Slide 1: Sarbanes-Oxley IT Audits

Slide 2: Sarbanes-Oxley 2002
Recommended that “audit firms place a high priority on enhancing the overall effectiveness of auditors’ work on internal control, particularly with respect to the depth and substance of their knowledge about companies’ information systems.”

Slide 3: SOX Section 802
Fines of up to $25 million and/or 20 years imprisonment against “whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence” any government investigation or official proceeding.

Slide 4: PCAOB Auditing Standards
- AS2: Financial auditors should perform a “walkthrough” of the information system to be satisfied with the design and operation of the applicable controls
- AS3: Extends audit documentation requirements
- Both address fraud issues

Slide 5: SAS 80, Evidential Matter
SAS 80: Where evidential matter is in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests. In such circumstances, an auditor should consider performing tests of controls to support an assessed level of control risk.

Slide 6: SAS 94, Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit
- Requires consideration of the importance of IT processes and controls in the preparation of financial statements, and of whether an IT specialist is required.
- The presence of an IT auditor or specialist on the engagement team does not free the financial auditor from responsibility for assessing the adequacy of IT controls.

Slide 7: SAS 99, Consideration of Fraud in a Financial Statement Audit
- Misstatements arising from fraudulent financial reporting
- Misstatements arising from misappropriation of assets
- Whenever “evidence of fraud” is found, it should be brought to the attention of the appropriate level of management
- Increases the extent of documentation

Slide 8: IT Audit vs Sarbanes-Oxley IT Audit
- Both are technical IT audits
- A Sarbanes IT audit has a narrowly defined focus driven by Federal law and is a system-level audit concentrated on the reliability and integrity of the hardware, software and information of the systems.
- A Sarbanes IT audit is typically part of a larger financial audit and responds to the requirements of that larger financial audit.

Slide 9: Governing Standards
- Diverse standards allow for different interpretations
- Internal and external audits traditionally focus on financial matters
- Traditional IT audits focus on technology issues
- In the past, these two audits rarely interacted with each other
- Sarbanes-Oxley changed this!

Slide 10: SOX-404 vs Traditional IT Audit
- Section 404 is designed to ensure that there are sufficient controls to prevent fraud, misuse and/or loss of financial data
- Controls must be effective
- It must be possible to note exceptions and follow the audit trail
- A 404 audit is invariably part of a larger financial audit
- Its general purpose is to identify weaknesses or deficiencies in the IT controls and resolve them prior to the start of an outside audit
- The IT auditor verifies that controls are in place and working correctly.

Slide 11: Competing Governance Organizations (Organization: Standards)
- American Institute of Certified Public Accountants (AICPA): Statements on Auditing Standards (SAS)
- Institute of Internal Auditors Association (IIA): Standards for the Professional Practice of Internal Auditing (IIA)
- U.S. General Accounting Office (GAO): Government Auditing Standards and Title 2, Accounting (GAO)
- Information Systems Audit and Control Association (ISACA): General Standards for Information Systems Auditors and Statements on Information Systems Auditing Standards
- Institute of Internal Auditors Research Foundation: Systems Auditability and Control (SAC)

Slide 12: COSO vs COBIT
- COSO doesn’t do enough to help identify, document, and evaluate the IT controls necessary to comply with SOX’s legal requirements
- COBIT is an interpretation of COSO from an IT point of view
- Established by the IT Governance Institute (ITGI): four domains, 34 IT processes and 318 detailed control objectives

Slide 13: PCAOB Auditing Standard 2
“An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.”
- Establishes the requirements for performing an audit of internal control over financial reporting
- Transaction flows commonly involve the use of application systems for automating processes and supporting high-volume and complex transaction processing
- The reliability of these application systems is in turn reliant upon various IT support systems, including networks, databases and operating systems

Slide 14: Audit Risk
The IT auditor should also recognize that threat, vulnerability and risk analyses have the goal of risk mitigation and security, and that the audit should address and answer the following questions:
- Systems risks
- Systems threats and vulnerabilities
- Probability of occurrences
- Risk mitigation

Slide 15: Controls
Two broad classes of controls: Key Controls and General Controls. They are designed to ensure that the controls are sufficient to:
- prevent fraud, misuse, and/or loss of financial data/transactions,
- enable speedy detection if and when such problems occur, and
- promote effective action

Slide 16: Controls (cont.)
A Section 404 auditor can test the general quality of the controls by determining whether a policy, procedure, or process is:
- standardized across the company
- centrally administered
- centrally controlled
- repeatable

Slide 17: Key Controls
- Generally defined in the literature as the controls that are fundamental to ensuring that the values on the balance sheet are accurate and reliable
- All monetary transactions must be initialized, authorized, implemented, documented, controlled, reported, and validated using key controls
- Example: check that two separate systems tally with one another

Slide 18: General Controls
These include:
- Physical access and security
- Operational control processes
- Logical access processes
- Backup and recovery
- Disaster recovery policies
- Service-level agreement policies
- Application or software development processes
- Testing
- Configuration and change management

Slide 19: Preferable if Controls are Automated
Automation makes it more difficult for individuals to manipulate the control, either in error or maliciously. The centralized automation of controls should include:
- Central administration of IT processes by the relevant MIS department
- Centralized document version control of policies and procedures
- Backup and recovery procedures using scripts, clustering techniques, RAID, etc., as well as fault-tolerant systems

Slide 20: Preferable if Controls are Automated (cont.)
- Intrusion prevention and detection processes using centralized services
- Antivirus processes using centralized software such as McAfee or Symantec
- A process for managing changes to IT assets or objects exists and documents that changes are reviewed and authorized
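As an added example, not part of the original slides: a small automated key control of the kind slide 17 describes (checking that two separate systems tally), run as a script as slides 19 and 20 recommend, which records every exception as an audit-trail line so an auditor can note exceptions and follow them. The two system names and all transaction data are constructed for illustration.

```python
from decimal import Decimal
from datetime import datetime, timezone

# Constructed sample exports from two independent systems (not real data):
# (transaction id, amount). The key control requires the two to tally.
ORDER_SYSTEM = [("TX1001", "1250.00"), ("TX1002", "80.50"),
                ("TX1003", "999.99"), ("TX1004", "42.00")]
GENERAL_LEDGER = [("TX1001", "1250.00"), ("TX1002", "85.00"),
                  ("TX1003", "999.99"), ("TX1005", "10.00")]


def load(rows):
    """Index an export by transaction id; a duplicate id is itself a control failure."""
    table = {}
    for tx_id, amount in rows:
        if tx_id in table:
            raise ValueError(f"duplicate transaction id {tx_id}")
        table[tx_id] = Decimal(amount)  # Decimal avoids float rounding in money
    return table


def reconcile(left, right):
    """Compare two exports; return (exception list, run summary) for the audit trail."""
    a, b = load(left), load(right)
    exceptions = []
    for tx_id in sorted(a.keys() | b.keys()):
        if tx_id not in b:
            exceptions.append({"id": tx_id, "type": "missing_in_right", "left": a[tx_id], "right": None})
        elif tx_id not in a:
            exceptions.append({"id": tx_id, "type": "missing_in_left", "left": None, "right": b[tx_id]})
        elif a[tx_id] != b[tx_id]:
            exceptions.append({"id": tx_id, "type": "amount_mismatch", "left": a[tx_id], "right": b[tx_id]})
    summary = {
        "run_at": datetime.now(timezone.utc).isoformat(),
        "left_total": sum(a.values(), Decimal("0")),
        "right_total": sum(b.values(), Decimal("0")),
        "exception_count": len(exceptions),
        "control_passed": not exceptions,
    }
    return exceptions, summary


def audit_log_lines(exceptions, summary):
    """Render one summary line plus one line per exception for an append-only log."""
    lines = [f"{summary['run_at']} RECONCILE left={summary['left_total']} right={summary['right_total']} "
             f"exceptions={summary['exception_count']} passed={summary['control_passed']}"]
    for e in exceptions:
        lines.append(f"{summary['run_at']} EXCEPTION {e['id']} {e['type']} left={e['left']} right={e['right']}")
    return lines


if __name__ == "__main__":
    ex, s = reconcile(ORDER_SYSTEM, GENERAL_LEDGER)
    print("\n".join(audit_log_lines(ex, s)))
```

In practice the log lines would be written to a centrally administered, append-only store rather than printed, so the exception record cannot be altered by the person who caused it.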