Thinking like an auditor
SOX requires public companies to document every step of each of their
processes from beginning to end. The auditor's job is to follow each process
(order to cash, for example) and ask the following questions:
Who’s involved throughout the process?
What kind of access do they have? What other accesses do they have?
Who has approved what?
This exercise is extremely time- and resource-intensive, especially when you
consider that companies often have different systems (running their Human
Resources on SAP and their Procurement on Oracle, for example), and within
the various systems there are hundreds of different roles. The auditor is
expected to understand both the business side and the IT side, and then pull
all this data together to run reports. This monumental task is why auditors
get paid so much. They are highly paid detectives, sniffing out SoD violations
and the potential for fraud and negligence.
Making the computer your auditor
Managing all these interdependencies is like three-dimensional chess, and
even massive spreadsheets with teams of analysts can't reveal all the possible
combinations that could lead to problems, let alone monitor them in real
time. The only way to handle this much complexity is to automate it,
making technology into a virtual auditor. Chapters 6 and 7 tell you how.
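The following is an added example (not from this book) of what "making the computer your auditor" looks like in practice: it merges role exports from two separate systems into one view per person, then checks that view against a table of conflicting roles. The user names, role names, and conflict rules are constructed for illustration; a real conflict matrix comes from your own control design, and the point of the example is that a conflict split across two systems (one role granted in SAP, the other in Oracle) is invisible to either system on its own.

```python
"""Automated segregation-of-duties (SoD) check across two systems.

Added example with constructed data: the users, role names, and conflict
rules below are illustrative, not a real control matrix.
"""
from collections import defaultdict

# Constructed sample role exports, one per system (the text's example is
# HR on SAP and Procurement on Oracle).
SAP_ROLES = {
    "alice": {"create_vendor", "maintain_employee_master"},
    "bob":   {"post_journal_entry"},
    "carol": {"approve_payment"},
}
ORACLE_ROLES = {
    "alice": {"approve_payment"},   # conflicts with alice's SAP role below
    "bob":   {"create_purchase_order"},
    "dave":  {"create_purchase_order", "receive_goods", "approve_invoice"},
}

# Constructed conflict rules: pairs of roles one person should never hold
# together, each tagged with the process and the risk it guards against.
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment", "order-to-cash: pay a fictitious vendor"),
    ("create_purchase_order", "approve_invoice", "procure-to-pay: self-approved spend"),
    ("receive_goods", "approve_invoice", "procure-to-pay: invoice against a phantom receipt"),
    ("post_journal_entry", "approve_payment", "record-to-report: conceal a payment"),
]


def merge_access(*systems):
    """Answer 'what other accesses do they have?' by merging per-system role
    exports into one view per user, recording which system granted each role.

    systems: (system_name, {user: set_of_roles}) pairs.
    Returns {user: {role: set_of_system_names}}.
    """
    merged = defaultdict(dict)
    for system_name, export in systems:
        for user, roles in export.items():
            for role in roles:
                merged[user].setdefault(role, set()).add(system_name)
    return merged


def find_sod_violations(merged, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b, risk) tuples for every conflicting
    pair a single user holds, no matter which system granted each side."""
    violations = []
    for user, roles in merged.items():
        held = set(roles)
        for role_a, role_b, risk in conflicts:
            if role_a in held and role_b in held:
                violations.append((user, role_a, role_b, risk))
    return sorted(violations)


def violation_report(merged, conflicts=SOD_CONFLICTS):
    """Render violations as one line each, naming the granting system(s) so
    the reviewer can see which conflicts only appear after merging."""
    def granted_by(user, role):
        return "/".join(sorted(merged[user][role]))

    return [
        f"{user}: {a} ({granted_by(user, a)}) + {b} ({granted_by(user, b)}) -> {risk}"
        for user, a, b, risk in find_sod_violations(merged, conflicts)
    ]


if __name__ == "__main__":
    combined = merge_access(("SAP", SAP_ROLES), ("Oracle", ORACLE_ROLES))
    for line in violation_report(combined):
        print(line)
```

Run on its own, the script reports three violations: two for dave entirely within Oracle, and one for alice that exists only because her create_vendor role in SAP is combined with her approve_payment role in Oracle. Checking either system's export by itself finds nothing wrong with alice, which is exactly the gap the cross-system merge closes.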