
1/12/2018


SOX AND THE IT AUDITOR

15 Years Later, Has Life Changed or Does It Just Drone on and on and on and …

Ross E. Wescott MA CISA CIA CCP CUERME

Wescott & Associates

The Conference that Counts, Albany New York

Monday March 19, 2018

ROSS WESCOTT is Principal of Wescott and Associates, established in 2016 to provide IT audit, risk, governance, and control consulting to a variety of industries and government. He has experience in

• IT audit program development and implementation using leading standards including Cobit5

• IT governance

• Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance

• Risk identification and assessment

• Controls identification, design and evaluation

• Data analytics

• End-to-end IT audit management and execution

• IT SOX program development and operation

• Disaster recovery plan development and review, scenario/exercise development and testing

• Recruiting, team building, development, teaching.

Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science. He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the Information Systems Audit and Control Association. He has been published in the major Internal Auditing publications and has been a speaker at conventions and conferences on many Internal Audit topics.


Wescott & Associates. Copyright 2018. All rights reserved.


IT Audit has always had a role in SOx evaluations. It has not always been the primary focus, as IT controls are generally secondary to their financial control counterparts. Much has changed in the organizational world since Sarbanes-Oxley came out in 2004, especially in that there is more integration of financial processes with IT systems than there was in 2004. In this session, you will learn:

• where we have been and where we are – the short history,

• handling the debate – is SOx beneficial enough to continue?

• old principles still apply – what should we focus upon?

• IT Audit’s continuing role,

• the future – is it as clear as the past?


This publication provides CIOs, IT managers, and control and assurance professionals with scoping and assessment ideas, approaches and guidance in support of the IT-related Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control objectives for financial reporting.


Every organization is required to use a recognized internal controls framework for its Sarbanes-Oxley program. Sarbanes-Oxley Act Section 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test, and maintain those controls.

Norman Marks shows readers how to:

• Design a scope of work for their Sarbanes-Oxley assessment that is top-down and risk-based.

• Understand the relationship between Sarbanes-Oxley Sections 302 and 404.

• Appreciate the alternative methods, including the use of technology, to test key controls.

• Improve the overall efficiency of their internal controls systems, not just the controls relied on for financial reporting.

Where We Were – At The Beginning

• Fifteen years ago, IT was not a direct part of SOX legislation

• It quickly became clear that it should be

• Then, nearly every IT general control was a key control and IT became the area with the highest number of deficiencies!

• To make the corrections, IT needed a standard to follow to bring consistency to an area that had no consistency.


• CobIT became the default IT standard alongside COSO

• Costs to correct were high with long-term consequences

• It was not much fun


What We Have Become

• The realization that financial controls heavily relied on IT controls has resulted in an increased focus on IT controls

• With AS5 and subsequent improvements, IT is now a formal part of the consideration of transaction flow

• Top down risk-based assessments have reduced the number of key controls.


• CobIT is still the de facto IT governance standard

• Cost of compliance for many was high, but IT is now stronger.

• But it is not time to relax; improvements are still to be made.


The main improvement: financial control automation through integrated systems.


And this has put a brighter spotlight onto the IT Auditor, as their role has gone from "not initially thought of" to "cannot live without".

I am not sure if it’s an enviable position.


• Organizations now must understand how the financial reporting process works and identify the areas where technology plays a critical part, and distinguish which IT controls have a direct vs. an indirect impact on the financial reporting process.

• For instance, IT application controls ensure completeness and accuracy of transactions, integrated systems ensure no manually induced errors, and quarterly application access reviews reduce segregation of duties problems.

• These can all be directly related to financial assertions.
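As an added illustration (not part of the presentation), the following Python script sketches the quarterly application access review mentioned above as a segregation-of-duties control: it takes a constructed role extract from a finance application and an HR roster, and reports users holding conflicting role pairs and accounts whose owners are no longer active. The role names, the conflict matrix, the extract and the roster are all constructed for this example; a real review would use the application's own role catalogue and the organization's approved conflict matrix.

```python
"""
Added example (not from the presentation): a minimal quarterly application
access review, the IT application control the slide ties to segregation of
duties. It reads a constructed access extract and an HR roster and reports
(1) users holding conflicting roles and (2) accounts whose owner is no longer
active. Role names, the conflict matrix and all data are constructed.
"""
from collections import defaultdict

# Constructed conflict matrix: each pair is two roles one person should not
# hold at the same time (hypothetical role names, not from any real system).
SOD_CONFLICTS = [
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_APPROVE"),
    ("JOURNAL_ENTRY_CREATE", "JOURNAL_ENTRY_APPROVE"),
    ("USER_ADMIN", "AP_PAYMENT_APPROVE"),
]

# Constructed access extract from a finance application: (user_id, role).
ACCESS_EXTRACT = [
    ("jdoe", "VENDOR_MASTER_MAINTAIN"),
    ("jdoe", "AP_PAYMENT_APPROVE"),
    ("asmith", "JOURNAL_ENTRY_CREATE"),
    ("bchen", "JOURNAL_ENTRY_APPROVE"),
    ("bchen", "JOURNAL_ENTRY_CREATE"),
    ("svc_batch", "JOURNAL_ENTRY_CREATE"),
    ("rlee", "AP_PAYMENT_APPROVE"),
]

# Constructed HR roster: user_id -> employment status.
HR_ROSTER = {
    "jdoe": "active",
    "asmith": "active",
    "bchen": "active",
    "rlee": "terminated",
}

# Non-human accounts are reviewed under a separate control, so they are
# excluded from the orphan check (but still subject to the SoD check).
SERVICE_ACCOUNTS = {"svc_batch"}


def roles_by_user(extract):
    """Group the flat extract into {user_id: set(roles)}."""
    roles = defaultdict(set)
    for user_id, role in extract:
        roles[user_id].add(role)
    return roles


def find_sod_conflicts(extract, conflicts=SOD_CONFLICTS):
    """Return sorted (user_id, role_a, role_b) for every conflicting pair one user holds."""
    findings = []
    for user_id, roles in roles_by_user(extract).items():
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                findings.append((user_id, role_a, role_b))
    return sorted(findings)


def find_orphaned_accounts(extract, roster, service_accounts=SERVICE_ACCOUNTS):
    """Return sorted user_ids that hold access but are not active in HR."""
    orphaned = []
    for user_id in roles_by_user(extract):
        if user_id in service_accounts:
            continue
        if roster.get(user_id) != "active":
            orphaned.append(user_id)
    return sorted(orphaned)


def access_review_report(extract=ACCESS_EXTRACT, roster=HR_ROSTER):
    """Both checks combined, as the working-paper summary for the quarter."""
    return {
        "sod_conflicts": find_sod_conflicts(extract),
        "orphaned_accounts": find_orphaned_accounts(extract, roster),
    }


if __name__ == "__main__":
    report = access_review_report()
    for user_id, role_a, role_b in report["sod_conflicts"]:
        print(f"SoD conflict: {user_id} holds {role_a} and {role_b}")
    for user_id in report["orphaned_accounts"]:
        print(f"Orphaned account: {user_id} is not active in HR")
```

Each finding maps back to a financial assertion the slide names: a conflicting pair undermines authorization, and an account still active after termination undermines the existence of the transactions it could post. Keeping the conflict matrix as data rather than code is what lets the review be rerun every quarter against a fresh extract without rewriting the check.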


• The key for over a decade has been to distinguish IT controls that are associated with a significant account or related business process and mitigate specific material financial risks.

• This focus on risk has enabled management to significantly reduce the scope of IT general control testing relative to the first few years.


The last 15 years have not always been smooth sailing.


• A December 21, 2008 Wall St. Journal editorial stated, "The new laws and regulations have neither prevented frauds nor instituted fairness. But they have managed to kill the creation of new public companies in the U.S., cripple the venture capital business, and damage entrepreneurship… Cooked up in the wake of accounting scandals earlier this decade, [SOx] has essentially … hamstrung the NYSE and Nasdaq (while making the London Stock Exchange rich), and cost U.S. industry more than $200 billion by some estimates."


Despite its enactment in 2002 (most of the Sarbanes-Oxley Act's provisions came into effect as early as 2003), SOX was still unable to prevent the financial crisis of 2008, which was precipitated by the Lehman Brothers Holdings financial scandal!


But that was then and this is now. We no longer find detractors to the legislation as it has become everyday life for public companies in the United States and their subsidiaries.


• From an August 2016 article in The Audit Board, John Kim has said that SOx has improved the reliability of financial reporting and auditing.

• SOX ended self-regulation by the audit profession and established an independent oversight of the auditing process, the Public Company Accounting Oversight Board (PCAOB)

• SOX strengthened and expanded audit committees by stipulating that a) all listed companies must have an audit committee, b) members must be independent of management, c) committees contain at least one financial expert, and d) be directly responsible for appointing auditors and ensuring their company’s financial reporting is correct.


• SOX made executives more accountable and protected investors by forcing them to demonstrate ownership of their companies’ financial statements through personally certifying the financial reports.

• SOX enhanced auditor independence by ensuring that [external] auditors remain independent by prohibiting them from providing services such as bookkeeping, actuarial services, or management functions to the companies they audit.


But, you may be asking, what has this got to do with the IT Auditor?

Everything - because IT SOx is only a branch off of the SOx family tree. What happens to the trunk will happen to the IT SOx branch and the financial SOx branch. They cannot be separated.


Let’s look at some SOx family statistics before we get more specific with the IT SOx branch.


(Chart: SOx family statistics. Sources: Protiviti Surveys 2010 to 2016; Workiva, Moss Adams, SOx Pro Survey 2017)


Some interesting trends for the IT Auditor to note:

In 2017, the total number of IT controls reported:

• 40% reported 0 to 25

• 30% reported 26 to 50

• 14% reported 51 to 100

• 15% reported 101 to 250

• 1% reported over 250 IT controls

Source: Workiva, Moss Adams. SOxPro Survey: 2017 State of the SOX/Internal Controls Market


Most Significant Challenge

Ranking                                            Compliance Challenge              Executive Priority
                                                   2016      2017      Direction     2016      2017      Direction
                                                   Priority  Priority                Priority  Priority
Replacement of Legacy Technology                   5         3         +             -         4         n/a
Increase Focus on IT and Cyber Security Controls   2         4         -             5         3         +

Source: Workiva, Moss Adams. SOxPro Survey: 2017 State of the SOX/Internal Controls Market


Protiviti Survey 2016: Does your organization use outside resources for Sarbanes-Oxley compliance related to IT controls?

(Pie chart: Resources Used for IT SOx Compliance. Categories: Yes, Co-source / Yes, Outsource / No, Internal. Values shown: 46%, 39%, 15%.)


51% of surveyed companies have moderate to significant plans to automate IT processes and controls.

Average percentage of all controls that are IT General Controls – 32%

Protiviti Survey 2016


So, what does this mean for the IT Auditor?

There will be much work to do in

• Pre-Implementation reviews for legacy replacements,

• Rework of former manual controls to be automated controls,

• Changing out old automated controls for new ones, and

• A renewed focus of the audit universe to add cyber security coverage.


When reviewing all of these new controls (if you are to do it), here are the questions to ask of each new or changed control and its particular place in a business process:

• What is the most critical step in this process?

• What is the related control that ensures the step is performed thoroughly and timely?

• If the control didn’t exist, would there be an increased risk of a material misstatement?

• Is the control related to a significant or complex account review or reconciliation?

• Is the control designed to prevent transactions from being changed after management approval?

The answers will help determine the level of testing (it’s sort of a risk assessment).


Here are additional roles an IT Auditor can take in the SOx effort.

• Use of CAAT software to automate financial sampling, where applicable.

• Promote use of a SOx central repository and control software (GRC) for risk and control documentation, key control tests, testing results, gaps, remediations, and the status of all.


And, perform a QA on the IT SOx group of controls. Ensure that they cover:

• SDLC – Covering the process of acquiring and developing in-scope systems (including infrastructure)

• SDLC – Covering implementing in-scope applications and technology.

• Policies – Covering support for all business process activities in a consistent and objective manner.

• Change Acceptance – Covering testing and validation prior to migration to production.


• Manage Change – Covering all functionality change to in-scope technology.

• Service Levels – Covering how in-scope systems meet functional and operational expectations.

• Vendor Management – Covers outside relationships that could impact financial results.

• Systems Security – Covering access through physical and logical means, including in-scope applications.

• Configuration – Covering performance of in-scope systems and infrastructure over their lifetimes.

• Incidents and Problems – Covering identifying and responding to events.


• Data – Covering integrity, completeness, accuracy, authorization, and existence of in-scope data.

• Operations – Covering the maintenance of in-scope systems in support of the business.

• End User Computing and Data Configuration – Covering user-controlled in-scope methods that relate to financial statement integrity, completeness, accuracy, authorization, timeliness, and existence.


• The goal of all previous steps is to have efficient and effective testing based on more accurate documentation to achieve the ultimate goal

• The ultimate goal:

  • better conclusions as to the state of financial and IT general and application controls

  • better certifications by the CIO, CFO, and CEO

  • greater reliability by the public accountant

  • reduced costs, over time

  • compliance


A Word of Cheerleading or Two

• Continue to use a well-known standard to measure against – CobIT

• Use risk-based identification of key controls

• Implement technology whenever possible to document controls, risks, tests, and remediations – steer away from the miles and poundage of paper binders or disassociated Word and Excel documents!


THE END (BUT NOT REALLY, AS SOX IT WILL KEEP GOING, AND GOING, AND GOING, AND…)


Any Final Questions?


If you have any questions, please feel free to call and have a meaningful conversation:

Ross Wescott MA CISA CIA CCP CUERME

Principal

Wescott and Associates

503-961-4780

[email protected]


Thank You!
