1 / 33

Auditing Information Systems under SOX

Auditing Information Systems under SOX . A Practical Approach at the commencement of year 3. Yigal Rechtman, CPA, CFE, CITP, CISM. Presentation Objectives. Understand the effects of SOX information technology implementation and auditing. Risk based approach to IT audits

fay
Télécharger la présentation

Auditing Information Systems under SOX

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Auditing Information Systems under SOX A Practical Approach at the commencement of year 3 Yigal Rechtman, CPA, CFE, CITP, CISM

  2. Presentation Objectives • Understand the effects of SOX information technology implementation and auditing. • Risk based approach to IT audits • Understand the usages of SAS 70 reports

  3. General Observations • Sarbanes-Oxley Act of 2002 (“SOX”) is rich with requirements that aim to strengthen corporate governance. • Three sections received immediate attention by corporate boards: • Section 302: Certification by CFO • Section 404: Attest on effectiveness of internal controls

  4. Presentation Outline • Review of SOX requirements: 404 • IT-specific issues • Integrating IT with company-wide SOX compliance • Examples in IT-controls

  5. Why did SOX Happen? • Enron, WorldCom, Tyco – all contributed to shareholder’s perception that management is fraught with fraud. • The SEC was called in to protect shareholders • Auditing standards were perceived as too limited, and so management had to take an active role in mitigating fraud

  6. What types of fraud are there? • Financial fraud: misstatement of results of operations or ending balances • Occupational fraud: theft or other types of misappropriation of assets • The Association of Certified Fraud Examiners estimates that occupational costs the average US corporation 6% of its revenues

  7. More fraud facts • Fraud lasts about 24-36 months on average • Employees who commit fraud have worked 8.2 years • 60% of fraud cases are found through anonymous hot-lines. • Continuous background checks (especially credit reports) are a good source indicating pressure to commit fraud. Source: ACFE

  8. “Internal Controls Over Financial Reporting” (ICFR) Section 404

  9. Section 404: Internal Controls • Section 404, “Management Assessment Of Internal Controls” is the most onerous of the SOX requirements, both in terms of internal work and external audit costs. • Management to report annually on their assessment of internal controls; and • External auditors to certify that the assessment is stated fairly in all material respects.

  10. Assessment of Internal Controls • Recently, the Public Company Oversight Board which carries out the enforcement of SOX issued Auditing Standard No. 5 which allows assessment to carry-forward from one year to the next • Assessment is a risk-based approach which requires management to identify key controls and test their operations.

  11. What is a key control? • SOX definitions do not define “Key control”. • Key control is an internal control that is assessed by management (or certified by external auditors) to be important enough that without which the system of internal controls breaks down. • Ultimately, it’s a judgment call

  12. IT and SOX • The recommended procedure in understanding internal control and that they were placed in operation is a “walkthrough” (AS 2/5) • How do we perform a virtual walkthrough? • Test general or application control once qualifies as a walk through, even though this could be a very weak level of assurance that the control is in place

  13. Testing Control • Testing the control at a given moment in time is Ok for paper-trail type evidence. • Electronic evidence can change values instantaneously and yet be the same evidence. • How do we resolve this inherit risk of obtaining misleading evidence?

  14. Testing IT Controls • Test over time • Perform continuous auditing; cost can be prohibitive and there is an invasiveness to client systems. • Internal auditor can assist in implementing continuous auditing. • Make the case for internal audit protocol by showing management the $$$ saved. • Queasy continuous: interim testing

  15. Case Study: System Development • Although most software comes these days in some form of pre-package, modification on the VAR-level or user-level are common. • There is a case to be made for testing SDLC if this is a risk area and the application processes or reports on material amounts

  16. SDLC Testing - General • Auditor should apply a frame work. Three frame work are commonly applied: • System Devlopment Life Cycle (SDLC) is a COBIT area which is covered by that framework. • COSO is mostly silent on IT in general, although recent COSO papers address IT specifically published in “IT Control For SOX”. • Guide to the Assessment of IT (G.A.I.T.) by the IIA is gaining traction in IT departments.

