UNCW MSA 516 - Statutory Audit and IT Governance

This preview shows page 1-2 out of 5 pages.



INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2003

Statutory Audit and IT Governance

“The IT audit profession, with its capabilities and standards, is part of the solution.”

Erik Guldentops, CISA, CISM

Ten years ago there was frankly not much talk about corporate governance. Neither, to be truthful, was audit discussed much. Today the reverse is true. The reason is because we tend to operate in a “plugging holes” mode, as the recent flurry of emerging audit and governance standards illustrates.

These recent developments (IAASB, COSO II, Sarbanes-Oxley, etc.) focus strongly on the system of internal control in response to recent scandals that have damaged the public trust in financial information and corporate disclosure. It is now mandatory for the CEOs of public corporations quoted either in New York or London to perform a review of internal control at least annually and to publicly disclose their formal evaluation. This is an important and burning driver but not the only one influencing the role of IT in governance and statutory audit.

This article will attempt to illustrate the importance of IT to enterprise reporting systems and, hence, to internal control, and thereby to corporate officers and auditors responsible for certification. At the same time, the relevance of IT and IT governance will be shown. They are relevant to the processes by which financial information is produced, and most importantly, they are essential to survival and growth of the enterprise as a whole.
Ultimately this increases the importance of the role of IT auditors in IT governance, corporate reporting, internal control and statutory audit.

There are some immediate relations one can draw with statutory audit requirements when we look at some of the major drivers for IT governance (see figure 1)¹, including:
• Trust—With investors willing to pay significantly more for shares of well-governed enterprises
• Value—When considering the majority of enterprise market value is in intangible assets
• Survival—When trust can vanish overnight when based on intangibles and governance practices
• Assurance—With its increasing requirements for risk transparency and increasing focus on internal controls

The enormous value of information for most enterprises increases the priority of the statutory audit requirement to look at how management exercises its custodianship over these intangible assets.

Equally, when considering the dependence on intangibles and the speed with which trust can be lost (e.g., Enron and the ensuing demise of Arthur Andersen), the statutory audit requirement to warn when there is an issue with the going concern cannot be ignored. There is now such corporate reliance.

Trust and assurance depend on the integrity of the information reported and on the system of internal control that an enterprise operates. Good governance and a sound system of internal control are the responsibilities of management and the board. Where they exist, the task of external auditors—in terms of statutory opinion and attestation of the evaluation of internal control—is made a lot easier.

The US Sarbanes-Oxley Act is undoubtedly the most far-reaching piece of legislation to affect the governance of US and international corporations. The act puts strong requirements on management and auditors for the establishment, evaluation and reporting on internal control (see figure 2).
In addition, it goes well beyond the financial controls traditionally associated with statutory audits, with the introduction of “disclosure controls and procedures,” which are more in line with the compliance and operational controls of COSO (Committee of Sponsoring Organisations of the Treadway Commission). To exercise that responsibility, management and the auditors also need to look at:
• IT’s role in the integrity of information
• The system of internal controls over IT
• The support IT provides to the overall system of internal controls
• The management of IT risks

[Figure 1—IT Governance Drivers: Value (Brookings), Trust (McKinsey), Assurance (Turnbull), Survival (Greenspan), IT Governance]

Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

However, none of these responsibilities can be exercised without considering the enterprise information and the systems that capture, process, store and distribute it.

This is where IT audit competencies and practices need to be applied—more extensively than in the past—to support management’s and external auditors’ responsibilities relative to the integrity of information, the appropriateness of risk management and the adequacy of internal control. The complexity and widespread deployment of IT systems in terms of organisational structures and resources, as well as technologies used, has created the need for highly specialised IT auditors who—as experts in IT governance best practice—can opine on these issues.

Enterprise governance relates to the rules and processes through which business opportunities and risks are recognised and managed to ensure enhanced and sustainable stakeholder value.
IT governance covers the management processes which ensure the delivery of the expected benefits of IT in a controlled manner so that it supports current operations and helps enhance the long-term sustainable success of the enterprise.

There is a significant difference between strong and weak IT governance, as illustrated in figure 3. The difference has a profound impact on trust and assurance.

With these differences, it would be foolish to deny that strong IT governance has no impact on the integrity of information, the system of internal control or audit risk.

From a statutory audit perspective, strong IT governance reduces audit risk from, for example:
• Poor security over business transaction capture, transfer, analysis and reporting
• Poor management controls over completeness and integrity of business transaction capture, transfer, analysis and reporting
• Misdirected or poor financial transparency of IT investments
• Fraud or wilful manipulation or concealment of business information

While noting that most external auditors truly appreciate the importance of IT, it is disappointing to see that statutory audit standards appear to restrict themselves to those aspects which strictly relate to the preparation of financial statements, while there is a much larger array of risks that enterprises need to address.²

The good news is that IT governance issues are

