Information technology controls
Encyclopedia
In business
and accounting, Information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control
. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls ITGC
and IT application controls. ITGC include controls over the information technology
(IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls. Information technology controls have been given increased prominence in corporations listed in the United States
by the Sarbanes-Oxley Act
. The COBIT
Framework (Control Objectives for Information Technology) is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a Chief Information Officer
(CIO), who is responsible for ensuring effective information technology controls are utilized.
(CIO) or chief information security officer
(CISO) is typically responsible for the security
, accuracy and the reliability
of the systems that manage and report the company's data, including financial data. Financial accounting and Enterprise Resource Planning
systems are integrated in the initiating, authorizing, processing, and reporting of financial data and may be involved in Sarbanes-Oxley compliance, to the extent they mitigate specific financial risks.
is a widely utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.
, risk assessment
, control activities, information and communication and monitoring, that need to be in place to achieve financial reporting and disclosure objectives; COBIT
provide a similar detailed guidance for IT, while the interrelated Val IT
concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT
objective domains-applying to each individually and in aggregate. The four COBIT
major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment
. In addition, Statements on Auditing Standards No. 109 (SAS109) discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.
IT controls that typically fall under the scope of a SOX 404 assessment may include:
Specific activities that may occur to support the assessment of the key controls above include:
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as database
s, networks and operating system
s, are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process
that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enables management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.
To comply with Section 409, organizations should assess their technological capabilities in the following categories:
In conjunction with document retention, another issue is that of the security of storage media and how well electronic documents are protected for both current and future use. The five-year record retention requirement means that current technology must be able to support what was stored five years ago. Due to rapid changes in technology, some of today’s media might be outdated in the next three or five years. Audit data retained today may not be retrievable not because of data degradation, but because of obsolete equipment and storage media.
Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management
program (RM); comprehensiveness of RM (i.e. paper, electronic, transactional communications, which includes email
s, instant messages, and spreadsheet
s that are used to analyze financial results), adequacy of retention life cycle, immutability of RM practices, audit trail
s and the accessibility and control of RM content.
Responsibility for control over spreadsheets is a shared responsibility with the business users and IT. The IT organization is typically concerned with providing a secure shared drive for storage of the spreadsheets and data backup. The business personnel are responsible for the remainder.
See also=
Business
A business is an organization engaged in the trade of goods, services, or both to consumers. Businesses are predominant in capitalist economies, where most of them are privately owned and administered to earn profit to increase the wealth of their owners. Businesses may also be not-for-profit...
and accounting, Information technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control
Internal control
In accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's...
. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls ITGC
ITGC
IT general controls are controls that apply to all systems components, processes, and data for a given organization or information technology environment...
and IT application controls. ITGC include controls over the information technology
Information technology
Information technology is the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications...
(IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls. Information technology controls have been given increased prominence in corporations listed in the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
by the Sarbanes-Oxley Act
Sarbanes-Oxley Act
The Sarbanes–Oxley Act of 2002 , also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act' and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which...
. The COBIT
COBIT
COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
Framework (Control Objectives for Information Technology) is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a Chief Information Officer
Chief information officer
Chief information officer , or information technology director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals...
(CIO), who is responsible for ensuring effective information technology controls are utilized.
IT General Controls (ITGC)
ITGC represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. ITGC usually include the following types of controls:- Control Environment, or those controls designed to shape the corporate culture or "tone at the top."
- Change managementChange managementChange management is a structured approach to shifting/transitioning individuals, teams, and organizations from a current state to a desired future state. It is an organizational process aimed at helping employees to accept and embrace changes in their current business environment....
procedures - controls designed to ensure changes meet business requirements and are authorized. - Source codeSource codeIn computer science, source code is text written using the format and syntax of the programming language that it is being written in. Such a language is specially designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source...
/documentDocumentThe term document has multiple meanings in ordinary language and in scholarship. WordNet 3.1. lists four meanings :* document, written document, papers...
version control procedures - controls designed to protect the integrity of program code - Software development life cycle standards - controls designed to ensure IT projects are effectively managed.
