About IT Audit and Internal Control Effectivity Report 1511



  • Hi all, I’m a newbie in this forum… my name is Albert… I have some questions, perhaps somebody could help me…
    I’m an undergraduate student in the Accounting Dept of a university in Indonesia. Now I’m working on my undergraduate thesis. My thesis is about the relation between IT Audit and the Internal Control Effectivity Report in a company which is complying with section 404 of SOX.
    Since I’m not working yet, I don’t know for sure how IT Audit is being done in any company. So to get information about how IT Audit is being done, I’d like to use a questionnaire. Now I am confused about making a questionnaire about IT Audit and SOX 404 and the relation with the Internal Control Effectivity Report.
    I’ve read the Sarbanes-Oxley-exposure-draft-30april06, which was made by ISACA, in order to understand what questions I should put in my questionnaire. But the more I read it, the more confused I am. And until now, it’s still unclear to me what questions I should put in my questionnaire.
    Could someone help me by giving me hints, articles, links or something that I can use for making questions for my questionnaire?
    Thanks for your help and sorry for my poor English…



  • Hi Albert and welcome 🙂
    “I don’t know for sure how IT Audit is being done in any company.”
    All the companies I’ve worked in have their own company auditors (aka Internal Audit) and then periodically company executives contract with outside accounting firms to also take a fresh unbiased look at the company’s financials and controls (aka External Audit).
    With Internal Audit, they usually publish a quarterly schedule of systems they plan to audit with management and then a couple of weeks before an audit they will notify dept heads that they will be examining controls. They then conduct random samples to measure items, interview folks who are critical in the workflow, and issue their findings to first-line and senior management.
    External Audit’s approach is similar but they usually have to travel in and are there on site for one to two weeks. As a starting point, they usually review the past findings and recommendations by Internal Audit. They also interview system managers and business principals in the process. Their findings are targeted more at executives and even the board of directors. You can look at External Audit as a ‘check-and-balance’ to ensure the Internal Audit function is complete.
    “My thesis is about the relation between IT Audit and the Internal Control Effectivity Report in a company which is complying with section 404 of SOX … making a questionnaire about IT Audit and SOX 404 and the relation with the Internal Control Effectivity Report”
    Some quick sample questions to get you started …

    1. With SOX 404, what new standards have you implemented? Have network and security controls improved?
    2. Do you feel SOX 404 standards have led to improved IT security? Why or why not?
    3. How have your change management and workflows changed with SOX 404?
    4. Has the implementation of SOX 404 standards hindered productivity?
    5. If you had it to do all over again, what changes would you make in SOX 404 standards implementation?


  • OK Mr Harry, thank you very much for your help… it’s helping me so much 🙂 🙂

