Evaluating Deficiencies using PCAOB Categories?

  • We were first told to map our IT general controls to COSO and COBIT, which we did several weeks back. Now the external IT audit partner wants us to categorize the controls into the 4 categories for the purpose of evaluating deficiencies.
    They want deficiencies evaluated at 3 levels:

    1. by individual control
    2. by category (from PCAOB)
    3. overall IT GC (aggregate level)

    The 4 areas/categories in paragraph 50 of the AS-2 from PCAOB that we found are:
      Program Development
      Program Changes
      Computer Operations
      Access to Programs and Data

    I've done a preliminary mapping of the general controls to these 4 areas. Everything does not map cleanly to these categories, so there is some room for discussion. It got me wondering if there is a standard already out there which maps COBIT to these 4 areas mentioned by PCAOB that I could double-check against. COBIT is a better mapping for us, but we have to comply with the external auditor's request.
    The client is frustrated because the external auditor seems to keep changing the rules on us.
    Is anyone having to take a similar approach?


  • The client is frustrated because the external auditor seems to keep changing the rules on us.
    Hmmm, never seen that before :evil:



  • Sounds as if the external auditor you are dealing with is Ernst and Young. That seems to be the methodology they want.