A word on the pending PCAOB amendments

The Public Company Accounting Oversight Board (PCAOB) is proposing significant amendments to its existing standards, AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement, as well as conforming amendments to other related PCAOB auditing standards. These proposed amendments respond to the ever-increasing use of technology in audits and aim to enhance audit quality and investor protection. Specifically, the amendments will address the challenges and opportunities presented by technology-assisted analysis, enabling auditors to analyze information electronically using technology-based tools. Naturally, here at AudITech, we’re interested in these developments as developers of ITGC audit software.

Why make these amendments?

Over the last ten years, technological advances have changed the business landscape, with organizations moving to computerized platforms and generating vast amounts of electronic data. In turn, auditors have embraced technology-assisted analysis, using tools such as data analytics, machine learning, and artificial intelligence to gather, process, and interpret electronic information. This shift has enabled auditors to perform more precise analyses, recognize patterns, identify anomalies, and more effectively reveal potential risks.

AS 1105, Audit Evidence, defines what constitutes audit evidence and sets out requirements for designing and performing audit procedures to obtain sufficient appropriate audit evidence. The audit evidence amendments are intended to update this standard so that it explicitly addresses aspects of designing and performing audit procedures, including technology-assisted analysis. With clearer rules and guidance, auditors can make better use of technology-based tools to gather audit evidence and establish its reliability.

AS 2301, The Auditor’s Responses to the Risks of Material Misstatement, sets out requirements for auditors to design and perform appropriate responses to identified risks of material misstatement. The proposed revisions to this standard will align it with the expanded use of technology-assisted analysis in risk-response procedures. Auditors will be given direction on how best to use technology to analyze and respond to evolving risks, ultimately improving audit quality.

What will these amendments do?

The proposed amendments will give clarity on distinguishing analytical procedures from tests of details, a distinction currently lacking in PCAOB guidance. Auditors will be better prepared to understand when and how to apply technology-assisted analysis as part of their audit procedures, leading to more efficient and precise audits.

The proposed amendments also aim to handle situations where auditors perform multi-purpose procedures that include technology-assisted analysis. Such procedures serve several objectives and require comprehensive documentation to ensure their effectiveness. Under the amendments, auditors will be expected to document clearly the purpose, results, and evidence obtained for every procedure, aligned with the objectives of the audit. This documentation brings transparency to the audit process, enabling auditors to show the reasoning behind their choices and conclusions.

By explicitly stating the purpose of every procedure, auditors can ensure that procedures are suitably designed to achieve the expected results. Moreover, by documenting the results and evidence obtained, auditors can track and analyze the progress of the audit, ensuring that the evidence gathered supports the conclusions reached. Aligning the documentation with the objectives of every procedure strengthens overall audit quality, as it encourages consistency, precision, and reliability in the audit process. Ultimately, these amendments promote greater accountability and trust in audit practices, as auditors are required to adhere to thorough documentation principles when using technology-assisted analysis in multi-purpose audit procedures.

The PCAOB’s analysis highlights the important role of external information maintained by companies and used by auditors as audit evidence. The proposed amendments will specify auditors’ obligations regarding the reliability of this external data, stressing the importance of assessing the data’s source and the company’s process for maintaining and handling it.

Why are these amendments necessary?

Because of the reliance on technology-based tools, the proposed amendments highlight the importance of controls over information technology. Effective controls, including IT general controls and automated application controls, improve the quality of audit evidence derived from both company-generated and external data.

The proposed amendments offer the prospect of improved audit quality, resulting in more accurate and reliable reporting. Clear direction on technology-assisted analysis will enable auditors to conduct more efficient and effective audits, potentially leading to cost savings for audit firms and lower audit fees for companies. Investors will benefit from improved financial information, giving them more confidence and efficiency in making capital allocation decisions.

Implementing the proposed amendments may require some adjustments to firms’ audit approaches, though the costs should generally be outweighed by the potential gains in audit quality. The PCAOB emphasizes striking the right balance between embracing technological advancement and maintaining robust audit principles to ensure the success of these amendments. By recognizing the need for flexibility, the PCAOB enables audit firms to use technology-assisted analysis successfully while maintaining the integrity and rigor of audit processes. The changes are intended to direct auditors toward more efficient and effective audits, leading to expected cost savings for firms and lower audit fees for clients. Moreover, investors stand to benefit from the resulting improvements in financial information, giving them greater confidence and convenience in their capital allocation decisions. By proactively addressing the challenges of technological integration, the PCAOB intends to cultivate a smooth transition toward a technologically advanced auditing environment in which audit quality and investor protection remain at the forefront. Overall, the PCAOB’s commitment to balancing innovation with rigorous standards ensures that these amendments can act as a catalyst for positive change within the auditing profession.

