
Sarbanes-Oxley IT Audits

Sarbanes-Oxley 2002

Recommended that audit firms place a high priority on enhancing the overall effectiveness of auditors' work on internal control, particularly with respect to the depth and substance of their knowledge about companies' information systems.

SOX Section 802

Fines of up to $25 million and/or 20 years imprisonment against:

whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence any government investigation or official proceeding.

PCAOB Auditing Statements

AS2: Financial auditors should perform a walkthrough of the information system to be satisfied with the design and operation of the applicable controls.
AS3: Extends audit documentation requirements.
Both address fraud issues.

SAS 80 Evidential Matter

SAS 80: Where evidential matter is in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests. In such circumstances, an auditor should consider performing tests of controls to support an assessed level of control risk.

SAS 94: Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit

Requires consideration of the importance of IT processes and controls in the preparation of financial statements and whether an IT specialist is required.
The presence of an IT auditor or specialist on the engagement team does not free the financial auditor from responsibility for assessing the adequacy of IT controls.

SAS 99: Consideration of Fraud in a Financial Statement Audit

Misstatements arising from fraudulent financial reporting
Misstatements arising from misappropriation of assets
Whenever evidence of fraud is found, it should be brought to the attention of the appropriate level of management.
Increases the extent of documentation.

IT Audit vs Sarbanes-Oxley IT Audit

Both are technical IT audits.
A Sarbanes IT audit has a narrowly defined focus driven by Federal law and is a system-level audit concentrated on the reliability and integrity of the hardware, software and information of the systems.
A Sarbanes IT audit is typically part of a larger financial audit and responds to the requirements of that larger financial audit.

Governing Standards

Diverse standards allow for different interpretations.
Internal and external audits traditionally focus on financial matters.
Traditional IT audits focus on technology issues.
In the past, these two audits rarely interacted with each other.
Sarbanes-Oxley changed this!

SOX-404 vs Traditional IT Audit

Section 404 is designed to ensure that there are sufficient controls to prevent fraud, misuse and/or loss of financial data.
Controls must be effective.
It must be possible to note exceptions and follow the audit trail.
A 404 audit is invariably part of a larger financial audit.
The general purpose is to identify weaknesses or deficiencies in the IT controls and resolve them prior to the start of an outside audit.
The IT Auditor verifies that controls are in place and working correctly.

Competing Governance Organizations and Standards

Organization: Standards
American Institute of Certified Public Accountants (AICPA): Statements on Auditing Standards (SAS)
Institute of Internal Auditors Association (IIA): Standards for the Professional Practice of Internal Auditing
U.S. General Accounting Office (GAO): Government Auditing Standards and Title 2, Accounting
Information Systems Audit and Control Association (ISACA): General Standards for Information Systems Auditors and Statements on Information Systems Auditing Standards
Institute of Internal Auditors Research Foundation: Systems Auditability and Control (SAC)

COSO vs COBIT

COSO doesn't do enough to help identify, document, and evaluate the IT controls necessary to comply with SOX's legal requirements.
COBIT is an interpretation of COSO from an IT point of view.
Established by the IT Governance Institute (ITGI).
Four domains, 34 IT processes and 318 detailed control objectives.

PCAOB Auditing Standard 2

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.

Establishes the requirements for performing an audit of internal control over financial reporting.
Transaction flows commonly involve the use of application systems for automating processes and supporting high-volume and complex transaction processing.
The reliability of these application systems is in turn reliant upon various IT support systems, including networks, databases and operating systems.

Audit Risk

The IT Auditor should also recognize that threat, vulnerability and risk analyses have the goal of risk mitigation and security, and that the audit should address and answer the following questions:
Systems Risks
Systems Threats and Vulnerabilities
Probability of Occurrences
Risk Mitigation

Controls

Two broad classes of controls: Key Controls and General Controls. They are designed to ensure that the controls are sufficient to:
prevent fraud, misuse, and/or loss of financial data/transactions,
enable speedy detection if and when such problems occur, and
promote effective action.

Controls (cont.)

A Section 404 Auditor can test the general quality of the controls by determining if a policy, procedure, or process is:
standardized across the company
centrally administered
centrally controlled
repeatable

Key Controls

Generally defined in the literature as the controls that are fundamental to ensuring that the values on the balance sheet are accurate and reliable.
All monetary transactions must be initialized, authorized, implemented, documented, controlled, reported, and validated using key controls.
Example: check that two separate systems tally with one another.
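As an added example (not from the slides), the tally check above written as a reconciliation key control: compare a constructed export from an order system with the general ledger, flag every exception (missing entry, amount mismatch, missing authorization), and render the result as audit-trail lines. The record format, the sample transactions and the run id are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    """One monetary transaction as exported by a system (constructed format)."""
    txn_id: str
    amount: Decimal
    approver: str  # empty string: the entry was never authorized


def reconcile(source, ledger):
    """Key control: check that two separate systems tally.

    Every transaction must appear in both systems with the same amount and
    carry an authorization. Returns a list of (txn_id, reason) exceptions in
    txn_id order; an empty list means the two systems tally."""
    src = {t.txn_id: t for t in source}
    led = {t.txn_id: t for t in ledger}
    exceptions = []
    for txn_id in sorted(src.keys() | led.keys()):
        s, g = src.get(txn_id), led.get(txn_id)
        if s is None:
            exceptions.append((txn_id, "in ledger but not in source system"))
        elif g is None:
            exceptions.append((txn_id, "in source system but not in ledger"))
        elif s.amount != g.amount:
            exceptions.append((txn_id, f"amount mismatch {s.amount} vs {g.amount}"))
        # Authorization is checked on whichever side holds the entry.
        if (s is not None and not s.approver) or (g is not None and not g.approver):
            exceptions.append((txn_id, "missing authorization"))
    return exceptions


def audit_trail(run_id, exceptions):
    """Render one line per exception plus a result line so reviewers can follow the trail."""
    lines = [f"{run_id} EXCEPTION {txn_id}: {reason}" for txn_id, reason in exceptions]
    summary = "TALLY" if not exceptions else f"{len(exceptions)} exceptions"
    lines.append(f"{run_id} RESULT {summary}")
    return lines


# Constructed sample exports: an order system (SOURCE) and the general ledger (LEDGER).
SOURCE = [Txn("T1", Decimal("100.00"), "alice"),
          Txn("T2", Decimal("250.50"), "bob"),
          Txn("T3", Decimal("75.00"), "")]        # never authorized
LEDGER = [Txn("T1", Decimal("100.00"), "alice"),
          Txn("T2", Decimal("205.50"), "bob"),    # transposed digits
          Txn("T4", Decimal("10.00"), "carol")]   # no matching source entry

if __name__ == "__main__":
    for line in audit_trail("run-2024-01", reconcile(SOURCE, LEDGER)):
        print(line)
```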

General Controls

These include:
Physical Access and Security
Operational Control Processes
Logical Access Processes
Backup and Recovery
Disaster recovery policies
Service-level agreement policies
Application or Software development processes
Testing
Configuration and Change management

Preferable if Controls are Automated

Automation makes it more difficult for individuals to manipulate the control, either in error or maliciously. The centralized automation of controls should include:
Central administration of IT processes by the relevant MIS department
Centralized document version control of policies and procedures
Backup and recovery procedures using scripts, clustering techniques, RAID, etc., as well as fault-tolerant systems
Intrusion prevention and detection processes using centralized services
Antivirus processes using centralized software such as McAfee or Symantec
A process for managing changes to IT assets or objects exists and documents that changes are reviewed and authorized
