The Role of IT Audit in Financial Statements
CIS 433 – INFORMATION SYSTEMS AUDITING
Professor Dan Manson
By Kris Oey
12/2/2015
BACKGROUND
All major companies need to issue financial statements to show how the company is currently doing and what steps it must take to make its financial situation flourish. A financial statement is defined as a collection of reports about an organization’s financial results, financial condition, and cash flows; if a business plans to issue financial statements to outside users (such as investors or lenders), the financial statements should be formatted in accordance with one of the major accounting frameworks (“Financial Statements”). An external auditor then performs an audit to verify whether the financial statements in question conform to the accounting frameworks of a particular country. In the United States, one of the most important frameworks is the Sarbanes-Oxley Act of 2002; the Act mandated a number of reforms to enhance financial disclosures and combat corporate and accounting fraud (“Sarbanes-Oxley Act of 2002”). On top of that, the Act prohibits all registered public accounting firms from providing audit clients, contemporaneously with the audit, certain non-audit services, including internal audit outsourcing, financial information system design and implementation services, and expert services (Gallegos, 2005). The Act also requires publicly held companies to assess and report on the effectiveness of their internal control structure and procedures for financial reporting. Sarbanes-Oxley Section 404, Management Assessment of Internal Controls, specifically focuses on IT internal control. This particular section suggests that organizations registered as US Securities and Exchange Commission (SEC) filers annually report management’s responsibility to establish and maintain adequate internal control over financial reporting, the framework used as criteria for evaluating the effectiveness of internal control over financial reporting, and management’s assessment of the effectiveness of internal control over financial reporting, including disclosure of any material weaknesses. In addition, an organization’s independent auditors need to attest to management’s assessment of internal control over financial reporting, including IT controls reporting. Directly related to enabling management’s responsibility to maintain adequate internal control over financial reporting is the Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s Internal Control-Integrated Framework (Chaudhuri, Chaudhuri, & Davis, 2009, p.1).
EXTERNAL AUDITOR, INTERNAL AUDITOR, & COMPARISONS
Before we continue further into the importance of IT audit in financial reporting, we first have to look at the definitions of external and internal auditors and the major similarities and differences between them.
EXTERNAL AUDITOR
External auditors are independent audit professionals who audit the financial statements of a company, legal entity, or organization. They are expected to express an opinion on whether an entity’s financial statements are free of material misstatements and are a true and fair representation of its actual financial position. In addition, external auditors need to test the effectiveness of internal control over financial reporting (“Grant Thornton - Planning the External Audit”, 2015). External audits are performed for two main reasons: the company believes an outside party will be more efficient at the work, and companies are required by the government to have their reports “blessed” by these independent professionals (Wilkinson, 2013, para. 1).
INTERNAL AUDITOR
According to Davis and Schiller (2011), the internal audit function was formed by the company’s audit committee (a subset of the board of directors) to provide the committee with independent assurance that internal controls are in place and functioning effectively. Internal auditors usually report directly to the chairman of the audit committee. Another duty of internal auditors is to improve the state of internal controls at the company by promoting internal controls and by helping the company identify control weaknesses and develop cost-effective solutions for addressing those weaknesses.
EXTERNAL AUDITORS VS. INTERNAL AUDITORS
Similarities
According to Putra, both types of auditors are similar in terms of their duties. Both carry out testing routines, which may involve examining and analyzing many transactions. Both tend to be deeply involved in the organization’s systems of internal control, in particular the information system, since this is a major element of managerial control as well as being fundamental to the financial reporting process. Both are based in a professional discipline and operate to professional standards. Both are concerned with the occurrence and effect of errors and misstatements that affect the final accounts. Lastly, both produce formal audit reports on their activities.
Differences
One of the main differences between external and internal auditors is their employment status. External auditors are independent contractors; this means that they are not employees of the companies that they audit. Internal auditors, on the other hand, are employees of the companies that they audit. Putra also states that external auditors have different objectives than internal auditors. External auditors seek to test the underlying transactions that form the basis of the financial statements; they seek to provide an opinion on whether the accounts show a true and fair view. Internal auditors, on the other hand, seek to advise management on whether its major operations have sound systems of risk management and internal control; they form an opinion on the adequacy and effectiveness of those systems, many of which may fall outside the main accounting systems.
