, ‘there exists no strategy or set of strategies which are optimal for all businesses...’ (Hofer, 1975). This is certainly true for defining Sox 404 strategy within a company. The guidelines set out by the PCAOB are very generic, leaving enough room for the organization to design a specific approach. KLM’s PMO has chosen a decentralized approach towards Sox 404 compliancy. Each business division has appointed a Sox champion, responsible for achieving Sox compliancy in time for that business division. While executing the phases embedded in the research, the researcher has been given a lot of authority to help achieve Sox 404 compliancy for the FIM business division.

1.5 Research results

This section discusses the deliverables of this research. According to de Leeuw (2003: p.83), management research can be defined by describing its deliverables, thereby distinguishing scientific and practical research results: scientific research deliverables contribute to the total amount of scientific management knowledge, whereas practical research satisfies specific customer-centered knowledge needs (KLM FIM being the customer in this situation, in need of Sox 404 testing guidance). First, the research is relevant from a practical perspective. As already mentioned in the second section of this chapter, best practices are very valuable for companies complying with Sox 404, since they do not have to make the same mistakes their (U.S.) predecessors did. They require an efficient approach towards (ongoing) Sox 404 compliance; the framework constructed in this research can be considered a useful tool for this purpose. Second, as it is a generically applicable methodology based on case study research, it can be said to be scientifically relevant. The scientific relevance of this research can be found in the construction of a method, since this has not been the subject of research before, and should be considered useful input for future studies on ongoing Sox 404 compliance. Moreover, it combines knowledge from two disciplines: on the one hand, Sox 404 can be seen as an accounting matter, designed to restore shareholder confidence in publicly traded securities following a series of corporate scandals. On the other, it can be seen as an Information Technology (IT) matter, since PCAOB’s Auditing Standard No. 2 addresses the mapping of IT control objectives for Sarbanes-Oxley specifically. This research will address the problem at hand from both points of view.


1.6 Report structure

This section shows the coherence of the research report, establishing linkages between the chapters and explaining their importance for the structure of the report. The chosen structure is benchmarked against the ‘six-step research process’ by Polonsky and Waller, a variation on a basic research process (2004: p.81). The research flow is addressed in figure 3.

Figure 3 Research Design (Polonsky & Waller, 2004). Left column, basic research structure (Polonsky & Waller, 2004): 1) Problem definition; 2) Research objectives; 3) Research design; 4) Data gathering; 5) Data analysis and interpretation; 6) Presenting the results. Right column, chosen report structure: Introduction; Chapter 1: Research structure; Chapter 2: IT implications on Sox 404 related matters; Chapter 3: Testing and certifying Sox 404 IT controls; Chapter 4: Constructing a methodology for ongoing business testing; Chapter 5: Validate the …; Chapter 6: Conclusion.

The chosen report structure and its relation to the basic research structure will now be explained. The 1) problem definition defines the main problem that needs to be answered through research. In this research, the introduction creates the broad research context and the research structure chapter narrows it down to a defined problem. The problem definition is stated in chapter one, section 1.1.1. Clear, measurable 2) research objectives should be established to assist the researcher in answering the defined problem. In sections 1.1.2 and 1.1.3, the goal statement and research questions have been formulated for this purpose. The 3) research design decides in which way the research is carried out. The current section addresses this requirement. During the 4) data gathering phase, all data necessary for the research is obtained. The data to be gathered can be roughly split into two types: primary data (newly gathered data, i.e. data collected while executing Sox 404 tests) and secondary data (data already collected and analyzed, i.e. Sox literature). In chapter two (IT implications on Sox 404 related matters), secondary data will be explored to get a solid background understanding of the problem at hand. The gathered primary data will then be explored in chapter three (Testing and certifying Sox 404 IT controls). Once primary data has been gathered, it needs to be interpreted to generate an answer to the sub questions, the research objective and the overall research problem. This will be done during 5) data analysis and interpretation in chapters four (constructing a methodology for ongoing business testing) and five (validating the ongoing testing approach with Sox compliance software). Finally, the 6) research results have to be presented. Chapter six (conclusions and recommendations) will evaluate these research findings and present recommendations for further research.

1.7 Conclusion

In this chapter, the underlying structure of the research has been discussed. Section 1.1 covered the research design, comprising the project frame, goal statement, research questions and the specification and preconditions. Subsequently, section 1.2 discussed previous research on Sox 404 testing, whereas section 1.3 positioned the research in a generic Sox 404 compliancy approach. Then, in section 1.4, research methodology has been thoroughly addressed. In section 1.5, research results were discussed, and finally, in section 1.6, the structure of the report was explained.

As the goal of the research, its deliverables and scope should be clear by now, the first three phases of Polonsky and Waller’s framework (2004: p.81) have been addressed. Before the main deliverable of this research, a method for implementing and maintaining Sox 404 controls over time, can be established, a few relevant key theories will be discussed. Theories relevant for this research include Sox 404 methodology, an analysis of internal control frameworks (COSO, CobiT) and Sox tooling terminology, as they will give the reader insight into the activities associated with testing and monitoring Sox 404 controls. The next chapter will be dedicated to describing these theories and, after reading it, the reader should have sufficient knowledge to understand the research problem.


2 IT implications on Sox 404 related matters

2.0 Introduction

In the previous chapter, the goal statement of this research has been defined as ‘to reduce complexity of Sarbanes-Oxley 404 IT control testing by developing a generally applicable methodology for implementing and maintaining a system of Sarbanes-Oxley 404 controls over time’. This will be done by creating a methodology which aims to reduce the complexity associated with evaluating the operating effectiveness of Sox 404 IT controls, also known as testing. As the proposed methodology is aimed at a specific part of Sox (the test, sign-off and monitor phases within a company’s IT department), these elements need to be addressed in detail before the activities in the upcoming chapters can be understood within the bigger (Sox) picture. Hence, this chapter does not formulate an answer to the first research question, but immerses the reader in the IT implications of Sox 404 related matters. The first research question will be addressed in the next chapter.

Verschuren and Doorewaard (2003: p.83) describe a method to extract concepts from the key research question in order to formulate sub questions. In the same way, the elements which describe the test, sign-off and monitor phases can be extracted from the key research question to pick subjects relevant in the scope of this research. By examining the key research question (‘in which way is it possible to maintain a set of implemented Sox 404 controls over time?’), three main concepts can be distinguished: 1) control, 2) Sox (404) and 3) maintaining & implementing. Each of these concepts will be defined in this chapter in relation to its impact on KLM FIM:

1. Internal control frameworks which evaluate the effectiveness of internal control over financial reporting

The Sarbanes-Oxley Act requires a company to assess the effectiveness of internal control. Internal control effectiveness can be measured using an internal control framework, preferably the COSO framework. For assessing IT internal control effectiveness, the CobiT framework can be used. Both COSO and CobiT are adopted by KLM.

2. The Sarbanes-Oxley Act and its manifestation within KLM FIM

Although the Public Company Accounting Oversight Board (PCAOB) offers generic guidelines for implementing the Sarbanes-Oxley Act within public companies, each company has to make these guidelines contingent on its specific needs. Since Sox is an extensive corporate governance code and impacts KLM FIM only through certain (sub)sections, a tailored approach is required.

3. Sox registration tools which enable monitoring of Sox 404 controls

For Sox compliance purposes, KLM has selected a web-based Sox registration tool. To a certain extent, these kinds of tools can enhance monitoring of signed-off Sox controls.

These three concepts will be discussed in this chapter, thereby clarifying the key research question. After reading this chapter, the reader should possess enough background knowledge to understand the issues discussed in subsequent chapters.

In section 2.1, internal control and its relevance for Sox 404 will be discussed. Section 2.2 describes Sox and its manifestation within KLM FIM. Subsequently, Sox tooling will be addressed in section 2.3. Finally, section 2.4 brings it all together and summarizes the concepts addressed in this chapter.

2.1 Internal control and its relevance for Sox 404

The importance of internal control for Sox 404 compliancy is emphasized by the Public Company Accounting Oversight Board (PCAOB). According to PCAOB Auditing Standard No. 2, which sets forth standards for public companies complying with Sox 404, one element the auditor's report on management's assessment of the effectiveness of internal control over financial reporting must include is:

An identification of management's conclusion about the effectiveness of the company's internal control over financial reporting as of a specified date based on the control criteria (PCAOB, 2004: p.61).

These control criteria refer explicitly to the criteria established in Internal Control – Integrated framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which will be discussed in this section.

This section consists of three parts. First, in section 2.1.1, characteristics of internal control will be discussed to emphasize its significance for Sox 404 compliance. As Air France – KLM also uses the COSO framework to assess the effectiveness of its internal control over financial reporting, it is relevant for this thesis and will be covered in section 2.1.2. The third section (2.1.3) covers an internal control framework specific to Information Technology (IT) controls, the Control Objectives for Information and related Technology (CobiT). This framework is particularly relevant for this research, as it is used by KLM FIM to assess its internal controls.

2.1.1 Defining internal control

The definitions of internal (or business) control and IT control will be given below to illustrate their difference in focus. In the scope of this thesis, it is relevant to distinguish between these two types of controls, since the research is conducted at a department where all controls are related to IT, while processes of other KLM business divisions (which eventually ‘hand off’ their controls to FIM) are managed with generic business controls. Subsequently, this sub section will cover the various levels at which controls can operate within an organization, illustrated by graphical representations. Finally, the highly Sox-relevant subject of materiality will be introduced and discussed. The section consists of five subsections, which have been lettered accordingly.

A) Internal control

As internal control can be defined in a number of ways, two definitions (PCAOB, 2006: p.7; COSO, 1994: p.13) have been selected to define the meaning of internal control for this thesis. PCAOB AS2 defines internal control as ‘a company’s process, including policies and procedures that reasonably assure the reliability of financial reporting as well as the integrity of the financial statement preparation process’. COSO broadly defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting and compliance with applicable laws and regulations. When comparing these two definitions, it can be noticed that the PCAOB definition narrows internal control down to financial reporting only, while the COSO definition also considers operations and compliance activities as functions of internal control. In the scope of this thesis, internal control is only relevant in combination with Sox 404. Therefore, when the term ‘internal control’ is used, it refers solely to financial reporting.

B) IT control

In order to define IT controls relevant to the context of this research, it is important to note where they relate to the financial reporting process. In today’s environment, financial reporting processes are driven by IT systems. Such systems are deeply integrated in initiating, authorizing, recording, processing and reporting financial transactions. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with Sox 404 (ITGI, 2006: p.12). The information obtained from IT systems is the result of a combined use of IT-related resources, which have to be managed via IT processes. IT controls are needed to manage and control these processes, in such a way that the organization can depend on the quality of the information processed by the systems. An IT control consists of procedures, practices and organizational structures which ensure that an acceptable guarantee can be given that organizational objectives are reached and that undesirable effects do not occur or will be detected and corrected (Van Grembergen & de Haes, 2006a: p.48-49).

C) IT control within organizations

According to the IT Governance Institute (ITGI), IT controls can be found at three different levels within an organization (ITGI, 2006: p.13):

1. Entity-level controls

2. Application controls

3. IT General Controls (ITGC)

Figure 4 gives a schematic overview of all three types of IT controls. They will be discussed next.

1. Entity-level controls. The purpose of entity-level controls is to gain an understanding of the culture and operating style of the organization (ITGI, 2006b: p.57). Entity-level controls are those that have a pervasive effect on the company and can influence the effectiveness of internal control in many areas. Within KLM's organizational structure, entity-level controls can be found at the operating level of the Board of Managing Directors. Since the only entity in scope for this research is KLM FIM, entity-level controls are not applicable and hence will not be discussed further in this thesis.

2. Application controls. At the business process level, controls are applied to specific business activities to achieve financial objectives. Within KLM FIM, many business processes are automated and integrated with IT application systems, so that many of the controls at this level are automated as well. These controls are known as automated application controls. Automated application controls apply only to the business processes they support and are designed within the application to prevent or detect unauthorized transactions and to support financial objectives including completeness, accuracy, authorization and existence of transactions.


Figure 4 IT controls in an organization (ITGI, 2006: p.13)

For example, a built-in check in Financial Manager (KLM's accounting package) verifies that for each imported credit post, a corresponding debit post is created; the 'completeness' objective is thereby fulfilled. Besides the automated type, application controls also exist as manual and IT-dependent controls. Manual controls are performed without the assistance of applications or any other technology systems (KLM FIM has no controls of this purely manual kind), while IT-dependent controls are essentially a combination of manual and automated controls: a manual control that relies on validated application output. An example of an IT-dependent manual control could be:

Application A offers functionality to create error reports.

Manual control: review the errors on the report and see to it that they are resolved.

Valid application output: the error report is created with correct and complete content (KLM internal memo, 2006a: p.2).
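As an added illustration of the two control types just described (this is not KLM FIM code and not how Financial Manager implements its check; the posting file format, the document and account numbers and the sample batch are all assumed and constructed for the example), the following Python code validates an imported journal batch the way an automated application control would, refuses to post a batch that fails so that a half-posted batch cannot arise, and produces the error report that an IT-dependent manual control would work through:

```python
"""Worked example (hypothetical, not KLM FIM or Financial Manager code):
an automated application control over an imported journal batch, and the
error report an IT-dependent manual control is based on."""
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Post:
    """One posting line of an import file (assumed layout)."""
    document: str   # document number grouping the posts of one journal entry
    account: str    # general-ledger account number
    side: str       # "D" (debit) or "C" (credit)
    amount: Decimal


def validate_batch(posts):
    """Automated application control: every document in the batch must balance.

    Returns a list of error strings; an empty list means the batch passed.
    Per document it checks that
      - a credit post is matched by at least one debit post (completeness),
      - total debits equal total credits (accuracy of the entry as a whole),
      - every post has a valid side and a positive amount (well-formedness).
    """
    errors = []
    by_doc = defaultdict(list)
    for p in posts:
        if p.side not in ("D", "C"):
            errors.append(f"{p.document}: invalid side {p.side!r} on account {p.account}")
        if p.amount <= 0:
            errors.append(f"{p.document}: non-positive amount {p.amount} on account {p.account}")
        by_doc[p.document].append(p)

    for doc, doc_posts in sorted(by_doc.items()):
        debit = sum((p.amount for p in doc_posts if p.side == "D"), Decimal("0"))
        credit = sum((p.amount for p in doc_posts if p.side == "C"), Decimal("0"))
        if credit > 0 and debit == 0:
            errors.append(f"{doc}: credit of {credit} has no debit post")
        elif debit != credit:
            errors.append(f"{doc}: debits {debit} do not equal credits {credit}")
    return errors


def error_report(errors):
    """Application output for the IT-dependent manual control: the report a
    reviewer works through and resolves. Complete by construction, because it
    lists every error validate_batch found."""
    header = f"ERROR REPORT: {len(errors)} error(s)"
    return "\n".join([header, *errors])


def import_batch(posts, ledger):
    """Preventive control: post the batch only if the whole batch validates.

    `ledger` is a dict account -> balance (debit positive) and is updated in
    place only when the batch is accepted. Returns (accepted, report text).
    """
    errors = validate_batch(posts)
    if errors:
        return False, error_report(errors)
    for p in posts:
        delta = p.amount if p.side == "D" else -p.amount
        ledger[p.account] = ledger.get(p.account, Decimal("0")) + delta
    return True, error_report(errors)


# Constructed sample batch: two balanced entries and two faulty ones.
SAMPLE_BATCH = [
    Post("D0001", "1000", "D", Decimal("250.00")),
    Post("D0001", "8000", "C", Decimal("250.00")),
    Post("D0002", "1000", "D", Decimal("100.00")),
    Post("D0002", "1200", "D", Decimal("50.00")),
    Post("D0002", "8000", "C", Decimal("150.00")),
    Post("D0003", "8000", "C", Decimal("75.00")),   # credit with no debit post
    Post("D0004", "1000", "D", Decimal("20.00")),
    Post("D0004", "8000", "C", Decimal("25.00")),   # entry does not balance
]

if __name__ == "__main__":
    ledger = {}
    accepted, report = import_batch(SAMPLE_BATCH, ledger)
    print("accepted:", accepted)
    print(report)
```

The split between `validate_batch` (the automated control) and `error_report` (the application output) mirrors the distinction in the text: the first decides, the second is what a person later reviews, and an auditor testing the IT-dependent control must test both that the report is produced correctly and that someone acts on it.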

3. IT General Controls (ITGC) are embedded within IT processes that provide a reliable operating environment and support the effective operation of application controls, including objectives at the entity and business process level. As mentioned before, only controls at the business process level are relevant for this thesis. The challenge with IT general controls is that they rarely impact the financial statements directly. Like entity-level controls, IT general controls have a 'pervasive' effect on all internal controls: if a key IT general control fails (for example, a control restricting access to programs and data, as will be discussed in section 2.1.3), it has a pervasive impact on all systems that rely on it, including financial applications. As a result, without being assured that only authorized users have access to financial applications, companies are unable to conclude that only authorized users
