My previous article in this series described how to prepare your organization for auditing. Now we'll delve into the audit itself: what's involved, and how to survive it.
What To Audit
The Sarbanes-Oxley Act of 2002 (hereafter simply Sarbanes-Oxley) is designed to ensure the following within a business:
There are sufficient controls to prevent fraud, misuse, and/or loss of financial data/transactions.
There are controls to enable speedy detection if and when such problems happen.
Effective action is taken to limit the effects of such problems.
In many companies, most of these controls are IT-based.
Not only must controls be in place; they must be effective, and it must be possible to note exceptions caught by the controls and follow audit trails in order to take appropriate action in response to those exceptions. This requirement puts a new pressure on IT that until now few IT departments have faced.
Ultimately, Sarbanes-Oxley makes executives responsible for ensuring that these controls are in place and effective, and this fact is making Sarbanes-Oxley a high priority on most companies' agendas: Executives are aware that they could go to jail if these processes are not in place and/or are ineffective. Suddenly, executives are very interested in what's going on in the murky depths of the IT department!
For detailed guidance on IT auditing, many organizations have chosen to use ISACA's subset of COBIT to ensure that the key IT aspects relevant to Sarbanes-Oxley are tested, and ISO 17799 for guidance on which security aspects to audit.