Who should audit IT and security controls?



  • I’m new to SOX, so I have what may be a very elementary question.
    At my company, the IT staff is responsible for auditing SOX IT internal controls. Essentially, we help to design the test, we select a tester, and we demonstrate the controls. For the most part, we are testing our own controls. Shouldn’t the testing of IT controls and security (for which we are responsible as well) be assigned to a more impartial auditor?



  • You are exactly correct. Your company should employ an IT auditor who does not report to the IT staff in order to be impartial and have proper segregation of duties. The difficulty in this lies in the fact that most auditors are not specialized in the IT area, limiting their ability to perform IT audits, and currently those with the skill set are in such high demand that it is extremely difficult for a company to find personnel with adequate experience. For your external firm to place any reliance on your testing it will need to be impartial, which will assist in decreasing your overhead when it comes to your external audit. If you have IT personnel perform the audit, you are compromising the audit so that the externals will not feel comfortable attesting that your work performed was unbiased, and they will typically re-perform all testing. I would look into hiring an external internal-audit consultant exclusively for testing of IT so that your company does not have to pay your external auditors to do the work when they come in and chance finding a significant deficiency or material weakness.



  • I will have to disagree with the above poster.
    The reason you are testing is to provide documentation that your controls exist and that they are effective.
    If you want an independent review to ensure that your control design is sufficient and your testing methods are adequate, that's another matter entirely.
    Basically there are two types of testing: functional and compliance testing.
    Functional testing is usually done by QA to ensure the program design is free of 'bugs'. For example, if your strong password policy requires 8 characters to log in, they can test and DOCUMENT that 7 characters will not work and 6 will not work, and then show that 8 characters does work.
    Documented functional testing is one step in showing compliance.
    The other type of testing is compliance testing. Here it is very nice to have a non-biased party review your work to catch any faults you might have before the external auditor comes in, but it is NOT required.
    Compliance testing will entail someone looking at your policies and procedures and making sure they are enough to ensure your objective, using strong passwords again, which is access control.
    If your policies / procedures say 5 characters are enough and no forced password changes ever, an independent auditor has more leeway coming in and telling people, 'Hey, this isn't enough', whereas an employee doing the same review might be ignored or more hesitant to tell his bosses they are wrong.
    The above is a test of design. After the test of design, compliance testing does a test of effectiveness. Basically the test is: are people using the controls as you have designed them? If not, then there is a problem.
    Here is where they do walkthroughs, pull records, do interviews, and observe.
    So in short…
    There is no need for an independent auditor or independent testing, BUT it's nice to catch mistakes you might make before your external auditor catches them.



  • Just a quick follow-up after that LONG message above:
    According to COBIT objectives you should have an independent security assessment at least once a year.
    PO9 Assess Risks
    This might catch many problems with security instead of hiring an independent auditor / tester.



  • Sorry about the spelling… I typed these answers really fast because I have to get back to my own SOX work.
    😛



  • Allen,
    I am in agreement with most of what you said, with the exception that I would like to reiterate that in order for external firms to place reliance on testing of controls, SOX requires the testing to be more independent. In the instance of the question above, independence is not there, as the personnel testing are the same people who put the procedures in place. I agree that an independent review (either internally or externally) is not required, but it is one of the safest ways to ensure your company is in complete compliance. Someone who created a control has a bias to say it works.



  • I agree…
    Having someone unbiased will give a little more weight to your testing of controls.
    As long as the testing is fully documented, though, there is NO requirement that an unbiased source does the testing.
    Pros of unbiased testing:

    1. Adds weight to your assertion to the auditors that your controls are in place and tested.
    2. Verifies that your controls are designed sufficiently to meet your objectives.
    3. Verifies that your testing methodology is sufficient to show proof that your controls exist and work.

    Cons:
    1. Large cost
    2. Finding the resources (people with SOX-relevant experience are in GREAT demand right now)

    Middle ground is that you do the testing yourself but you hire a consultant to review test design and test methodology.


    1. Evaluating the Competence and Objectivity of Others. The extent to which the auditor may use the work of others depends on the degree of competence and objectivity of the individuals performing the work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work; conversely, the lower the degree of competence and objectivity, the less use the auditor may make of the work. Further, the auditor should not use the work of individuals who have a low degree of objectivity, regardless of their level of competence. Likewise, the auditor should not use the work of individuals who have a low level of competence regardless of their degree of objectivity.
    2. When determining how the work of others will alter the nature, timing, or extent of the auditor's work, the auditor should assess the interrelationship of the nature of the controls, as discussed in paragraph 112, and the competence and objectivity of those who performed the work, as discussed in paragraphs 117 through 121. As the significance of the factors listed in paragraph 112 increases, the ability of the auditor to use the work of others decreases at the same time that the necessary level of competence and objectivity of those who perform the work increases. For example, for some pervasive controls, the auditor may determine that using the work of internal auditors to a limited degree would be appropriate and that using the work of other company personnel would not be appropriate because other company personnel do not have a high enough degree of objectivity as it relates to the nature of the controls.
    http://www.pcaobus.org/documents/rules_of_the_board/Standards - AS2.pdf
    The ruling does specify how much the externals can place reliance on internal testing. Please read paragraphs 112-126.
