IT auditing and Sarbanes-Oxley compliance : key strategies for business improvement


Where to find it: Information & Library Science Library

Call Number: HD30.2 .C477 2009

Summary

Information technology auditing and Sarbanes-Oxley compliance have several overlapping characteristics. They both require ethical accounting practices, focused auditing activities, a functioning system of internal control, and a close watch by the board's audit committee and CEO. Written as a contribution to the accounting and auditing professions as well as to IT practitioners, IT Auditing and Sarbanes-Oxley Compliance: Key Strategies for Business Improvement links these two key business strategies and explains how to perform IT auditing in a comprehensive and strategic manner.

Based on 46 years of experience as a consultant to the boards of major corporations in manufacturing and banking, the author addresses objectives, practices, and business opportunities expected from auditing information systems. Topics discussed include the concept of internal control, auditing functions, internal and external auditors, and the responsibilities of the board of directors.

The book uses several case studies to illustrate and clarify the material. Its chapters analyze the underlying reasons for failures in IT projects and how they can be avoided, examine critical technical questions concerning information technology, discuss problems related to system reliability and response time, and explore issues of compliance.

The book concludes by presenting readers with a "what if" scenario. If Sarbanes-Oxley legislation had passed the U.S. Congress in the late 1990s or even 2000, how might this have influenced the financial statements of Enron and WorldCom? We can never truly know the answer, but if companies make use of the procedures in this book, debacles such as these, and those which led to the 2007-2008 credit and banking crisis, will remain a distant memory.