IMPORTANCE OF IT AUDIT IN FINANCIAL REPORT
Why is IT internal control important? According to Coe (2006), the explosive growth of IT capabilities and the desire of businesses to utilize technology to meet business objectives have led to a dramatic increase in the use of IT systems to originate, process, store, and communicate information. Today, employees at all levels use IT systems in their daily activities. The PCAOB emphasizes the importance of IT controls in Auditing Standard No. 2, which states that the nature and characteristics of a company’s use of information technology in its information systems affect the company’s internal control over financial reporting; the effectiveness of the controls around the applications and systems directly impacts the integrity of processing, including the data that is input into processing and the information that is ultimately reported upon completion of processing (the output) (“Guide to the Sarbanes-Oxley Act: IT Risks and Controls”, 2003, p. 4). Thus, IT audit and control are crucial to Sarbanes-Oxley compliance. In addition, meeting Sarbanes-Oxley requirements within IT can help enhance overall IT governance and increase executives’ understanding of IT and their ability to make better business decisions with higher quality and more timely information (Coe, 2006, p. 1). IT also introduces risks unique to the IT environment. Individuals develop, maintain, and have access to hardware, software, and other components of the technology environment. Unauthorized actions by these individuals can directly impact the integrity of processing and data. Therefore, relevant risks arise from technology that must be considered when evaluating internal control over financial reporting (“Guide to the Sarbanes-Oxley Act: IT Risks and Controls”, 2003, p. 4).
RULES & REGULATIONS
As mentioned in the “Background” section above, the Sarbanes-Oxley Act of 2002 is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as to improve the accuracy of corporate disclosures (Rouse, 2014). On top of that, the Act requires publicly held companies to maintain certain standards for their internal controls. In the sections below, we will delve deeper into the Sarbanes-Oxley Act and some of its provisions that have an impact on the information systems department.
THE SARBANES-OXLEY ACT OF 2002
The Sarbanes-Oxley Act of 2002 (formally known as the Public Company Accounting Reform and Investor Protection Act) was a response from the U.S. government to a rash of notorious corporate scandals that began with Enron and Arthur Andersen, followed closely by Tyco, Adelphia Communications, WorldCom, HealthSouth, and many others. The Act and the Public Company Accounting Oversight Board (PCAOB) were created to restore investor confidence in U.S. public markets. The primary goal was to enhance corporate responsibility, enhance financial disclosures, and deter corporate and accounting fraud. As such, the controls required for compliance with SOX focus on key controls essential to ensuring the confidentiality, integrity, and availability of financial data (Davis & Schiller, 2011, p. 417).
On top of the disclosures, adjustments to the Act during 2005-2006 extended companies’ responsibility to have adequate internal controls for all areas with any impact on financial transactions and reporting. SOX requires company executives to attest to the adequacy and effectiveness of their internal controls related to financial transactions and reporting, including IT controls. These controls must be audited externally, and a statement of control must be included in the annual corporate report filed with the Securities and Exchange Commission (SEC). Consequently, corporate CEOs and CFOs are now being held accountable for the quality and integrity of information generated by their company’s applications and communications, as well as the infrastructure that supports those applications (Davis & Schiller, 2011, p.417).
