“Impact of Computer-Assisted Audit Techniques on Sarbanes-Oxley Act Sections 404 and 409”
Scarlett Choi
ACC 626

INTRODUCTION

In order to restore investors’ declining confidence in the capital markets due to a series of highly publicized fraudulent activities by corporations and alleged audit failures, the Sarbanes-Oxley Act (the “Act”) was passed into law in July 2002. The Act significantly expanded the rules for corporate governance, disclosure, and reporting by highlighting the responsibilities of corporate executives and directors, lawyers, and accountants. Moreover, it created a broad oversight regime for auditors of public companies and emphasized the critical role of internal control over financial reporting (ICFR), which is a “process designed and maintained by management to provide reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements for external purposes with GAAP”. The purpose of implementing such controls is to support the integrity and reliability of the company’s external financial reporting processes.1

With the increasing use of sophisticated and complex information technology (IT) at all levels of corporations, auditors encounter many firms whose financial reporting processes are wholly dependent on IT systems. Hence, auditors must determine how the firm uses its IT systems to initiate, record, process, and report transactions or other financial data.
This understanding is necessary to plan the audit and to determine the nature, timing and extent of tests to be performed to gain a sufficient understanding of internal controls.2

In light of the implementation of the Act and the increasing demand on auditors to make the audit more effective and efficient, major initiatives have been put in place toward the development and proliferation of computer-assisted audit tools and techniques (CAAT).3 This report focuses on the two key provisions of the Act that are associated with IT: Section 404 – “Enhanced Financial Disclosures, Management Assessment of Internal Control” and Section 409 – “Real Time Issuer Disclosures”. It delves into the specifics of CAAT and explores the background of the two key provisions. The report serves to determine the role and the implications of CAAT with the implementation of the Act, and to outline the most prominent type of CAAT that is available to comply with the provisions.

1 Deloitte & Touche, Ernst & Young, KPMG, PricewaterhouseCoopers. “Perspectives on Internal Control Reporting – A Resource of Financial Market Participants.” AICPA. December 2004.
2 Cerullo, Michael J. and Cerullo, M. Virginia. “Impact of SAS No. 94 on Computer Audit Techniques.” Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June 2008.
3 Braun, Robert L. and Davis, Harold E. “Computer-assisted audit tools and techniques: analysis and perspectives.” Managerial Auditing Journal. 18.9 (2003): 725-732. ProQuest. University of Waterloo Lib. 14 June 2008.

COMPUTER-ASSISTED AUDIT TECHNIQUES

While CAAT are any technology that is used to assist in the completion of an audit, they can be more specifically defined as “tools and techniques used to directly examine the internal logic of an application as well as to draw indirect inferences upon an application's logic by examining the data processed by the application”4.
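The two halves of this definition, shown as an added example that is not part of the original report: auditor-prepared test cases run through an application's logic (direct examination), and an analysis of records the application has already processed (indirect inference). The posting routine, approval limit, field names and records are all constructed for illustration.

```python
"""Direct examination vs. indirect inference, on constructed data."""
from collections import Counter
from decimal import Decimal

# Assumed policy: a payment at or above this amount needs a second,
# independent approver. The figure is hypothetical.
APPROVAL_LIMIT = Decimal("10000")


def client_post_payment(txn):
    """Stand-in for the client's posting routine (hypothetical).

    Returns "POSTED" or "REJECTED". It carries a boundary defect on
    purpose: it tests `>` where the assumed policy says "at or above".
    """
    amount = Decimal(txn["amount"])
    if amount <= 0:
        return "REJECTED"
    if amount > APPROVAL_LIMIT:  # defect: policy requires >=
        approver = txn.get("approver")
        if not approver or approver == txn["preparer"]:
            return "REJECTED"
    return "POSTED"


# Direct examination: auditor-prepared inputs paired with the outcome
# that the policy requires, including the boundary and self-approval.
TEST_DECK = [
    ({"id": "T1", "amount": "500.00", "preparer": "ann", "approver": None}, "POSTED"),
    ({"id": "T2", "amount": "-20.00", "preparer": "ann", "approver": None}, "REJECTED"),
    ({"id": "T3", "amount": "10000.00", "preparer": "ann", "approver": None}, "REJECTED"),
    ({"id": "T4", "amount": "10000.01", "preparer": "ann", "approver": "ann"}, "REJECTED"),
    ({"id": "T5", "amount": "25000.00", "preparer": "ann", "approver": "bob"}, "POSTED"),
]


def run_test_deck(application, deck):
    """Return (case id, expected, actual) for each departure from expectation."""
    departures = []
    for txn, expected in deck:
        actual = application(txn)
        if actual != expected:
            departures.append((txn["id"], expected, actual))
    return departures


# Indirect inference: a constructed extract of payments already posted.
PROCESSED = [
    {"id": "P1", "vendor": "V01", "invoice": "INV-100", "amount": "9800.00",
     "preparer": "ann", "approver": None},
    {"id": "P2", "vendor": "V02", "invoice": "INV-200", "amount": "10000.00",
     "preparer": "ann", "approver": None},
    {"id": "P3", "vendor": "V03", "invoice": "INV-300", "amount": "15000.00",
     "preparer": "ann", "approver": "bob"},
    {"id": "P4", "vendor": "V01", "invoice": "INV-101", "amount": "4000.00",
     "preparer": "cy", "approver": None},
    {"id": "P5", "vendor": "V01", "invoice": "INV-101", "amount": "4000.00",
     "preparer": "cy", "approver": None},
]


def analyze_processed(records):
    """Map record id -> reasons the record suggests a control did not operate."""
    invoice_counts = Counter((r["vendor"], r["invoice"]) for r in records)
    exceptions = {}
    for r in records:
        reasons = []
        needs_approval = Decimal(r["amount"]) >= APPROVAL_LIMIT
        independent = bool(r["approver"]) and r["approver"] != r["preparer"]
        if needs_approval and not independent:
            reasons.append("no independent approval")
        if invoice_counts[(r["vendor"], r["invoice"])] > 1:
            reasons.append("duplicate invoice")
        if reasons:
            exceptions[r["id"]] = reasons
    return exceptions


if __name__ == "__main__":
    for case, expected, actual in run_test_deck(client_post_payment, TEST_DECK):
        print(f"test deck {case}: expected {expected}, application returned {actual}")
    for rec_id, reasons in analyze_processed(PROCESSED).items():
        print(f"processed {rec_id}: {', '.join(reasons)}")
```

The test deck isolates the defect to a single boundary case in the logic, while the data analysis shows only its effect (record P2) alongside an exception the deck was never designed to probe (the duplicated invoice).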
CAAT can be used in achieving the goals of audit5 by performing various audit procedures including test of details of transactions and balances, analytical review procedures, compliance tests of IS general and application controls, and penetration testing6.

CAAT play a significant role in enhancing the effectiveness and efficiency of risk-assessment procedures. Through the use of software, auditors can improve the quality of audit evidence. By automating procedures, CAAT remove subjectivity and bias in performing financial analysis, and auditors save time. As well, CAAT provide comprehensive analysis (i.e. identification of both inherent and control risks; supplementation of trend analysis with data from multiple sources) in order to assist in performing preliminary analytical reviews in the risk-assessment process, whose result drives the overall audit approach.7

Moreover, CAAT can be successfully employed in enhancing the effectiveness and efficiency of the audit procedures. With the use of CAAT, complete verification covering all doubtful cases with inadequate validations is possible with minimal effort and time and with guaranteed accuracy. As well, the use of CAAT increases credibility for substantive testing to provide total assurance or clear pinpointing of errors and frauds.8

There are six different types of CAAT that are available in achieving the objectives of financial statement audits:

1) Test data: Uses auditor-prepared input data to test the current version of a client-supplied copy of the application within the client's system. Once the auditor’s data is processed, the system-generated results are compared to auditor expectations. Any departure from the expected results would indicate a logic or control problem.9

2) Integrated test facility: Requires the auditor to be involved in the system design. Creates audit modules within the system that allow "dummy" test data to be segregated from actual "live" data in the system.
Once established, test data can be placed in the normal transaction stream and the auditor can evaluate application controls during normal operations using the results.10

4 Ibid.
5 ISACA. “Use of Computer-Assisted Audit Techniques.” IS Auditing Guideline. (1998):1-6. 8 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20033/Using_CAAT_to_Support_IS_Audit.htm>
6 Coderre, David. “Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.” Global Technology Audit Guide. Institute of Internal Auditors. 25 July 2008. <http://www.theiia.org/guidance/technology/gtag/gtag3/>
7 Vuchnich, Alex. “Using CAATTs in Preliminary Analytical Review to Enhance the Auditor's Risk Assessment.” The CPA Journal. 78.5 (2008): 38-41. ProQuest. University of Waterloo Lib. 12 June 2008.
8 ISACA. “Use of Computer-Assisted Audit Techniques.” IS Auditing Guideline. (1998):1-6. 8 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20033/Using_CAAT_to_Support_IS_Audit.htm>
9 Braun, Robert L. and Davis, Harold E. “Computer-assisted audit tools and techniques: analysis and perspectives.” Managerial Auditing Journal. 18.9 (2003): 725-732. ProQuest. University of Waterloo Lib. 14 June 2008.

3) Parallel simulation: The auditor develops an application designed to replicate the results of the client's application using client-supplied data. Comparison of the results allows the auditor to evaluate the quality of the process performed by the client's application.11

4) Embedded audit module (EAM): The auditor inserts an audit module in the client's application that will identify transactions that meet some pre-specified criteria as they are being processed, to be reviewed in real time or in batch. Particularly effective in identifying large transactions for substantive testing, or for controls testing by identifying transactions processed in a manner inconsistent with policies and procedures.12

5) Generalized audit software (GAS): Software allows data extraction and analysis.
It is relatively simple to use, requiring little specialized IS knowledge, and is adaptable to a variety of environments and users. It facilitates greater coverage compared to other types of procedures, achieved through queries that allow the auditor to analyze data and extract information from the client's database. Several audit operations are supported by GAS.13

6) Continuous auditing: Method used to perform control and risk assessments automatically14; it allows an on-going review and analysis of business information on a real-time basis15. More specifically, it enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.16

GAS is most frequently used at present due to minimal disruption and reliance on the client as well as relative simplicity of use17. However, there are two major drawbacks to the use of GAS due to the complex IT environment established in firms and the implementation of the key provisions of the Act: 1) incompatibility of such software with the complex file structures of database systems; and 2) inability to constantly monitor the information system and provide timely warning when unusual transactions or patterns occur in the system. In order to address these issues of GAS, audit and assurance services are leaning toward a continuous model, which incorporates EAM, Extensible Business Reporting Language (XBRL), database technology, data warehouse, and internet technology to help achieve dynamic, real-time auditing.18

10 Ibid.
11 Ibid.
12 Ibid.
13 Ibid.
14 Coderre, David. “Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.” Global Technology Audit Guide. Institute of Internal Auditors. 25 July 2008. <http://www.theiia.org/guidance/technology/gtag/gtag3/>
15 AICPA. “Continuous Audit.” AICPA – Information Technology Centre. 25 July 2008. <http://infotech.aicpa.org/Resources/Systems+Audit+and+Internal+Control/IT+Systems+Audit/Continuous+Audit>
16 Huang, Shi-Ming et al. “Developing A Continuous Auditing Assistance System Based On Information Process Models.” The Journal of Computer Information Systems. 48.1 (2007): 2-14. ProQuest. University of Waterloo Lib. 25 July 2008.
17 Singleton, Tommie. “Generalized Audit Software: Effective and Efficient Tool for Today’s IT Audits.” ISACA – JournalOnline. 2 (2006). 10 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20067/Generalized_Audit_Software_Effective_and_Efficient_Tool_for_Todays_IT_Audits.htm>

SARBANES-OXLEY ACT SECTION 404 AND ITS IMPLICATIONS

One of the key provisions of the Act is Section 404 – “Enhanced Financial Disclosures, Management Assessment of Internal Control”. In conjunction with Auditing Standard No. 5 (AS5), which superseded Auditing Standard No. 2 (AS2) in 2007, Section 404 of the Act requires: 1) the management’s assessment on the effectiveness of ICFR as at the company’s year-end; 2) external auditors’ opinion on the management’s assessment; and 3) external auditors’ own assessment.

AS5 replaced AS2 in order to increase the accuracy of financial reports while reducing unnecessary costs, especially for smaller public companies. It was intended to make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity, allowing the audit to be more effective and efficient. In turn, AS5 was put in place to strengthen investor protection by refocusing resources on what truly matters to the integrity of financial statements.19

The key elements of AS5 are consistent with AS2 in that it serves to achieve the objective of improving the quality of financial statements (F/S), as it is a single standard based on providing reasonable assurance on both the design and operating effectiveness of ICFR.
The new Standard is less prescriptive and more principles-based, and provides for greater use of professional judgment by auditors by requiring the auditors to 1) take a top-down, risk-based approach, focusing on the areas with the greatest risk of material misstatements; and 2) include only the requirements necessary for an effective audit.20 AS5 also promotes flexibility by making audits scalable, allowing changes to fit the size and complexity of any company.21

18 Huang, Shi-Ming et al. “Developing A Continuous Auditing Assistance System Based On Information Process Models.” The Journal of Computer Information Systems. 48.1 (2007): 2-14. ProQuest. University of Waterloo Lib. 25 July 2008.
19 U.S. Securities and Exchange Commission. “SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting; Adopts Definition of "Significant Deficiency”.” 25 July 2007. U.S. Securities and Exchange Commission. 12 June 2008. <http://www.sec.gov/news/press/2007/2007-144.htm>
20 Brownlee, Elaine and O’Shea, Niall. “SOx s404: The New Guidance: What It Really Means.” Accountancy Ireland. 39.4 (2007): 32-35. ProQuest. University of Waterloo Lib. 13 June 2008.
21 U.S. Securities and Exchange Commission. “SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting; Adopts Definition of "Significant Deficiency”.” 25 July 2007. U.S. Securities and Exchange Commission. 12 June 2008. <http://www.sec.gov/news/press/2007/2007-144.htm>

Moreover, AS5 adopted a definition of ‘significant deficiency’ as “a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the registrant's financial reporting”.
This definition is used in the context of evaluating the required communications under Section 404 of the Act.22

In properly assessing the effectiveness of a firm’s ICFR, which is embedded in complex IT systems, Statement on Auditing Standards No. 94 (SAS 94) – “The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit” provides specific guidance to auditors by stating that CAAT are needed when a significant amount of financial information supporting one or more financial statement assertions is automated by complex electronic IT. In these situations, the auditor must assess control risk by performing tests of controls, regardless of firm size.23

There are three broad categories under which the types of CAAT described above can be classified:

1) Auditing around the computer: Tests the reliability of computer-generated information by calculating expected results and comparing them to the output. Adequate when automated systems are simple and straightforward. The major weakness is that it doesn’t determine the correctness of program logic.24

2) Auditing with the computer: Draws indirect inferences upon an application's logic by examining the data processed by the application25. GAS is frequently employed to audit with the computer by performing substantive tests and limited tests of controls. For example, GAS can be used to test the functioning of complex algorithms in computer programs, but it requires extensive experience in using the software.26

3) Auditing through the computer: Tests automated processing steps, programming logic, edit routines and programmed controls. It is assumed that if programs are functioning as designed, errors and irregularities would be detected and outputs can reasonably be accepted as reliable. Appropriate for testing controls in complex IT systems.
Techniques include the test data technique, parallel simulation, integrated test facility, and embedded audit module.27

22 Ibid.
23 Cerullo, Michael J. and Cerullo, M. Virginia. “Impact of SAS No. 94 on Computer Audit Techniques.” Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20033/Impact_of_SAS_No_94_on_Computer_Audit_Techniques.htm>
24 Ibid.
25 Braun, Robert L. and Davis, Harold E. “Computer-assisted audit tools and techniques: analysis and perspectives.” Managerial Auditing Journal. 18.9 (2003): 725-732. ProQuest. University of Waterloo Lib. 14 June 2008.
26 Cerullo, Michael J. and Cerullo, M. Virginia. “Impact of SAS No. 94 on Computer Audit Techniques.” Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20033/Impact_of_SAS_No_94_on_Computer_Audit_Techniques.htm>
27 Ibid.

SAS 94 and firms’ dependence on complex IT systems for their financial reporting signal the diminished likelihood that the "audit around the computer" and the “audit with the computer” approaches will be appropriate. As a result, auditors must begin to incorporate state-of-the-art auditing software applications in the audit process. This will enable the audit process to be more effective because the scope of the transactions being analyzed can be increased at a minimal marginal cost. In addition, economic forces at work in capital markets appear to be signaling the demand for more timely assurance on financial information reported annually, quarterly, and throughout the year.28 However, for real-time financial information to have value, the decision makers (i.e. investors) need real-time assurances from an independent third party (i.e.
auditors) that the information is secure, accurate and reliable.29

SARBANES-OXLEY ACT SECTION 409 AND ITS IMPLICATIONS

Section 409 – “Real Time Issuer Disclosures” of the Act requires all SEC-registered companies to report any event that may cause a material effect on their financial or operational results within 48 hours in a form that can be understood by the public stakeholders and potential new investors of the organization30. Hence, the responsibilities of C-suite executives, particularly CFOs, of publicly held companies that trade on US exchanges have extended beyond the scope of historic expectations. In essence, this Section has also expanded the responsibilities of the auditors to the extent that they are required by law to look for material events such as fraud.

Section 409 created new challenges for organizations in regards to data integration. Organizations need to know whether their key financial systems are capable of providing data in real time, or if the organization will need to add such capabilities or use specialty software to access the data. Moreover, firms need to account for changes that occur externally: changes by customers or business partners that could materially impact their own financial positioning (e.g. key customer/supplier bankruptcy and default).31

In order to comply with Section 409, organizations face an increasing need to support market predictability with robust competitive intelligence tools and techniques for early warning and analysis of potential scenarios that could impact the business32 in its financial and operational aspects.

28 Ibid.
29 Sarva, Srinivas. “Continuous Auditing Through Leveraging Technology.” (2006). ISACA – JournalOnline. 10 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20067/Continuous_Auditing_Through_Leveraging_Technology1.htm>
30 Johnson, Arik. “Definitely Maybe.” Competitive Intelligence Magazine. 7.6 (2004): 37. ProQuest. University of Waterloo Lib. 25 July 2008.
31 Chan, Sally and Lepeak, Stan. “IT and SARBANES-OXLEY.” CMA Management. 78.4 (2004): 33-37. ProQuest. University of Waterloo Lib. 25 June 2008.
32 Johnson, Arik. “Definitely Maybe.” Competitive Intelligence Magazine. 7.6 (2004): 37. ProQuest. University of Waterloo Lib. 25 July 2008.

To avoid a hasty rip-and-replace of existing systems, IT control professionals are recommended to assess the organization’s technology capabilities in the following categories to secure a smooth transition in compliance with Section 409:

1) Quality of financial modeling capabilities: High-quality financial modeling capabilities help organizations anticipate and possibly avoid awkward reporting situations and help them adapt to rapidly changing situations.33

2) Availability of internal and external portals: Portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure.34

3) Breadth and adequacy of financial triggers and alerts: Financial triggers and alerts act as the line of defense in complying with a Section 409 disclosure event.35

4) Adequacy of document repositories: Repositories play a critical role both from the standpoint of event monitoring to assess disclosure needs as well as providing a mechanism to audit disclosure adequacy.36

5) Adequacy of captured document audit trails: This is a critical element in establishing adequate disclosure processes and records of that disclosure.37

Once these factors have been identified and assessed, organizations should determine whether sufficient technologies are available to accomplish integration of data and hence be in compliance with Section 409. The following major vendors of business systems, information, and software provide solutions for their clients by catering to their regulatory compliance needs (i.e.
Section 409 of the Act):

1) Oracle: Provides solutions that give organizations access to complete and accurate financial data that is timely, relevant, consistent, and available in real time. Business systems help streamline the transparency of policies and procedures, enforce them, reduce the risk of malfeasance and errors, and improve confidence in business data.38

2) SAP: SAP ERP Financials features the following SOX compliance functions: project organization for documentation, testing, and sign-off for internal controls; test procedures based on the risk management framework defined by the Committee of Sponsoring Organizations of the Treadway Commission; risk mitigation and remediation; real-time drilldown analysis and reporting; management reporting and much more.39

Furthermore, the company’s capacity to be an early adopter of XBRL should be determined40 as its use has gained a substantial footing in the worldwide business community41. XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories.42

33 Chan, Sally and Lepeak, Stan. “IT and SARBANES-OXLEY.” CMA Management. 78.4 (2004): 33-37. ProQuest. University of Waterloo Lib. 25 June 2008.
34 Ibid.
35 Ibid.
36 Ibid.
37 Ibid.
38 Oracle. “Governance and Compliance.” Oracle. 26 July 2008. <http://www.oracle.com/solutions/corporate_governance/sarbanes.html>
39 SAP. “SAP ERM Financials – Compliance Solutions.” SAP. 26 July 2008. <http://www.sap.com/usa/solutions/businesssuite/erp/financials/sox.epx>

IMPACT OF CAAT ON SARBANES-OXLEY ACT SECTIONS 404 AND 409

Perhaps a key to being able to meet the requirements of improved efficiency and increased effectiveness in providing an audit opinion on a company’s ICFR lies with continuous auditing.
As well, given the constant demand for timely and reliable information, implementation of continuous auditing techniques combined with more frequent reporting can benefit those that rely on the published information. Furthermore, given the markets' tendencies to strategically react to released earnings announcements in advance of audited financial results, continuous auditing may help in enabling detection of problems that materially affect organizations’ financial results as they occur rather than at the end of a reporting period.43

The question remains: What is the most prominent CAAT available for auditors to perform continuous auditing and for organizations to report on material financial or operational triggers in order to comply with Sections 404 and 409 of the Act? The discussions on the implications of the Sections above lead to a CAAT that serves the needs of both auditors and organizations: Extensible Business Reporting Language (XBRL).

XBRL is a platform- and application-independent means of identifying, extracting, and presenting financial data and other business information in any way the user requires. Using XBRL, organizations can capture financial information at any point in the business cycle. XBRL is also a specialized business reporting language for existing and emerging financial and business reporting requirements. It makes the analysis and exchange of corporate information easier to facilitate, as well as more flexible and reliable.44

40 Ibid.
41 Coderre, Dave. “Are You Ready for XBRL?” The Internal Auditor. 61.4 (2004): 26-29. ProQuest. University of Waterloo Lib. 25 July 2008.
42 Ibid.
43 Braun, Robert L. and Davis, Harold E. “Computer-assisted audit tools and techniques: analysis and perspectives.” Managerial Auditing Journal. 18.9 (2003): 725-732. ProQuest. University of Waterloo Lib. 14 June 2008.
44 Coderre, Dave. “Are You Ready for XBRL?” The Internal Auditor. 61.4 (2004): 26-29. ProQuest. University of Waterloo Lib. 25 July 2008.

The use of XBRL was driven by increasing investor demands and regulatory requirements for more frequent and detailed financial reporting. Such demands were primarily outlined in the two key provisions discussed in this report, as they require high-level executives to sign off on the accuracy of financial statements and require companies to provide information on a timelier basis. Moreover, to decrease public mistrust in the capital market, the provisions mandate companies to provide information in a form that is easily understandable by public stakeholders and potential investors and that supports evaluative and trend analysis.45

XBRL is also advocated as it solves the long-standing problems of difficulty in communicating and employing information both within and outside an organization as a result of using widely disparate and incompatible systems to process business data. It also solves the problems arising from inconsistent accounting terminology, principles, practices, and jurisdictional regulations by creating a vocabulary to precisely describe the information included in a report, taking regulatory, jurisdictional, and other variances into consideration. It works in conjunction with extensible markup language (XML), an Internet-based language that serves as the universal format for data on the Web. XBRL allows organizations to label or "tag" data in specific and meaningful ways for other potential uses (e.g.
export tagged financial data in an Excel spreadsheet using XBRL to the balance sheet).46 These capabilities can improve the quality and quantity of financial reporting data, which has led XBRL to be endorsed by the International Accounting Standards Board and used by organizations in nations such as Australia, Canada, South Korea, Japan, Spain, the United Kingdom, and the United States.47

XBRL is also a powerful and critical audit tool for auditors in reviewing their clients' compliance with the Act, particularly Sections 404 and 409. Auditors need reliable information on a timely basis and in a reusable format such that it may be easily used for analysis. Prior to the introduction of XBRL, auditors had to search and manually input data into different software in order to reuse financial information for analysis and tests. XBRL improves the quality and effectiveness of audits by allowing auditors to retrieve data more easily and analyze it with greater accuracy. Data in XBRL format enables auditors to perform more analyses of data, facilitates comparisons against external data, increases the timeliness of reported information, and provides greater transparency.48

45 Ibid.
46 Ibid.
47 Ibid.
48 Ibid.

XBRL is now supported by most current accounting, financial management, and tax software. This enables electronic exchange for importing and exporting data in an XBRL format. XBRL's interoperability with financial and data analysis applications significantly simplifies the preparation, dissemination, and analysis of financial and compliance reports. Moreover, XBRL provides more relevant and reliable extraction and exchange of information between organizations, because it is an open process, which is not based on any proprietary technology, and requires minimal human involvement, resulting in fewer errors.49

With automated analysis and identification of items by attached XBRL tag, auditors benefit from being able to perform fast and accurate electronic searches and move the data to analytical software or a spreadsheet with a click of a mouse. Functions of XBRL also allow auditors to customize searches for multiple company data, making it easier to perform trend analysis and continuous auditing, and to compare data with industry benchmarks, other organizations, or different intracompany operations.50

Moreover, “XBRL facilitates the use of Web-enabled audit programs for standards-based financial statement reviews. By integrating data analysis software programs into accounting functions, XBRL allows auditors to extract, analyze, and interpret evidence and to detect unusual transactions or patterns of transactions to deter fraud. Continuous auditing, supported by the XBRL format of financial data, can increase the efficiency and effectiveness of the audit process substantially, resulting in cost savings for auditors and their clients.”51

CONCLUSION

With the implementation in 2002 of two key provisions of the Sarbanes-Oxley Act, Sections 404 and 409, to restore investors’ confidence in the capital markets, Section 404 required high-level executives to sign off on the accuracy of financial statements. Section 409 then mandated companies to provide information on a “real-time” basis and in a way that is easily understandable by public stakeholders and potential investors, with support from evaluative and trend analysis.
Hence, organizations must respond by implementing an effective and economical data delivery mechanism to monitor, analyze and report functional, financial and operational events, including those that, due to their material nature, may obstruct organizations from achieving their business objectives or increase the probability of risk, fraud, crime and other losses. One of the most promising technologies being implemented in organizations today is a real-time reporting solution.52 In addressing the needs of both organizations and their auditors, the use of ‘Extensible Business Reporting Language’ is recommended in order to facilitate compliance with Sections 404 and 409 of the Sarbanes-Oxley Act.

49 Ibid.
50 Ibid.
51 Ibid.
52 Cunningham, Michael. “Meeting Sarbanes-Oxley Section 409 Requirements.” Sept. 2005. Sarbanes-Oxley Compliance Journal. 25 July 2008. <http://www.s-ox.com/Feature/detail.cfm?articleID=1067>

APPENDIX I

Section 409 – “Real Time Issuer Disclosures” itself is geared more towards the C-suite executives of organizations than towards a CA practitioner. This is due to the fact that the Act requires all SEC-registered companies to report any event that may cause a material effect on their financial or operational results within 48 hours in a form that can be understood by the public stakeholders and potential new investors of the organization. While the report addressed the responsibilities of C-suite executives, particularly CFOs, of publicly held companies on how to comply with the Section, the report also addresses the assurance side of the Section by recommending a CAAT that can be used to audit organizations’ compliance with the Act.

REFERENCES

AICPA. “Continuous Audit.” AICPA – Information Technology Centre. 25 July 2008. <http://infotech.aicpa.org/Resources/Systems+Audit+and+Internal+Control/IT+Systems+Audit/Continuous+Audit>

Braun, Robert L. and Davis, Harold E. “Computer-assisted audit tools and techniques: analysis and perspectives.” Managerial Auditing Journal. 18.9 (2003): 725-732. ProQuest. University of Waterloo Lib. 14 June 2008.

Brownlee, Elaine and O’Shea, Niall. “SOx s404: The New Guidance: What It Really Means.” Accountancy Ireland. 39.4 (2007): 32-35. ProQuest. University of Waterloo Lib. 13 June 2008.

Cerullo, Michael J. and Cerullo, M. Virginia. “Impact of SAS No. 94 on Computer Audit Techniques.” Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20033/Impact_of_SAS_No_94_on_Computer_Audit_Techniques.htm>

Chan, Sally and Lepeak, Stan. “IT and SARBANES-OXLEY.” CMA Management. 78.4 (2004): 33-37. ProQuest. University of Waterloo Lib. 25 June 2008.

Coderre, David. “Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.” Global Technology Audit Guide. Institute of Internal Auditors. 25 July 2008. <http://www.theiia.org/guidance/technology/gtag/gtag3/>

Coderre, Dave. “Are You Ready for XBRL?” The Internal Auditor. 61.4 (2004): 26-29. ProQuest. University of Waterloo Lib. 25 July 2008.

Cunningham, Michael. “Meeting Sarbanes-Oxley Section 409 Requirements.” Sept. 2005. Sarbanes-Oxley Compliance Journal. 25 July 2008. <http://www.sox.com/Feature/detail.cfm?articleID=1067>

Deloitte & Touche, Ernst & Young, KPMG, PricewaterhouseCoopers. “Perspectives on Internal Control Reporting – A Resource of Financial Market Participants.” AICPA. December 2004. <http://www.aicpa.org/cpcaf/download/Perspectives_on_Reporting-Appendix2C.pdf>

Huang, Shi-Ming et al. “Developing A Continuous Auditing Assistance System Based On Information Process Models.” The Journal of Computer Information Systems. 48.1 (2007): 2-14. ProQuest. University of Waterloo Lib. 25 July 2008.

ISACA. “Use of Computer-Assisted Audit Techniques.” IS Auditing Guideline. (1998):1-6. 8 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20033/Using_CAAT_to_Support_IS_Audit.htm>

Johnson, Arik. “Definitely Maybe.” Competitive Intelligence Magazine. 7.6 (2004): 37. ProQuest. University of Waterloo Lib. 25 July 2008.

Oracle. “Governance and Compliance.” Oracle. 26 July 2008. <http://www.oracle.com/solutions/corporate_governance/sarbanes.html>

SAP. “SAP ERM Financials – Compliance Solutions.” SAP. 26 July 2008. <http://www.sap.com/usa/solutions/business-suite/erp/financials/sox.epx>

Sarva, Srinivas. “Continuous Auditing Through Leveraging Technology.” (2006). ISACA – JournalOnline. 10 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20067/Continuous_Auditing_Through_Leveraging_Technology1.htm>

Singleton, Tommie. “Generalized Audit Software: Effective and Efficient Tool for Today’s IT Audits.” ISACA – JournalOnline. 2 (2006). 10 June 2008. <http://www.isaca.org/Content/ContentGroups/Journal1/20067/Generalized_Audit_Software_Effective_and_Efficient_Tool_for_Todays_IT_Audits.htm>

U.S. Securities and Exchange Commission. “SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting; Adopts Definition of "Significant Deficiency”.” 25 July 2007. U.S. Securities and Exchange Commission. 12 June 2008. <http://www.sec.gov/news/press/2007/2007-144.htm>

Vuchnich, Alex. “Using CAATTs in Preliminary Analytical Review to Enhance the Auditor's Risk Assessment.” The CPA Journal. 78.5 (2008): 38-41. ProQuest. University of Waterloo Lib. 12 June 2008.