IT Auditors Seek Sarb-Ox Guidance

Computerworld - ROSEMONT, ILL. -- More than a dozen corporate IT auditors attending a conference here last week said they're struggling mightily to document the controls used within their IT departments in time to meet the Sarbanes-Oxley compliance deadlines that most large companies are facing late this year.
The biggest challenge in meeting the deadline for documenting internal IT controls as required by Section 404 of the Sarbanes-Oxley Act is a lack of clarity from the government entity that's overseeing compliance regarding which controls should be documented and the best ways to do it, attendees said.
They noted that the Public Company Accounting Oversight Board hasn't told companies to use a specific methodology for documenting IT controls, such as COBIT, COSO or ISO 17799. That has made it difficult for the Big Four accounting firms and other external auditors to give advice on which IT controls need to be documented, according to attendees.
"It's hard for us to do this when no one is able to tell us exactly what needs to be documented," said an IT auditor who works at a New York-based investment bank. Like almost all of the other auditors interviewed at the conference, she asked not to be identified.
William Powers, associate director of the accounting oversight board's inspections division in New York, said the regulatory body plans to devote a lot of attention this year to the IT controls assessment work done by public accounting firms. That work includes the risk-assessment process as well as the documentation and testing of general and application controls.
In turn, accounting firms are expected to monitor the IT risk-assessment procedures and information systems audit work that's done by their clients to meet Sarbanes-Oxley mandates, Powers added. But when asked if the oversight board plans to recommend the use of a single IT controls standard, he said, "Absolutely not."
Help on the Way
The Rolling Meadows, Ill.-based Information Systems Audit and Control Association, which hosted the conference, said it plans to roll out a Web-enabled version of the COBIT standard within a few weeks. The new release of COBIT, which is formally called Control Objectives for Information and related Technology, is designed to help IT auditors browse for best practices, do benchmarking and obtain other guidance as part of Sarbanes-Oxley compliance efforts.
In addition to the lack of guidance from regulators, IT auditors said they're also struggling with other issues as part of Sarbanes-Oxley projects. The challenges include identifying a hornet's nest of controls and interfaces among decentralized business units and trying