Do you ever feel like just when you think you know what your external Sarbanes-Oxley (SOX) auditor is looking for, they change things? It has been happening since the inception of SOX. Just when management is getting comfortable with performing and documenting their controls, it seems like there is another obstacle to overcome.
A recent change we are seeing from some external auditors is an increased focus on user access reviews. External auditors are looking for documentation around system roles and permissions, training conducted for reviewers and documented analyses or risk assessments justifying why each role and associated permission is included or excluded from a review. In addition, some external auditors are performing interviews of a sample of reviewers to verify that reviewers fully understand the expectations of their review as well as their understanding of each role and associated permissions for the system access they review. There is also increased scrutiny on the completeness and accuracy of the user listing generated for the review. External auditors are documenting new deficiencies around user access reviews that have not been seen in the past, when nothing has changed in management’s process from previous years.
The trigger for the increased focus on user access reviews by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on an annual basis and once the inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings. Each firm’s inspection has different results and, therefore, each firm can have different areas of focus each year.
We can expect further changes from external auditors in the future. Initially these changes can seem burdensome but with collaboration between management, internal audit, and external audit, companies can prepare for the changes and have successful audits.
#ITGCtesting #Useraccessreviews #UAR