Some beginner's questions...

  • Hi, I’m a UK external IT auditor who is just starting out on some US SOX attestation clients and I would really appreciate some answers to the following questions (I’ve tried researching this stuff on the web but have struggled to find anything written in comprehensible English.):

    • does the external auditor express an opinion on both the client’s internal controls AND management’s own documentation / testing of their controls (I have a feeling this has changed recently, but am not sure)?
    • when it comes to scoping IT systems, is this management’s job? What if I, as an external auditor, feel that the scope is insufficient? E.g. a client I’m due to start work on soon has not scoped in their Payroll system. Is this likely to be due to payroll costs being immaterial? The same client appears also not to have included many controls regarding the Windows domain-layer (e.g. security) - I’m assuming this should be in-scope?
    • what are the rules on relying on management’s work? A client has had an audit firm in to document and test their IT controls (i.e. readiness work). Am I required to re-test all of these controls, or can (some) reliance be placed on the work already performed?
      I appreciate these are fairly novice questions but any answers would be very gratefully received.

  • As a first port of call you need to read Auditing Standard #5 from the PCAOB. This can be accessed here:
    This should answer all of your questions.

  • Hi Zbigwy,
    Let’s answer your questions first:

    1. Starting with the financial year ending on 31 December 2007, the external auditor (i.e. the registered public accounting firm) only expresses an opinion on the effectiveness of internal control over FINANCIAL REPORTING. Before 2007, the external auditor expressed one opinion on management’s assessment of the effectiveness of internal control over financial reporting (i.e. whether management’s assessment was fairly stated) and a second opinion directly on the effectiveness of internal control over financial reporting.
    2. Only controls over areas with at least a reasonably possible likelihood that a fraud or error that has a material impact on the consolidated financial statements could occur are in scope (see PCAOB Auditing Standard No. 5 on under standards). General IT controls have a pervasive impact on the financial statements due to their general nature, but let’s face it, how high is the likelihood that somebody has the knowledge to hack a system or use keystroke grabbers on the client or network listening to get unencrypted passwords from network traffic in order to make unauthorized transactions in the accounting system? I would not spend too much time on generic IT security stuff. Rather spend it directly on access security in the ERP system that is used for financial reporting. Management decides its own scope for management’s assessment, but the auditor may have a different opinion about the scope. It’s good to discuss scope and coordinate the two. Are payroll expenses material to the consolidated financial statements? Are the processes in payroll complex so that there is a high risk of errors? Is there a lot of staff turnover? Is there a material amount of accrued or paid overtime that would have an impact on the financial statements? What about management and director compensation and stock options? If senior management is involved and if there is fraud or tax evasion, even small amounts are considered material or at least a significant deficiency that should be reported to the board of directors. In a lot of companies payroll can get quite complicated, so that the risk of error is high.
    3. Check PCAOB AS No. 5 on the rules for relying on management’s work. There is a separate section in the auditing standard on that.

  • More on getting started can be found in this thread to complement the good sharing above:
