SOX requires a financial audit report to cover internal controls too. The report has to express an opinion on whether the internal controls were designed and operated effectively to safeguard financial data during a financial period. A review of an organisation's internal controls is a large part of the SOX compliance audit. A SOX compliance audit is therefore a measure of how well an organisation manages its internal controls, including the internal IT controls that protect the IT infrastructure and applications which handle the organisation's financial data processing.
An independent IT SOX auditor is required to review controls, policies, and procedures during the audit and can make use of a control framework such as COBIT. Internal controls include all IT (software and hardware) assets that process financial data. A SOX IT audit will look at the following high level internal control items:
- IT security (logical and physical). Logical security covers the operating system (including the network), application and database levels. Physical security covers the protection of all hardware equipment under the control of an organisation.
- Access control, i.e. user login, account and user activities, including user authentication, segregation of duties and user access rights on systems at the operating system, application and database levels.
- Change control over people, hardware and software changes.
- Data availability, i.e. data backups and Disaster Recovery Planning (DRP).
Based on many years of experience, BDO South Africa understands the intricacies associated with different risk responses and their accompanying internal IT controls (to counter IT risks in an organisation). We also understand internal IT control systems and their role in supporting financial reporting. We can therefore assist in supporting your annual SOX audits by performing the SOX IT audit part.