In Summary

The proposed amendments to PCAOB standards AS 1105 and AS 2301 represent a significant step in adapting audit practices to the technological age. By addressing the challenges and opportunities introduced by technology-assisted analysis, these revisions will improve audit quality, investor protection, and the overall efficiency of audits. The PCAOB encourages active engagement and cooperation with stakeholders throughout the amendment process to ensure that the final standards remain relevant and adaptable to the constantly changing landscape of technology in auditing. Through these amendments, auditors will be better prepared to use technology and to foster greater transparency, accountability, and trust in financial reporting, to the benefit of all stakeholders in the financial landscape.

At AudITech, we’re no strangers to adjusting audit practices to the technological age. Don’t get left behind. Contact us for a demo today.

How SPACs Can Avoid SOX Compliance Surprises

Compared with traditional initial public offerings (IPOs), special purpose acquisition companies (SPACs) have rocketed in popularity in recent years as a faster route to going public.

According to Grant Thornton’s research, SPACs raised more than $26 billion in investment capital in January 2021 alone.

After going public, the SPAC (a legal entity created for acquisition, with no commercial operations) must seek a suitable target to acquire. Once the SPAC has taken over the privately held company, the SPAC entity has fulfilled its purpose.

Despite their utility in simplifying the process of going public, SPACs come with potential hidden risks when it comes to complying with Sarbanes-Oxley Act (SOX) regulatory obligations.

SPACs vs Traditional IPO: SOX Compliance Risks

Typically, SPACs face SOX compliance risks that IPOs are better prepared to handle. Traditional IPOs take a longer route to going public, one that involves greater financial due diligence before the required investment is secured.

Consequently, SPAC companies going public can be surprised by urgent SOX compliance requirements they’re not prepared for.

To summarize

Despite the differences in their routes to going public, SPACs and traditional IPOs are subject to exactly the same SOX compliance requirements.

SPAC management must be cautious not to let the perceived ease and convenience blind them to the personal regulatory mandates that the Sarbanes-Oxley Act places on them. And the surprises don’t end there—once SPACs discover their SOX compliance obligations, another little surprise may lie in store—IT General Controls (ITGC).

SPACs, ITGC and IT Audits

ITGCs are ongoing processes designed, implemented, and monitored to ensure the integrity of financial information sourced from a company’s information technology systems and environment.

SOX compliance is dependent on SPACs being able to produce the right ITGC documentation generated through an internal IT audit.

Your ITGC obligations won’t wait; you shouldn’t either

Unless you’re using ITGC automation, designing, implementing, and monitoring ITGC doesn’t come easily, so leave plenty of time.

Doing the basic groundwork and preparing ITGC for successful SOX IT audits requires fundamental changes in mindset and culture.

CFOs and CISOs of SPACs going public must ensure this culture change is consistently advocated for so that it trickles down into relevant teams and remits.

If you’re starting your SOX audit and ITGC journey:

Study the Sarbanes-Oxley Act: Sections of specific importance and relevance include sections 302, 404, and 906, though we recommend not limiting your research only to these sections.

Build a relationship with SOX industry insiders: This may be an external auditor registered with the Public Company Accounting Oversight Board (PCAOB), or it might be us—before we automated ITGC, we used to be Big 4 auditors, so we’re ideally positioned to share a detailed insider perspective on what you need to do.

Build and educate your IT & MIS teams: Don’t assume the Accounting department will care for things. SOX compliance and ITGC responsibilities run deep into an organization—from Payroll to Sales, IT and beyond.

Closing Advice for SPACs Seeking SOX Compliance

Don’t panic. Automate what you can: Don’t rush the process if you discover your SOX and ITGC requirements late. Gather the correct information to share with the right stakeholders to raise awareness and make a case for automating ITGC.

Create a coherent plan: If you decide not to automate ITGC, you’ll have a lot of work to complete quickly, even if you already have a reasonably healthy control environment. Once you’ve built your IT audit team and strategy, work backward from your compliance deadlines—allow time to fill the ITGC gaps identified and allocate the right resources to fix them.

Test your ITGC before your auditor does: Your new ITGC may look great on paper, but it may also be inconsistently performed. Be sure to test and monitor ITGC standards over time before requesting an external opinion.

Do SOX IT Audits Faster and Automate ITGC Monitoring With AudITech

Due to the complexity involved in manual ITGC audits, the processes implemented to overcome SOX compliance risk can create other increased risks of error and oversight.

By simplifying and automating ITGC, AudITech protects organizations from those increased risks while providing a fast track to confident SOX compliance readiness.

Request a demo and discover the fast, simple, valuable route to ITGC and SOX compliance peace of mind.