PROVISIONS OF SOX ACT FOR INFORMATION SYSTEMS
Section 302
Section 302 pertains to ‘Corporate Responsibility for Financial Reports’, which specifies the legal responsibilities of the company’s CEO and CFO; management is responsible for all internal controls and for reporting quarterly on any significant changes to internal controls that could affect the company’s financial statements (Davis & Schiller, 2011, p. 418). They then need to sign off on financial statement fairness and internal control effectiveness (Tim, 2004, para. 2). With regard to internal controls, this means that management must have knowledge of the design and have evaluated the effectiveness of all internal controls, including IT controls, and that these controls ensure that complete and accurate information is reported to them. Significant changes to disclosure controls and any deficiencies, weaknesses, or fraudulent acts that may compromise the accuracy of reporting must be disclosed. Section 302 also defines the external auditor’s role over financial reporting. The external auditor re-evaluates internal controls to determine whether modifications need to be made for accuracy and compliance. The external auditor must attest that he or she has reviewed management’s assessment of internal controls and has approved the process and evaluation of that assessment (Davis & Schiller, 2011, p. 419). This section does not mandate any specific internal disclosure controls or procedures. Each public company is given the flexibility to adopt procedures that best suit its corporate infrastructure. However, the Section 302 Certification Release indicates that a company’s internal disclosure controls and procedures should cover a broader range of information than is covered by a company’s internal controls related to financial reporting. The Section 302 Certification does not require either a CEO or CFO to separately inquire into information not known to him or her as a prerequisite for giving the Section 302 Certification. However, the Section does recognize that a CEO’s and CFO’s review must be a critical one; this means that the review would have to include certain inquiries where appropriate, such as questioning disclosures that they do not understand, or questioning the materiality of information known to them. A CEO and CFO will have to rely on the information provided to them by other members of management and their subordinates. In that regard, the Section 302 Certification Release recommends that a company create a committee, reporting to management, with responsibility for considering the materiality of information and for designing, establishing, maintaining, and reviewing the disclosure obligations on a timely basis (“SEC Requires CEO and CFO Certification of Quarterly and Annual Reports”, 2002).
Section 404
Under Section 404, “Management Assessment of Internal Control”, the CEO and CFO attest that internal controls are in place, documented, and effective. The management assessment contains four parts: a statement of management’s responsibility for the existence and rigidity of internal controls, an evaluation of the effectiveness of internal controls, a statement of the framework used to evaluate the effectiveness of controls, and a separate attestation by the company’s external auditor that management’s statement concerning the effectiveness of internal controls is accurate (Davis & Schiller, 2011, p. 419). This section has the potential of being the single most important aspect of the Sarbanes-Oxley Act; its objective is to provide comfort and assurance that a process exists to enable accurate, reliable financial reporting for the investor (Chan, Lee, & Seow, 2008). Internal control, in this context, is defined as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations (“Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements”, 2015, p. 7). How can a company design and maintain effective internal controls? The SEC does not provide companies with specific rules; however, it recognizes guidance from other sources, such as the internal control framework set out by a private sector organization called the Committee of Sponsoring Organizations of the Treadway Commission. COSO published two of the best-known guidelines for internal controls: Internal Control-Integrated Framework in 1992 and Enterprise Risk Management – Integrated Framework in 2004. Other useful guidelines for internal controls are Control Objectives for Information and Related Technology (COBIT), IT Infrastructure Library (ITIL), ISO 27001, and to some degree, the NSA INFOSEC Assessment Methodology.
Section 409
Davis and Schiller (2011), in their book, state that Section 409, widely known as “Real Time Issuer Disclosures”, requires that the CEO and CFO ensure rapid and current public disclosure of any material event that could affect the company’s financial or operational performance. Material events could include any type of company restructuring, changes in key personnel or their duties, budget overruns on IT projects, and stock sales by corporate officers. It may even be necessary to disclose a major new financial or operational application that is determined to “not work”. According to Cunningham (2005), some of the operational risks in IT systems that can be considered material include major or extended system outages that jeopardize the company’s operations, loss of critical data, security breaches where personal information is stolen, Intellectual Property and Digital Rights Management issues, and major computer virus and worm attacks. Rapid and current disclosure essentially requires near real-time reporting. The disclosure includes trend and qualitative information and graphic presentations. If an event happens that causes material changes to the financial or operational position of an organization, then this event must be reflected within 48 hours in a form that can be understood by the public stakeholders and potential new investors of the organization (“The Effects of Section 409 of the Sarbanes-Oxley Act of 2002 on the Integration of Financial Data”, 2005, para. 4). With current technology, this section is probably the easiest condition to follow. Companies are able to disclose any major events through their websites. There are also many product solutions that help organizations meet SOX Section 409 compliance.
