auditing information systems under sox l.
Skip this Video
Loading SlideShow in 5 Seconds..
Auditing Information Systems under SOX PowerPoint Presentation
Download Presentation
Auditing Information Systems under SOX

Loading in 2 Seconds...

play fullscreen
1 / 33

Auditing Information Systems under SOX - PowerPoint PPT Presentation

  • Uploaded on

Auditing Information Systems under SOX . A Practical Approach at the commencement of year 3. Yigal Rechtman, CPA, CFE, CITP, CISM. Presentation Objectives. Understand the effects of SOX information technology implementation and auditing. Risk based approach to IT audits

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Auditing Information Systems under SOX' - fay

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
auditing information systems under sox

Auditing Information Systems under SOX

A Practical Approach at the commencement of year 3

Yigal Rechtman, CPA, CFE, CITP, CISM

presentation objectives
Presentation Objectives
  • Understand the effects of SOX information technology implementation and auditing.
  • Risk based approach to IT audits
  • Understand the usages of SAS 70 reports
general observations
General Observations
  • Sarbanes-Oxley Act of 2002 (“SOX”) is rich with requirements that aim to strengthen corporate governance.
  • Three sections received immediate attention by corporate boards:
    • Section 302: Certification by CFO
    • Section 404: Attest on effectiveness of internal controls
presentation outline
Presentation Outline
  • Review of SOX requirements: 404
  • IT-specific issues
  • Integrating IT with company-wide SOX compliance
  • Examples in IT-controls
why did sox happen
Why did SOX Happen?
  • Enron, WorldCom, Tyco – all contributed to shareholder’s perception that management is fraught with fraud.
  • The SEC was called in to protect shareholders
  • Auditing standards were perceived as too limited, and so management had to take an active role in mitigating fraud
what types of fraud are there
What types of fraud are there?
  • Financial fraud: misstatement of results of operations or ending balances
  • Occupational fraud: theft or other types of misappropriation of assets
  • The Association of Certified Fraud Examiners estimates that occupational costs the average US corporation 6% of its revenues
more fraud facts
More fraud facts
  • Fraud lasts about 24-36 months on average
  • Employees who commit fraud have worked 8.2 years
  • 60% of fraud cases are found through anonymous hot-lines.
  • Continuous background checks (especially credit reports) are a good source indicating pressure to commit fraud.

Source: ACFE

section 404 internal controls
Section 404: Internal Controls
  • Section 404, “Management Assessment Of Internal Controls” is the most onerous of the SOX requirements, both in terms of internal work and external audit costs.
  • Management to report annually on their assessment of internal controls; and
  • External auditors to certify that the assessment is stated fairly in all material respects.
assessment of internal controls
Assessment of Internal Controls
  • Recently, the Public Company Oversight Board which carries out the enforcement of SOX issued Auditing Standard No. 5 which allows assessment to carry-forward from one year to the next
  • Assessment is a risk-based approach which requires management to identify key controls and test their operations.
what is a key control
What is a key control?
  • SOX definitions do not define “Key control”.
  • Key control is an internal control that is assessed by management (or certified by external auditors) to be important enough that without which the system of internal controls breaks down.
  • Ultimately, it’s a judgment call
it and sox
IT and SOX
  • The recommended procedure in understanding internal control and that they were placed in operation is a “walkthrough” (AS 2/5)
  • How do we perform a virtual walkthrough?
  • Test general or application control once qualifies as a walk through, even though this could be a very weak level of assurance that the control is in place
testing control
Testing Control
  • Testing the control at a given moment in time is Ok for paper-trail type evidence.
  • Electronic evidence can change values instantaneously and yet be the same evidence.
  • How do we resolve this inherit risk of obtaining misleading evidence?
testing it controls
Testing IT Controls
  • Test over time
    • Perform continuous auditing; cost can be prohibitive and there is an invasiveness to client systems.
    • Internal auditor can assist in implementing continuous auditing.
    • Make the case for internal audit protocol by showing management the $$$ saved.
  • Queasy continuous: interim testing
case study system development
Case Study: System Development
  • Although most software comes these days in some form of pre-package, modification on the VAR-level or user-level are common.
  • There is a case to be made for testing SDLC if this is a risk area and the application processes or reports on material amounts
sdlc testing general
SDLC Testing - General
  • Auditor should apply a frame work. Three frame work are commonly applied:
    • System Devlopment Life Cycle (SDLC) is a COBIT area which is covered by that framework.
    • COSO is mostly silent on IT in general, although recent COSO papers address IT specifically published in “IT Control For SOX”.
    • Guide to the Assessment of IT (G.A.I.T.) by the IIA is gaining traction in IT departments.
performing the work
Performing the work
  • The IT personnel need to understand risk. If they don’t the possibility of under/over auditing is significant.
  • Use a specialist if the IT department is overwhelmed or otherwise not capable to perform own testing
  • What we learned from Year 2 is that only so many controls can be considered “Key Control”
what is a key control18
What is a Key Control
  • SOX defines as “A key control is a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis.”
  • Alternatively: “A Control that in its absence the entire set of internal control over financial reporting may as well be absent” [Yigal Rechtman, 2007]
example of a key control
Example of a Key Control
  • A list of controls over system life-cycle development (SDLC) can be:
    • User approves SDLC event such as code change;
    • Code is removed from library and developed;
    • Code is compiled and tested
    • User approves testing
    • Code is published
    • User approves post-publish implementation
example cont
Example (cont.)
  • Which of these controls are key control?
  • It depends on the risk tolerance of the application and the relation to a financial statement.
  • If the application is a critical piece of software, more than one control may be a key control
  • In a non-critical application, there may be no key control
example cont21
Example (cont.)
  • “User approves testing” could be considered a key control in a critical application SDLC.
external auditor
External Auditor
  • External Auditor will evaluate the design of internal controls overall and report on any design weaknesses;
  • External auditors will test the company assessed key controls and report on any weakness in the effectiveness of these key controls.
  • In the example above, such a weakness could be “user(s) do not authorize release of code to production”.
  • Weakness are generally for key controls.
s a s 70 reports

