Corporate governance is the responsibility of an organization's board of directors (BOD). The internal auditor (IA), the external auditor (EA), and the information technology (IT) auditor all play important roles in the governance process. By using the control frameworks recognized under the Sarbanes-Oxley Act (SOX), namely the Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Control Objectives for Information and related Technology (COBIT), organizations can demonstrate their adherence to regulations and legal requirements. Under SOX, adherence to such control frameworks is a legal obligation rather than a voluntary best practice. The audit process itself helps organizations achieve proper governance. This paper evaluates the auditors' role in the governance process and explains how auditors ensure that an organization's governance system is well controlled and auditable. It also describes the likely consequences of failing to implement good governance properly.
IT Governance and Control
An organization's Board of Directors (BOD) has direct responsibility for ensuring good corporate governance. One definition of corporate governance is the system by which businesses are directed and controlled (Florea, R. (Radu) & Florea, R. (Ramona), 2013). The Sarbanes-Oxley Act of 2002 (SOX) focuses on enhancing corporate governance through improved internal checks and balances. These checks and balances strengthen the accountability of those responsible for managing the organization (Damianides, 2005). Good corporate governance may improve a company's performance by helping the BOD discharge its legal requirements and its fiduciary responsibilities to the company's owners (J. Chevers, D. Chevers, & Munroe, 2013).
The passing of SOX was the US government's response to the collapse of public confidence in due professional care and financial integrity following the failures of Enron, Global Crossing and other formerly 'blue chip' companies (Senft, Gallegos, & Davis, 2013). Before SOX was passed, other control frameworks already existed, including the Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Adoption of COSO was voluntary, but most companies regarded it as best practice for corporate governance and ethical business conduct. After SOX was passed, its recommendations became law rather than merely best practice (Damianides, 2005).
When the COSO framework was published in 1992, computer systems were not as prevalent as they are today, and COSO did not adequately address IT controls (Damianides, 2005). In response, the Control Objectives for Information and related Technology (COBIT) was published, which allowed organizations to demonstrate their adherence to regulations and legal requirements in the IT domain (Senft, Gallegos, & Davis, 2013). The challenge now is how the external auditor (EA), the internal auditor (IA) and the...