1. Develop assurance objectives for risks of information systems.
2. Design assurance procedures.
3. Communicate assurance results.
4. Collaborate with others to achieve these objectives.

Practice of IT auditing

Interview auditors from PriceWaterhouseCoopers on SOX compliance and the practice of IT audit: Chris Bowler, Jason Li, and Zenny Bowry

1. Some starting points:

   1. How has financial auditing and IT auditing changed due to SOX?
   2. Are companies getting value from SOX?
   3. Are SOX requirements likely to be changed?
   4. What skills does an auditor need for SOX work?

SOX experiences

1. Katz, D. M. 2006. A tough act to follow. CFO Magazine (March): 65-70.
2. Shaw, H. 2006. The trouble with COSO. CFO Magazine (March): 75-77.
3. Stuart, A. 2006. Serenity now! CFO Magazine (March): 79-83.
4. Wagner, S., and L. Dittmar. 2006. The unexpected benefits of Sarbanes-Oxley. Harvard Business Review (April): 133-140.
5. O'Sullivan, K. 2006. The case for clarity. CFO Magazine (September): 65-69.

1. Develop assurance objectives for risks of information systems.
2. Design assurance procedures.

Examine the potential roles of continuous auditing

1. What is continuous auditing? Nehmer; Vasarhelyi/Halper. What is required to make continuous monitoring and auditing feasible?
   1. Why are auditor-defined rules (heuristics) needed for continuous monitoring and auditing?
2. What would continuous monitoring look like? Consider this example of monitoring payables with Oversight Systems software at American Electric Power
3. What role might continuous assurance have with respect to the Sarbanes-Oxley Act of 2002 (SOX) Section 404? Are CPAs and IS auditors interpreting the role of continuous assurance the same way?
4. How can digital analysis be useful in auditing?
   1. Internal auditing
   2. Analytical procedures
5. What about continuous auditing accounts for interest in it with respect to SOX?
   1. Process improvement payoff related to Sarbanes Oxley compliance due to continuous auditing: Business Finance Magazine Nov. 2005
   2. Efficiencies required for Sarbanes Oxley and how continuous auditing will play a role
      1. Business Finance Magazine Dec. 2004
      2. eWeek Aug. 5, 2005
6. How could continuous auditing be employed to avoid a rogue trader (link replaced 11/15)?
7. What about real-time financial reporting prompts interest in continuous auditing?
8. Why do continuous monitoring and auditing require formalizability?

Continuous monitoring and auditing:

1. Vasarhelyi/Halper
2. Nehmer

Digital analysis:

1. Internal auditing
2. Analytical procedures

Uses for continuous monitoring:

1. Monitor payables with Oversight Systems software: American Electric Power
2. Improve processes: Nov. 2005
3. Avoid a rogue trader (link replaced 11/15)
4. Support real-time financial reporting
5. Monitor business processes

1. Develop assurance objectives for risks of information systems.
2. Design assurance procedures.

PC-Now case

Consider PC-Now Company's procure-to-pay process:

1. Role of controls
   1. Which controls support which financial statement assertions for cash and accounts payable balances:
      1. Existence
      2. Completeness
      3. Valuation
      4. Rights/obligations
   2. Which of the controls in 1 would be considered key controls for SOX compliance?
   3. Which controls support operational effectiveness and efficiency but would not be considered key controls for SOX compliance?
   4. Which controls seem to be superfluous? Why?
2. Proof of concept: Implementation as a continuous audit
   1. For the non-superfluous controls, which ones seem sufficiently formalizable for continuous auditing?
   2. For the controls in 2.1, what else is required to implement them for continuous auditing?

PC-Now procure-to-pay process

Modeling internal control:

1. Krishnan et al. 2005. On data reliability assessment in accounting information systems. Information Systems Research 16(3): 307-326