Enhancing Internal Audit Capability for IT Audits
Arming Staff, Seniors, and Managers with the competency and practices to audit IT systems, applications, and controls.
Understand the IT Audit ecosystem. Provide advice on IT system and control scoping for SOX compliance and an organization’s IT control environment.
Better test and support IT controls. Design control testing attributes and support ITGC, ITAC, and IPE testing results.
Defend IT control testing conclusions to external auditors. Reduce back-and-forth and unnecessary retesting.
Develop internal auditors into well-rounded Integrated Auditors. Expand their roles and further build out their auditing skillset.
Ensure SOX and Internal Audit professionals keep pace with evolving IT environments. Help reduce deficiencies and improve enterprise risk management initiative.
What You Get
Register for SYNERGY
Building Today’s Integrated Internal Auditor
This course explores different types of IT controls found in an organization’s control environment and SOX program and applies real-world scenarios to enhance critical thinking and problem solving skills.
Register for SynergyCourse Overview & Introduction to IT Auditing in SOX Compliance
Description
This course introduces IT auditing within the context of SOX compliance, emphasizing the unique challenges faced by auditors without a technical background. Participants will explore key IT control areas, the impact of IT on financial reporting, and regulatory expectations for technology-related controls. The session will include a high-level introduction to control types and discussions to enhance auditors' ability to assess IT risks effectively.
Learning Objectives
Explain the role of IT auditing in SOX compliance and its significance for financial reporting.
Identify key IT controls and common challenges non-IT auditors face when engaged in testing.
Discuss common frameworks auditors should know for background in IT audit.
Challenges of Scoping IT Components in Business Process Controls
Description
Effective SOX scoping must account for technology that supports financially material accounts. Unfortunately, IT components are often overlooked until issues arise during walkthroughs or testing. This course will explore properly identifying and including IT elements in the SOX scope from the outset, reducing surprises and audit deficiencies.
Learning Objectives
Recognize common IT components that impact business process controls in SOX audits.
Conduct a systematic scoping exercise to identify IT systems relevant to financial reporting.
Develop strategies to ensure IT components are properly considered in the SOX scope.
IT System Risk Assessments and Control Identification
Description
IT risk assessments are critical for identifying key control areas in SOX compliance. This course will cover different types of IT risk assessments auditors commonly encounter, including application risk, infrastructure risk, and third-party risk. Attendees will learn how to evaluate IT risks effectively and determine the appropriate controls for mitigating them.
Learning Objectives
Differentiate between various IT risk assessment methodologies used in SOX audits.
Identify control requirements based on assessed IT risks.
Apply risk-based approaches to IT control testing and documentation.
Simulated Scoping Exercise and Group Discussion
Description
Participants will apply SOX scoping principles through a hands-on exercise in this interactive session. Using a real-world business scenario, they will assess IT components supporting financial processes, identify risks, and determine control requirements. The session will conclude with a group discussion on best practices and common pitfalls.
Learning Objectives
Perform an IT scoping exercise using a structured methodology.
Identify critical IT dependencies in financial processes.
Collaborate in a group setting to discuss scoping challenges and solutions.
IT Entity Level Controls (ELCs) – Importance and Common Pitfalls
Description
IT ELCs play a fundamental role in SOX compliance but are often overlooked or misunderstood. This course will provide an in-depth review of IT ELCs, their impact on financial reporting, and common failures in testing these controls. Participants will also explore evolving cybersecurity-related ELCs and their growing importance in audit frameworks.
Learning Objectives
Define IT ELCs and their role in supporting financial reporting integrity.
Identify common pitfalls in testing IT ELCs and strategies for effective assessment.
Evaluate cybersecurity-related ELCs and their impact on SOX compliance.
IT General Controls (ITGCs) – Access Management
Description
Access management is a critical ITGC area that directly affects financial reporting reliability. This course will delve into best practices for user access controls, segregation of duties, and privileged account management. Participants will analyze real-world case studies of ITGC failures and their impact on SOX audits.
