Statutory Audit and IT Governance

Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
“The IT audit profession, with its capabilities and standards, is part of the solution.”
Erik Guldentops, CISA, CISM
Information Systems Control Journal, Volume 5, 2003

Ten years ago there was frankly not much talk about corporate governance. Neither, to be truthful, was audit discussed much. Today the reverse is true. The reason is because we tend to operate in a “plugging holes” mode, as the recent flurry of emerging audit and governance standards illustrates.

These recent developments (IAASB, COSO II, Sarbanes-Oxley, etc.) focus strongly on the system of internal control in response to recent scandals that have damaged the public trust in financial information and corporate disclosure. It is now mandatory for the CEOs of public corporations quoted either in New York or London to perform a review of internal control at least annually and to publicly disclose their formal evaluation. This is an important and burning driver but not the only one influencing the role of IT in governance and statutory audit.

This article will attempt to illustrate the importance of IT to enterprise reporting systems and, hence, to internal control, and thereby to corporate officers and auditors responsible for certification. At the same time, the relevance of IT and IT governance will be shown. They are relevant to the processes by which financial information is produced, and most importantly, they are essential to survival and growth of the enterprise as a whole. Ultimately this increases the importance of the role of IT auditors in IT governance, corporate reporting, internal control and statutory audit.

Figure 1—IT Governance Drivers
[Figure: IT Governance, with four drivers: Value (Brookings), Trust (McKinsey), Assurance (Turnbull), Survival (Greenspan)]

There are some immediate relations one can draw with statutory audit requirements when we look at some of the major drivers for IT governance (see figure 1)¹, including:
• Trust—With investors willing to pay significantly more for shares of well-governed enterprises
• Value—When considering the majority of enterprise market value is in intangible assets
• Survival—When trust can vanish overnight when based on intangibles and governance practices
• Assurance—With its increasing requirements for risk transparency and increasing focus on internal controls

The enormous value of information for most enterprises increases the priority of the statutory audit requirement to look at how management exercises its custodianship over these intangible assets.

Equally, when considering the dependence on intangibles and the speed with which trust can be lost (e.g., Enron and the ensuing demise of Arthur Andersen), the statutory audit requirement to warn when there is an issue with the going concern cannot be ignored. There is now such corporate reliance.

Trust and assurance depend on the integrity of the information reported and on the system of internal control that an enterprise operates. Good governance and a sound system of internal control are the responsibilities of management and the board. Where they exist, the task of external auditors—in terms of statutory opinion and attestation of the evaluation of internal control—is made a lot easier.

The US Sarbanes-Oxley Act is undoubtedly the most far-reaching piece of legislation to affect the governance of US and international corporations. The act puts strong requirements on management and auditors for the establishment, evaluation and reporting on internal control (see figure 2). In addition, it goes well beyond the financial controls traditionally associated with statutory audits, with the introduction of “disclosure controls and procedures,” which are more in line with the compliance and operational controls of COSO (Committee of Sponsoring Organisations of the Treadway Commission). To exercise that responsibility, management and the auditors also need to look at:
• IT’s role in the integrity of information
• The system of internal controls over IT
• The support IT provides to the overall system of internal controls
• The management of IT risks

Figure 2—Internal Control Requirements, Sarbanes-Oxley Act

Section 302
Requires the company’s CEO/CFO to certify that:
• SEC reports filed have been reviewed, are accurate and do not omit material fact.
• Financial statements fairly represent the financial position.
• Disclosure controls have been designed, established, maintained and evaluated.
• Internal control and fraud issues are disclosed to audit committee and auditors.

Section 404
Requires the SEC to prescribe rules for internal control reports which:
• State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
• Contain an assessment of the effectiveness of this structure and procedures
• Require external auditors to attest to the assessments made by management

However, none of these responsibilities can be exercised without considering the enterprise information and the systems that capture, process, store and distribute it.

This is where IT audit competencies and practices need to be applied—more extensively than in the past—to support management’s and external auditors’ responsibilities relative to the integrity of information, the appropriateness of risk management and the adequacy of internal control. The complexity and widespread deployment of IT systems in terms of organisational structures and resources, as well as technologies used, has created the need for highly specialised IT auditors who—as experts in IT governance best practice—can opine on these issues.

Enterprise governance relates to the rules and processes through which business opportunities and risks are recognised and managed to ensure enhanced and sustainable stakeholder value.² IT governance covers the management processes which ensure the delivery of the expected benefits of IT in a controlled manner so that it supports current operations and helps enhance the long-term sustainable success of the enterprise.

There is a significant difference between strong and weak IT governance, as illustrated in figure 3. The difference has a profound impact on trust and assurance.

Figure 3—Strong and Weak IT Governance

Strong IT Governance
IT governance disciplines are more likely to lead to the effective use of technology to enable and support the business, resulting in higher levels of control and security, greater integrity of financial and management information, and therefore reduced audit risk.

Weak IT Governance
IT governance disciplines are more likely to lead to ineffective or incomplete use of technology, thus increasing the risk of poor control and security, and reducing the integrity and reliability of management and financial information, therefore increasing audit risk.

With these differences, it would be foolish to deny that strong IT governance has no impact on the integrity of information, the system of internal control or audit risk.

From a statutory audit perspective, strong IT governance reduces audit risk from, for example:
• Poor security over business transaction capture, transfer, analysis and reporting
• Poor management controls over completeness and integrity of business transaction capture, transfer, analysis and reporting
• Misdirected or poor financial transparency of IT investments
• Fraud or wilful manipulation or concealment of business information

While noting that most external auditors truly appreciate the importance of IT, it is disappointing to see that statutory audit standards appear to restrict themselves to those aspects which strictly relate to the preparation of financial statements, while there is a much larger array of risks that enterprises need to address. The good news is that IT governance issues are in fact becoming integrated into the audit procedures of major audit firms which are evolving from financial audit to a more performance assurance perspective, including IT.

But even a strict financial audit process needs to start with understanding the business environment. The pervasiveness of IT and the importance of information as an enterprise asset imply that the enterprise’s IT governance processes need to be identified and assessed, with special focus on the going concern, intangible assets and custodianship over these assets. This analysis needs to occur in the first step of the statutory audit process (see figure 4).

Recognising the importance of IT in understanding the business and its subsequent role in internal control will reduce audit risk. Therefore, auditors can no longer avoid considering up front:
• The organisational structure of information processing
• The complexity of information processing
• The significance of information processing in each accounting application

Even more fundamental, the extensive processing of information that occurs from the creation of the business transaction until the ultimate recording of that transaction in the financial statements is rife with information processing. As such, all of the steps, processes (operational, managerial and
how to deal with it on anything other than a partial basis. The
Figure 4—Statutory Audit Process IT Governance Instit