What Is SOX Reporting? (And Why CFOs Should Care)

Professionals and publicly listed companies facing new Sarbanes-Oxley Act (SOX) requirements may be familiar with the basics of their emerging SOX obligations. Getting to know SOX reporting duties in detail requires deep background reading and a second opinion from people in the know. Here we hope to condense the key points around ‘what is SOX reporting?’ and why it’s so important, especially for new CFOs and CEOs.

The Sarbanes-Oxley Act, Section 302 and SOX Reporting

If you’re researching SOX reporting, then you likely have at least a basic grasp of why the Sarbanes-Oxley Act was passed in 2002 in the wake of high-profile financial scandals at large corporations.

Following these scandals, the SOX Act was created to regain confidence from investors and protect shareholders from fraudulent financial reporting, particularly from public or newly-public companies, though SOX reporting requirements also apply to some private companies and non-profit organizations.

CEOs, CFOs and Section 302 of the SOX Act

Section 302 of the SOX Act is of special importance for CEOs and CFOs who must certify as part of the SOX reporting process the completeness and accuracy of financial records produced by their company or organization.

CEOs, CFOs and internal control responsibilities

CEO and CFO SOX reporting duties don’t end there. Besides formally validating the integrity of company finances, they must also be prepared to formally accept personal, legal responsibility for internal controls while also confirming that the internal controls environment has been reviewed in the previous 90 days.

If that wasn’t a big enough burden of responsibility to bear, company leadership must in addition report internal control deficiencies identified in the environment, plus any fraud detected involving the management of the internal audit committee.

Getting a professional 2nd opinion on SOX reporting

If you’re a CEO or CFO reading this, it’s no wonder you’re spending the time doing the deep research on SOX reporting. The company and personal risks of SOX reporting oversight are truly eye watering.

If you’re in any doubt about your obligations and SOX reporting requirements, get a 2nd opinion from former Big 4 auditors who know everything there is to know about SOX compliance, internal controls and ITGC.

SOX Reporting, the SEC and Your IT Team

Although the buck ultimately stops with senior management when it comes to SOX reporting, the IT department also plays a critical role. In 2007 the U.S. Securities and Exchange Commission (SEC) issued SOX reporting guidelines defining the role IT teams must play. The guidelines lay out how IT Teams should support the SOX reporting process to minimize all identified risk.

To help IT departments fulfil this role effectively, senior managers must invest time and energy building strong relationships with IT teams based on open, transparent collaboration.

How Can Senior Managers Help IT Teams to Enable SOX Reporting Integrity?

To empower IT departments for SOX reporting, senior management must first understand the scope of their reporting responsibilities, which break down as follows.

Giving senior management visibility

IT teams must deliver real-time reporting that gives CEOs and CFOs clear, accessible visibility of the health and status of financial reports.

Establishing ITGC that support SOX reporting

IT teams must identify key IT assets and processes involved in initiating, authorizing, processing and summarizing financial information. ITGC automation in this context can greatly assist IT teams’ goal of ensuring internal control procedures support accurate and complete transmission of financial data.

Supporting timely disclosure of critical events

IT teams must ensure robust mechanisms for quickly alerting senior managers, shareholders and regulators of any risks and events that change or may change company financial statements and compliance.

Making Sure SOX Reporting Goes Smoothly Is All About Refining Process and Reducing Complexity

SOX reporting is a delicate balance of diligence, process design and dedicated collaboration between key stakeholders to ensure processes are strictly followed. There is a lot to think about because there’s a lot at risk. And the reality is that complex SOX reporting processes (that aim to reduce financial risk) can create new, counterproductive risks and personal liabilities.

Mitigating the risk of manual SOX reporting

What great SOX reporting should aim for is simplified ways of providing auditors with credible SOX reports and ITGC documentation. Ultimately, the most effective way of achieving this, and of minimizing the risks that manual SOX reporting creates, is to automate the ITGC processes that underpin financial reporting and internal controls.

The 5-Step Guide to IT General Controls for SOX Compliance

As part of your overall corporate governance and SOX compliance objectives, designing, implementing and monitoring robust IT General Controls (ITGC) are key factors.

Once your ITGC standards have been comprehensively implemented, your internal audit serves as a measure of their effectiveness for ensuring the integrity of your financial and accounting information.

What We’ll Cover In This Guide to ITGC for SOX Compliance

In this 7-minute guide to ITGC for SOX compliance you’ll learn the process for creating robust ITGC standards that external auditors will smile about.

Here’s what we’ll cover:

  • Who is legally responsible for ITGC?
  • ITGC for SOX compliance checklist
  1. Establishing your controls environment
  2. Conducting an ITGC risk assessment
  3. Implementing controls activities 
  4. Implementing information & communications systems 
  5. Monitoring your ITGC
  6. BONUS STEP: Automating IT General Controls monitoring

Who Is Legally Responsible for ITGC?

