SOX Scope: IT Tools

In the ever-evolving landscape of information technology and Sarbanes-Oxley Act (SOX) compliance, IT tools are receiving more attention from external auditors and are increasingly being included in the scope of SOX audits. It is now critical for management and internal audit to understand which IT tools are in use and how they are being used, in order to evaluate the impact on SOX scoping. Once a tool is in scope for SOX, the next step is to determine the appropriate level of SOX testing based on the level of risk.

Traditionally, the scope for SOX IT General Control (ITGC) testing has been defined through risk assessment procedures that consider whether a system captures data that could impact financial reporting. Recently, external audit risk assessment procedures have been expanding to evaluate tools used to support ITGCs. Management and internal auditors should take inventory of the tools used in their IT environment and meet with the IT stakeholders to understand each tool's purpose and how the company is using it.

Once the tools are identified and understood, the auditor needs to assess the role of each tool and determine whether it has an impact on the accuracy, completeness or integrity of financial data. Any tools that play a critical role in these aspects should be included in the SOX ITGC scope. Tools to consider for scoping include those used to manage user access to financial systems, manage changes to IT systems, monitor system and user activity, and generate audit trails.

Specific tools and how they are used may vary from one organization to the next, based on each organization's unique processes and the technologies in use. If a ticketing system is used to maintain requests for support, it may not be in scope; however, if a ticketing system has an automated workflow to approve requests for access or program change, it may be considered in scope.

For in-scope tools, management and internal audit should evaluate the level of risk associated with the tool. Based on the level of risk, management and internal audit may choose to apply all ITGCs to the tool or limited controls based on how the tool is being used and what controls would be sufficient to mitigate the risk to financial reporting.

The trigger for the increased focus on IT tools by external auditors is likely feedback that external audit firms have received from Public Company Accounting Oversight Board (PCAOB) inspections. The PCAOB is the organization that regulates audits of publicly traded companies. Registered public accounting firms undergo PCAOB inspections on an annual basis. Once an inspection is completed, firms often communicate the high-level findings internally to ensure their staff are knowledgeable about the issues and focused on implementing procedures to mitigate the risks associated with the PCAOB findings. Each firm's inspection has different results and, therefore, each firm can have different areas of focus each year.

Collaboration between management, internal audit and external audit can help in defining the appropriate scope and approach to testing and lead to successful audits.
