
SOX and IT Audit

Overview
Agenda

► Risks & Controls Recap
► SOX Background
► IT General Control Areas

Page 2
SOX Recap

Page 3
SOX or Financial Audit?

1. When a key control fails, the external auditors perform additional procedures
to confirm whether the failure presents risk to the financial statements. Once the
auditors are comfortable that risk to the financial statements is appropriately
mitigated, no additional procedures are performed.

Page 4
SOX or Financial Audit?

2. Control breakdowns are categorised as control deficiencies, significant
deficiencies, or material weaknesses.

Page 5
SOX or Financial Audit?

3. The Company’s external auditor must attest to the effectiveness of the
company’s internal controls over financial reporting.

Page 6
SOX or Financial Audit?

4. A quarterly user access review was not performed during Q3. The external
auditors performed additional procedures to confirm users and access are
appropriate. In addition, the external auditors obtained the Q4 user access
review to confirm it was performed timely.

Page 7
SOX or Financial Audit?

5. The Company’s external auditor tests key controls that prevent or detect error
to mitigate risk. Where controls are not in place or are ineffective, substantive
testing is performed to reach financial statement reliance.

Page 8
SOX or Financial Audit?

6. When a key control fails, a remediation plan is created, put in place, and the
control is retested.

Page 9
SOX or Financial Audit?

7. Entity-level controls, including policies and procedures, codes of conduct,
organisational structure, and “tone at the top” are in place and are reviewed by
the external auditors annually.

Page 10
SOX or Financial Audit?

8. Three terminated users were observed to have retained inappropriate access
during the first half of the fiscal year. The external auditor performs 100% testing
over terminations for the full audit period. No additional issues are observed.

Page 11
SOX Recap - Keys

Page 12
SOX or Financial Audit?

1. When a key control fails, the external auditors perform additional procedures
to confirm whether the failure presents risk to the financial statements. Once the
auditors are comfortable that risk to the financial statements is appropriately
mitigated, no additional procedures are performed.

FINANCIAL AUDIT

Page 13
SOX or Financial Audit?

2. Control breakdowns are categorised as control deficiencies, significant
deficiencies, or material weaknesses.

SOX AUDIT

Page 14
SOX or Financial Audit?

3. The Company’s external auditor must attest to the effectiveness of the
company’s internal controls over financial reporting.

SOX AUDIT

Page 15
SOX or Financial Audit?

4. A quarterly user access review was not performed during Q3. The external
auditors performed additional procedures to confirm users and access are
appropriate. In addition, the external auditors obtained the Q4 user access
review to confirm it was performed timely.

SOX AUDIT

Page 16
SOX or Financial Audit?

5. The Company’s external auditor tests key controls that prevent or detect error
to mitigate risk. Where controls are not in place or are ineffective, substantive
testing is performed to reach financial statement reliance.

FINANCIAL AUDIT

Page 17
SOX or Financial Audit?

6. When a key control fails, a remediation plan is created, put in place, and the
control is retested.

SOX AUDIT

Page 18
SOX or Financial Audit?

7. Entity-level controls, including policies and procedures, codes of conduct,
organisational structure, and “tone at the top” are in place and are reviewed by
the external auditors annually.

SOX AUDIT

Page 19
SOX or Financial Audit?

8. Three terminated users were observed to have retained inappropriate access
during the first half of the fiscal year. The external auditor performs 100% testing
over terminations for the full audit period. No additional issues are observed.

FINANCIAL AUDIT

Page 20
SOX vs. Financial Statement Audit

Financial Statement Audit:
The purpose of a Financial Statement Audit is to gain reasonable assurance about whether the
financial statements as a whole are free of material misstatement, whether due to fraud or error,
thereby enabling us to express an opinion on whether the financial statements are prepared and
presented fairly, in all material respects, in accordance with an applicable financial reporting
framework.

SOX Audit:
The purpose of a SOX audit (an audit of ICFR) is to express an opinion on the effectiveness of
the company's internal control over financial reporting. A material weakness in internal control
over financial reporting may exist even when financial statements are not materially misstated.

Page 21
SOX vs. Financial Statement Audit

Financial Statement Audit:
• Auditors test key controls or perform substantive procedures to gain comfort over the
completeness and accuracy of the financial statements.
• Control owners are responsible for owning and operating control processes in place.
Management must perform procedures to gain comfort over completeness and accuracy, and
evidence sufficient levels of precision and sensitivity in the performance of review controls.
• Management sets the “tone at the top” through entity-level controls.
• When control breakdowns occur, auditors perform additional procedures to gain comfort that
there is no risk of material misstatement. Control exceptions may indicate a weak internal
control environment, requiring more substantive procedures to be performed for financial
statement coverage.

SOX Audit:
• Auditors test key controls to gain comfort over the completeness and accuracy of financial
statements, and to attest to the company’s internal controls over financial reporting.
• Control owners are responsible for owning and operating control processes in place.
Management must perform procedures to gain comfort over completeness and accuracy, and
evidence sufficient levels of precision and sensitivity in the performance of review controls.
• Management takes ownership over the controls framework within the organisation, and sets
the “tone at the top” through entity-level controls, which are of increased audit focus.
• When control breakdowns occur, they are classified as deficiencies, significant deficiencies,
or material weaknesses. They are reported up to the parent company on the SOCD, and may be
reported to the Audit Committee or on financial statements, depending on level of severity.

Page 22
Risks & Controls Recap

Page 23
Financial Audit Overview

► What is a financial audit?
► What is the objective of a financial audit?

The purpose of a Financial Statement Audit is to gain reasonable assurance about whether the
financial statements as a whole are free of material misstatement, whether due to fraud or error,
thereby enabling us to express an opinion on whether the financial statements are prepared and
presented fairly, in all material respects, in accordance with an applicable financial reporting
framework.

Page 24
Financial Audit Scoping

[Figure: audit scoping flow. Financial statement significant accounts → Risks (what can go
wrong?) → Significant processes → Controls (IT general controls; automated, IT dependent and
manual application controls). Audit effort ranges from controls based to substantive.]

Page 25
Risks & Controls

► What is a risk?
► Risks are measured by their likelihood and impact
► Situation involving exposure to…..(for example):
► Loss of market share / income (Business Risk)
► Misstatement of revenue (Audit Risk)
► Data loss (IT Risk)
► Information processing risks include those related to the completeness, accuracy, and validity of information

► What is a control?
► A process or an action designed to prevent or detect error to mitigate risk
► Control design and operational effectiveness

Page 26
SOX Background

Page 27
Background of SOX

► SOX was enacted as a reaction to a number of major corporate and accounting scandals
(including those affecting Enron, Tyco International, Adelphia, and WorldCom).

Page 31
Background of SOX

► The Sarbanes-Oxley Act of 2002 was named after U.S. Senator Paul Sarbanes and U.S.
Representative Michael Oxley. The act was signed into law on July 30, 2002 by President
George W. Bush.

► SOX was introduced and enforced for public companies beginning in 2004 to accomplish the
following objectives:
  ► Increase the accountability of management of public companies
  ► Improve corporate governance
  ► Increase the oversight of public accounting firms
  ► Restore investor confidence in the capital markets

Page 32
History of COSO and SOX

► Committee of Sponsoring Organisations of the Treadway Commission (COSO) formed to address
fraudulent financial reporting. Sponsoring organisations:
  ► American Institute of Certified Public Accountants (AICPA)
  ► American Accounting Association (AAA)
  ► Financial Executives International (FEI)
  ► Institute of Internal Auditors (IIA)
  ► Institute of Management Accountants (IMA)
► COSO released Internal Control – Integrated Framework
► Sarbanes-Oxley Act signed
  ► Established Public Company Accounting Oversight Board (PCAOB)
  ► Section 302 – Executive Management certification of financial information accuracy
  ► Section 404 – generated the need to assess internal controls over financial reporting
  ► Section 906 – penalties for fraudulent reporting
► PCAOB releases Auditing Standard No. 2 – focused on ICFR coverage of financial statements
► PCAOB releases Auditing Standard No. 5 – top-down, risk-based approach
► COSO updates Internal Control – Integrated Framework
  ► Requires focus beyond just financial reporting to include non-financial reporting
  ► Updated for impact of technology
  ► Codified 17 principles of internal control
► PCAOB released Staff Audit Practice Alert No. 11 – Considerations for audits of internal
controls over financial reporting

Page 33
What is Sarbanes-Oxley (SOX)?

► Purpose of SOX:
► In response to a series of corporate fraud cases in the late 1990s and early 2000s, which resulted
in great loss of stakeholder wealth and destroyed the public’s trust in corporate America,
Sarbanes-Oxley (SOX) was enacted by Congress in the U.S.
► SOX was put in place to help boost investor confidence and restore public trust in corporate
America.

► What did SOX do?
► SOX introduced major changes to the regulation of financial practices and corporate governance
including enhancing internal controls to:
► Protect against fraud
► Improve reliability of financial reporting

Page 34
Key sections of Sarbanes-Oxley

► Sarbanes-Oxley contains the following key provisions of legislation:

► Section 302: Management’s Responsibilities

► Section 303: Improper influence on conduct of audits

► Section 401: Disclosures in periodic reports

► Section 404: Management’s assessment of internal controls

► Section 802: Criminal penalties for influencing US agency investigation/proper administration

► Section 906: Criminal penalties for CEO/CFO financial statement certifications

► Section 1107: Criminal penalties for retaliation against whistleblowers

Page 35
Section 302

► SOX requires Management to:
► Take responsibility for internal controls
► Assess the design adequacy and operating effectiveness of internal controls
► Provide an assessment regarding control effectiveness

► Therefore, Management must:
► Develop documentation of design and effectiveness of internal controls
► Demonstrate control operations and design effectiveness
► Develop evidence to support its assertion of control effectiveness
► Support auditor’s assessment of management controls

The burden is on management to demonstrate
evidence of control design and effectiveness.

Page 36
Section 404

► The CEO and CFO are required to report annually on the state of internal controls,
including:
► The framework used to evaluate the effectiveness of ICFR
► Management’s assessment of the effectiveness of internal controls
► Any significant control deficiencies or material weaknesses

► Impact of Section 404:
► A structured framework is required (per Section 404) to meet the responsibility of maintaining and
evaluating a robust internal control environment.
► Management has chosen to use the framework created by Committee of Sponsoring
Organizations of the Treadway Commission, otherwise known as COSO.

► Additionally, the Company’s external auditor must attest to the effectiveness of the
company’s internal controls over financial reporting.

Page 37
Key Control Considerations Under SOX: IPE

► Information Produced by the Entity (IPE):
► Examples of IPE key for our audit procedures may include:
► Reports or data extracted from the system
► System screenshots, data files, or other system outputs used in the execution of controls
► Data provided by third-party service organisations

► When IPE is used in the performance of controls, the external auditor evaluates whether
the information is sufficiently reliable, including obtaining audit evidence about the
completeness and accuracy of the information

► Under SOX, Management must perform procedures to gain comfort over the completeness
and accuracy of IPE used in the execution of their controls. Steps may include:
► Obtaining and reviewing the query or parameters used to generate a report
► Ticking and tying report totals or row counts back to source data within the system
► Retaining evidence to show that data output from an IT application to the end user computing
(EUC) tool has not been modified or lost in the transfer
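The completeness and accuracy steps above, worked as an added example (not code from the slide deck): it ticks and ties the row count and amount total of a report extract back to the source query result and records a SHA-256 of the extract as transfer-integrity evidence. The journal data, the CSV extract and the column names are constructed for illustration.

```python
# Added example (not from the slide deck): completeness and accuracy check on
# Information Produced by the Entity (IPE). It ticks and ties the row count and
# amount total of a report extract back to the source query result, and records
# a SHA-256 of the extract as evidence that it was not altered in transfer.
# All data below is constructed for illustration.
import csv
import hashlib
import io
from decimal import Decimal

# Constructed source data: the rows the system query actually returned.
SOURCE_ROWS = [
    {"journal_id": "JE-1001", "amount": "1500.00"},
    {"journal_id": "JE-1002", "amount": "-250.75"},
    {"journal_id": "JE-1003", "amount": "980.10"},
]

# Constructed extract as delivered to the reviewer's EUC tool (CSV text).
EXTRACT_COMPLETE = "journal_id,amount\nJE-1001,1500.00\nJE-1002,-250.75\nJE-1003,980.10\n"
# The same extract with one row lost in transfer.
EXTRACT_TRUNCATED = "journal_id,amount\nJE-1001,1500.00\nJE-1003,980.10\n"


def parse_extract(text):
    """Parse the CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def extract_hash(text):
    """SHA-256 of the extract bytes, retained as transfer-integrity evidence."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def tick_and_tie(source_rows, extract_text):
    """Compare row counts and amount totals between source and extract."""
    extract_rows = parse_extract(extract_text)
    src_total = sum(Decimal(r["amount"]) for r in source_rows)
    ext_total = sum(Decimal(r["amount"]) for r in extract_rows)
    return {
        "source_count": len(source_rows),
        "extract_count": len(extract_rows),
        "source_total": src_total,
        "extract_total": ext_total,
        "complete": len(source_rows) == len(extract_rows),
        "accurate": src_total == ext_total,
        "sha256": extract_hash(extract_text),
    }
```

A matching count with a mismatched total points at an altered value rather than a dropped row, so both checks are retained with the hash in the control evidence.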

Page 38
Key Control Considerations Under SOX: Review Controls

► Precision & Sensitivity of Review Controls:
► Examples of review controls may include:
► Periodic application user access review (IT)
► Review of sub-ledger to general ledger reconciliation (financial)

► The external auditor will assess Management’s process and evidence of review:
► How precise and sensitive is the review process (i.e. what level of error would the review detect)?
► Is the review performed at the detail level, e.g. does the reviewer validate user access roles, or just
whether a user is an employee?
► What evidence of review is provided (e.g. email, Excel spreadsheet, annotations on PDFs and Excel,
sign-offs)?
► Is there a second level review?
► Are there conflicting roles for reviewer? If so, what is the mitigation or second level review?
► Is evidence of completeness and accuracy provided to the reviewer?

Page 39
IT General Control Areas

Page 40
IT General Controls

IT General Control (ITGC) procedures are performed to determine whether management has controls in place that can
be relied on to test application and IT-dependent manual controls.

ITGCs are broken down into three main categories:

► Manage Change

► Manage Access

► Manage IT Operations

Page 41
Manage Change Controls

► Control Objective: To provide reasonable assurance that only appropriately
authorised, tested and approved changes (both routine and emergency) are
made to the applications, interfaces, and underlying infrastructure that support
key application and IT dependent manual controls within significant processes.

► Change control process (application, database and infrastructure changes)

► Change management segregation of duties

► Change monitoring

Page 42
Manage Access Controls

► Control Objective: To provide reasonable assurance that only authorised
persons and applications have access to critical data (including programs,
tables, and related resources), and that they can only perform specifically
defined functions (e.g., inquire, execute, update).
► Privileged user access
► User administration process
► New, modified, and transferred users
► Leavers process
► User access appropriateness reviews
► Password configurations
► Logical access segregation of duties
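The leavers process and the detail-level user access appropriateness review, worked as an added example (not code from the slide deck): it reconciles a constructed HR feed against a constructed application user list, flagging leavers whose accounts are still enabled after their termination date and active users holding roles not approved for their department. The employee ids, usernames, role names and approved-role matrix are all constructed.

```python
# Added example (not from the slide deck): a detail-level user access review
# over constructed HR and application data. It flags leavers whose accounts are
# still enabled after their termination date, and active users holding roles
# not approved for their department, rather than only checking employment.
from datetime import date

# Constructed HR feed: employee id -> (department, termination date or None).
HR = {
    "E100": ("finance", None),
    "E101": ("finance", date(2024, 2, 14)),
    "E102": ("it", None),
    "E103": ("sales", date(2024, 5, 1)),
}

# Constructed application user list: username, employee id, enabled flag, roles.
APP_USERS = [
    {"user": "jdoe", "emp": "E100", "enabled": True, "roles": {"AP_CLERK"}},
    {"user": "asmith", "emp": "E101", "enabled": True, "roles": {"AP_CLERK"}},
    {"user": "bwong", "emp": "E102", "enabled": True, "roles": {"SYSADMIN", "GL_POST"}},
    {"user": "ckhan", "emp": "E103", "enabled": False, "roles": {"SALES_VIEW"}},
]

# Constructed role matrix: the roles each department is approved to hold.
APPROVED_ROLES = {
    "finance": {"AP_CLERK", "GL_POST"},
    "it": {"SYSADMIN"},
    "sales": {"SALES_VIEW"},
}

# Snapshot date of the quarterly review (constructed).
AS_OF = date(2024, 6, 30)


def review_access(hr, app_users, approved_roles, as_of):
    """Return (username, finding) tuples for accounts needing follow-up."""
    findings = []
    for u in app_users:
        dept, term_date = hr.get(u["emp"], (None, None))
        if dept is None:
            findings.append((u["user"], "no matching HR record"))
            continue
        if term_date is not None and term_date <= as_of and u["enabled"]:
            findings.append((u["user"], f"leaver still enabled since {term_date}"))
            continue
        if u["enabled"]:
            for role in sorted(u["roles"] - approved_roles[dept]):
                findings.append((u["user"], f"role {role} not approved for {dept}"))
    return findings
```

The disabled leaver produces no finding, while the enabled one is reported with the date from which access was retained, which is the evidence a reviewer needs to judge timeliness of the leavers process.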

Page 43
Manage IT Operations Controls

► Control Objective: To monitor and control financially significant IT services for
applications and their underlying infrastructure, including job scheduling,
backup and restore activities, incident management, and routine maintenance.

► Data backups and failures

► Job scheduling and error handling

► Problem and incident management

Page 44
Impact of IT process conclusions on the financial audit

[Figure: audit and client effort scale, ranging from a substantive approach to reliance on
controls.]

Page 45
Impact of IT process conclusions on the financial audit

[Figure: audit scoping flow. Financial statement significant accounts → Risks (what can go
wrong?) → Significant processes → Controls (IT general controls; automated, IT dependent and
manual application controls). Audit effort ranges from controls based to substantive.]