Section 802
Section 802, “Penalties for Altering Documents”, mandates the protection and retention of financial audit records (Beaver, 2004, para. 1). The section contains three rules that affect the management of electronic records. The first rule deals with the destruction, alteration, or falsification of records, and the resulting penalties. The second rule defines the retention period for records storage. Best practices indicate that corporations securely store all business records using the same guidelines set for public accountants. The third rule refers to the types of business records that need to be stored, including all business records and communications, including electronic communications (Rouse, 2014, para. 4). These records include the company’s e-mail, e-mail attachments, and documents retained on computers, servers, auxiliary drives, e-data, websites, as well as hard copies of all company records. Since e-mail is considered a business record, there are four key components that the company must follow: e-mail must be tamper-proof, which means that it must be password protected, read-only and non-deletable, encrypted and digitally signed; e-mail must exist in a closed system both on- and off-line; e-mail must follow the defined policies of the business, such as how it is archived, what the retention period for the content is, and how e-mail is protected; e-mail must provide auditability of access and movement; and e-mail must be fully indexed and provide full search capability (Balovich, 2007, para. 6).
Section 906
Section 906, “Corporate Responsibility for Financial Reports”, addresses criminal penalties for certifying a misleading or fraudulent financial report (“Section 906: Corporate Responsibility for Financial Reports”, para. 1). Section 906 consists of three parts. The first is that every periodic report with financial information must be accompanied by a written statement by the CEO and CFO. The second part specifies that the content of this report fairly represents the financial condition of the company. The last part lays out the fines and imprisonment penalties for either knowingly or unknowingly submitting a false statement. It also sets criminal penalties for failure of corporate officers to certify financial reports in a timely manner (Davis & Schiller, 2011, p. 420). Section 906 overlaps significantly with Section 302. The difference is that a Section 302 certification is subject to civil enforcement by the Commission, whereas a fraudulent Section 906 certification carries criminal penalties enforceable by the Department of Justice. The comprehensive evaluations and assessments required of the certifying officers under Section 302 should also enable these officers to sign the certification required by Section 906 (“Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements – Frequently Asked Questions Regarding Section 404”, 2015).
OTHER REGULATIONS IN IT AUDIT
Public Company Accounting Oversight Board – Auditing Standard No. 2
The Public Company Accounting Oversight Board (PCAOB) is a private sector, nonprofit corporation created by the Sarbanes-Oxley Act of 2002 to oversee accounting professionals who provide independent audit reports for publicly traded companies (“Public Company Accounting Oversight Board (PCAOB)”, 2013, para. 1). On March 9, 2004, the PCAOB approved Auditing Standard No. 2, “An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements”, which establishes the requirements for performing an audit of internal control over financial reporting and provides some important direction on the scope and approach required of corporate management and external auditors. It also provides guidance on the controls that should be considered, including program development, program changes, computer operations, and access to programs and data. PCAOB Auditing Standard No. 2 specifically addresses the financial reporting controls that should be in place for a period before the attestation date and the controls that may operate after the attestation date (Davis & Schiller, 2011, p. 419). In short, this standard is an extension of SOX Section 404.
Public Company Accounting Oversight Board – Auditing Standard No. 5
On May 24, 2007, the PCAOB issued Auditing Standard No. 5, “An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements”. This standard supersedes PCAOB Auditing Standard No. 2; the reason for the replacement is that the costs of compliance with Auditing Standard No. 2 had been significant. Auditing Standard No. 5 is intended to improve the efficiency of the audit of internal control over financial reporting without reducing its effectiveness, by focusing the auditor on the most important matters. Although Auditing Standard No. 5 supersedes Auditing Standard No. 2, it retains most of the core concepts included in the earlier standard. The key changes in Auditing Standard No. 5 include: emphasis on a top-down, risk-based approach to evaluating and testing controls, including evaluation of fraud risk and anti-fraud controls; more reliance on entity-level controls before testing controls specific to objectives at the transaction, account balance, or presentation and disclosure level; focus on understanding and testing controls related to risks threatening significant accounts and disclosures, to ensure the auditor is addressing accounts or disclosures where there is significant risk; greater ability of auditors to rely on the work of others; changes in the definitions of material weakness and significant deficiency; and simplification of the auditor’s opinion by eliminating the report on management’s assessment of internal control (Arens, Elder, & Beasley, 2007).