- Logical Access policies, standards and processes - controls designed to manage access based on business need.
- Incident managementIncident managementIncident Management refers to the activities of an organization to identify, analyze and correct hazards. For instance, a fire in a factory would be a risk that realized, or an incident that happened...
policies and procedures - controls designed to address operational processing errors. - Problem managementProblem managementThis article is about Problem Management Process, as defined by ITIL.ITIL defines a problem as the cause of one or more incidents.Problem Management is the process responsible for managing the lifecycle of all problems...
policies and procedures - controls designed to identify and address the root cause of incidents. - Technical supportTechnical supportTechnical support or tech support refers to a range of services by which enterprises provide assistance to users of technology products such as mobile phones, televisions, computers, software products or other electronic or mechanical goods...
policies and procedures - policies to help users perform more efficiently and report problems. - HardwareHardwareHardware is a general term for equipment such as keys, locks, hinges, latches, handles, wire, chains, plumbing supplies, tools, utensils, cutlery and machine parts. Household hardware is typically sold in hardware stores....
/software configuration, installation, testing, management standards, policies and procedures. - Disaster recoveryDisaster recoveryDisaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity...
/backup and recoveryBackupIn information technology, a backup or the process of backing up is making copies of data which may be used to restore the original after a data loss event. The verb form is back up in two words, whereas the noun is backup....
procedures, to enable continued processing despite adverse conditions. - Physical SecurityPhysical securityPhysical security describes measures that are designed to deny access to unauthorized personnel from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts...
- controls to ensure the physical security of information technology from individuals and from environmental risks.
IT Application Controls
IT application or program controls are fully automated (i.e., performed automatically by the systems) designed to ensure the complete and accurate processing of data, from input through output. These controls vary based on the business purpose of the specific application. These controls may also help ensure the privacy and security of data transmitted between applications. Categories of IT application controls may include:- Completeness checks - controls that ensure all records were processed from initiation to completion.
- Validity checks - controls that ensure only valid data is input or processed.
- Identification - controls that ensure all users are uniquely and irrefutably identified.
- Authentication - controls that provide an authentication mechanism in the application system.
- Authorization - controls that ensure only approved business users have access to the application system.
- Input controls - controls that ensure data integrity fed from upstream sources into the application system.
IT Controls and the Chief Information Officer/Chief Information Security Officer
The organization's chief information officerChief information officer
Chief information officer , or information technology director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals...
(CIO) or chief information security officer
Chief information security officer
A chief information security officer is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected...
(CISO) is typically responsible for the security
Security
Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition. The Institute for Security and Open Methodologies in the OSSTMM 3 defines security as "a form of protection...
, accuracy and the reliability
Reliability engineering
Reliability engineering is an engineering field, that deals with the study, evaluation, and life-cycle management of reliability: the ability of a system or component to perform its required functions under stated conditions for a specified period of time. It is often measured as a probability of...
of the systems that manage and report the company's data, including financial data. Financial accounting and Enterprise Resource Planning
Enterprise resource planning
Enterprise resource planning systems integrate internal and external management information across an entire organization, embracing finance/accounting, manufacturing, sales and service, customer relationship management, etc. ERP systems automate this activity with an integrated software application...
systems are integrated in the initiating, authorizing, processing, and reporting of financial data and may be involved in Sarbanes-Oxley compliance, to the extent they mitigate specific financial risks.
COBIT
COBITCOBIT
COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
is a widely utilized framework containing best practices for both ITGC and application controls. It consists of domains and processes. The basic structure indicates that IT processes satisfy business requirements, which is enabled by specific IT control activities. It also recommends best practices and methods of evaluation of an enterprise's IT controls.
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control: control environmentControl environment
Control environment also called "Internal control environment". It is a term of financial audit, internal audit and Enterprise Risk Management. It means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance to the entity...
, risk assessment
Risk assessment
Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat...