S.A.S. 70 Reports

Using a service organization

s a s 70
S.A.S. 70
  • Statement of Audit Standard No. 70 is promulgated by the American Institute of Certified Public Accountants.
  • There are two types of SAS70 reports:
    • Type 1: report on the design of internal controls
    • Type 2: report on the design and operation effectiveness of internal controls
sas 70 purpose
SAS 70: Purpose
  • SAS 70 reports are issued by an independent auditor who reports on a service organization’s assertion about the organization’s internal controls.
  • For example, a payroll processing company will issue statements about their internal controls
  • The auditor will issue a report on the internal controls and any weaknesses found.
sas 70 type 1
SAS 70: Type 1

Type 1 reports only concentrate on the design of internal controls.

Using the software development example, the design of the internal controls involve 4 stakeholders and 5 processes: a user (authorizing), a librarian (providing code), a developer (develops code) and a publisher who puts code in production

In the following example, there is appropriate level of segregation of duties between the stakeholders that Authorize, Execute and Retain.

sas 70 type 2
SAS 70: Type 2
  • Type 2 reports start with the operating design of internal controls and the effectiveness of that design
  • Auditors that provide a type 2 report also go ahead and test the effectiveness of these controls
  • The SAS70: type 2 report includes findings on both design and implementation.
practical approach sas 70
Practical Approach: SAS 70
  • SAS 70 Reports can be voluminous;
  • A Review of all findings is a good theoretical approach…
  • A practical approach is to map areas that the Company has identified as key controls within its own operation and search for findings in the SAS 70 report that corresponds to these areas.
  • SOX sec. 404 require management to take a pro-active role in implementing, assessing and reporting on internal controls.
  • SAS 70 are service-organization’s reports that are integrated with the SOX 404 requirements at the user-organization level.
review of outline
Review of Outline
  • Review of SOX requirements: 404
  • IT-specific issues
  • Integrating IT with company-wide SOX compliance
  • Examples in IT-controls
about the presenter
About the presenter

Yigal Rechtman, CPA, CFE, CISM, CITP is a programmer since 1984, served in the Israeli communication corps from 1986 to 1989 and worked as a computer consultant since 1990 in the United States. Rechtman graduated in 1994 from New York University with a B.A. in computer science, and in 2002 with an M.S. in accounting from Pace University. Rechtman’s articles in various professional publications cover topics on fraud, information technologies, internal controls, audit and accounting. Rechtman is a director and computer specialist at Buchbinder Tunick & Co. LLP (New York, NY).