Statement on Auditing Standards No. 70
Many companies use outside service organizations to process financial data; these third-party service organizations need to have strong controls in place. The companies would also need to understand the level of controls surrounding their third-party service providers. These controls should ensure that the roles and responsibilities of third parties are clearly defined, adhered to, and continue to satisfy requirements. Control measures are aimed at reviewing and monitoring existing contracts and procedures for their effectiveness and compliance with organization policy (Davis and Schiller, 2011, p. 421). Moreover, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. This is where Statement on Auditing Standards (SAS) No. 70 comes into play; a service auditor’s examination performed in accordance with Statement on Auditing Standards No. 70 (also commonly referred to as a “SAS 70 Audit”) represents that a service organization has been through an in-depth examination of its control objectives and control activities, which often include controls over information technology and related processes. In short, SAS No. 70 is the authoritative guidance that allowed service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format (“SAS 70 Overview”, 2015).
Statements on Standards for Attestation Engagements No. 16
The Statements on Standards for Attestation Engagements No. 16 (SSAE No. 16), “Reporting on Controls at a Service Organization”, supersedes SAS No. 70. SSAE No. 16 was drafted and issued with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard (“SSAE 16 Overview”). One of the key changes is that management of the service organization must provide a written assertion regarding the effectiveness of controls, which is now included in the final service auditor’s report (“What are SSAE 16 and ISAE 3402? What happened to SAS 70?”).
Statement on Auditing Standards No. 80
Statement on Auditing Standards No. 80, “Evidential Matter”, is designed to help the auditor focus more on electronic evidence. The standard provides guidance to auditors in handling engagements in an electronic world. It was created because entities of any size use information technology or hold information in electronic form (“SAS no. 80”, 1996).
Statement on Auditing Standards No. 94
Statement on Auditing Standards No. 94, “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”, provides guidance on the effect of IT on internal control and on the auditor’s understanding of internal control and assessment of control risk. Some of the important aspects of this standard are: how IT affects internal control, the auditor’s consideration of IT, the types of IT controls that are important to the audit, the auditor’s use of individuals with specialized skills, and the auditor’s understanding of the financial reporting process (Tucker, 2001, para. 2). The standard recognizes that companies have become dependent on technology for processing, storing, and communicating information. Electronic records have replaced traditional paper documents. One of the important concepts of the standard is that control standards must correspond to the increased volume and complexity of transactions (Porter, 2001, para. 2). Note that the presence of an IT auditor on the engagement team does not free the financial auditor from responsibility for assessing the adequacy of IT controls (O’Donnell & Rechtman, 2005, para. 10).
Statement on Auditing Standards No. 99
Statement on Auditing Standards No. 99, “Consideration of Fraud in a Financial Statement”, emphasizes the decisive steps that need to be taken by external auditors in combating fraud. Opportunities to carry out fraud can arise from significant related-party transactions outside the normal course of business; financial statements that include many significant accounting estimates, subjective judgments, and/or uncertainties; and significant, unusual, or complex transactions. All of these could be avoided when effective internal control is in place, in particular the organization’s IT control (Casabona & Grego, 2003, para. 8).
ISSUES THAT ARISE FROM REGULATIONS
COST
The major issue concerning these newly established regulations is cost. The cost has put an extra burden on companies. Many companies, in fact, rejected the regulations during their implementation. Management feels the need to pressure internal and external auditors to contain their costs, as they do not want to be seen as making an exception for the functions for which they are responsible. However, if auditors are to be effective, they must have the resources necessary to do their jobs. In theory, the audit committee usually approves the internal audit budget, but few chief audit executives are able to overcome objections from either the CFO or CEO to increasing the cost of IT audit when those executives are trying to improve overall corporate profits (Gallegos, 2005). Another cost-related issue is changing priorities. An unintended consequence of corporate governance reform is the diversion of internal audit resources and the change of priorities to support Sarbanes-Oxley Section 404; too many chief audit executives have the added responsibility of managing Section 404, diluting their attention and dedicating a large part of their staff to Section 404 at the expense of other risk areas (Gallegos, 2005).