Contents

  • Preface p. ix
  • About the Author p. xv
  • Acknowledgments p. xvii
  • Part I Management Control
  • 1 Internal Control and Information Technology p. 3
  • 1.1 Internal Control Defined p. 3
  • 1.2 Internal Control and Service Science p. 6
  • 1.3 The Proverbial Long, Hard Look p. 9
  • 1.4 Classical and New Internal Controls p. 13
  • 1.5 Deficiencies and Conflicts in Internal Control p. 16
  • 1.6 Internal Control Is IT's Current Frontier p. 18
  • 1.7 The Audit of Advanced IT Operations p. 20
  • 2 Case Studies on Internal Control's Contribution p. 25
  • 2.1 Internal Control and Operational Risk p. 25
  • 2.2 Monitoring Functions of Internal Control p. 29
  • 2.3 The Critical Role of Experimentation p. 31
  • 2.4 Use of Threat Curves in IT p. 35
  • 2.5 Design Review as an Internal Control Method p. 38
  • 2.6 Internal Control and System Specifications p. 41
  • 2.7 The Added Value of Prototyping p. 43
  • 3 Auditing Functions p. 47
  • 3.1 Purpose of Auditing p. 47
  • 3.2 Qualification of Auditors and Audit Standards p. 50
  • 3.3 Transparency in Financial Reporting p. 52
  • 3.4 The Sarbanes-Oxley Act and Its Aftereffects p. 56
  • 3.5 The Auditor's Independence of Opinion p. 60
  • 3.6 Auditing the Bank's Internal Control: A Case Study p. 63
  • 3.7 Audit Reports and Audit Trails p. 66
  • 4 Internal and External Audit p. 69
  • 4.1 Auditing Responsibilities Prescribed by Regulatory Agencies p. 69
  • 4.2 Structure and Standards of Internal Audit p. 72
  • 4.3 Internal Audit Functions p. 75
  • 4.4 Failures in Auditing Internal Control p. 77
  • 4.5 Outsourcing Internal Audit p. 80
  • 4.6 External Audit Functions p. 82
  • 4.7 Unqualified and Qualified Reports by External Auditors p. 84
  • 4.8 Challenging the Dominance of the Big Four p. 88
  • 5 The Board's Accountability for Audit p. 91
  • 5.1 Membership of the Board of Directors p. 91
  • 5.2 Legal Responsibilities of Board Members and Senior Management p. 93
  • 5.3 Committees of the Board p. 96
  • 5.4 The Corporate Governance and Nominating Committee p. 98
  • 5.5 The Audit Committee p. 100
  • 5.6 Situations That Escaped the Audit Committee's Watch p. 102
  • 5.7 Cultural Change p. 105
  • Part II Case Studies on Auditing a Company's Information Technology
  • 6 Auditing the Information Technology Functions p. 111
  • 6.1 Snapshots of IT Audits p. 111
  • 6.2 Tuning the IT Audit to Regulatory Requirements p. 114
  • 6.3 Procedure of an IT Audit p. 117
  • 6.4 Why IT Audit Impacts a Firm's Technology p. 119
  • 6.5 Auditing Fraud Cases p. 122
  • 6.6 Auditing Technology Risk p. 124
  • 6.7 Auditing the Overall System Concept p. 127
  • 6.8 Testing Existing Auditing Procedures p. 128
  • 6.9 Auditing IT's Legal Risk p. 131
  • 7 Strategic IT Auditing: A Case Study p. 135
  • 7.1 Goal of a Strategic Audit p. 135
  • 7.2 Strategic Analysis of the Bank's Business p. 138
  • 7.3 Snapshot of IT's Status Quo p. 143
  • 7.4 What Bank Executives Thought of IT Support They Received p. 145
  • 7.5 High Back-Office Costs, Low Marketing Punch, and Treasury Department Woes p. 148
  • 7.6 Conversion Problems Created by Legacy IT p. 150
  • 7.7 Database Culture and Software Development p. 153
  • 7.8 Conclusion: A Lopsided System Design p. 155
  • 8 A Constructive View: Suggestions for IT Restructuring p. 157
  • 8.1 Capitalizing on the Strengths of the Institution p. 157
  • 8.2 Opportunities and Problems of Strategic Planning p. 160
  • 8.3 A New Technology Strategy p. 162
  • 8.4 Bringing High Tech to the CEO and the Professionals p. 165
  • 8.5 Improving Internal Control over IT p. 168
  • 8.6 Instituting a Risk-Management System p. 171
  • 8.7 Return on Investment and the Technology Budget p. 174
  • 8.8 Profit Center Organization and Internal Billing p. 176
  • 9 A Broader Perspective of IT Auditing p. 181
  • 9.1 IT Projects That Never Reach Their Goals p. 181
  • 9.2 Why Has the Project Not Been Completed? p. 184
  • 9.3 The Fall of a State-of-the-Art Project in Transaction Management p. 188
  • 9.4 Mismanagement of Client Accounts Revealed by an Audit p. 191
  • 9.5 Wrong Approach to Risk Control: Too Much Manual Work p. 194
  • 9.6 Auditing the Models for Market-Risk Exposure p. 198
  • Part III Technical Examples in Auditing IT Functions
  • 10 Auditing IT Response Time and Reliability p. 203
  • 10.1 Qualifications for Auditing Specific Technical Issues p. 203
  • 10.2 System Response Time p. 206
  • 10.3 System Expansion Factor p. 208
  • 10.4 User Activity and the Cost of Turnaround Time p. 210
  • 10.5 Auditing Interactive Systems p. 214
  • 10.6 Auditing System Reliability p. 217
  • 10.7 The Investigation of Reasons for Unreliability p. 219
  • 10.8 Auditing Operational Readiness p. 221
  • 11 Auditing the Security System p. 225
  • 11.1 Information Security and the IT Auditor p. 225
  • 11.2 Auditing Security Management p. 227
  • 11.3 Physical Security p. 230
  • 11.4 Logical Security p. 231
  • 11.5 How Safe Is Network Security? p. 234
  • 11.6 Information Security in Cyberspace-The Small Fry p. 236
  • 11.7 Information Security in Cyber Warfare-The Big Stuff p. 239
  • 11.8 The Auditor's Target in Network Security p. 241
  • 11.9 Auditing Software Security p. 244
  • Part IV Can IT Help in Compliance? The Case of SOX
  • 12 Sarbanes-Oxley Compliance and IT's Contribution p. 251
  • 12.1 Compliance Defined p. 251
  • 12.2 Beyond Compliance with the Sarbanes-Oxley Act p. 254
  • 12.3 Both Regulation and Management Watch Should Be Proactive p. 257
  • 12.4 SOX Is a Friend of Business, Not a Foe p. 259
  • 12.5 The Fear of the Policeman Is Greater than the Fear of IT p. 262
  • 12.6 Contribution to Compliance of the Corporate Memory Facility p. 265
  • 12.7 The Contribution of Knowledge Engineering p. 268
  • 12.8 Why Knowledge Artifacts Are a Major Advance in IT p. 271
  • 13 What If: Backtesting Sarbanes-Oxley p. 275
  • 13.1 The Concept Underpinning Case Studies and What-If Scenarios p. 275
  • 13.2 Replaying the Enron Scandal under SOX p. 277
  • 13.3 The Worst Continued to Worsen p. 279
  • 13.4 Ignorance as a Way of Running a Big Firm p. 281
  • 13.5 Modern Financial Alchemy: Prepays p. 284
  • 13.6 Credit Insurance, Surety Bonds, and Out-of-Court Settlement p. 288
  • 13.7 Sarbanes-Oxley and the WorldCom Scandal p. 291
  • 13.8 The Contribution of the Sarbanes-Oxley Act to the American Economy p. 293
  • Index p. 297