, control activities, information and communication and monitoring, that need to be in place to achieve financial reporting and disclosure objectives; COBIT
COBIT
COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
provide a similar detailed guidance for IT, while the interrelated Val IT
Val IT
Val IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards...
concentrates on higher-level IT governance and value-for-money issues. The five components of COSO can be visualized as the horizontal layers of a three-dimensional cube, with the COBIT
COBIT
COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
objective domains-applying to each individually and in aggregate. The four COBIT
COBIT
COBIT is a framework created by ISACA for information technology management and IT Governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.-Overview:...
major domains are: plan and organize, acquire and implement, deliver and support, and monitor and evaluate.
IT controls and the Sarbanes-Oxley Act (SOX)
SOX requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and require public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX.The COBIT framework may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB and SEC state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment
SOX 404 top-down risk assessment
In financial auditing of public companies in the United States, SOX 404 top-down risk assessment is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 . The term is used by the U.S. Public Company Accounting Oversight Board and the Securities and...
. In addition, Statements on Auditing Standards No. 109 (SAS109) discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.
IT controls that typically fall under the scope of a SOX 404 assessment may include:
- Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application.
- IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls;
- IT operations controls, which ensure that problems with processing are identified and corrected.
Specific activities that may occur to support the assessment of the key controls above include:
- Understanding the organization’s internal controlInternal controlIn accounting and auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives. It is a means by which an organization's...
program and its financial reporting processes. - Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;
- Identifying the key controls that address specific financial risks;
- Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness;
- Documenting and testing IT controls;
- Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and
- Monitoring IT controls for effective operation over time.
To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, exist within these applications or within their supporting systems, such as database
Database
A database is an organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality , in a way that supports processes requiring this information...
s, networks and operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s, are equally important, but do not directly align to a financial assertion. Application controls are generally aligned with a business process
Business process
A business process or business method is a collection of related, structured activities or tasks that produce a specific service or product for a particular customer or customers...
that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enables management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.
|
|
|
302 | Corporate Responsibility for Financial Reports | Certifies that financial statement accuracy and operational activities have been documented and provided to the CEO and CFO for certification |
404 | Management Assessment of Internal Controls | Operational processes are documented and practiced demonstrating the origins of data within the balance sheet. SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. |
409 | Real-time Issuer Disclosures | Public companies must disclose changes in their financial condition or operations in real time to protect investors from delayed reporting of material events |
802 | Criminal Penalties for Altering Documents | Requires public companies and their public accounting firms to retain records, including electronic records that impact the company’s assets or performance. Fines and imprisonment for those who knowingly and willfully violate this section with respect to (1) destruction, alteration, or falsification of records in federal investigations and bankruptcy and (2) destruction of corporate audit records. |
Real-time disclosure
Section 409 requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis. Companies need to determine whether their existing financial systems, such as enterprise resource management applications are capable of providing data in real time, or if the organization will need to add such capabilities or use specialty software to access the data. Companies must also account for changes that occur externally, such as changes by customers or business partners that could materially impact its own financial positioning (e.g. key customer/supplier bankruptcy and default).To comply with Section 409, organizations should assess their technological capabilities in the following categories:
- Availability of internal and external portals - Portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure.
- Breadth and adequacy of financial triggers and alert - The organization sets the trip wires that will kick off a Section 409 disclosure event.
- Adequacy of document repositories – Repositories play a critical role for event monitoring to assess disclosure needs and provide mechanism to audit disclosure adequacy.
- Capacity to be an early adopter of Extensible Business Reporting LanguageXBRLXBRL is a freely available, market-driven, open, and global standard for exchanging business information. XBRL allows information modeling and the expression of semantic meaning commonly required in business reporting. XBRL is XML-based...
(XBRL) – XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories.
