Audits
Sarbanes-Oxley 2002
Recommended that audit firms place a high priority on enhancing the overall effectiveness of auditors' work on internal control, particularly with respect to the depth and substance of their knowledge about companies' information systems.
PCAOB Auditing
Statements
SAS 94: Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
SAS 99: Consideration of Fraud in a Financial Statement Audit
Misstatements arising from fraudulent financial reporting
Misstatements arising from misappropriation of assets
Whenever evidence of fraud is found, it should be brought to the attention of the appropriate level of management
Increases extent of documentation
IT Audit vs Sarbanes-Oxley
IT Audit
Governing Standards
SOX-404 vs Traditional IT audit
Section 404 is designed to ensure that there are sufficient controls to prevent fraud, misuse and/or loss of financial data
Competing Governance
Organization
Organizations Standards
American Institute of Certified Public Accountants (AICPA)
COSO vs COBIT
Audit Risk
Controls
Two broad classes of controls: Key Controls and General Controls. They are designed to ensure that the controls are sufficient to:
prevent fraud, misuse, and/or loss of financial data/transactions,
enable speedy detection if and when such problems occur, and
promote effective action
Controls (cont.)
A Section 404 auditor can test the general quality of the controls by determining whether a policy, procedure, or process is:
standardized across the company
centrally administered
centrally controlled
repeatable
Key Controls
General Controls
These include
Physical Access and Security
Operational Control Processes
Logical Access Processes
Backup and Recovery
Disaster recovery policies
Service-level agreement policies
Application or Software development processes
Testing
Configuration and Change management