Wednesday, June 28, 2006

Sarbanes Oxley's IT requirements

One of the most interesting internal audits that I have come across is the SOX audit. Now I don't come from a financial background and although I have always wanted to be a finance whiz, I found that there were always a million people way better than I. So I did what came naturally to me - took up Information Systems as a major in my MBA degree. So I got a job as a consultant in one of the Big 4 companies and have been doing audits and advisory work for some time now.

While all of the other projects involve a lot of routine checks and redundant implementation guidelines, the SOX project is a complete learning experience. If you really wanna know more about the SOX act, I recommend you read this - http://en.wikipedia.org/wiki/Sarbanes_Oxley .

So what role does an IT person play in a SOX audit? Well, to start with, SOX is an act that requires an organization's financial reporting controls to be transparent, credible and accountable. Every big organization today depends on its ERP or other enterprise applications to generate various financial records. Also, most revenue generating services of any organization run on underlying applications that are indispensable to the company. What if these applications themselves are behaving incorrectly? What if they don't correctly interpret the input, don't process it accurately and, worst of all sins, don't give appropriate outputs? What if a customer of the service should be billed $50 but is actually billed $52? Then all the financial controls are in place, but the application itself is proving to have less credibility.

That's where IT auditors come into the picture! We examine all critical applications and check that the application controls, too, are transparent, credible and accountable. Since IT applications are the platforms for every functional process in an organization, it becomes very important to understand and decode the process each critical revenue generating application flows through, and to ensure that enough measures have been taken for the appropriate conduct of those applications. These are preventive measures. It is also important to include corroborative methods which log and record critical controls in each application; these primarily serve as a means to catch a problem if and when it occurs. These are detective measures.
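To make the preventive/detective distinction concrete, here is an added toy example (not from the original post) of the two kinds of application control wrapped around a billing calculation. The rate table, plan names, customer ids and usage figures are all constructed for illustration; the preventive control rejects input the rating engine cannot price, and the detective control independently recomputes every invoice and logs any that disagree, including the $50-billed-as-$52 case from the paragraph above.

```python
"""Toy billing process with a preventive and a detective application control.

Added illustration, not code from the original post. Every value below
(rate table, plans, customers, usage, invoices) is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Constructed rate table: hypothetical plan name -> price per unit.
RATE_TABLE = {
    "basic": Decimal("0.50"),
    "premium": Decimal("1.25"),
}


class ControlViolation(Exception):
    """Raised when the preventive control rejects a record."""


@dataclass(frozen=True)
class UsageRecord:
    customer_id: str
    plan: str
    units: int


@dataclass(frozen=True)
class Invoice:
    customer_id: str
    billed: Decimal


def validate_usage(record: UsageRecord) -> None:
    """Preventive control: refuse input that the rating engine cannot price
    correctly, instead of silently producing a wrong charge."""
    if record.plan not in RATE_TABLE:
        raise ControlViolation(f"{record.customer_id}: unknown plan {record.plan!r}")
    if not isinstance(record.units, int) or record.units < 0:
        raise ControlViolation(f"{record.customer_id}: invalid unit count {record.units!r}")


def compute_charge(record: UsageRecord) -> Decimal:
    """Rate one usage record. Decimal arithmetic avoids float rounding drift
    that would itself be a processing-accuracy defect."""
    validate_usage(record)
    charge = RATE_TABLE[record.plan] * record.units
    return charge.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def reconcile(usage: list[UsageRecord], invoices: list[Invoice]) -> list[dict]:
    """Detective control: independently recompute every expected charge and
    return an exception log of invoices that do not match, invoices with no
    supporting usage, and usage that was never invoiced (revenue leakage)."""
    expected = {r.customer_id: compute_charge(r) for r in usage}
    log = []
    for inv in invoices:
        exp = expected.get(inv.customer_id)
        if exp is None:
            log.append({"customer_id": inv.customer_id, "issue": "no usage record",
                        "billed": inv.billed, "expected": None})
        elif exp != inv.billed:
            log.append({"customer_id": inv.customer_id, "issue": "amount mismatch",
                        "billed": inv.billed, "expected": exp})
    invoiced = {inv.customer_id for inv in invoices}
    for cid, exp in expected.items():
        if cid not in invoiced:
            log.append({"customer_id": cid, "issue": "not invoiced",
                        "billed": None, "expected": exp})
    return log


# Constructed sample data: C1 should owe $50.00 but the invoice shows $52.00,
# C2 is billed correctly, C3 was never invoiced, C4 has no usage at all.
SAMPLE_USAGE = [
    UsageRecord("C1", "basic", 100),
    UsageRecord("C2", "premium", 8),
    UsageRecord("C3", "basic", 30),
]
SAMPLE_INVOICES = [
    Invoice("C1", Decimal("52.00")),
    Invoice("C2", Decimal("10.00")),
    Invoice("C4", Decimal("5.00")),
]

if __name__ == "__main__":
    for entry in reconcile(SAMPLE_USAGE, SAMPLE_INVOICES):
        print(entry)
```

The point of the split is that the preventive check stops bad input before a charge exists, while the reconciliation runs after the fact against the invoices the system actually produced, so a defect anywhere in the rating path still shows up in the exception log an auditor can review.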

The reason a SOX IT audit is so attractive is the thorough and in-depth understanding you get of the organization's processes. You not only brush against industry expertise, but also come across some of the industry's and technology's best practices. In a few weeks, you learn more about a particular industry than some people do in 5 years. And you get to talk to the most senior executives, who share more than 15 years of experience so that you understand their processes better. The organization I'm auditing currently is in the telecom industry and the wide array of knowledge I have received in the past few weeks about telecom processes is just phenomenal!

If you ever have a chance to do a SOX audit or SOX preparation for an organization, go for it. Absolutely.

1 comment:

Anonymous said...

Yippeeeeeyaieeekeee yuuuuuyuooooo