Because SOX compliance requirements are ultimately assessed by external auditors, it’s easy for organizations to slip into a mode of complacent thinking that assumes ITGC are the responsibility of auditors and accountants.

The first step to establishing ITGC is to avoid such assumptions. Designed to protect investors from fraudulent financial reporting by companies, the Sarbanes-Oxley Act of 2002 (SOX Act) establishes that ITGC are very much the responsibility of senior management.

As such, it’s vital that newly-listed companies (or companies made public through merger or SPAC acquisitions) empower senior managers at all levels to integrate standards of ITGC responsibility into their daily roles. 

ITGC Checklist

For those doing SOX compliance and ITGC research on-the-fly over lunch, here’s an at-a-glance checklist of SOX compliance goals and actions for building ITGC standards.

1. Prevent data tampering: Implement access tracking to detect suspicious login attempts to systems holding financially sensitive data.
2. Record timelines for key activities: Implement methods for applying timestamps to financial and other data relating to SOX provisions. Store such data at remote, secure locations with encryption to prevent tampering.
3. Build verifiable controls to track access: Implement systems able to receive data from any source, for example files, FTP, and databases. Track who accessed or modified these data.

1. Establishing Your Controls Environment

When we say ‘controls environment’ we’re referring to more than just a data or IT environment. Your controls environment also includes your organization’s values, culture and collective expectations.

How can you establish and cultivate a positive controls environment?

Set your mission: This should include ITGC goals and strategic planning so all stakeholders are clear on what they need to accomplish.

Advocate for the mission from the top: Senior management must become ITGC advocates who promote and maintain the ethical standards, integrity and policies that trickle down into teams.

Hire for compliance: Part of your HR and hiring process should include interviewing for at least base-level ITGC and SOX compliance awareness in candidates—gaps can always be filled.

Provide leadership & governance: Ensure leaders remain on top of operations and performance considerations relating to ITGC, correcting controls issues that are identified.

Promote accountability: Position ITGC and SOX compliance as inherent to (not separate from) people’s daily roles, and integrate ITGC standards as part of performance appraisals.

It’s worth noting that sustaining a strong controls environment as part of an integrated culture of compliance diligence will bring many more benefits than SOX compliance readiness—ultimately, ITGC are also about maximizing business performance and cost-efficiency.

2. Conducting an ITGC Risk Assessment

Legacy thinking behind risk management has typically focused on financial threats. Modern Enterprise Risk Management (ERM) has in recent times shifted toward a risk assessment standard that factors for anything that could affect the organization.

When designing and implementing ITGC for SOX compliance, your mode of thinking should follow this all-encompassing approach.

Match risks to performance: Each control owner should be able to identify how each risk they’re accountable for may negatively impact operations and perfor

Collaborate on risk assessment: Meet with ITGC stakeholders and identify potential external risks such as leadership gaps, HR gaps such as inadequate hiring and training standards, ignored or unresolved auditing and monitoring findings, emerging laws and legislation, and poor safeguards of physical assets.

Rate and rank risks identified: Prioritize attention toward resolving critical risk, and strategize with ITGC collaborators how less immediate risks will be mitigated.

Develop corrective actions: Assign clearly defined actions to identified controls owners who’ll become accountable for implementation of controls standards that fall under their remit.

3. Implementing Controls Activities

Your ITGC risk assessment should have resulted in a comprehensive framework for implementing airtight ITGC standards that leave nothing to chance. Now, your controls activities implementations should aim to practically apply that framework.

Establish clear responsibilities: Assign each critical ITGC task to only a single person, and ensure structure and hierarchies are in place for effective reporting and delegation.

Apply separation of duties: Avoid making any one single stakeholder responsible for every part of any given process. Instead, diversify process ownership between individuals and use compensating controls, such as additional monitoring or secondary sign-offs when separation of duties isn’t possible.

Restrict access: Avoid granting systems or data access permissions unless a clear ‘need-to-know’ purpose has been identified and authorized.

Create policies and procedures: These should be clearly written instructions, together with directives on how they are to be followed.

Keep accurate records: Document all expenditures and their justifications.

All project expenditures in your company or organization should be backed by a clear statement of purpose and objectives as part of controls activities designed to leave a clear audit trail of transparency and accountability.

4. Implementing Information and Communication Systems

At this stage, your ITGC standards for SOX compliance should have taken shape. 

To ensure standards don’t regress and deteriorate, it’s now crucial that ITGC be maintained with the backing of quality information and dissemination of effective communication.

Establish reliable information systems: Information systems that track operations relating to ITGC progress should be available and secure. Don’t leave spreadsheets lying around on desktop hard drives, for example.

AudITech helps ITGC stakeholders automate IT General Controls and IT audits that make up a critical part of ITGC standards. Through a single, powerful dashboard you’ll run IT audits in minutes (instead of weeks), view alerts of control gaps, and cues on how to easily close them.

