Regularly review the risk and controls matrix
The FRC, PCAOB, IAASB, JOA, etc. have all been working to increase the rigor and the level of quality and assurance expected when conducting an audit, and the requirements placed on audit firms in their engagements. This translates into more information being required to complete the assessment. Stay ahead of the audit by preparing for the following before the engagement, in light of the increased and changed requirements.
The objectives to ensure the RACM is complete and accurate
- Review the control objective language to ensure that it is accurate, along with the statements describing how the system behaves to support the process.
- Ensure that the mapped required configuration evidence that supports the control objective is accurate and matches the control language.
- Regular review will help identify gaps, such as new controls for which evidence has not yet been identified and logged in the library.
Evidence reporting for key and non-key controls
The goal of evidence reporting is to provide enough information to inform and assure the auditor that the controls are working and that the evidenced configurations are complete and accurate, so as to close out each request quickly and completely.
- Have a detailed explanation ready and reportable, in business-level lexicon, of how the system configuration supports the control objective.
- If the evidence is obtained via code (SQL, etc.), have the code and a detailed explanation ready, along with the underlying objects and their definitions. If these are standard objects, references from the software vendor can be used (for example Oracle’s eTRM).
- If the results of the evidence are not in line with the control language, work with the control owner and controls leadership to provide a rationale and possible mitigating controls for the deviation.
- Version your code. It will be audited, and one of the determinations after baseline is whether the code has changed or not. If this cannot be proven, the code will most likely be audited for accuracy and completeness every cycle.
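One way to make the "has the code changed since baseline" determination provable, as an added example that is not from the original post: fingerprint each evidence script with SHA-256 at baseline, keep the manifest with the baseline evidence, and diff it against a fresh fingerprint at every cycle. The script names and SQL text below are constructed sample data, not a real control library.

```python
"""Prove whether SQL evidence scripts have changed since the audit baseline.

Each script is fingerprinted with SHA-256 and recorded in a baseline manifest;
at each later cycle the scripts are fingerprinted again and the two manifests
are compared, so the report lists exactly which scripts changed.
"""
import hashlib
import json

# Constructed sample data: evidence scripts as baselined (name -> SQL text).
BASELINE_SCRIPTS = {
    "CTRL-001_segregation_of_duties.sql": (
        "SELECT user_name, responsibility_name\n"
        "FROM user_responsibilities\n"
        "WHERE end_date IS NULL;\n"
    ),
    "CTRL-002_approval_limits.sql": (
        "SELECT approver, approval_limit FROM approval_limits;\n"
    ),
}

def normalise(sql: str) -> str:
    """Strip line-ending and trailing-whitespace differences between editors,
    so only a substantive edit to the query changes the fingerprint."""
    return "\n".join(line.rstrip() for line in sql.replace("\r\n", "\n").split("\n"))

def fingerprint(scripts: dict) -> dict:
    """Return {script_name: sha256_hex} for a set of evidence scripts."""
    return {name: hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()
            for name, body in scripts.items()}

def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify every script as unchanged, changed, added or removed."""
    report = {"unchanged": [], "changed": [], "added": [], "removed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif baseline[name] != current[name]:
            report["changed"].append(name)
        else:
            report["unchanged"].append(name)
    return report

if __name__ == "__main__":
    manifest = fingerprint(BASELINE_SCRIPTS)  # store this with the baseline evidence
    cycle_scripts = dict(BASELINE_SCRIPTS)
    cycle_scripts["CTRL-002_approval_limits.sql"] += "-- added filter\n"  # simulated drift
    print(json.dumps(compare_to_baseline(manifest, fingerprint(cycle_scripts)), indent=2))
```

Check the manifest itself into version control next to the scripts; the commit history then shows who changed a fingerprint and when.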
More on this, along with recommendations and guidance on IPE audits, will follow.
Care to share your thoughts and recommendations? How are you leading technology through the audit?
References –
Developments in Audit 2020 | FRC – https://www.frc.org.uk/getattachment/58ac503e-a547-4f9e-8e52-16c7f5355586/Developments-in-Audit-2020.pdf
Tips for auditing with changed controls during the pandemic | Journal of Accountancy – https://www.journalofaccountancy.com/news/2020/apr/auditing-with-changed-controls-during-coronavirus-pandemic.html
Auditing Standards | PCAOB – https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/standards/auditing/documents/auditing_standards_audits_after_december_15_2020.pdf?sfvrsn=5862544e_4
ISA 220 (Revised) Quality Management for an Audit of Financial Statements | IAASB – https://www.ifac.org/system/files/publications/files/IAASB-International-Standard-Auditing-220-Revised.pdf