Learning Objectives
Explain the role of access management in ITGCs and SOX compliance.
Identify key access control failures and their potential financial reporting risks.
Develop risk-based approaches for testing access management controls.
Testing Scenarios and Case Studies on ITGC Failures
Description
Auditors often encounter ITGC failures that impact SOX compliance. This session will present real-world scenarios of ITGC breakdowns, including access management failures, unauthorized system changes, and inadequate monitoring. Participants will evaluate each case study and discuss remediation approaches.
Learning Objectives
Analyze real-world ITGC failures and their financial reporting implications.
Develop strategies for identifying and mitigating ITGC deficiencies.
Apply risk-based thinking when evaluating ITGC issues in audits.
IT Application Controls (ITACs) – Identification and Scope
Description
IT application controls (ITACs) govern automated financial reporting processes but are often difficult to identify and test. This course will guide participants through ITAC scoping, control mapping, and reliance on system-generated information. Case studies on financial system controls will be used to enhance learning.
Learning Objectives
Differentiate between ITGCs and ITACs in SOX compliance.
Identify ITACs within financial reporting systems.
Develop an approach for testing ITACs using system implementation documentation and vendor reports.
Using Financial Reporting Systems as Case Studies for ITACs
Description
This hands-on workshop will immerse participants in the process of identifying IT application controls (ITACs) within financial reporting systems. Using a real-world financial reporting application as an example, attendees will assess control design, identify deficiencies, and develop compensating control strategies to address gaps. Discussions will emphasize the importance of ITACs in ensuring the accuracy and reliability of financial reporting.
Learning Objectives
Identify and evaluate ITACs within a financial reporting system.
Analyze control deficiencies and their potential impact on financial reporting accuracy.
Develop and recommend compensating controls for mitigating identified risks.
Understanding SOC 1 Reports and Third-Party Risks
Description
With increased reliance on third-party software providers, auditors must evaluate vendor controls through SOC 1 reports. This session will provide a comprehensive guide to SOC 1 report assessments, identifying key control areas, and addressing vendor deficiencies. The discussion will also cover expectations related to fourth-party risks and their implications.
Learning Objectives
Interpret SOC 1 reports and their relevance to ITGC frameworks.
Identify control gaps in SOC 1 reports and develop mitigation strategies.
Assess the impact of third- and fourth-party risks on SOX compliance.
Workshop on Evaluating SOC 1 Reports and Mitigating Vendor Control Gaps
Description
This hands-on workshop will provide participants practical experience in evaluating SOC 1 reports. Attendees will review sample reports, identify deficiencies, and determine compensating controls to address vendor control gaps. Attention will be given to identifying which fourth-party controls may be relevant.
Learning Objectives
Analyze SOC 1 report findings and identify areas of concern.
Develop mitigation strategies for vendor control deficiencies.
Apply best practices for integrating SOC 1 reviews into the audit process.
Documentation Expectations – Flowcharts, Narratives, Policies, and Procedures
Description
Clear and comprehensive documentation is essential for SOX compliance. This course will explore best practices for preparing flowcharts, narratives, policies, and procedures that align with audit requirements. Participants will discuss common documentation challenges and ways to streamline evidence collection.
Learning Objectives
Define key SOX documentation requirements for IT controls.
Identify best practices for preparing effective audit documentation.
Develop strategies for overcoming documentation challenges in IT audits.
Information Prepared by the Entity (IPE) – Best Practices and Testing Strategies
Description
IPE plays a critical role in SOX audits, but its definition and testing expectations often vary. In IT, we have the added challenge of working with disparate systems often feeding into many potential data sources. This session will provide auditors with practical approaches to assessing IPE risks, validating data integrity, and implementing controls for reliable financial reporting.
Learning Objectives
Explain the importance of IPE in IT audits and financial reporting.
Identify best practices for testing IPE reliability and accuracy.
Develop an approach for documenting and validating IPE compliance.
