It has been 8 years since the publication of IT Control Objectives for Sarbanes-Oxley Guide, 2nd Edition and 12 years since the passage of the US Sarbanes-Oxley Act (SOX). As a result, a new edition, IT Control Objectives for Sarbanes-Oxley: Using COBIT 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd Edition, was necessary to accommodate new and revised guidance and standards from ISACA, the Public Company Accounting Oversight Board (PCAOB), the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board (ASB), and the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The 3rd edition retains the same look and feel as previous editions. It is not a rewrite, but a major upgrade to the widely read 2nd edition. The updated guide is not an assessment of an organization’s governance of enterprise IT (GEIT); rather, it is a practical guide that provides guidance on a very focused topic—the assessment of effectiveness of internal controls over financial reporting (ICFR).
Four Significant Changes Since 2006
Four significant changes occurred in the years following the release of the 2nd edition in 2006:
- The PCAOB issued Auditing Standard No. 5 (AS 5), “An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements,” in 2007 as a replacement of the prior Auditing Standard No. 2 (AS 2). This new standard contains major amendments to the requirements for the audit of effectiveness of ICFR. AS 5 takes a markedly more risk-based approach to the planning and conducting of the audit.
- ISACA released COBIT 5 in 2012, which included major changes to the framework. Many organizations subject to SOX use COBIT 4.1 in some way. This may be as a foundation for their systems of governance and internal control in a technology environment. Equally important, most of the larger accounting and auditing professional services firms, as well as consultants, created their internal control and audit templates from the 2nd edition of this guide. Thus, a road map from COBIT 4.1 to COBIT 5 is needed for IT and financial management within organizations and for their internal and external auditors and consultants.
- COSO released its updated Internal Control—Integrated Framework in 2013. COSO is the framework used by most US organizations to meet their responsibilities under SOX to maintain a system of ICFR. ISACA has closely aligned the COBIT framework to COSO over the years. It is important to highlight the changes and show how they align with COBIT 5.
- Most organizations that are subject to the internal control requirements of SOX employ third-party service organizations to achieve their objectives and increasingly rely on outsourcing of various IT general controls (ITGC) and transaction-level outsourcing arrangements. Auditors of the organizations that must comply with SOX typically rely extensively on independent attestation audits of these third-party service organizations. The ASB recently promulgated Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization. SSAE 16 replaces Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, which has been an important element of compliance with SOX.
There are several lessons learned over the last 8 years that makes the timing of this guide just right:
- Many enterprises subject to the requirements of SOX to maintain a system of ICFR are also subject to other areas of regulatory compliance. Examples of these regulations include the US Health Insurance Portability and Accountability Act (HIPAA), Basel III, the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS). Enterprises will often leverage their SOX internal control compliance as a foundation for these other compliance requirements. The level of detail may vary between the particular compliance requirement and general SOX compliance. Certain regulations, such as PCI DSS, are somewhat more prescriptive. Other regulations may have different parameters, such as data retention periods. Yet, as enterprises have observed and managed, there is a high degree of similarity in the maintenance of internal control, regardless of the source of the regulatory regime. Maintaining SOX compliance on ICFR will go far toward meeting other compliance requirements.
- Over time, most organizations have matured in their maintenance of ICFR from a technological perspective. Increasingly, organizations take a risk-based approach more seriously. They have driven their control narratives and attest templates from a top-down, risk-based approach.
- While SOX technically applies only to certain corporations that are subject to the oversight of the US Securities and Exchange Commission (SEC), similar or identical regulations have been implemented in countries worldwide, making many more organizations subject to similar compliance requirements. For example, J-SOX is the unofficial term for a part of Japan’s Financial Instruments and Exchange Law that was promulgated by the Japanese National Diet in June 2006 to ensure that corporate information is disclosed in a fair manner to investors. In India, Clause 49 of the exchange listing requirements for public companies is also similar to SOX. The 8th EU Company Law Directive, which became EU law in 2009 (2006/43/EC), imposes requirements on audit committees that have strong similarities to the ICFR provisions of SOX.1 These and several other regulatory changes around the world indicate that the implications of SOX go well beyond the particular aspects of the regulation of SEC registrants. Other organizations, such as not-for-profits and governmental agencies, adopt the standard voluntarily or by specific national requirements. Yet others, such as large private companies, are encouraged by their financial providers to apply the standard. Therefore, it is not only publicly traded companies that are maintaining systems of ICFR or are subject to audit on these controls for SOX.
- After more than a decade of SOX audits, the focus of organizations has shifted more to the management of risk and ensuring better value from their investments, including the implementation of SOX controls. For example, many organizations have benefited from the implementation by rationalizing their application and IT infrastructure platforms and architectures.
What Is Included in the 3rd Edition?
This guide has been developed in a modular fashion to allow users to go to specific topics and appendices as opposed to reading the guide from cover to cover. For example, many mature SOX and COBIT users have used the previous edition of IT Control Objectives for Sarbanes-Oxley to develop their ITGC templates. These users will want to update those templates for the revised COBIT 5 content and can refer to appendix A of the 3rd edition, which contains all of the revised COBIT 5 content on ITGC and entity controls.
The following ISACA publications are particularly important as a foundation for this updated guide:
- COBIT 5: Enabling Processes, published in 2012
- COBIT 5 for Risk, including example risk scenarios, published in 2013
- Relating the COSO Internal Control—Integrated Framework and COBIT, published in 2014
- COBIT and Application Controls—A Management Guide, published in 2010
Notable changes and additions found in this new edition include:
- The requirements of PCAOB’s AS 5 and the concept of ICFR are presented in chapter 2. The reader is introduced to a summary PCAOB COBIT 5 mapping with detailed requirements in appendix A.
- The role of COSO and the relationship to COBIT 5 moves from an appendix to chapter 3 in the new edition. The chapter provides a more detailed COBIT 5 mapping to the five PCAOB areas and provides mappings to the new COSO principles.
- A new chapter (chapter 4) provides detailed examples of application controls retained from the previous edition’s appendix C.
- Chapter 5 provides an SSAE 16 primer. Given the increased importance of outsourcing of various ITGC and transaction level business processes, the material on audit of internal controls over third-party organizations is now in the main body of the guide.
- The IT compliance road map is provided in chapter 6 and has been significantly updated for COBIT 5. It covers the maintenance of internal controls coupled with the audit of the effectiveness of those internal controls.
Conversion to COBIT 5
In keeping with the language of internal controls and control objectives required for SOX, the updated guide focuses on the language of internal controls and control objectives as defined by COSO. In the transition from COBIT 4.1 to COBIT 5, the control objectives were translated to management practices. Similarly, the control practices in COBIT 4.1 were converted to activities in COBIT 5. It is straightforward, then, to convert the language of management practices and activities in COBIT 5 to the language of control objectives and control activities in the SOX environment.
IT Control Objectives for Sarbanes-Oxley, 3rd Edition is available now from the ISACA Bookstore.
Gary Bannister, CGEIT, CGMA, FCMA
Is a self-employed consultant based in Vienna, Austria, specializing in internal control audits, information security programs training and education of IT professionals. He has more than 45 years of experience specializing in major IT application and information security audits and IT risk management and application project developments.
Roger Debreceny, Ph.D., CGEIT, FCPA
Is the Shidler College distinguished professor of accounting in the Shidler College of Business, University of Hawaii at Manoa (USA). Debreceny teaches accounting, auditing and accounting information systems. He is the senior editor of the Journal of Information Systems. Prior to becoming an academic, he had a career in corporate finance for multinational corporations in Asia.