The Impact of Sarbanes-Oxley Compliance on IT Audit

By Xenia Ley Parker, CIA, CISA, CFSA
April 2004

From the boardroom to line management, people are talking about compliance with the Sarbanes-Oxley Act of 2002 ("SOX"), designed to "protect investors by improving the accuracy and reliability of corporate disclosures." Auditors, both internal and external, are challenged to meet the new requirements. Because the Securities and Exchange Commission (SEC) oversees the financial reporting of listed companies, it is responsible for enforcing the compliance rules. While SOX is aimed at regulated companies in the United States, many entities in the public sector (state and federal agencies) and the private sector are complying voluntarily to demonstrate effective financial reporting and control. Non-U.S. companies with subsidiaries listed on U.S. stock exchanges, or with publicly traded debt in the United States, must comply. On the other hand, some companies are deciding not to go public at all.

In 2003, the SEC issued its final rules, and the Public Company Accounting Oversight Board (PCAOB), created by the Act and overseen by the SEC, took over responsibility for setting external audit standards for public companies, formerly the province of the AICPA's Auditing Standards Board (ASB). The SOX sections of most concern to auditors are Section 302, which requires top management to sign off on the financial statements and attest to internal control, and Section 404, which requires new control documentation and testing by management and by the external auditors. On October 7, 2003, the PCAOB issued an exposure draft for comment and received 193 responses, many seeking clarification of how far the external auditor can rely on the work of others. On March 9, 2004, the final audit standard and guidance were issued, along with a compliance deadline of November 15, 2004, for accelerated filers and July 15, 2005, for others.
The PCAOB defines internal control over financial reporting as a process designed by, or under the supervision of, the registrant's principal executive and financial officers, board of directors, and management to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles (GAAP). It specifically mentions the need for IT general controls.

Impact of IT general controls

Both internal and external auditors have often not addressed IT controls during financial statement audits. Management may allow control documentation to remain informal, and therefore unenforceable. Now the PCAOB audit standard focuses attention on auditing key IT controls, making the review of some IT components mandatory, although without specifying which ones. It states that the auditor should identify each significant process over each major class of transactions affecting significant accounts.
External auditors are required to perform walkthroughs of key business processes to confirm their understanding of every point at which misstatements related to relevant financial statement assertions could occur. In scoping objectives and risks, the auditor should perform at least one walkthrough for each major class of transactions, tracing it from origination through the information systems until it is reflected in the company's financial reports, and including the controls intended to address the risk of fraud. External auditors must perform the walkthroughs themselves because of the degree of judgment required, but additional evidence can be drawn from the work of others.

The extent to which the auditor may use the work of others depends on their competence and objectivity; the higher these are, the greater the use the auditor may make of their work. The auditor should not use the work of individuals who have a low degree of objectivity, regardless of their level of competence. The auditor must perform enough testing that his or her own work provides the principal evidence for the opinion; the work of others (internal auditors, company personnel, and third parties working under the direction of management) can be used to alter the nature, timing, or extent of the work performed. However, responsibility for reporting on the effectiveness of internal control over financial reporting rests solely with the auditor and cannot be shared.

Internal auditors are normally expected to have greater competence with regard to internal control over financial reporting, and greater objectivity, than other company personnel. Therefore, the external auditor may be able to use their work to a greater extent than that of other company personnel. This is particularly true of internal auditors who follow the International Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors.

Control self-assessment (CSA) has grown in importance over the last decade. However, PCAOB guidance states that although management may test the operating effectiveness of controls using a self-assessment process, such an assessment is made by the same personnel who perform the control; they therefore lack sufficient objectivity, and the external auditor should not use their work.

Relationship of COSO objectives, risks, and controls
Auditors consider the business objectives of the activity being reviewed; its significant risks, and how the potential impact of each risk is kept to an acceptable level (the controls); the adequacy and effectiveness of the activity's management and control; and opportunities for improvement. Appropriate levels of control documentation should exist at both the entity and the activity level to support the controls over financial reporting and disclosure. No specific type of documentation is mandated by the PCAOB. Management is responsible for the organization's controls.

Questions everyone needs to answer: Who will perform the documentation and testing? How much is necessary? Who will perform the control evaluation and process documentation? Internal audit can assist management, with the caution that it must maintain its objectivity and independence: internal auditors should review the work, not perform it. External auditors must perform their own reviews of management's work. Which IT controls should be included?

As processing evolves from hard-copy input and output to paperless, highly integrated applications, maintaining standards and documentation is a challenge. Fully documented and disseminated policies and procedures, based on standards such as COBIT, should exist. Identifying data origination, internal and external interfaces, feeds and linkages, plus the need to meet applicable regulatory or reporting requirements, is not a simple matter. Some examples:
Business continuity planning (BCP) – which is organization-wide, while disaster recovery is IT-related – is not part of a Section 404 assessment. The PCAOB audit standard, paragraph C5, states: "Management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity planning has no effect on the company's current abilities to initiate, authorize, record, process or report financial data. Therefore, a company's business continuity planning is not part of internal control over financial reporting." While some might argue that point, remaining questions include whether security issues constitute a material weakness: IT staff and users with excessive access, IT staff with direct access to production, sharing of passwords for critical functions, weak authentication controls, poor security administration, inadequate change management, and failure to prevent external parties from accessing application systems or databases.

Application controls

Auditors need to review both the IT infrastructure and the applications to understand the entire business process and the interfacing systems. Areas include the process, its risks, control objectives and related control activities, control evaluation, the testing approach, and reporting and addressing control gaps or deficiencies. For example, when testing an automated control, a single error is significant because computers perform a given activity the same way every time, so one exception means the control is not operating as designed. In a manual system, one error might not matter. People make mistakes, so an acceptable error rate is defined before testing starts.

XENIA LEY PARKER, CISA, CFSA, author of Miller IT Audits (2004, CCH Inc.), is an IT auditor with over 23 years of experience. Principal of her own firm since April 2000, focusing on IT risk assessment and auditing, Parker provides IT audit and control training as a Senior Consultant to the MIS Training Institute. With Coopers & Lybrand for 14 years and Ernst & Young for three, in positions of increased activity, she served clients in telecommunications, financial services, retail, manufacturing, and nonprofit organizations.

2004 SmartPros Ltd. All rights reserved.