Two Factors that changed Auditing in 2015

Source LinkedIn, Author Jody Paterson

The corporate audit landscape is changing when it comes to managing access controls in ERP systems like SAP®. 2015 will be the first year where these changes will be most impactful and relevant in the audit season come October. Recently, we hosted a joint webinar with KPMG on this topic. It did so well, and connected with so many people in a timely fashion, that I am publishing this short article to summarize it.

The Implications of COSO 2013

The latest update to the widely-implemented COSO framework has updates that increase the reliance of controls on IT. This is to usher in the new computerized era we are in now. With this update comes a higher reliance on completeness and accuracy of the controls that support these large financial systems – access controls being a big part of that. This means that for a control to be effective, you must be able to prove the data extracted is complete, and that the data analysis is accurate. For companies managing segregation of duties, emergency access and provisioning using manual approaches, proving completeness and accuracy becomes close to impossible.

Increased Scrutiny from PCAOB

The Public Company Accounting Oversight Board (PCAOB), as one of its responsibilities, oversees how external auditing firms reach their conclusions on control effectiveness in their audits of organizations. In the case of IT audits, PCAOB is looking closer at manual and in-house developed field tools used to audit segregation of duties. They’re challenging the external audit companies on concluding an effective control when testing manual processes. The reason is largely due to the COSO 2013 updates mentioned before. At the same time, automated tools have become more prevalent, meaning using manual tools will no longer be considered a reliable way to audit segregation of duties any longer. Naturally – after having a tough review from the PCAOB, external audit firms will ensure not to have a repeat in 2015.

What does this mean for organizations? It leads to two outcomes:

  • Tougher Audits

Get ready because auditing will become much tougher. There will be higher expectations for controls over the processes and technology used to monitor access controls. Organizations will have to be aware of this. The ‘do nothing’ option is no longer acceptable. What makes it an even more dire situation is that an ineffective control finding in October will leave you with only a few months to address the findings before year end.

  • No More Manual

Say goodbye to homegrown databases and spreadsheets. Organizations will have to start leveraging technology that automates key processes and controls. External auditing firms will put the pressure on organizations to use automated tools for increased transparency, completeness and accuracy.

Organizations that are still managing their access controls manually should consider these factors and prepare to comply with current frameworks and expectations from external auditors. Not all external audit firms will have this sense of urgency, however this will be a growing trend in the coming years.


Tuesday, October 20, 2015 In: Hot Topics Comments (None)

Contact us

3 Appleton Court, Calder Park
Wakefield, WF2 7AR

+44 (0) 1924 254 101

Mailing List

Subscribe to our newsletter.