IT Auditors Seek SOX GuidanceThe biggest challenge in meeting the deadline for documenting internal IT controls as required under the Sarbanes-Oxley Act is lack of clarity regarding which controls should be documented and the best ways to do it.
The Public Company Accounting Oversight Board hasn't told companies to use a specific methodology for documenting IT controls, such as COBIT, COSO or ISO 17799. That has made it difficult for accounting firms and other external auditors to give advice on which IT controls need to be documented.William Powers, associate director of the accounting oversight board's inspections division in New York, said the regulatory body plans to devote a lot of attention this year to the IT controls assessment work done by public accounting firms. That work includes the risk-assessment process as well as the documentation and testing of general and application controls. In turn, accounting firms are expected to monitor the IT risk-assessment procedures and information systems audit work that's done by their clients to meet Sarbanes-Oxley mandates. But when asked if the oversight board plans to recommend the use of a single IT controls standard, he said, "Absolutely not." Help on the Way The Rolling Meadows, Ill.-based Information Systems Audit and Control Association, said it plans to roll out a Web-enabled version of the COBIT standard within a few weeks. The new release of COBIT, which is formally called Control Objectives for Information and related Technology, is designed to help IT auditors browse for best practices, do benchmarking and obtain other guidance as part of Sarbanes-Oxley compliance efforts.
"It's hard for us to do this when no one is able to tell us exactly what needs to be documented," said an IT auditor who works at a New York-based investment bank.
In addition to the lack of guidance from regulators, IT auditors said they're also struggling with other issues as part of Sarbanes-Oxley projects. The challenges include identifying a hornet's nest of controls and interfaces among decentralized business units and trying to manage the efforts with scarce resources. Read More >>>>>