Elevating IT SOX programs through PCAOB inspection results and staff outlooks
Sept. 27, 2021 · Authored by Eric Cortese
Public Company Accounting Oversight Board (PCAOB) inspections are designed to provide a basis for assessing the degree of compliance by an accounting firm with applicable requirements related to auditing issuers [1]. These inspections are intended to identify whether deficiencies existed in the reviewed audit work, and whether such deficiencies indicated defects or potential defects in the accounting firm’s system of quality control over audits. The inspection process strives to bring improvement in the quality of audit services through a focus on effective prevention, detection and deterrence of audit and quality control deficiencies. Sarbanes-Oxley (SOX) stakeholders, whether they represent the issuer or the accounting firm, should review PCAOB inspection results and annual staff outlook reports, as these reports provide feedback and insight that can greatly benefit an organization’s SOX program.
When developing or improving an information technology (IT) SOX program, analyzing and applying insights from the PCAOB inspection results and the annual PCAOB staff outlooks can enhance the quality and efficiency of an IT SOX program. As with many types of audits or inspections, lessons learned are often the catalyst that drives change and improvement, whether those changes come from updating the existing internal control framework or from improving audit procedures and audit evidence. Insights garnered from the PCAOB inspection results help IT SOX practitioners develop a better understanding of how to interpret IT SOX compliance standards and how to develop auditing methodology and supporting evidence that adhere to those standards.
Audit evidence, and the sufficiency of that evidence, tends to be a common theme whenever an independent third-party review is performed. PCAOB inspections are no exception. A key takeaway from the PCAOB inspection process is that auditors must not only understand the audit standards, but must also be able to show how their audit procedures, and the evidence they rely on, adhere to those standards.
For IT SOX, evidentiary support often comes from the underlying IT systems that support financial reporting. The ability to extract system data and information pertaining to areas such as access, security and configuration management is critical in testing and verifying the IT internal controls. What can matter even more (in certain circumstances) is how the auditor presents that system data and information (i.e., where the evidence originated, how the evidence supports the specific IT internal control, etc.). Presenting supporting evidence in a clear, concise and easily understood way demonstrates professional due care in understanding the audit standards and what evidence was needed to satisfy them.