Distribute ITGC information throughout your organization: Ensure critical information is reaching the right compliance stakeholders in a timely way, and ask them what information they need but may not be receiving.

5. Monitoring Your ITGC

Congratulations! If you followed the guidance above diligently, then you just established and implemented a coherent framework for ITGC. But the hard work isn’t over—senior management teams need to continually verify their effectiveness.

Conduct ITGC performance reviews: These reviews should seek to compare your actual performance vs your defined goals and budgets to assess if controls are being followed.

Conduct independent management reviews: Further test your ITGC with the help of impartial management stakeholders able to offer objective perspective on whether controls are working as intended, or if they should be redesigned.

Arrange external audits, and respond to findings: Solicit the help of external auditors to vet your internal controls, including your IT General Controls, the subset of internal controls relating to the integrity of your IT environment and data systems.

Track all corrective actions: If controls gaps are identified, address them and document how you addressed them. Make sure also that the corrective actions were sufficient to close controls gaps that were spotted.

Monitor your ITGC continually: SOX compliance is part of a continual process of ITGC standards monitoring. This means you’ll need to find effective ways of linking corrective actions back to improvements in your Controls Environment and Control Activity standards to confirm that standards are actually being maintained and improved.

6. BONUS STEP: Automating IT General Controls Monitoring

One of the core pillars of your internal controls is your IT General Controls (ITGC), which govern the effectiveness of your IT systems in maintaining the integrity of financial reporting. If your ITGC aren’t implemented and monitored, they will be judged as ‘weak’ by external auditors.

Once ITGC are implemented, your Internal Audit is the means by which their effectiveness is tested.

Imagine running IT audits in minutes from your browser

The good news is that you can use AudITech to automate away weeks of complex collaborations, human-error risk and IT department interventions usually involved in IT audits. Contact us and schedule an AudITech demo to discover the simple route to smarter, more valuable audits.

Read AudITech’s ITGC Guide for Newly Listed Companies CFOs and SOX Compliance Officers

For SOX compliance professionals, newly-public companies seeking SOX compliance and their CFOs, this guide will help improve your understanding of how to advocate for and maintain continual IT General Controls standards as part of your push for SOX compliance certification.

How SOX and ITGC Affect IT Teams and How to Make Their Life Easier

Maintaining oversight of IT General Controls (ITGC) for SOX compliance requires careful balancing of critical remits and control-owner responsibilities spread across departments. One such department is your IT team. Without them, other SOX compliance stakeholders and priorities would lack the right financial data, system access, security and assurances required for SOX readiness.

How SOX and ITGC Affect Your IT Team

The problem, though, is that your IT team performs numerous other business-critical functions. Their time is both precious and expensive. But the Sarbanes-Oxley Act is the law—one that commands certain duties that only the IT team are positioned to fulfill.

What demands does the SOX Act place on IT departments? And how can senior managers innovate new approaches to ITGC to reduce disruptive SOX requirements that pull IT teams away from key daily priorities?

Here we’ll highlight key sections from the Sarbanes-Oxley Act of 2002 to discover the stresses and strains of duty that each places on your IT department.

We’ll also explore powerful time and cost-saving efficiencies for reducing the manual-process risk, cost and complexity of granular IT department interventions.

SOX Act Section 302: Providing Visibility

Section 302 of the SOX Act requires CEOs and CFOs to validate the accuracy of a company’s financial statements—they’re personally, legally liable. No pressure.

Your IT department’s role here is to mitigate senior managers’ liability by delivering methods for reliable, real-time reporting of financial data, ensuring that reports are produced in a compliance-friendly format that auditors will both recognize and sign-off on.

SOX Act Section 404: Establishing Controls to Support Accurate Financial Reporting

Section 404 of the SOX Act states that the integrity of company financial reporting must be safeguarded by a set of carefully designed, implemented and monitored internal controls.

In this context, the IT department must play a crucial role in identifying key IT systems and processes for initiating, authorizing, processing and summarizing financial report data. This will typically also involve application testing, security, verification of software integrations and so on.

SOX Act Section 409: Delivering Timely Disclosure of Critical Financial Data

Section 409 of the SOX Act addresses the need for senior management to monitor, declare and disclose in a timely way any information that may affect the company’s compliance and financial performance; for example, mergers and acquisitions, bankruptcy, the dissolution of a major supplier or a crippling data breach.

For this to happen effectively, your IT department must provide the tools for alerting managers, shareholders and regulators of any changes in the company financial statement, or any other event that may trigger the need for timely disclosures.