  17. Performing the work • The IT personnel need to understand risk. If they don’t the possibility of under/over auditing is significant. • Use a specialist if the IT department is overwhelmed or otherwise not capable to perform own testing • What we learned from Year 2 is that only so many controls can be considered “Key Control”

  18. What is a Key Control • SOX defines as “A key control is a control that, if it fails, means there is at least a reasonable likelihood that a material error in the financial statements would not be prevented or detected on a timely basis.” • Alternatively: “A Control that in its absence the entire set of internal control over financial reporting may as well be absent” [Yigal Rechtman, 2007]

  19. Example of a Key Control • A list of controls over system life-cycle development (SDLC) can be: • User approves SDLC event such as code change; • Code is removed from library and developed; • Code is compiled and tested • User approves testing • Code is published • User approves post-publish implementation

  20. Example (cont.) • Which of these controls are key control? • It depends on the risk tolerance of the application and the relation to a financial statement. • If the application is a critical piece of software, more than one control may be a key control • In a non-critical application, there may be no key control

  21. Example (cont.) • “User approves testing” could be considered a key control in a critical application SDLC.

  22. External Auditor • External Auditor will evaluate the design of internal controls overall and report on any design weaknesses; • External auditors will test the company assessed key controls and report on any weakness in the effectiveness of these key controls. • In the example above, such a weakness could be “user(s) do not authorize release of code to production”. • Weakness are generally for key controls.

  23. S.A.S. 70 Reports Using a service organization

  24. S.A.S. 70 • Statement of Audit Standard No. 70 is promulgated by the American Institute of Certified Public Accountants. • There are two types of SAS70 reports: • Type 1: report on the design of internal controls • Type 2: report on the design and operation effectiveness of internal controls

  25. SAS 70: Purpose • SAS 70 reports are issued by an independent auditor who reports on a service organization’s assertion about the organization’s internal controls. • For example, a payroll processing company will issue statements about their internal controls • The auditor will issue a report on the internal controls and any weaknesses found.

  26. SAS 70: Type 1 Type 1 reports only concentrate on the design of internal controls. Using the software development example, the design of the internal controls involve 4 stakeholders and 5 processes: a user (authorizing), a librarian (providing code), a developer (develops code) and a publisher who puts code in production In the following example, there is appropriate level of segregation of duties between the stakeholders that Authorize, Execute and Retain.

  27. SAS 70: Type 2 • Type 2 reports start with the operating design of internal controls and the effectiveness of that design • Auditors that provide a type 2 report also go ahead and test the effectiveness of these controls • The SAS70: type 2 report includes findings on both design and implementation.

  28. Practical Approach: SAS 70 • SAS 70 Reports can be voluminous; • A Review of all findings is a good theoretical approach… • A practical approach is to map areas that the Company has identified as key controls within its own operation and search for findings in the SAS 70 report that corresponds to these areas.

  29. Summary • SOX sec. 404 require management to take a pro-active role in implementing, assessing and reporting on internal controls. • SAS 70 are service-organization’s reports that are integrated with the SOX 404 requirements at the user-organization level.

  30. Review of Outline • Review of SOX requirements: 404 • IT-specific issues • Integrating IT with company-wide SOX compliance • Examples in IT-controls

  31. Q&A

  32. About the presenter Yigal Rechtman, CPA, CFE, CISM, CITP is a programmer since 1984, served in the Israeli communication corps from 1986 to 1989 and worked as a computer consultant since 1990 in the United States. Rechtman graduated in 1994 from New York University with a B.A. in computer science, and in 2002 with an M.S. in accounting from Pace University. Rechtman’s articles in various professional publications cover topics on fraud, information technologies, internal controls, audit and accounting. Rechtman is a director and computer specialist at Buchbinder Tunick & Co. LLP (New York, NY).

More Related