IT component of Sarbanes Oxley

  • I am an experienced IT auditor/security auditor from the UK and am concerned because I am now working on a SOX project in the US and I am unsure of what the scope should be of the IT part of the audit.
    The company I am auditing relies on IT heavily for its core business, but the audit team seem to believe that the SOX audit needs only to cover IT systems directly related to financial records. I thought for SOX IT audits, the whole of IT has to be audited if the IT systems are the core business of the company? As I am not a SOX expert, I don't know what to do - please let me know.
    Michelle




  • Hi Michelle,
    I have to admit that it is a little bit irritating. But I try to make it a little more transparent. In parts both of you have the right view.

    1. IT is not in a SOX scope. That's because IT itself is not a financial reporting process.
    2. Parts of the IT environment, especially those directly involved in supporting the financial reporting systems, are involved.
    3. There is a thing called general IT controls on which all the other/application controls rely (e.g. user authorization, access controls, archiving and so on). These are also within the SOX scope. You may refer to www.itgi.org; there is a document available called "IT Control Objectives for SOX".
    Enjoy…


  • Thanks for your take on things… however, my client could go out of business overnight if there were just a few hours of downtime of their IT systems, so shouldn't I evaluate the viability of their systems as part of the SOX audit, as they are so key to the financial viability of the company?



  • Your concerns are reasonable. As far as Sarbanes is concerned, all key internal controls are part of the scope for 404 compliance.
    More obvious key controls are finance related. However, other key controls are sometimes operational and sometimes IT related.

    1. As long as your IT system contributes to Origination, Accuracy and Completeness of the Financial Reporting, those systems and related processes are under the scope of a Sarbanes audit.
    2. COSO is an endorsed standard for Sarbanes. As part of Risk Assessments within COSO guidelines, your critical systems and processes need to be audited, evaluating the risk, exposure and the impact on the company's ability to operate normally.
    I am an Internal Auditor with a large CPA firm and understand both sides - IT and Financials.
    Let me know if I can be of further help.
    Madhav Vedula
    audit_pro_at_yahoo.com


  • Still - the downtime of an IT system, even if it is essential to the business, represents 'only' a so-called operational risk.
    The company can be bankrupt, as long as it is stated correctly in the financial records.
    But - for example, if the IT system represents or is collecting data essential for the billing process and you're losing billing data while the IT system is down, you'll have a SOX topic. That's because if this is the case you'll show your accounts receivable incorrectly.
    That's why both of you are somewhat right… ;o)



  • General IT controls are definitely in scope for Sarbanes-Oxley compliance. The application controls that business processes depend on are, in turn, dependent on general IT controls around software development, access controls for both applications and data, and operational controls around proper functioning of the applications, including the numerous interfaces that typically make up an application portfolio.
    I recommend you get 'IT Control Objectives for Sarbanes-Oxley' from the IT Governance Institute at isaca.org.
    I am trying to put together a collaborative project on Sarbanes-Oxley compliance and would be happy to send you our project proposal.



  • Very interesting topic. Actually, I have the same dilemma about the IT part of SOX compliance.