ISACA Updates IT Control Objectives for SOX Compliance

The Information Systems Audit and Control Association has released the third edition of its book IT Control Objectives for Sarbanes-Oxley to help information technology professionals focus on performing an IT assessment for financial reporting controls in line with the Sarbanes-Oxley Act of 2002.

The book was originally published in 2004 and has been updated with input and direction from global experts from many organizations, including several accounting and professional firms. Companies have used it as a tool for design, implementation and assessment of IT controls in support of Sarbanes-Oxley compliance and other global financial reporting requirements.

The third edition comes in response to significant changes and updates in the industry. For example, ISACA released COBIT 5, an update to the business and IT framework, in 2012. Many organizations subject to the Sarbanes-Oxley Act have used COBIT 4.1. The guide provides a road map from COBIT 4.1 to COBIT 5 for the design of IT general controls frameworks to achieve and sustain SOX compliance, and for their internal and external auditors and consultants to assess the effectiveness of the control environment. Other changes that prompted the update include:

The Public Company Accounting Oversight Board also issued Auditing Standard No. 5 (AS 5), “An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements” in 2007 as a replacement for the prior AS 2. The standard contained major amendments to the requirements for the audit, including a more risk-based approach.

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, released its updated Internal Control-Integrated Framework in 2013. COSO is the framework used by most organizations to meet their responsibilities under the Sarbanes-Oxley Act to maintain a system of internal control over financial reporting. ISACA has closely aligned the COBIT 5 framework to COSO.

Auditors of the organizations that must comply with the Sarbanes-Oxley Act typically rely extensively on independent attestation audits of third-party service organizations. The Auditing Standards Board (ASB) recently promulgated Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization. SSAE 16 replaces Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, which has been an important element of compliance with Sarbanes-Oxley.

“Significant changes and enhancements were made in the regulatory environment and with professional guidance in recent years,” said Ken Vander Wal, past international president of ISACA, in a statement. “Coupled with lessons learned that come from a decade of experience in the application of internal controls in a technology landscape, a refreshed approach to Sarbanes-Oxley compliance was needed. This latest guide will help professionals align with these changes in the industry.”