SOX Act Section 802: Ensuring Comprehensive Financial Records Retention

Even for digitally-savvy companies and organizations, financial record keeping can still involve a combination of paper and electronic copies of financially-sensitive information. Section 802 of the SOX Act requires that these be preserved and made available to auditors for a minimum of five years.

To achieve this, the IT team’s role is to ensure paper and digital records are both preserved and backed up while ensuring the correct functioning of document management systems. On top of all this, IT professionals must also keep these records available in the event of data and systems migrations.

The Compliance Risk and Cost of Complex IT Department SOX Interventions

As we’ve learned, SOX places important but also complex demands on IT teams that are a critical pillar of maintaining the ITGC environment for SOX compliance.

Each SOX Act section requires complex, granular work with countless moving parts that consume IT-department bandwidth—this is time that could be invested on other business-critical tasks.

The negative impact is business growth frustrated by conflicting IT-team priorities. Not to mention increased (rather than reduced) compliance risk thanks to the countless manual tasks involved in fulfilling SOX duties, plus the likelihood of human error.

How ITGC Automation Reduces Risk and Frees Your IT Team From Complex, Manual SOX Workflows

End-to-end ITGC automation is a powerful way of shielding IT departments from the granular, expensive and time-consuming demands of SOX compliance, without compromising on diligence or duty.

By empowering other SOX compliance stakeholders to configure, implement and monitor ITGC with greater independence, AudITech simplifies and streamlines the route to SOX compliance readiness, eliminating the complexity and risk of manual process and human error.

Join our team for an AudITech demo and we’ll show you how your CFO, CISO and SOX compliance officer can implement and monitor ITGC for all cloud and IT assets from a single browser—without the delay and cost of IT department SOX interventions.

The ITGC Guide for Newly Listed Companies' CFOs and SOX Compliance Officers

All you need to know in 10 simple steps

When implementing Internal Controls as part of SOX compliance readiness, taking risk with ITGC just isn’t something companies can afford to gamble on. That’s why we created this ITGC guide for SOX compliance.

We’ll explore step-by-step how compliance stakeholders of newly-listed companies can become the SOX leaders advocating for continual ITGC monitoring. If you’re new in your compliance role, or have just joined a newly-listed company, it’s natural to have unanswered questions about ITGC. In 2021 alone, there were almost 1000 newly-listed public companies facing critical ITGC and SOX compliance obligations. Add to that company mergers that also result in SOX compliance needs and it’s clear that defining and continually monitoring ITGC is a common challenge in many industries. Let’s dive right into it.

1. Do you really need ITGC?

Even if your company is not public yet, keeping internal controls in place is very important for the organization’s safety and performance. Moreover, the transition towards ITGC readiness will be much smoother when the day comes. These are the situations in which ITGC requirements will apply:

Mergers: When one of the merging companies becomes public.

Newly-listed companies: When a company goes public for the first time.

Special-purpose acquisition companies (SPAC): When an acquired company becomes public.

Each case and scenario can come with different reporting rules on which ITGC reports will need to be presented, by whom and when. Be sure you are explicitly clear on which reporting rules apply to your circumstances. For a detailed understanding of your ITGC obligations, you can consult an external auditor or a lawyer, or you can consult with AudITech.

2. Understand whether you need an internal opinion only, or both an internal and an external opinion

Once you’ve established that you need ITGC, the first thing to do is to find out what regulatory requirements your formal, final ITGC opinions must meet. For example, your final ITGC opinion may need to come from your senior management only, or a combination of your senior management and an external auditor.

The purpose of these formal opinions is to align internally and externally on the health and status of your ITGC environment. Since you will not yet have implemented robust ITGC at this stage, the two opinions are likely to converge on a verdict that your ITGC show either low weakness or severe weakness. The time you will need to implement successful, ongoing ITGC and to monitor them will depend on the outcome of this opinion gathering.

There are circumstances in which your company may be exempt from obtaining an external auditor's opinion on the health status of your ITGC environment. These exemptions do not mean you won't need to be ITGC compliant; they simply mean you may not be obliged to obtain an auditor's opinion. If you're unsure, check with AudITech. We'll tell you everything you need to know about your ITGC and ITGC opinion obligations.

3. Onboard the CIO

Ok, now that you understand that you need ITGC in place and which opinions you need to gather, it’s time for ACTION. Before rolling out your ITGC action strategy, you’ll need to build strong allegiance with the right stakeholders. This starts with your CIO.

For an effective ITGC and SOX compliance strategy to integrate into daily business operations, your CIO must be onboarded into the strategy, to become your co-advocate.

Build trust with your CIO: If you’re in a new role, or you’re not close to your CIO, take the time to break the ice. You need to get a trusted buy-in for this to work, so don’t just burst into their office with ITGC demands.

