Been through a Big 4 IT SOX audit?

  • I’m hoping to get some insight into what the process is like. All the documentation is ready but I’d really like to hear from some people who have been through one or more Big 4 IT SOX audits.
    In general:

    • What the process is like
    • General tips
    • What the auditors tend to focus on
    • Lessons learned

  • The ext. auditors tend to look at the documentation first to get an impression of its quality and to judge if they can and want to rely on that. Especially at the quality and work of the tester/testing.
    This influences how deep they dig in. They ought to do some retesting anyway. If the outcome of retesting fits the management’s opinion and the ext. auditors’ opinion, then you’re fine.
    If not, you’ll get some additional comments to your SEC filings… 😉

  • We’re in the final stages here but it seems like the IT audit is never going to end. Actually, while the process has been long and detailed it hasn’t really been that bad. Part of the reason for this is that we put in a lot of new controls. In most cases we tested against these new controls. The auditors really focused on 4 key areas: Access, Security, Change Control and Operations. If you use the COBIT guide for your controls framework and get critical controls in these areas then you should be OK.
    Oops, late for a meeting with the auditors.

  • What your auditors will do depends upon who your auditors are.
    The SOX regulations are vague at best and therefore much is left to interpretation. As such your auditors are out there first and foremost to protect their own interests.
    I’ve been involved with three of the Big Four in the SOX process. What I have seen is consistency within firms, but inconsistency between firms. For instance, one firm may be very detailed and look at policies and procedures as key factors in establishing controls. Another firm may not be as detailed nor as interested in policies and procedures.
    If your auditor (I’ll call it firm 1) is detailed and the firm you hired to assist in your SOX preparation (which I will call firm 2) is not, you will come up short in meeting your auditor’s requirements. If the roles are reversed you will be too detailed and your auditor may tell you so. I’ve seen this exact scenario with the Big Four firms. The same two firms have been involved with two separate companies: one company has firm 1 as the auditor and firm 2 to assist, and the second has firm 2 as the auditor and firm 1 to assist. Both processes have been a mess and it’s not the companies’ fault, but they pay for it.
    The first company has been beaten up by their auditor for not having enough detail and for lacking policies and procedures. The second company is being criticized for having too much detail and too many controls.
    You need to get a sense of what your auditors are looking for from local companies that have already been through the process with that audit firm. From that point you need to select the company that is assisting based upon their ability to provide what your auditor wants. SOX is expensive enough without the cost of a battle between the two audit firms.
    The COBIT framework is the way to go; the big thing is selecting the appropriate control objectives and then defining the key activities.
    I’ve seen some big mistakes here. I had one organization that took the position that they would document the existing control activities currently in use. Sure enough they documented activities and received confirmation from department management that what they had documented was correct. Nothing could have been further from the truth. Testing demonstrated that few if any of the purported activities were actually being performed and even if they were there was no evidence to support the claim. The failure rate was astronomical and the remediation and retesting horrendous. 😞

  • On my previous assignment the ‘Big 4’ auditors only reviewed the work of internal audit, asking for more evidence in places, but did not do any retesting of their own.
    On my current assignment I am expecting a different ‘Big 4’ to review my testing and then carry out some testing themselves.
    Basically it depends on who you get and how comfortable the internal testing documentation makes them feel.

  • I am happy to say that we used external consultants to test the internal documentation, and a Big 4 firm as external auditors for the year-end certification.
    No big hurdles, no significant or material weaknesses, and we did not suffer all the issues that are posted in this forum.
    Just for your info, even within the same Big 4 firm, EU and US partners had very different viewpoints on what to document and the scope of testing to implement for certifying the internal controls and processes. In the end, the US partner took over full responsibility for the assignment because the EU partner was highly demanding and refused to perform the testing on the existing documentation we made.
    So I believe that it really depends mostly on the type of auditors and the instructions they received on how to ‘tackle’ SOXA.
