Since companies began complying with the Sarbanes-Oxley Act, one common complaint about auditor scrutiny has been loud and clear: external auditors have spent too much time on technology systems that seem unrelated to financial statements.
It is an issue that has confused both sides. The problem is that information technology's effect on the figures in the financial statements is often indirect, and there is little standard guidance telling companies how to judge the strength and security of IT-specific internal controls.
With its newly released guidance, the Institute of Internal Auditors is hoping to end much of the anxiety and confusion surrounding the testing of IT controls. The methodology will help companies streamline their preparation for testing, help them defend themselves better when questioned by external auditors, and even possibly save money on compliance costs, according to the IIA.
If the new guidance does those things, it will address a genuine compliance sore spot. Existing internal-control regulations and the IT guidance that accompanies them barely address IT's role in assessing and attesting to controls. Companies have leaned on COBIT (Control Objectives for Information and Related Technology), the IT-governance framework that ISACA and its IT Governance Institute first issued in the 1990s, and on guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). For the most part, though, companies have had to work out for themselves how the Securities and Exchange Commission and Public Company Accounting Oversight Board rules apply to their systems, and hope that their external auditors agree with the reasoning.
Recently proposed revisions from the SEC and the PCAOB to their internal-control standards encourage companies and auditors to concentrate on the areas most likely to lead to a material misstatement. The IIA guidance, which the member association held back from full release until it had reviewed the SEC and PCAOB changes, takes the same line: it helps companies decide which IT controls are worth testing by answering one question, namely which IT controls could, if they failed, lead to a material misstatement. Like the PCAOB's Auditing Standard No. 2, whose proposed replacement standard is in a public-comment period, the IIA guidance uses a top-down, risk-based approach.
Without such clarification, Sarbox critics say, some audits have ballooned in scope and cost because auditors have taken what many consider an overly conservative approach, particularly in their testing of technology systems. The IIA guidance could put companies and their external auditors on the same page about which IT controls matter most for a given company, according to Steve Mar, senior director of IT audit at Microsoft, who helped create the five-step methodology.
The IIA’s guidance could give companies leverage for pushing back on their external auditors if they believe questions related to the testing of IT controls have gone too far, according to Heriot Prentice, director of technology practices for the IIA. If your company properly used the guidance and documented why certain decisions were made, you can use that previous work to “challenge auditors,” Prentice told CFO.com. “And ask them ‘Why would this be in scope?’ or the IS department can call the auditors and say, ‘Why are you looking at this? We followed this methodology and this is not in scope.’”