Comparing IT Auditing Frameworks
COSO and COBIT and Audits, Oh My!

Auditors, controllers and other professionals in the midst of Year 2 of the Sarbanes-Oxley Act of 2002 (SOX) find that there are some maturing models in the compliance area. Accelerated SOX filers already have this “rite of passage” behind them, and they continue to refine and advance the objectives mandated by SOX’s Section 404. Other needs, however, continue to emerge: nonaccelerated filers are due their “hazing,” and there are talks, albeit without substantial progress, of SOX-like requirements for governmental agencies and large not-for-profit organizations. Although a trickle-down effect is yet to be detected in companies not registered with the Securities and Exchange Commission, new audit standards requiring all audits to be risk-based will put more pressure on C-level executives to tighten their internal controls—and on auditors to test them.

IT assurance, a major part of the internal control assessment and certification, is based on an integrated framework that addresses the unique issues that matter in the IT environment. SAS 94 requires the auditor to “consider the effect of the IT on the controls relevant to the audit.” The Committee of Sponsoring Organizations’ (COSO) Integrated Framework has often been the framework that dictated all internal control assessment and testing. However, with the introduction of the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information Technology (COBIT), adoption by both internal and external auditors has been gaining ground.

The two frameworks have their pros and cons. Most notably, COSO has been widely accepted as the framework for all internal control–related attest engagements, and it is especially applicable to an audit of financial statements. The incorporation of COSO in SAS 94 gives it credence. However, the market changed with SOX 404, and the introduction of ever more onerous requirements on IT controls has made COBIT an up-and-coming framework. Today’s auditors are also more comfortable with IT concepts. Whereas COSO is more general, COBIT is more granular in its IT approach.

Practitioner Input

We approached some specialists who are already in the thick of SOX and IT attest services. Mark S. Chapin is a partner in Ernst & Young’s Metro New York Area Technology and Security Risk Services practice. Lucas Kowal is an Audit Manager at Bear Stearns & Co. Ryan Shin is an IT auditor at J.H. Cohn LLP.

Q: What is your preference, if any, in terms of framework of choice with respect to IT attest and review services?

Lucas Kowal: I have always relied on COBIT as a baseline for control; COBIT can be tailored in ways which support our work.

Mark Chapin: At Ernst & Young, COBIT has historically been the framework underlying our IT attest and review services. However, since COSO is the internal control framework embedded in the auditing standards (whether ASB or PCAOB), we have reconciled the COBIT framework to COSO to isolate the objectives relevant to, say, an audit of internal control over financial reporting.

Q: What has been your experience with this framework, and the “other” framework, in current internal or external attest services?

Ryan Shin: In conducting IT attest and review services, our overall objectives are to consider general controls over IT used for the preparation of the financial statements. We evaluate whether there are appropriate policies and procedures covering the following areas, according to SAS 94: (1) data center and network operations; (2) operating system development and maintenance; (3) application acquisition, development, implementation and maintenance; and (4) logical and physical access security. Our work is COSO-based, and we have not adopted any other framework.

Lucas Kowal: Clients find it too difficult to understand SAS 94. In addition, COSO is geared for process work. Because it is challenging to explain a 500-page-long framework to clients, and because IT is not process-based in itself, the COBIT framework is more suitable to an IT audit.

Q: What has been the market movement, if any, you have noticed in terms of IT attest services (external or internal)? What are the growing areas of concern, risk or growth?

Lucas Kowal: What we see mostly is additional work in IT regulatory compliance, such as reporting, archiving and privacy. These are not new market niches, but new areas in mostly existing clients.

Mark Chapin: In addition to increased demand for SAS 70s, we are seeing a lot of activity in the areas of process centralization and overall IT effectiveness, along with security and privacy issues.

Mark Chapin: We are currently developing a broader framework that encompasses COBIT and the other frameworks noted previously, to enable a broader business- and operations-focused dialogue with companies.

Ryan Shin: Our primary framework for assessing IT general controls is COSO. We refer to COBIT’s RFC guidelines in specific assessment areas such as evaluating IT policies and procedures, risk assessment documents, etc.

Upcoming IT Auditing Conference

The IT auditing framework landscape is continually changing. COSO may represent the tried-and-true framework for some auditors, while others see COBIT as the way to firmly get hold of a wily IT environment. To help make sense of it all, and to see how to develop new services and added-value features for the CPA practice, the Society’s Technology Assurance Committee is sponsoring a one-day conference on Sept. 14, 2006, titled “Assurance and Technology Conference.” The conference will present the viewpoints of CFOs, auditors, law-enforcement and IT professionals on this exciting field, combining client relationships with audit, management and technological expertise.

Yigal Rechtman, CPA, CFE, CITP, CISM, is the vice chair of the NYSSCPA’s Technology Assurance Committee and is a partner at Nasberg PLLC. He can be reached at yrechtman@PersonCPA.com.
©1997 - 2008 New York State Society of Certified Public Accountants. Legal Notices