INCOMPLETE
SOX became law in July 2002, just before Congress’s summer recess, and not long before the November 2002 Congressional elections. Congress passed SOX quickly; the last-minute rush meant that SOX was not as well written as might be hoped for such significant legislation. For instance, it is likely that, given more time, the Section 302 and Section 906 certifications would have become a single certification. The term “internal controls” is used a lot in SOX, and also elsewhere in the U.S. securities laws, and at times the expression seems to have conflicting meanings. So the SEC came up with a separate term, “disclosure controls and procedures”. Unfortunately, there is not much guidance as to what the term means. The definition provided in the SEC rules is relatively generic, and is broadly similar to the definition of “internal controls” set forth in Statement on Standards for Attestation Engagements No. 10, published by the American Institute of Certified Public Accountants, which applies only to financial data. However, the rules essentially expand the universe of information for which controls must be implemented from financial data only to all information required to be submitted to the SEC under the 1934 Act. The rules define disclosure controls and procedures as “controls and other procedures of an issuer designed to ensure that information required to be disclosed by the issuer in the reports it files or submits under the [1934] Act is recorded, processed, summarized and reported, within the time periods specified in the [SEC's] rules and forms…[and] include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the [1934] Act is accumulated and communicated to the issuer's management, including its principal executive officer or officers and principal financial officer or officers, or persons performing similar functions, as appropriate to allow timely decisions regarding required disclosure.” So, while many companies may already have similar controls in place for financial data, these procedures will need to be expanded to cover other information as well (“The Sarbanes-Oxley Act of 2002, Section 302: What are good disclosure controls and procedures?”).
MAINTAINING STATUS QUO
Some companies may assert that they can comply with the certification requirements while maintaining the status quo, on the basis that the processes and controls they have always had in place have been performing, and are continuing to perform, effectively. In effect, the certifying officers place trust in the people of the organization to do what’s right and get the job done. While there is nothing wrong with trusting people, a status quo approach may not always be appropriate. In this environment, it could be criticized as non-responsive, and it does not provide sufficient concrete evidence to outsiders if something goes wrong. The certifying officers should realize that when they sign their certifications, they are representing that they possess or have access to the collective knowledge of the company regarding any and all information that is material to investors. The days of ad hoc disclosure activities are over. What is needed is a more formal process. That is why companies need to take a fresh look at their processes and controls to ensure that they are effective in capturing material information timely, reliably, and completely (“Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements”, 2015, p. 15).
RELYING ON EXTERNAL AUDITORS
While the work of external auditors provides another checkpoint for management, it should not be the
basis for management’s evaluation. The external auditors’ responsibility is limited to reviewing the
company’s internal controls over financial reporting. However, management’s responsibility to evaluate
disclosure controls and procedures is broader. Some certifying officers may assert that they can rely on
the external auditor when formulating their assertions that the internal controls are well designed and
operating effectively. However, this is not the primary role and responsibility of the external auditor.
Management has the primary responsibility to design and evaluate the effectiveness of disclosure
controls and procedures, while the external auditors have the responsibility to assess and (if they choose
to rely upon the controls) test the adequacy of the controls and procedures for purposes of establishing
the scope of the external audit. When the SEC issues its guidance on Section 404 of Sarbanes-Oxley, the
independent auditor will also be required to issue an opinion that attests to and reports on
management’s assertion in the internal controls report that the internal controls over financial reporting
are operating effectively. This assertion is one that management must support with appropriate
documentation. Because the external auditor will rely on management’s supporting documentation, it
would be circuitous logic for the external auditor’s work to be the basis for management’s assertions
(“Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements”,
2015).
