I used ChatGPT to simplify SOX Compliance
While I was browsing blogs in my spare time, my eye caught the early 2000s corporate financial scandals, like the collapse of Enron due to fraudulent accounting practices, and how the Sarbanes-Oxley Act came into effect, especially the SOX compliance part.
The first thing that came to mind was digging into the role of an IT Auditor in ensuring compliance with this act.
Well, it was late at night, and I thought the research would require a lot of time googling and compiling material from the internet, so I used ChatGPT to speed up the process. Here is a compilation of the questions I asked and what ChatGPT answered.
What is SOX Compliance?
“SOX compliance refers to the requirements of the Sarbanes-Oxley Act of 2002, a U.S. federal law designed to improve corporate governance and financial reporting. Specifically, SOX compliance pertains to Section 404 of the Act, which requires publicly traded companies to establish and maintain internal controls over financial reporting.”
“To be SOX compliant, companies must implement policies and procedures that ensure the accuracy and completeness of financial information, as well as establish controls to prevent fraud and protect against financial misstatements. Compliance with SOX is intended to increase transparency and accountability in financial reporting, and help restore investor confidence in public companies. Companies that are not compliant with SOX may face significant penalties, including fines and even criminal charges.”
I cross-verified this with the IIA website, and the information provided by ChatGPT seems to be correct.
Does SOX Compliance apply to foreign subsidiaries?
“Yes, the SOX Act applies to foreign subsidiaries of public companies that are listed on U.S. stock exchanges. The Act requires these foreign subsidiaries to comply with the same financial reporting and internal control requirements as their U.S. parent companies.
However, the extent of SOX compliance requirements for foreign subsidiaries may vary depending on factors such as the size and complexity of the subsidiary's operations, the nature of its business, and the regulatory requirements of the country in which it operates. The SEC has issued guidance on how U.S. public companies can comply with SOX requirements for their foreign subsidiaries, and many companies have developed specific compliance programs for their foreign operations.”
Is there any role of an IT Auditor in SOX Compliance?
“IT auditors are responsible for evaluating and testing the IT controls that support financial reporting to ensure compliance with SOX. They help ensure that public companies have effective internal controls over financial reporting, including IT-related controls, and identify any control deficiencies that need to be addressed.”
So from the answer, it is clear that the role of an IT auditor is to evaluate the controls, with an emphasis on internal controls over financial reporting. This led to another question: is there any framework or guidance used to design and test the internal controls required to comply with Section 404 of the Sarbanes-Oxley Act?
Does the Sarbanes-Oxley Act provide any framework, standards, or guidance on how to design and evaluate internal controls, specifically IT controls?
“The Sarbanes-Oxley Act (SOX) does not provide a specific list of controls that must be implemented, but instead requires companies to establish and maintain effective internal controls over financial reporting. The implementation of internal controls is left to the discretion of each company, and the specific controls that are implemented may vary depending on the company's size, complexity, and industry.
However, the Public Company Accounting Oversight Board (PCAOB) provides guidance on the implementation of internal controls over financial reporting. The PCAOB has issued Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements," which outlines the requirements for auditors to evaluate a company's internal controls over financial reporting.
In addition, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a widely used framework for internal controls known as the COSO Internal Control Framework. The framework includes five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring.
While the COSO framework is not specific to SOX, it is often used as a basis for the design and implementation of internal controls over financial reporting that are required by SOX.”
Since the emphasis is more on controls over financial reporting, this led to the question of IT governance and other general controls, and to the COBIT framework.
Do Companies use COBIT 5 instead of COSO for SOX compliance?
“The COSO framework is widely used and is often considered the de facto standard for internal controls over financial reporting. It emphasizes five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring.
The COBIT 5 framework, on the other hand, is a comprehensive framework that provides guidance on the governance and management of IT processes. It includes a set of processes and controls that help ensure the effective and efficient operation of IT systems and processes. While COBIT 5 is not specifically designed for SOX compliance, it can be used to help identify and implement effective controls over financial reporting that are required by SOX.
Ultimately, the choice of the framework will depend on the needs and requirements of each company, as well as the expertise and experience of the IT auditor and the company's internal audit team. Some companies may use both frameworks to take advantage of the strengths of each framework and ensure a comprehensive approach to internal controls over financial reporting.”
This explains a lot about designing audit programs not only to test the internal controls over financial reporting but also the governance and management of IT processes.
To conclude, from the perspective of SOX compliance, the role of the IT auditor is to gain an understanding of the requirements of Section 404 of the Sarbanes-Oxley Act 2022 and to ensure that the IT systems and processes supporting financial reporting are designed and operating effectively.
There are many articles published by ISACA and other professional bodies that can be used as guidance for conducting a comprehensive assessment of IT systems and processes: designing audit programs, testing controls, and reaching a conclusion on the SOX compliance maturity level of the company being audited.