IT SOX Audit Services

Backbone Consultants provides independent audit support services for technology related Sarbanes Oxley (SOX) internal control testing for publicly held companies. Modern finance, accounting and treasury applications are technology based, resulting in a compliance obligation to validate the reliability of financial reporting. Backbone can effectively partner with a company’s internal audit department and work with their control owners to understand, test and document the internal control environment. Backbone's IT SOX Audit Services include:


Control Owner Interviews: Backbone's technical consultants will conduct interviews with designated control owners to gain an understanding of the process being tested from beginning to end. Meetings with key subject matter experts and system owners will help us document the processes and interrelated systems in detail. Comprehensive walkthrough documents will be created and reviewed with management to validate the control environment.


IT General Computing Controls: Backbone recognizes Information Technology General Computing Controls (ITGCC) as the foundational elements of a comprehensive IT control environment. Our trained consultants will leverage the COBIT framework, which groups 34 IT processes into four domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring) as a baseline to conduct validation testing. Testing of the IT General Controls will provide the assurance needed for application and process control testing.


Work Paper Documentation: Throughout the SOX audit engagement, Backbone will capture detailed work papers to sufficiently support the planning, execution, and conclusion of our testing. Documentation standards can follow any client specific requirements, and at a minimum capture: period, purpose, procedure, criteria, population, and conclusion. All documentation will follow industry approved sampling methodologies and documentation standards.


Testing of Control Design: Backbone will evaluate the effectiveness of design for existing controls to determine if they satisfy the company's control objectives and if the control can prevent errors, fraud or financial misstatements. This work will be executed by reviewing existing documentation, performing interviews and process walkthroughs with persons accountable or with sufficient competence of the control area. If deficiencies are noted in the control design, solutions to effectively address gaps in the current design will be provided to management.


Testing of Operating Effectiveness: Backbone's detailed testing procedures will validate if the control is operating as it is designed, and if the control is effective. Execution of this work will be completed by walkthrough meetings with control owners and subject matter experts to understand all processes and systems part of the control. Evidence will then gathered to support the control design, this includes, but is not limited to screenshots, system settings, scripts, tickets, etc. Depending on the population size a non-statistical random sample may be taken to satisfy the control testing requirements.


Report Writing: Upon completion of control design or operating effectiveness testing, Backbone Consultants will provide detailed workpapers, audit memo, audit report, and any consultative memos summarizing our findings and recommendations. This documentation can follow client provided templates or forms, or leverage our defined standard reporting process and templates. This reporting is intended to provide an opinion on the state of controls over the processes in scope for testing. All supporting documentation will be referenced and supplied upon completion of the body of work.


Backbone’s IT SOX Audit Service delivers much more than a 'check the box audit', it ensures that you meet your compliance requirements and validates the maturity of your IT control environment. Backbone's team of Certified Information Systems Auditors (CISA) are highly qualified and experienced in conducting external SOX audits or internal review of an organization's IT control framework supporting the accuracy of financial reporting.