SOX requires a financial audit report to cover internal controls. The report must express an opinion on whether the internal controls were designed and operated effectively to safeguard financial data during the financial period under review. A review of an organisation’s internal controls is a large part of the SOX compliance audit. A SOX compliance audit is therefore a measure of how well an organisation manages its internal controls, including the internal IT controls that protect the IT infrastructure and applications that process the organisation’s financial data.
An independent IT SOX auditor is required to review controls, policies and procedures during the audit and can make use of a control framework such as COBIT. Internal controls cover all IT assets (software and hardware) that process financial data. A SOX IT audit will look at the following high-level internal control areas:
- IT (logical and physical) security: logical security at the operating system (including network), application and database levels; physical security covers the protection of all hardware equipment under the organisation’s control
- Access control: user login, account and user activity monitoring, including user authentication, segregation of duties and user access rights on systems, i.e. at the operating system, application and database levels
- Change control: over people, hardware and software changes
- Data availability: data back-ups and disaster recovery planning (DRP)