Evaluating Deficiencies using PCAOB Categories?
-
We were first told to map our IT general controls to COSO and COBIT, which we did several weeks back. Now the external IT audit partner wants us to categorize the controls into the 4 categories for the purpose of evaluating deficiencies.
They want deficiencies evaluated at 3 levels:
- by individual control
- by category (from PCAOB)
- overall IT GC (aggregate level)
The 4 areas/categories in paragraph 50 of the AS-2 from PCAOB that we found are:
- Program Development
- Program Changes
- Computer Operations
- Access to Programs and Data
I’ve done a preliminary mapping of the general controls to these 4 areas. Everything does not map cleanly to these categories, so there is some room for discussion. It got me wondering if there is a standard already out there which maps COBIT to these 4 areas mentioned by PCAOB that I could double check against. COBIT is a better mapping for us but we have to comply with the external auditor’s request.
The client is frustrated because the external auditor seems to keep changing the rules on us.
Is anyone having to take a similar approach?
-
The client is frustrated because the external auditor seems to keep changing the rules on us.
Hmmm, never seen that before :evil:
-
Sounds as if the external auditor you are dealing with is Ernst and Young. That seems to be the methodology they want.