Identifying and Addressing Deficiencies in IT Controls
Description
Auditors must proactively identify IT control deficiencies and implement remediation plans. This course will cover methods for evaluating control gaps, documenting deficiencies, and developing corrective actions. Participants will also learn how to communicate findings to stakeholders.
Learning Objectives
Identify common IT control deficiencies and their root causes.
Develop a risk-based approach to addressing IT control gaps.
Communicate IT audit findings effectively to management and external auditors.
Fireside Chat – Open Discussion with Guest Speakers from the Audit Collective and Course Wrap-Up
Description
This interactive session will allow participants to interact with experienced professionals in the IT audit field. In a roundtable discussion format, guest speakers from the Audit Collective will share their insights and experiences related to SOX compliance, ITGCs, ITACs, SOC reports, and other key topics covered in the course. Attendees will have the chance to ask questions, discuss challenges, and gain practical knowledge from experts in the field.
Learning Objectives
Gain insights from experienced IT audit professionals on SOX compliance challenges.
Engage in meaningful discussions on ITGCs, ITACs, and other key audit topics.
Apply lessons learned from industry experts to improve IT audit practices.
Toby DeRoche
MBA, CIA, CCSA, CRMA, CFE, CISA, cAAP
Toby DeRoche is the founder of Insight CPE, LLC, dedicated to advancing education for audit, risk, and fraud professionals. Throughout his career, he has advised governance and assurance professionals on effective solutions for audit, risk, and compliance challenges.
With nearly 20 years of experience in internal audit, fraud examination, and technology enablement consulting, Toby brings deep expertise to the profession. He has authored over 100 blogs and written the books Agile Audit: Transformation and Beyond and Only Audit What Matters.
In addition to his thought leadership, Toby applies his expertise in practice as a Senior Manager of IT Controls at Agilon Health.
How the course works
length
schedule
(Monday to Thursday)
Timing
Duration
Starts
.svg)
Ends
Synergy is not for everyone
Register for SynergyYou are a good fit for this course if:
SOX Auditors, Internal Auditors, and Internal Controls SOX practitioners who have never been trained on the fundamentals and practical application of IT Audit.
If you manage a SOX compliance program that struggles with determining what ITGCs and ITACs should be in and out of scope, and are looking for ways to reduce IT control deficiencies.
If you are looking for a sound strategy to use to improve your organization’s approach to IPEs and IUCs.
You are not a good fit for this course if:
IT Auditors with more than 8 years of experience.
You are not respectful or quickly dismissive of new ideas, practices or concepts.
Register for Synergy
Early Bird Price Until Jan 1
$1,095 $1,295
Practical, cohort-based training to master the fundamentals of modern internal auditing
9 expert Instructor-led
7 facilitated workshops and peer discussions
Syllabus with all shared presentations and templates
BONUS 12 month access to the Internal Audit Collective Community
Frequently Asked Questions
Who is this course for?
- Internal Audit Staff, Seniors, and Managers who are tasked with the use of data analytics in the course of an internal audit project
- A risk-based audit leader seeking an application agnostic of any data analytics application
- Any 2nd or 3rd line compliance or transaction-based auditor with data analytic responsibilities
Who are you? And what is the Internal Audit Collective?
Hi - I’m Tom O’Reilly. I help internal audit and SOX professionals uplevel their programs and careers.You can read more about my backstory and why I built the Internal Audit Collective here.
What if I cannot attend all of the meetings?
You will receive CPE credits for all sessions that you attend.
You will receive a certificate of completion for participating in 80% of the meetings (13 total)
OK - I’m sold. What happens after I pay for the course?
Once you are registered, you will receive a welcome email, which will include the program syllabus with meeting information and materials. You will be asked to choose what breakout sessions you’d like to attend (7 total). You’ll then receive meeting invites.
What do I do if I have any additional questions?
Email me at: Tom@InternalAuditCollective.com - and I’ll get back to you asap.