Section 802 & Records retention
Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms to maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded. This includes electronic records which are created, sent, or received in connection with an audit or review. As external auditors rely to a certain extent on the work of internal audit, it would imply that internal audit records must also comply with Section 802.In conjunction with document retention, another issue is that of the security of storage media and how well electronic documents are protected for both current and future use. The five-year record retention requirement means that current technology must be able to support what was stored five years ago. Due to rapid changes in technology, some of today’s media might be outdated in the next three or five years. Audit data retained today may not be retrievable not because of data degradation, but because of obsolete equipment and storage media.
Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management
Records management
Records management, or RM, is the practice of maintaining the records of an organization from the time they are created up to their eventual disposal...
program (RM); comprehensiveness of RM (i.e. paper, electronic, transactional communications, which includes email
Email
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
s, instant messages, and spreadsheet
Spreadsheet
A spreadsheet is a computer application that simulates a paper accounting worksheet. It displays multiple cells usually in a two-dimensional matrix or grid consisting of rows and columns. Each cell contains alphanumeric text, numeric values or formulas...
s that are used to analyze financial results), adequacy of retention life cycle, immutability of RM practices, audit trail
Audit trail
Audit trail is a sequence of steps supported by proof documenting the real processing of a transaction flow through an organization, a process or a system.....
s and the accessibility and control of RM content.
End-user application / Spreadsheet controls
PC-based spreadsheets or databases are often used to provide critical data or calculations related to financial risk areas within the scope of a SOX 404 assessment. Financial spreadsheets are often categorized as end-user computing (EUC) tools that have historically been absent traditional IT controls. They can support complex calculations and provide significant flexibility. However, with flexibility and power comes the risk of errors, an increased potential for fraud, and misuse for critical spreadsheets not following the software development lifecycle (e.g. design, develop, test, validate, deploy). To remediate and control spreadsheets, public organizations may implement controls such as:- Inventory and risk-rank spreadsheets that are related to critical financial risks identified as in-scope for SOX 404 assessment. These typically relate to the key estimates and judgments of the enterprise, where sophisticated calculations and assumptions are involved. Spreadsheets used merely to download and upload are less of a concern.
- Perform a risk based analysis to identify spreadsheet logic errors. Automated tools exist for this purpose.
- Ensure the spreadsheet calculations are functioning as intended (i.e., "baseline" them).
- Ensure changes to key calculations are properly approved.
Responsibility for control over spreadsheets is a shared responsibility with the business users and IT. The IT organization is typically concerned with providing a secure shared drive for storage of the spreadsheets and data backup. The business personnel are responsible for the remainder.
See also=
- Chief information officerChief information officerChief information officer , or information technology director, is a job title commonly given to the most senior executive in an enterprise responsible for the information technology and computer systems that support enterprise goals...
- Chief information security officerChief information security officerA chief information security officer is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected...
- Continuous AuditingContinuous auditingContinuous auditing is the independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company. Continuous auditing uses a set of tools to assure the internal control system is functioning to prevent fraud, errors and waste...
- Data governanceData governanceData governance is an emerging discipline with an evolving definition. The discipline embodies a convergence of data quality, data management, data policies, business process management, and risk management surrounding the handling of data in an organization...
- Information technology auditInformation technology auditAn information technology audit, or information systems audit, is an examination of the management controls within an Information technology infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating...
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- IT risk managementIT risk managementThe IT risk management is the application of risk management to Information technology context in order to manage IT risk, i.e.:IT risk management can be considered a component of a wider Enterprise risk management system....
- Public Company Accounting Oversight BoardPublic Company Accounting Oversight BoardThe Public Company Accounting Oversight Board is a private-sector, non-profit corporation created by the Sarbanes–Oxley Act, a 2002 United States federal law, to oversee the auditors of public companies. Its stated purpose is to 'protect the interests of investors and further the public interest...
- Risk ITRisk ITRisk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.Risk IT was published in 2009 by ISACA...
- Sarbanes-Oxley ActSarbanes-Oxley ActThe Sarbanes–Oxley Act of 2002 , also known as the 'Public Company Accounting Reform and Investor Protection Act' and 'Corporate and Auditing Accountability and Responsibility Act' and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which...