Improving Internal Audit’s ability to audit IT.

Description:

Participants will apply SOX scoping principles through a hands-on exercise in this interactive session. Using a real-world business scenario, they will assess IT components supporting financial processes, identify risks, and determine control requirements. The session will conclude with a group discussion on best practices and common pitfalls.

Learning Objectives:

• Perform an IT scoping exercise using a structured methodology.

• Identify critical IT dependencies in financial processes.

• Collaborate in a group setting to discuss scoping challenges and solutions.

Description:

IT ELCs play a fundamental role in SOX compliance but are often overlooked or misunderstood. This course will provide an in-depth review of IT ELCs, their impact on financial reporting, and common failures in testing these controls. Participants will also explore evolving cybersecurity-related ELCs and their growing importance in audit frameworks.

Learning Objectives:

• Define IT ELCs and their role in supporting financial reporting integrity.

• Identify common pitfalls in testing IT ELCs and strategies for effective assessment.

• Evaluate cybersecurity-related ELCs and their impact on SOX compliance.

Description:

Access management is a critical ITGC area that directly affects financial reporting reliability. This course will delve into best practices for user access controls, segregation of duties, and privileged account management. Participants will analyze real-world case studies of ITGC failures and their impact on SOX audits.

Learning Objectives:

• Explain the role of access management in ITGCs and SOX compliance.

• Identify key access control failures and their potential financial reporting risks.
  

• Develop risk-based approaches for testing access management controls.

Description:

Change management and system integration are integral to maintaining a controlled IT environment. This course will cover best practices for managing system changes, tracking IT modifications and ensuring system integrations do not introduce financial reporting risks. Participants will explore real-life change management failures and discuss mitigation strategies.

Learning Objectives:

• Identify key risks associated with change management and system integrations.

• Assess the impact of ineffective change management on financial reporting.
  

• Develop testing strategies for change management and integration controls.
  

Description:

Auditors often encounter ITGC failures that impact SOX compliance. This session will present real-world scenarios of ITGC breakdowns, including access management failures, unauthorized system changes, and inadequate monitoring. Participants will evaluate each case study and discuss remediation approaches.

Learning Objectives:

• Analyze real-world ITGC failures and their financial reporting implications.

• Develop strategies for identifying and mitigating ITGC deficiencies.

• Apply risk-based thinking when evaluating ITGC issues in audits.

Description:

IT application controls (ITACs) govern automated financial reporting processes but are often difficult to identify and test. This course will guide participants through ITAC scoping, control mapping, and reliance on system-generated information. Case studies on financial system controls will be used to enhance learning.

Learning Objectives:

• Differentiate between ITGCs and ITACs in SOX compliance.

• Identify ITACs within financial reporting systems.

• Develop an approach for testing ITACs using system implementation documentation and vendor reports.

Description:

This hands-on workshop will immerse participants in the process of identifying IT application controls (ITACs) within financial reporting systems. Using a real-world financial reporting application as an example, attendees will assess control design, identify deficiencies, and develop compensating control strategies to address gaps. Discussions will emphasize the importance of ITACs in ensuring the accuracy and reliability of financial reporting.

Learning Objectives:

• Identify and evaluate ITACs within a financial reporting system.

• Analyze control deficiencies and their potential impact on financial reporting accuracy.

• Develop and recommend compensating controls for mitigating identified risks.

Description:

With increased reliance on third-party software providers, auditors must evaluate vendor controls through SOC 1 reports. This session will provide a comprehensive guide to SOC 1 report assessments, identifying key control areas, and addressing vendor deficiencies. The discussion will also cover expectations related to fourth-party risks and their implications.

Learning Objectives:

• Interpret SOC 1 reports and their relevance to ITGC frameworks.

• Identify control gaps in SOC 1 reports and develop mitigation strategies.

• Assess the impact of third- and fourth-party risks on SOX compliance.

Description:

This hands-on workshop will provide participants practical experience in evaluating SOC 1 reports. Attendees will review sample reports, identify deficiencies, and determine compensating controls to address vendor control gaps. Attention will be given to identifying which fourth-party controls may be relevant.

Learning Objectives:

• Analyze SOC 1 report findings and identify areas of concern.

• Develop mitigation strategies for vendor control deficiencies.

• Apply best practices for integrating SOC 1 reviews into the audit process.

Description:

Clear and comprehensive documentation is essential for SOX compliance. This course will explore best practices for preparing flowcharts, narratives, policies, and procedures that align with audit requirements. Participants will discuss common documentation challenges and ways to streamline evidence collection.

Learning Objectives:

• Define key SOX documentation requirements for IT controls.

• Identify best practices for preparing effective audit documentation.

• Develop strategies for overcoming documentation challenges in IT audits.

Description:

IPE plays a critical role in SOX audits, but its definition and testing expectations often vary.  In IT, we have the added challenge of working with disparate systems often feeding into many potential data sources. This session will provide auditors with practical approaches to assessing IPE risks, validating data integrity, and implementing controls for reliable financial reporting.

Learning Objectives:

• Explain the importance of IPE in IT audits and financial reporting.

• Identify best practices for testing IPE reliability and accuracy.

• Develop an approach for documenting and validating IPE compliance.

Description:

Auditors must proactively identify IT control deficiencies and implement remediation plans. This course will cover methods for evaluating control gaps, documenting deficiencies, and developing corrective actions. Participants will also learn how to communicate findings to stakeholders.

Learning Objectives:

• Identify common IT control deficiencies and their root causes.

• Develop a risk-based approach to addressing IT control gaps.

• Communicate IT audit findings effectively to management and external auditors.

Description:

This interactive session will allow participants to interact with experienced professionals in the IT audit field. In a roundtable discussion format, guest speakers from the Audit Collective will share their insights and experiences related to SOX compliance, ITGCs, ITACs, SOC reports, and other key topics covered in the course. Attendees will have the chance to ask questions, discuss challenges, and gain practical knowledge from experts in the field.

Learning Objectives:

• Gain insights from experienced IT audit professionals on SOX compliance challenges.

• Engage in meaningful discussions on ITGCs, ITACs, and other key audit topics.

• Apply lessons learned from industry experts to improve IT audit practices.