SKILLS AND TRAINING
The last issue that might arise from the regulations is the skills and training of the auditors,
management, and IT personnel. External auditors, in general, lack the basic “know-how” needed to
understand the information system of a company. Although external auditors can use external IT
experts in determining the strength of IT controls, according to Statement on Auditing Standards No. 94,
the presence of an IT auditor on the engagement team does not free the financial auditor from
responsibility for assessing the adequacy of IT controls. Even from inside the company’s own
organization, the CEO and CFO might not understand the in-depth concept of IT internal control. Section
302 was created to minimize the risk of this issue; however, with many other complications that the
management has to face, IT control would become less of a priority. On the other hand, internal IT
personnel might lack the knowledge needed to understand the SOX requirements for internal control.
They might not see the need for certain controls to be applied to the IT process and application;
however, those controls might become important in later periods of the business’s life. In addition, all of these
persons of interest need to keep their knowledge and skills up to date on any new risks and issues in the
technologies used by the business. The rate of technology advancement is increasing; if these persons
do not have the same level of understanding of this technology, internal controls would be jeopardized.
CONCLUSION
Although there are several issues concerning the Sarbanes-Oxley Act, the internal control regulations are
very important in maintaining the integrity and effectiveness of the internal control of the corporation.
Investors and lenders can depend not only on the financial statements of the company; they can also
have assurance that the company is doing its best to avoid future risks. It might take time and money to
implement these standards; however, once the system is up and running, the company itself can feel
the benefit.
REFERENCES
Arens, A., Elder, R., & Beasley, M. (2007). Overview of PCAOB Auditing Standard No. 5, An Audit of
Internal Control Over Financial Reporting that is Integrated with an Audit of Financial
Statements. In Auditing and Assurance Services: An Integrated Approach (12th ed., global ed.).
Boston, MA: Pearson.
Balovich, D. (2007). Sarbanes-Oxley Document Retention and Best Practices. Retrieved November 29,
2015, from http://www.creditworthy.com/3jm/articles/cw90507.html
Beaver, K. (2014). Key Points of Sarbanes-Oxley. Retrieved November 28, 2015, from
http://searchsecurity.techtarget.com/news/1012393/Key-points-of-Sarbanes-Oxley
Casabona, P., & Grego, M. (2003). SAS 99. Retrieved November 28, 2015, from
http://www.cwu.edu/~atkinsom/sas_99.htm
Chan, K., Lee, P., & Seow, G. (2008). Why Did Management and Auditors Fail to Identify Ineffective
Internal Controls in Their Initial SOX 404 Review? Retrieved November 27, 2015, from
http://search.proquest.com.proxy.library.cpp.edu/docview/215633309?accountid=10357
Chaudhuri, A., Chaudhuri, D., & Davis, R. (2009). Managing Sarbanes-Oxley Section 404 Compliance in
ERP Systems Using Information Security Control Reports. Retrieved November 27, 2015, from
http://www.isaca.org/Journal/archives/2009/Volume-6/Documents/0906-online-managesox.pdf
Coe, M. (2006). SAS 70 for Sarbanes-Oxley Compliance. Retrieved November 27, 2015, from
http://www.isaca.org/Journal/archives/2006/Volume-5/Pages/SAS-70-for-Sarbanes-OxleyCompliance1.aspx
Cunningham, M. (2005, September 23). Meeting Sarbanes-Oxley Section 409 Requirements. Retrieved
November 27, 2015, from http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=842
Davis, C., & Schiller, M. (2011). IT Auditing Using Controls to Protect Information Assets (2nd ed.). New
York: McGraw-Hill.
Financial Statements Definition – AccountingTools. (n.d.). Retrieved November 27, 2015, from
http://www.accountingtools.com/definition-financial-statemen
Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements.
