IT General Controls – Financial Audit Support
These types of audits cover IT procedures such as IT asset management (which serves as the sound basis for IT operations), logical and physical access management, change management, incident management, backups and restores, risk management, vulnerability management (including patching and malware), network security controls and security awareness training.
All these procedures can contribute to establishing reasonable assurance in support of the financial statement close procedure and are normally in scope of the external audits. If the conclusions are positive, auditing these procedures could enable the financial audit team to place reliance on the IT systems.
Also, if your organisation has an internal audit department with qualified IT auditors, your organisation could gain another efficiency: subject to the effectiveness of the IT General Controls and the quality of the audit documentation your internal audit delivers, the external auditor can place reliance on the control testing performed by the internal auditors.
This is not to say that the external auditors will not need to do anything. They will still need to review the documentation, re-perform the audit and see if they arrive at the same conclusion as internal audit did.
Reaching this level of maturity requires alignment of controls (yours and your auditor’s) to cover the risks for financial audit, alignment on sampling (size and randomisation) and alignment on exception/gap handling.
Your organisation will not be able to enjoy the benefits of this from one day to the next, but it is worthwhile, because once you achieve it, you can maintain it and benefit from this in the longer run. Not to mention that your management will feel more in control of the operation of your organisation.
By doing any of the activities described above, the extent of financial audit procedures can be drastically reduced, so you save time, effort and money. The more your company implements, the more you gain from the effort.
Sarbanes-Oxley Act 404 (SOx for short)
This type of audit sits between a financial audit and a compliance audit, as its ultimate purpose is to support controls over the finance and sales processes that generate revenue. However, it also has an aspect of confirming that management does what they say they do.