Audit Services PDF Print E-mail
Written by Webmaster Rob   
Wednesday, 11 May 2011 08:22

According to the PCAOB, the number of publicly traded companies reporting material weaknesses in internal control over financial reporting directly as a result of the Sarbanes-Oxley (SOX)Act raised significantly in 2005.

CPA firms are under pressure to maintain higher standards as their role changes from consultant to examiner. Public companies have a limited window of time to grasp the imposing requirements and to implement the necessary changes to comply with the regulations.

CSF bv provides the critical resources and the IT, regulatory, and enterprise security expertise to meet business compliance objectives. Our suite of compliance services includes Sarbanes-Oxley 404/IT External Audits, Sarbanes-Oxley 404/IT Internal Readiness, SAS 70 Audit Services compliance services.

SOX 404/IT External Audit

SOX Section 404 establishes rules to ensure that members of senior management of all publicly traded companies address their responsibility for implementing internal controls over financial reporting. Each company must assess the effectiveness of its controls and annually report the results to the SEC. Because the reliability of financial reporting is heavily dependent on a well-controlled IT environment, IT management is a vital component of SOX 404 conformance.

CSF bv collaborates with accounting firms to provide external audit services. We utilize our deep IT expertise and the COBIT framework to conduct the required 404/IT audit for external attestation. Our team evaluates and tests IT general and application controls to determine whether or not we can attest to management’s assertion as to the design and operating effectiveness of internal controls over the financial reporting process.

SOX 404/IT Internal Readiness

Complying with SOX is a time-consuming and documentation-intensive task, requiring substantial planning. Underestimating the requirements for this effort can lead to misallocation of financial and human resources and increased risk of noncompliance.

MindSource leverages significant external audit experience to deliver 404/IT Internal Readiness services. Our process includes the application of accepted standards, best practices, and control frameworks, including COBIT , ITIL, ISO 2700x, and COSO to achieve effective, efficient, and compliant internal controls. A typical 404/IT engagement begins with Project Scoping and follows with the iterative audit and controls testing process.

Project Scoping and Gap Analysis

Project Scoping is critical to SOX compliance efforts; planning saves time, effort, and money. A high-level analysis identifies compliance gaps and sets forth plans for implementing internal controls and remediating deficiencies. The steps include the following:

  • Discovering internal control programs and financial reporting processes and performing a risk analysis to determine the key controls
  • Mapping IT systems that support internal controls and the financial reporting process from data capture to final statement publication
  • Identifying and documenting areas of deficiency in control design and operating effectiveness of key control domains
  • Developing remediation strategies

SOX 404/IT Internal Audit/Controls Testing

Because SOX requires management to assess the effectiveness of internal controls on an annual basis, the internal audit function is critical to achieving compliance. MindSource leverages deep knowledge of compliance and the COBIT IT control framework to evaluate and test IT controls. This process includes:

  • Taking a risk analysis-based approach to identify the key IT general controls
  • Assessing the control design and enumerating gaps, closely monitoring documentation deficiencies
  • Testing the operating effectiveness of key IT controls, noting all exceptions, significant deficiencies, and material weaknesses


Using a trusted third party to manage and perform documentation can reduce the cost of compliance and take pressure off of internal resources. According to AMR Research, documentation is among the top 2005 SOX spending priorities. Creating, modifying, and storing documents typically occupy more man-hours than all other compliance activities.

Our experts collaborate with your team to identify and create documentation of systems, policies, and procedures to achieve compliance requirements and to optimize IT planning and implementation. Areas of documentation focus include:

  • Corporate governance, as it relates to the IT function
  • IT and Security Policies
  • Detailed Operating and Control Procedures
  • Standard Forms for all IT general control domains, including Access control, Program development, Program change control and Computer operations
  • Network Maps and Process Diagrams

Security Assessment

Having periodic independent security assessments conducted is an IT best practice generally accepted to be a required control measure to achieve SOX 404 IT compliance. MindSource offers a comprehensive suite of enterprise security assessment services to ensure that clients meet their compliance needs.

CSF bv Enterprise Security Assessment Services

Compliance Remediation Services

With a broad range of enterprise-class IT infrastructure implementation experience, MindSource acts as a trusted partner for developing and deploying security and infrastructure initiatives. Our team performs these functions by deploying best-of-breed systems within your system development life cycle (SDLC) to achieve SOX compliance and other business objectives.

CSF bv IT Infrastructure Services

SAS 70 IT Readiness

SOX 404 requires that public companies not only demonstrate control over their own internal processes, but that they also ensure control over processes outsourced to critical service providers.

The AICPA has developed an auditing standard for service providers to certify the efficacy of their own internal controls and to communicate this to the management and auditors of their clients or prospective clients. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a certified audit of a service provider’s control activities over information technology and related processes. Public companies seeking to comply with SOX 404 are increasingly demanding SAS 70 reports from their service providers.

MindSource provides SAS 70 IT readiness services including project scoping, gap analysis, documentation, and remediation to prepare our clients for their SAS 70 audit.

Last Updated on Wednesday, 11 May 2011 08:43