Transcript SOX & IT Audits - University of South Florida St. Petersburg

Sarbanes-Oxley IT Audits
1
Sarbanes-Oxley 2002
Recommended “audit firms place a high
priority on enhancing the overall
effectiveness of auditors’ work on internal
control, particularly with respect to the
depth and substance of their
knowledge about companies’
information systems.”
2
SOX Section 802
Fines of up to $25 million and/or 20 years
imprisonment against:
“whoever knowingly alters, destroys,
mutilates, conceals, covers up, falsifies,
or makes a false entry in any record,
document, or tangible object with the intent
to impede, obstruct, or influence” any
government investigation or official
proceeding.”
3
PCAOB Auditing Statements



AS2 - Financial auditors should perform a
“walkthrough” of the information system to
be satisfied with the design and operation
of the applicable controls
AS3 – Extends audit documentation
requirements
Both address fraud issues
4
SAS 80 Evidential Matter
SAS 80 – Where evidential matter is in
electronic form, it may not be practical or
possible to reduce detection risk to an
acceptable level by performing only
substantive tests. In such circumstances,
an auditor should consider performing
tests of controls to support an assessed
level of control risk.
5
SAS 94
Effect of Information Technology on the
Auditor’s Consideration of Internal Control in a
Financial Statement Audit


Requires consideration of the importance
of IT processes and controls in the
preparation of financial statements and
whether an IT specialist is required.
The presence of an IT auditor or specialist
on the engagement team does not free the
financial auditor from responsibility for
assessing the adequacy of IT controls.
6
SAS 99 Consideration of Fraud in a
Financial Statement Audit




Misstatements arising from fraudulent
financial reporting
Misstatement arising from
misappropriation of assets
Whenever “evidence of fraud” is found, it
should be brought to the attention of the
appropriate level of management
Increases extent of documentation
7
IT Audit vs Sarbanes-Oxley IT Audit



Both are technical IT audits
Sarbanes IT audit has a narrowly defined focus
driven by Federal Law and is a system level
audit concentrated on the reliability and integrity
of the hardware, software and information of the
systems.
Sarbanes IT audit is typically part of a larger
financial audit and responds to the requirements
of the larger financial audit.
8
Governing Standards





Diverse standards allows for different
interpretations
Internal and external audits traditionally focus on
financial matters
Traditional IT audits focus on technology issues
In the past, these two audits rarely interacted
with each other
Sarbanes-Oxley changed this!
9
SOX-404 vs Traditional IT audit.

Section 404 is designed to ensure that there are
sufficient controls to prevent fraud, misuse
and/or loss of financial data





Controls must be effective
Must be possible to note exceptions / follow audit trail
404 audit is invariably part of a larger financial audit
General purpose is to identify weaknesses or
deficiencies in the IT controls and resolve them
prior to the start of an outside audit
The IT Auditor verifies controls are in place and
working correctly.
10
Competing Governance Organizations
Organization
Standards
American Institute of Certified Public
Accountants (AICPA)
Statements on Auditing Standards (SAS)
Institute of Internal Auditors
Association (IIA)
Standards for the Professional Practice of
Internal Auditing (IIA)
U.S. General Accounting Office (GAO)
Government Auditing Standards and Title
2, Accounting (GAO)
Information Systems Audit and Control
Association (ISACA)
General Standards for Information
Systems Auditors and Statements on
Information Systems Auditing Standards
Institute of Internal Auditors Research
Foundation
Systems Auditability and Control (SAC)
11
COSO vs COBIT



COSO doesn’t do enough to help identify,
document, and evaluate the IT controls necessary
to comply with SOX’s legal requirements
COBIT is an interpretation of COSO from an IT
point of view
Established by IT Governance Institute (ITGI)

four domains, 34 IT processes and 318 detailed control
objectives
12
PCAOB Auditing Standard 2
“An Audit of Internal Control Over Financial Reporting Performed in
Conjunction with an Audit of Financial Statements.”



establishes the requirements for performing an
audit of internal control over financial reporting
transactions’ flows commonly involve the use of
application systems for automating processes
and supporting high volume and complex
transaction processing
reliability of these application systems is in turn
reliant upon various IT support systems,
including networks, databases, operating
systems
13
Audit Risk





IT Auditor should also recognize that threat,
vulnerability and risk analyses have the goal of
risk mitigation and security and that the audit
should address and answer the following
questions:
Systems Risks
Systems Threats and Vulnerabilities
Probability of Occurrences
Risk Mitigation
14
Controls
Two broad classes of controls: Key Controls and
the General Controls. They are designed to
ensure that the controls are sufficient to:
 prevent fraud, misuse, and/or loss of financial
data/transactions,
 enable speedy detection if and when such
problems occur, and
 promote effective action
15
Controls (cont.)
Section 404 Auditor can test the general quality of
the controls by determining if a policy,
procedure, or processes are:
 standardized across the company
 centrally administered
 centrally controlled
 repeatable
16
Key Controls



Generally defined in the literature as being the
controls that are fundamental to ensuring that
the values on the balance sheet are accurate
and reliable
All monetary transaction must be initialized,
authorized, implemented, documented,
controlled, reported, and validated using key
controls
Example: check that two separate systems tally
with one another
17
General Controls
These include…
 Physical Access and Security
 Operational Control Processes
 Logical Access Processes
 Backup and Recovery
 Disaster recovery policies
 Service-level agreement policies
 Application or Software development processes
 Testing
 Configuration and Change management
18
Preferable if Controls are Automated
Automation makes it more difficult for individuals to
manipulate the control either in error or
maliciously. The centralized automation of
controls should include:
 Centrally administration of IT processes by the
relevant MIS department
 Centralized document version control of policies
and procedures
 Backup and recovery procedures using scripts,
using clustering techniques,
19
Preferable if Controls are Automated





RAID, etc. as well as fault tolerant systems
Intrusion prevention and detection processes
using centralized services
Antivirus processes using centralized software
such as McAfee or Symantec
A process for managing changes to IT assets or
objects exists and
documents that changes are reviewed and
authorized
20