Educate your CIO on ITGC: If they're unfamiliar with ITGC, tactfully share the right information. Educate them about the lasting organizational benefits, and about the compliance benefit to their own role, of making strong Internal Controls part of compliance culture and best practice.

Give your CIO confidence: Show them that you understand the ITGC gaps in the organization, that you know how to fix them and that you know which tasks must be assigned to which people.

4. Build your ITGC strategy A-team

Ok. Now that you’ve gained your CIO’s trust and understanding, it’s time to collaborate on building your ITGC A-team.

Your ITGC A-team could include:

  • An IT department project manager
  • IT Controls Owners with a heavy burden of controls
  • IT security personnel
  • Your Chief Information and Security Officer (CISO)
  • Any other stakeholder of IT governance in the organization

To choose your ITGC and Internal Controls superstars, it helps to first define what each member’s ITGC superpowers should be, then you can decide which remits can best meet each need. To do this, you should follow these steps:

Define ITGC goals: and don’t just make it about ‘SOX compliance’. Make it about the benefit to data integrity and overall organizational performance.

Define ITGC actions that will fulfill each goal: and make sure the actions you define are sufficient to carry your ITGC goals forward continuously.

Define who needs to be responsible for each action: It could be your IT team, it could be your CIO, it could be your finance team, or it could be you—the CFO or Compliance Officer. Remember—building your ITGC and SOX compliance A-team is about fundamental change to certain roles and remits. Each new ITGC task delegated should become a continual part of a yearly ITGC process—not as part of a single project—so your ITGC strategy stakeholders must embrace this reality. Your IT team is crucial in facilitating system access and helping you perform IT audits.

Once you've mapped out your ITGC A-team, it's time to connect them to the new, emerging ITGC strategy mindset, workflows and responsibilities. We highly recommend personalizing your rapport with them, while emphasizing the unique value they can bring to ITGC implementation and monitoring. It's incredibly important that you take the time and care to do this well. The long-term results of your ITGC strategy will depend on it. If you fail to build the right relationships, educate the right people on ITGC and achieve committed stakeholder adoption, then ITGC will become neglected. You'll regress back to square one.

Gain their trust: Just as you did with your CIO, gain their trust first. Don’t do this by email. Meet with them at a time of their choosing. This doesn’t need to be first thing on a Monday morning, or in a formal presentation. Perhaps over a working lunch when the atmosphere may be more relaxed and less formal.

Empower and educate them: Work collaboratively on helping them fully understand the importance, to the organization's overall success, of integrating new ITGC responsibilities into their daily work.

Emphasise the personal value they’ll gain: Help them understand how adopting new ITGC-related responsibilities into their work can help raise their profile within the company, gain senior stakeholder trust and develop their career skill set.

Great. If you’ve built the right ITGC strategy allegiances well, you’ll be in a strong position to start actually implementing your ITGC strategy.

5. Roll Out Your New ITGC Strategy

Ok, ITGC advocacy over. If you advocate well, your ITGC strategy stakeholders should be onboarded, briefed, aligned and motivated. Now it’s time to get practical and understand the business processes and the associated IT systems. In order to help your newly-formed team of ITGC advocates and implementers succeed, you’ll need to have a firm grasp of how business processes are designed and how they combine with the IT environment. You may have internal documentation available on this, or you may have to coordinate with key stakeholders that can share granular details. The key theme is to be exhaustive in mapping business processes to associated IT assets.

6. Identify IT Systems’ Control Owners

Once you’ve mapped business process design and associated IT systems, you’ll need to discover who the Control Owners are for each IT asset and arrange to meet with them collectively.

Gain their trust and collaboration: It’s hard to overstate the importance of identifying and working closely with Control Owners. They are your ITGC front line. Without their collaboration, there is no ITGC.

Sell the value of ITGC to Control Owners: The best way to gain trust and collaboration from Control Owners in your organization is to help them understand the business value and personal value of ITGC—just as you did with your CIO.

7. Train Each Control Owner on New ITGC Controls Obligations

Following your personal meetings with IT-system Control Owners, you'll need to arrange to meet with each of them for a full ITGC training. Each Control Owner must be crystal clear on:

  • The definition and control process for new ITGC that they must learn
  • How the internal IT audit process works
  • How ITGC are tested
  • How to document ITGC

Don't make your Control Owner ITGC training a one-way monologue of ITGC diktats. Make it interactive. Use it as an opportunity to learn what each Control Owner actually does. The last thing you want is for ITGC to be treated as unimportant or optional by Control Owners. Unless ITGC training is delivered thoroughly, with a shared vision of their paramount importance, Control Owners will lapse into poor ITGC habits.

8. Meet the External Auditor

Meeting your external auditor is the final step before gaining your ITGC and, eventually, SOX compliance certification. When you meet your external auditor, your ultimate goal is to leave them with the impression that your company is 100% ready for SOX compliance, with strong, continual ITGC firmly in place. Show your external auditor every step of your ITGC strategy design and implementation. To gain your external auditor’s trust, you’ll need to forensically present every stage of your ITGC implementation strategy.

