Companies still struggling with information technology controls might find some help in new guidance from ISACA, which is meant to help steer companies toward IT controls that comply with numerous regulatory and professional demands.
Formerly known as the Information Systems Audit and Control Association, ISACA published a third edition of its IT Control Objectives for Sarbanes-Oxley, which focuses on using the association’s COBIT 5 framework for IT controls in the design and implementation of internal controls over financial reporting. The guide is targeted to chief information officers, IT managers, and control and assurance professionals to help with scoping and assessment ideas, approaches, and guidance when it comes to the IT-related aspects of the COSO framework. Many public companies are in the final stages of adopting the new COSO framework in time for year-end audits, with companies and auditors still trying to resolve how to address documentation demands over certain IT control areas. Some companies have chosen to wait until next year to adopt the new COSO framework.
The updated guidance incorporates the requirements of Auditing Standard No. 5, which governs the external audit of internal control over financial reporting, with the COSO and COBIT frameworks. It provides detailed examples and application controls, ISACA says, and addresses issues in using audit reports provided from third-party service organizations regarding their own controls. ISACA says the latest edition of the guidance is “not a rewrite, but a major upgrade” of the second edition. “This guide is not an assessment of an enterprise's governance of enterprise IT (GEIT); rather it provides guidance on a focused topic—the assessment of effectiveness of internal control over financial reporting,” ISACA says.
Ken Vander Wal, past international president of ISACA, said in a statement that the market has witnessed significant changes in the regulatory environment and with professional guidance in recent years. As examples, the Public Company Accounting Oversight Board has revised its standards and refined its guidance on internal controls, while COSO has updated its internal control framework, ISACA has updated its COBIT framework, and the Auditing Standards Board of the American Institute of Certified Public Accountants updated its standards for third-party service organization audits. “Coupled with lessons learned that come from a decade of experience in the application of internal controls in a technology landscape, a refreshed approach to Sarbanes-Oxley compliance was needed,” he said. “This latest guide will help professionals align with these changes in the industry.”