    SOX Presentation Transcript

    • Sarbanes-Oxley IT Audits
    • Sarbanes-Oxley 2002
      • Recommended that “audit firms place a high priority on enhancing the overall effectiveness of auditors’ work on internal control, particularly with respect to the depth and substance of their knowledge about companies’ information systems.”
    • SOX Section 802: fines of up to $25 million and/or 20 years imprisonment against “whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence” any government investigation or official proceeding.
    • PCAOB Auditing Statements
      • AS2 – Financial auditors should perform a “walkthrough” of the information system to be satisfied with the design and operation of the applicable controls
      • AS3 – Extends audit documentation requirements
      • Both address fraud issues
    • SAS 80 Evidential Matter
      • SAS 80 – Where evidential matter is in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests. In such circumstances, an auditor should consider performing tests of controls to support an assessed level of control risk.
    • SAS 94 Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit
      • Requires consideration of the importance of IT processes and controls in the preparation of financial statements and whether an IT specialist is required.
      • The presence of an IT auditor or specialist on the engagement team does not free the financial auditor from responsibility for assessing the adequacy of IT controls.
    • SAS 99 Consideration of Fraud in a Financial Statement Audit
      • Misstatements arising from fraudulent financial reporting
      • Misstatement arising from misappropriation of assets
      • Whenever “evidence of fraud” is found, it should be brought to the attention of the appropriate level of management
      • Increases extent of documentation
    • IT Audit vs Sarbanes-Oxley IT Audit
      • Both are technical IT audits
      • Sarbanes IT audit has a narrowly defined focus driven by Federal Law and is a system level audit concentrated on the reliability and integrity of the hardware, software and information of the systems.
      • Sarbanes IT audit is typically part of a larger financial audit and responds to the requirements of the larger financial audit.
    • Governing Standards
      • Diverse standards allow for different interpretations
      • Internal and external audits traditionally focus on financial matters
      • Traditional IT audits focus on technology issues
      • In the past, these two audits rarely interacted with each other
      • Sarbanes-Oxley changed this!
    • SOX-404 vs Traditional IT audit.
      • Section 404 is designed to ensure that there are sufficient controls to prevent fraud, misuse and/or loss of financial data
        • Controls must be effective
        • Must be possible to note exceptions / follow audit trail
        • 404 audit is invariably part of a larger financial audit
      • General purpose is to identify weaknesses or deficiencies in the IT controls and resolve them prior to the start of an outside audit
      • The IT Auditor verifies controls are in place and working correctly.
    • Competing Governance Organizations (standard, and the organization that issues it)
      • Systems Auditability and Control (SAC) – Institute of Internal Auditors Research Foundation
      • General Standards for Information Systems Auditors and Statements on Information Systems Auditing Standards – Information Systems Audit and Control Association (ISACA)
      • Government Auditing Standards and Title 2, Accounting (GAO) – U.S. General Accounting Office (GAO)
      • Standards for the Professional Practice of Internal Auditing (IIA) – Institute of Internal Auditors Association (IIA)
      • Statements on Auditing Standards (SAS) – American Institute of Certified Public Accountants (AICPA)
    • COSO vs COBIT
      • COSO doesn’t do enough to help identify, document, and evaluate the IT controls necessary to comply with SOX’s legal requirements
      • COBIT is an interpretation of COSO from an IT point of view
      • Established by IT Governance Institute (ITGI)
        • four domains, 34 IT processes and 318 detailed control objectives
    • PCAOB Auditing Standard 2 “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.”
      • establishes the requirements for performing an audit of internal control over financial reporting
      • transactions’ flows commonly involve the use of application systems for automating processes and supporting high volume and complex transaction processing
      • reliability of these application systems is in turn reliant upon various IT support systems, including networks, databases, operating systems
    • Audit Risk
      • The IT Auditor should also recognize that threat, vulnerability and risk analyses have the goal of risk mitigation and security, and that the audit should address and answer questions about the following:
        • Systems Risks
        • Systems Threats and Vulnerabilities
        • Probability of Occurrences
        • Risk Mitigation
    • Controls
      • Two broad classes of controls: Key Controls and General Controls. They are designed to ensure that the controls are sufficient to:
        • prevent fraud, misuse, and/or loss of financial data/transactions,
        • enable speedy detection if and when such problems occur, and
        • promote effective action
    • Controls (cont.)
      • The Section 404 Auditor can test the general quality of the controls by determining whether a policy, procedure, or process is:
        • standardized across the company
        • centrally administered
        • centrally controlled
        • repeatable
    • Key Controls
      • Generally defined in the literature as being the controls that are fundamental to ensuring that the values on the balance sheet are accurate and reliable
      • All monetary transactions must be initiated, authorized, implemented, documented, controlled, reported, and validated using key controls
      • Example: check that two separate systems tally with one another
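The reconciliation check named in the example above, as an added illustration that is not part of the original presentation: two constructed transaction exports (a hypothetical subledger and a hypothetical general ledger, with assumed transaction ids, account codes and amounts) are compared transaction by transaction and account by account, and every difference is recorded as an exception. Checking both levels matters: two compensating errors can leave the account totals in balance while individual transactions are still wrong.

```python
from decimal import Decimal
from collections import defaultdict

# Constructed sample exports, as (transaction id, account code, amount) rows
# from two hypothetical systems. All ids, accounts and amounts are assumptions.
SUBLEDGER_ROWS = [
    ("T1001", "1200-AR", "1500.00"),
    ("T1002", "1200-AR", "-250.00"),
    ("T1003", "4000-REV", "980.50"),
    ("T1004", "4000-REV", "120.00"),   # never posted to the general ledger
]
GENERAL_LEDGER_ROWS = [
    ("T1001", "1200-AR", "1500.00"),
    ("T1002", "1200-AR", "-250.00"),
    ("T1003", "4000-REV", "890.50"),   # transposed digits: amount mismatch
    ("T1005", "4000-REV", "60.00"),    # exists in the general ledger only
]


def load(rows):
    """Index rows by transaction id; money is held as Decimal, never float."""
    return {tid: (account, Decimal(amount)) for tid, account, amount in rows}


def per_account_totals(entries):
    totals = defaultdict(Decimal)
    for account, amount in entries.values():
        totals[account] += amount
    return totals


def reconcile(system_a_rows, system_b_rows):
    """Compare two exports and return every transaction-level and account-level
    difference. An empty exception list means the two systems tally."""
    a, b = load(system_a_rows), load(system_b_rows)
    exceptions = []
    # Transaction level: every id must exist in both systems with equal detail.
    for tid in sorted(set(a) | set(b)):
        if tid not in b:
            exceptions.append(("missing_in_b", tid, str(a[tid][1]), None))
        elif tid not in a:
            exceptions.append(("missing_in_a", tid, None, str(b[tid][1])))
        elif a[tid] != b[tid]:
            exceptions.append(("mismatch", tid, str(a[tid][1]), str(b[tid][1])))
    # Account level: the signed difference of totals, system A minus system B.
    totals_a, totals_b = per_account_totals(a), per_account_totals(b)
    account_deltas = {
        account: totals_a[account] - totals_b[account]
        for account in sorted(set(totals_a) | set(totals_b))
    }
    return {
        "exceptions": exceptions,
        "account_deltas": account_deltas,
        "in_balance": not exceptions,
    }


if __name__ == "__main__":
    result = reconcile(SUBLEDGER_ROWS, GENERAL_LEDGER_ROWS)
    for kind, tid, amount_a, amount_b in result["exceptions"]:
        print(f"{kind:13} {tid}  subledger={amount_a}  general_ledger={amount_b}")
    for account, delta in result["account_deltas"].items():
        print(f"{account}: delta {delta}")
```

Each exception carries the transaction id and both recorded amounts, so the output doubles as the audit trail an auditor can follow back into either system.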
    • General Controls
      • These include:
        • Physical Access and Security
        • Operational Control Processes
        • Logical Access Processes
        • Backup and Recovery
        • Disaster recovery policies
        • Service-level agreement policies
        • Application or Software development processes
        • Testing
        • Configuration and Change management
    • Preferable if Controls are Automated
      • Automation makes it more difficult for individuals to manipulate the control, either in error or maliciously. The centralized automation of controls should include:
        • Central administration of IT processes by the relevant MIS department
        • Centralized document version control of policies and procedures
        • Backup and recovery procedures using scripts, clustering techniques, RAID, etc., as well as fault tolerant systems
        • Intrusion prevention and detection processes using centralized services
        • Antivirus processes using centralized software such as McAfee or Symantec
        • A process for managing changes to IT assets or objects that exists and documents that changes are reviewed and authorized
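An automated test of the last point above (that changes are reviewed and authorized, and that exceptions can be noted and traced, as Section 404 requires), added here as an example that is not part of the original presentation. It runs over constructed change-management records with assumed ids, names and timestamps and flags each change that has no ticket reference, no approval, an approval by the same person who requested the change, or an approval recorded only after deployment.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ChangeRecord:
    """One entry from a hypothetical change-management system (assumed fields)."""
    change_id: str
    requester: str
    approver: Optional[str]
    approved_at: Optional[datetime]
    deployed_by: str
    deployed_at: datetime
    ticket: Optional[str]


# Constructed sample records; every id, name and timestamp is an assumption.
CHANGES = [
    ChangeRecord("CHG-001", "alice", "bob", datetime(2024, 3, 1, 9, 0),
                 "ops-deploy", datetime(2024, 3, 1, 14, 0), "TCK-1101"),
    ChangeRecord("CHG-002", "carol", "carol", datetime(2024, 3, 2, 8, 30),
                 "ops-deploy", datetime(2024, 3, 2, 10, 0), "TCK-1102"),
    ChangeRecord("CHG-003", "dave", None, None,
                 "dave", datetime(2024, 3, 3, 22, 15), "TCK-1103"),
    ChangeRecord("CHG-004", "erin", "bob", datetime(2024, 3, 5, 9, 0),
                 "ops-deploy", datetime(2024, 3, 4, 18, 0), None),
]


def evaluate_change(change):
    """Return the list of control failures for one change (empty if it passes)."""
    findings = []
    if not change.ticket:
        findings.append("no_ticket")                 # change is not traceable
    if change.approver is None or change.approved_at is None:
        findings.append("not_approved")              # no documented authorization
    else:
        if change.approver == change.requester:
            findings.append("self_approved")         # segregation of duties broken
        if change.approved_at > change.deployed_at:
            findings.append("approved_after_deploy")  # authorization was not prior
    return findings


def audit_changes(changes):
    """Map change id to its findings, keeping only the exceptions."""
    report = {}
    for change in changes:
        findings = evaluate_change(change)
        if findings:
            report[change.change_id] = findings
    return report


def exception_rate(changes):
    """Share of changes with at least one finding, useful for sampling decisions."""
    return len(audit_changes(changes)) / len(changes) if changes else 0.0


if __name__ == "__main__":
    for change_id, findings in audit_changes(CHANGES).items():
        print(change_id, ", ".join(findings))
    print(f"exception rate: {exception_rate(CHANGES):.0%}")
```

Because the check reads the records rather than asking the people involved, it is repeatable and centrally administered in the sense of the earlier slide, and its output is a list of specific exceptions an auditor can follow back to the change records.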