(2015). Retrieved November 27, 2015, from http://www.protiviti.com/en-US/Documents/Resource-Guides/SarbanesOxleyFAQs.pdf
Gallegos, F. (2005). IT Audit Basics: “Sarbanes-Oxley Status”. Retrieved November 27, 2015, from
http://www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IT-Audit-Basics/Pages/ITAudit-Basics-Sarbanes-Oxley-Status-.aspx
Grant Thornton - Planning the External Audit. (2015). Retrieved November 27, 2015, from
http://www.grantthornton.com/~/media/content-page-files/audit/pdfs/ACH-guides/ACHGuides-Planning-External-Audit-WEB1.ashx
Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements – Frequently Asked
Questions Regarding Section 404. (2015). Retrieved November 28, 2015, from
http://www.protiviti.com/en-US/Documents/ResourceGuides/Protiviti_Section_404_FAQ_Guide.pdf
Guide to the Sarbanes-Oxley Act: IT Risks and Controls – Frequently Asked Questions. (2003). Retrieved
November 28, 2015, from http://www.protiviti.com/en-US/Documents/ResourceGuides/ProtivitiSOA_ITRiskControls.pdf
O’Donnell, J., & Rechtman, Y. (2005). Navigating the Standards for Information Technology Controls.
Retrieved November 28, 2015, from
http://archives.cpajournal.com/2005/705/essentials/p64.htm
Porter, G. (2001). SAS No. 94: New Standards on Technology and Internal Control. Retrieved November
28, 2015, from http://www.garyportercpa.com/index.php/books/audit-articles/127-sas-no-94new-standards-on-technology-and-internal-control
Public Company Accounting Oversight Board (PCAOB). (2013). Retrieved November 28, 2015, from
http://www.sec.gov/answers/pcaob.htm
Putra, L. (n.d.). Difference and Similarities of Internal Auditor Vs. External Auditor. Retrieved November
27, 2015, from http://accounting-financial-tax.com/2008/08/differences-and-similarities-ofinternal-auditor-v-external-auditor/
Rouse, M. (2014). What is Sarbanes-Oxley Act (SOX)? Retrieved November 27, 2015, from
http://searchcio.techtarget.com/definition/Sarbanes-Oxley-Act
Sarbanes-Oxley Act of 2002. (n.d.). Retrieved November 27, 2015, from
http://www.sec.gov/about/laws.shtml#sox2002
SAS 70 Overview. (2015). Retrieved November 28, 2015, from http://sas70.com/sas70_overview.html
SAS no. 80. (1996). Retrieved November 28, 2015, from
http://www.journalofaccountancy.com/issues/1997/jan/sas80.html
SEC Requires CEO and CFO Certification of Quarterly and Annual Reports. (2002, September 4).
Retrieved November 27, 2015, from
http://www.mofo.com/resources/publications/2002/09/sec-requires-ceo-and-cfo-certificationof-quarte__
Section 906: Corporate Responsibility for Financial Reports. (n.d.). Retrieved November 28, 2015, from
http://www.sarbanes-oxley-101.com/SOX-906.htm
SSAE 16 Overview. (n.d.). Retrieved November 28, 2015, from
http://sas70.com/FAQRetrieve.aspx?ID=33300
The Effects of Section 409 of the Sarbanes-Oxley Act of 2002 on the Integration of Financial Data. (2005,
July 29). Retrieved November 27, 2015, from http://it.toolbox.com/blogs/financial-data/theeffects-of-section-409-of-the-sarbanesoxley-act-of-2002-on-the-integration-of-financial-data5184
The Sarbanes-Oxley Act of 2002, Section 302: What are good disclosure controls and procedures? (n.d.).
Retrieved November 28, 2015, from
http://www.irglobalrankings.com/irgr2010/web/arquivos/SarbanesOxley_Act_2002.pdf
Tim, L. (2004, May 25). Distilling SOX 302, 404 & 906 | Compliance Week. Retrieved November 27, 2015,
from https://www.complianceweek.com/news/opinion/distilling-sox-302-404-906#.VlijnFirRdg
Tucker, G. (2001, August 31). IT and the Audit. Retrieved November 28, 2015, from
http://www.journalofaccountancy.com/issues/2001/sep/itandtheaudit.html
What are SSAE 16 and ISAE 3402? What happened to SAS 70? (n.d.). Retrieved November 28, 2015, from
http://sas70.com/FAQRetrieve.aspx?ID=33300
Wilkinson, J. (2013, July 23). External Audit Definition – The Strategic CFO. Retrieved November 27,
2015, from http://strategiccfo.com/wikicfo/external-audit-definito/