Present everything—all the steps you've taken, your ITGC stakeholder team, processes, ITGC controls design, monitoring metrics—and tell them your CIO, IT team and SOX compliance manager are all included in your ITGC A-team. Providing your external auditor with confidence will impact his/her professional opinion. When the time comes, his/her opinion on your ITGC will be more assured and more valuable.

9. Keep Up Continuous Monitoring

The guidelines detailed here should be continually deployed in your organization. They also need to be continually maintained by the various ITGC stakeholders identified as responsible for new ITGC best practices long-term. You need to picture this as an ongoing strategy.

10. Bonus Step – Automate Your ITGC

Congratulations, you've completed your journey along the long, winding road to designing and establishing ITGC. However, there must be an easier way. Why not bypass complex IT interventions? Ask us for a demo or discover how to implement ITGC the simple way.

Traditional ITGC strategy involving heavy IT interventions can cause delays and loss of business continuity. Why not automate ITGC with AudITech? This way, your IT team doesn’t have to get involved. You’ll perform IT audits flawlessly and independently from your browser. 

Let’s get IT audits done simply, so that you can spend more time getting things done.

How to Implement ITGC the Simple Way

If there’s one thing that makes SOX compliance officers smile, it’s effective IT general controls. However, the way towards ITGC compliance means months of multi-stakeholder meetings, IT department interventions, and expensive, specialist man-hours.

The complexity and likelihood of human errors involved in manual ITGC monitoring keep the risks that these controls aim to eliminate well in place. 

How Does a Typical Organization Currently Audit ITGC?

A typical ITGC audit preparedness process goes something like this:

1. Management teams discover the need to create IT General Controls, as part of their SOX compliance readiness.

2. Various reports extracted from the relevant IT systems, as well as the required IPEs (Information Produced by the Entity, usually a screenshot), are transferred bit by bit to the ITGC consultants. Needless to say, these are produced only after numerous requirement-clarification meetings with them. Each IT system is discussed and treated separately.

3. Weeks roll by as stakeholders focus on important daily priorities. Urgency grows as SOX compliance deadlines approach. Lots of emails are exchanged.

4. Finally, the ITGC consultants create manual working papers (usually Excel documents), one working paper per control per system. Assuming no human error has crept into the manual process, the ITGC are considered "effective".

5. Stakeholders return to their desks, long-term ITGC monitoring may or may not be ignored, and the process repeats itself when the next audit date approaches.

The risks, cost, and timescale involved in such a repetitive and inefficient process are huge.

How to Audit IT General Controls Simply? Embrace Automation. 

Nobody’s pretending ITGC readiness and compliance are easy. Moreover, the more digitally-enabled businesses go global, the more controls auditors need to make sure are effective. 

A lot of organizations have managed to automate and simplify many business processes. Digital transformation projects are widespread. Yet, when it comes to ITGC and compliance monitoring, nobody seems to be hitting the ‘automation’ button.

Today, there are simpler, faster, more cost-efficient routes towards continuous monitoring of IT General Controls. Maintaining the outdated methods and manual complexity simply doesn’t make sense. There are better ways.

Imagine having the ITGC independence to produce recognized ITGC documentation in-house. Now imagine reports extracted automatically from IT systems, without IT-team intervention, plus an online dashboard with the ITGC status and statistics that let the SOX compliance officer know where things are at any given moment. There is no need to imagine – this is a very real possibility with AudITech’s SaaS solution.

AudITech’s software can minimize the compliance and financial risks of complex and manual IT audit projects, without the need for a long and tedious implementation process. Our solution eliminates so many potential human errors and oversights. We let you integrate all your IT assets into a single online dashboard, with continuous monitoring and useful statistics, so that you can forget about endless email iterations with control owners or the IT team, and invest your precious time on other things.

Once our solution is in place, IT audits and SOX compliance become streamlined, background processes, rather than a burdensome project that creates spiraling cost and annual risk. ITGC should be a continual business process, not a pop-up project performed at the last minute.

Start With an AudITech Demo.

If you’re a newly listed company facing SOX compliance requirements or an organization aspiring for greater compliance efficiency, don’t go down the manual route of annual ITGC complexity.

Ask us for an AudITech demo. We will show you how to securely integrate your IT systems with our platform, how to audit any of them in just a few minutes, and how simple, smart and valuable IT audits can be.

Achieve full ITGC Audit Independence & peace of mind

We'll guide you through your first ITGC Audit in minutes. Learn to create fast, official, trusted ITGC reports recognized by IT auditors.

Schedule an AudITech Demo
