Sarbanes-Oxley IT Audits - PowerPoint PPT Presentation

Slides: 21
Provided by: defau885

Transcript and Presenter's Notes

1
Sarbanes-Oxley IT Audits
2
Sarbanes-Oxley 2002
  • Recommended that audit firms place a high priority on
    enhancing the overall effectiveness of auditors'
    work on internal control, particularly with
    respect to the depth and substance of their
    knowledge about companies' information systems.

3
SOX Section 802
Fines of up to $25 million and/or 20
years imprisonment against whoever
knowingly alters, destroys, mutilates, conceals,
covers up, falsifies, or makes a false entry in
any record, document, or tangible object with the
intent to impede, obstruct, or influence any
government investigation or official proceeding.
4
PCAOB Auditing Statements
  • AS2 - Financial auditors should perform a
    walkthrough of the information system to be
    satisfied with the design and operation of the
    applicable controls
  • AS3: Extends audit documentation requirements
  • Both address fraud issues

5
SAS 80 Evidential Matter
  • SAS 80: Where evidential matter is in
    electronic form, it may not be practical or
    possible to reduce detection risk to an
    acceptable level by performing only substantive
    tests. In such circumstances, an auditor should
    consider performing tests of controls to support
    an assessed level of control risk.

6
SAS 94 Effect of Information Technology on the
Auditor's Consideration of Internal Control in a
Financial Statement Audit
  • Requires consideration of the importance of IT
    processes and controls in the preparation of
    financial statements and whether an IT specialist
    is required.
  • The presence of an IT auditor or specialist on
    the engagement team does not free the financial
    auditor from responsibility for assessing the
    adequacy of IT controls.

7
SAS 99 Consideration of Fraud in a Financial
Statement Audit
  • Misstatements arising from fraudulent financial
    reporting
  • Misstatement arising from misappropriation of
    assets
  • Whenever evidence of fraud is found, it should
    be brought to the attention of the appropriate
    level of management
  • Increases extent of documentation

8
IT Audit vs Sarbanes-Oxley IT Audit
  • Both are technical IT audits
  • Sarbanes IT audit has a narrowly defined focus
    driven by Federal Law and is a system level audit
    concentrated on the reliability and integrity of
    the hardware, software and information of the
    systems.
  • Sarbanes IT audit is typically part of a larger
    financial audit and responds to the requirements
    of the larger financial audit.

9
Governing Standards
  • Diverse standards allow for different
    interpretations
  • Internal and external audits traditionally focus
    on financial matters
  • Traditional IT audits focus on technology issues
  • In the past, these two audits rarely interacted
    with each other
  • Sarbanes-Oxley changed this!

10
SOX-404 vs Traditional IT Audit
  • Section 404 is designed to ensure that there are
    sufficient controls to prevent fraud, misuse
    and/or loss of financial data
  • Controls must be effective
  • Must be possible to note exceptions / follow
    audit trail
  • 404 audit is invariably part of a larger
    financial audit
  • General purpose is to identify weaknesses or
    deficiencies in the IT controls and resolve them
    prior to the start of an outside audit
  • The IT Auditor verifies controls are in place and
    working correctly.

11
Competing Governance Organizations
Organization | Standards
American Institute of Certified Public Accountants (AICPA) | Statements on Auditing Standards (SAS)
Institute of Internal Auditors Association (IIA) | Standards for the Professional Practice of Internal Auditing (IIA)
U.S. General Accounting Office (GAO) | Government Auditing Standards and Title 2, Accounting (GAO)
Information Systems Audit and Control Association (ISACA) | General Standards for Information Systems Auditors and Statements on Information Systems Auditing Standards
Institute of Internal Auditors Research Foundation | Systems Auditability and Control (SAC)
12
COSO vs COBIT
  • COSO doesn't do enough to help identify,
    document, and evaluate the IT controls necessary
    to comply with SOX's legal requirements
  • COBIT is an interpretation of COSO from an IT
    point of view
  • Established by IT Governance Institute (ITGI)
  • Four domains, 34 IT processes and 318 detailed
    control objectives

13
PCAOB Auditing Standard 2 An Audit of Internal
Control Over Financial Reporting Performed in
Conjunction with an Audit of Financial
Statements.
  • establishes the requirements for performing an
    audit of internal control over financial
    reporting
  • transactions flows commonly involve the use of
    application systems for automating processes and
    supporting high volume and complex transaction
    processing
  • reliability of these application systems is in
    turn reliant upon various IT support systems,
    including networks, databases, operating systems

14
Audit Risk
  • IT Auditor should also recognize that threat,
    vulnerability and risk analyses have the goal of
    risk mitigation and security and that the audit
    should address and answer the following
    questions
  • Systems Risks
  • Systems Threats and Vulnerabilities
  • Probability of Occurrences
  • Risk Mitigation

15
Controls
  • Two broad classes of controls: Key Controls and
    General Controls. They are designed to ensure
    that the controls are sufficient to
  • prevent fraud, misuse, and/or loss of financial
    data/transactions,
  • enable speedy detection if and when such problems
    occur, and
  • promote effective action

16
Controls (cont.)
  • A Section 404 auditor can test the general quality
    of the controls by determining if a policy,
    procedure, or process is
  • standardized across the company
  • centrally administered
  • centrally controlled
  • repeatable

17
Key Controls
  • Generally defined in the literature as being the
    controls that are fundamental to ensuring that
    the values on the balance sheet are accurate and
    reliable
  • All monetary transactions must be initialized,
    authorized, implemented, documented, controlled,
    reported, and validated using key controls
  • Example: check that two separate systems tally
    with one another
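
The reconciliation example on this slide, as an added illustration that is not part of the original deck: two constructed transaction extracts (a billing system and a general ledger, both assumed for this example) are compared record by record rather than by totals only, so that offsetting errors cannot hide behind a matching grand total, and every discrepancy is emitted as an exception line that can be followed as an audit trail.

```python
"""Key-control reconciliation: verify two systems tally transaction by transaction.

Assumptions (constructed for this example, not taken from the slide deck):
- "billing" is an extract from an order/billing system and "ledger" an
  extract of the matching general-ledger postings.
- Each record is (transaction_id, amount_in_cents). Integer cents are used
  so floating-point rounding cannot mask or fabricate a difference.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Record = Tuple[str, int]


@dataclass(frozen=True)
class Discrepancy:
    """One exception for the audit trail."""
    txn_id: str
    kind: str                    # "amount_mismatch", "missing_in_ledger", "missing_in_billing"
    billing_cents: Optional[int]
    ledger_cents: Optional[int]


def reconcile(billing: Sequence[Record], ledger: Sequence[Record]):
    """Compare the two extracts and return (matched_count, discrepancies, net_difference_cents).

    Every transaction id present in either system is examined individually;
    a totals-only comparison would miss a record dropped from one side and an
    unrelated record of the same amount added to the other.
    """
    a, b = dict(billing), dict(ledger)
    # Duplicate ids would silently overwrite each other in the dicts; reject them.
    if len(a) != len(billing) or len(b) != len(ledger):
        raise ValueError("duplicate transaction ids in input extract")

    discrepancies: List[Discrepancy] = []
    matched = 0
    for txn_id in sorted(a.keys() | b.keys()):
        x, y = a.get(txn_id), b.get(txn_id)
        if x is None:
            discrepancies.append(Discrepancy(txn_id, "missing_in_billing", None, y))
        elif y is None:
            discrepancies.append(Discrepancy(txn_id, "missing_in_ledger", x, None))
        elif x != y:
            discrepancies.append(Discrepancy(txn_id, "amount_mismatch", x, y))
        else:
            matched += 1
    net = sum(a.values()) - sum(b.values())
    return matched, discrepancies, net


def exception_report(discrepancies: Sequence[Discrepancy]) -> List[str]:
    """Render discrepancies as fixed-format lines suitable for an audit log."""
    lines = []
    for d in discrepancies:
        b = "-" if d.billing_cents is None else f"{d.billing_cents / 100:.2f}"
        l = "-" if d.ledger_cents is None else f"{d.ledger_cents / 100:.2f}"
        lines.append(f"{d.txn_id} {d.kind:<18} billing={b:>9} ledger={l:>9}")
    return lines


# Constructed sample extracts. T002 has a transposed amount; T004 exists only
# in billing and T005 only in the ledger, with equal amounts so that the grand
# totals alone would not reveal those two errors.
BILLING: List[Record] = [("T001", 10000), ("T002", 2550), ("T003", 7500), ("T004", 1200)]
LEDGER: List[Record] = [("T001", 10000), ("T002", 2505), ("T003", 7500), ("T005", 1200)]

if __name__ == "__main__":
    matched, found, net = reconcile(BILLING, LEDGER)
    print(f"matched={matched} exceptions={len(found)} net_difference_cents={net}")
    for line in exception_report(found):
        print(line)
```

Running the block shows the point of a per-transaction control: the totals differ by only 45 cents (the transposition), while the record-level comparison also surfaces the two unmatched transactions that the totals cancel out.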

18
General Controls
  • These include
  • Physical Access and Security
  • Operational Control Processes
  • Logical Access Processes
  • Backup and Recovery
  • Disaster recovery policies
  • Service-level agreement policies
  • Application or Software development processes
  • Testing
  • Configuration and Change management

19
Preferable if Controls are Automated
  • Automation makes it more difficult for
    individuals to manipulate the control either in
    error or maliciously. The centralized automation
    of controls should include
  • Central administration of IT processes by the
    relevant MIS department
  • Centralized document version control of policies
    and procedures
  • Backup and recovery procedures using scripts,
    using clustering techniques,

20
Preferable if Controls are Automated
  • RAID, etc. as well as fault tolerant systems
  • Intrusion prevention and detection processes
    using centralized services
  • Antivirus processes using centralized software
    such as McAfee or Symantec
  • A process for managing changes to IT assets or
    objects exists and
  • documents that changes are reviewed and authorized