Elevating IT SOX programs through PCAOB inspection results and staff outlooks

Public Company Accounting Oversight Board (PCAOB) inspections are designed to provide a basis for assessing the degree of compliance by an accounting firm with applicable requirements related to auditing issuers [1]. These inspections are intended to identify whether deficiencies existed in the reviewed audit work, and whether such deficiencies indicated defects or potential defects in the accounting firm’s system of quality control over audits. The inspection process strives to bring improvement in the quality of audit services through a focus on effective prevention, detection and deterrence of audit and quality control deficiencies. Sarbanes-Oxley (SOX) stakeholders, whether they represent the issuer or the accounting firm, should review PCAOB inspection results and annual staff outlook reports, as these reports provide feedback and insight that can greatly benefit an organization’s SOX program.

When developing or improving an information technology (IT) SOX program, analyzing and applying insights from the PCAOB inspection results and the annual PCAOB staff outlooks can enhance the quality of and efficiency in an IT SOX program. As with many types of audits or inspections, lessons learned are often the catalyst that drives change and improvements, whether those changes come from updating the existing internal control framework or improving upon audit procedures and audit evidence. Insights garnered from the PCAOB inspection results help IT SOX practitioners develop a better understanding of how to interpret IT SOX compliance standards and how to better develop auditing methodology and support to adhere to those standards. 

Audit evidence and the sufficiency of the evidence tends to be a common theme when an independent third-party review is performed. This is no exception when it comes to PCAOB inspections. A key takeaway from the PCAOB inspection process is the ability for auditors to not only understand audit standards, but how auditors support audit procedures and the evidence they utilize to adhere to these standards.

For IT SOX, evidentiary support often comes from the underlying IT systems that support financial reporting. The ability to extract system data and information pertaining to areas such as access, security, configuration management, etc., is critical in helping test and verify the IT internal controls. What can matter even more (in certain circumstances) is how the auditor puts forth the system data and information (i.e., where the evidence originated from, how the evidence supports the specific IT internal control, etc.). The ability to put forth supporting evidence in a clear, concise and easily translatable way demonstrates professional due care in understanding audit standards and what evidence was needed to satisfy those standards.  

Additionally, when reviewing the PCAOB Staff Outlook for 2021 Inspections a critical component pertains to responding to cybersecurity threats and incidents. Cybersecurity has played an ever-growing role in IT SOX, with more focus being applied when a cybersecurity incident has occurred at an organization. Audit firms and engagement teams should be monitoring cybersecurity activity at their clients and updating audit methodology accordingly. Also, with the PCAOB’s ongoing focus on documentation and supporting evidence, auditors should be planning accordingly when it comes to cybersecurity. Making sure the audit plans, procedures and conclusions of any cyber-related activity is appropriately evidenced and documented is a necessary step to bring transparency to the audit engagement around cybersecurity and cyber-related matters that could affect the audit or financial statements.

From enhancing internal controls and ensuring regulatory compliance to supporting strong cybersecurity principles in an organization, use the PCAOB’s inspection results and staff outlooks to boost your organization’s SOX program.

For more information on this topic or to understand how Baker Tilly can help strengthen your SOX program, connect with a cybersecurity specialist.

[1] The Public Company Accounting Oversight Board (PCAOB) has four primary duties, one of which is to establish or adopt auditing and related attestation, quality control, ethics and independence standards. As part of their oversight, the PCAOB inspects registered public accounting firms to assess their compliance with Sarbanes-Oxley (SOX), rules of the PCAOB, rules of the Securities and Exchange Commission (SEC) and professional standards, in connection with the accounting firm’s performance of audits and issuance of audit reports.