Impact of Computer-Assisted Audit Techniques on Sarbanes-Oxley Act Sections 404 and 409. Scarlett Choi ACC 626

Transcription

1 Impact of Computer-Assisted Audit Techniques on Sarbanes-Oxley Act Sections 404 and 409 Scarlett Choi ACC 626

2 INTRODUCTION In order to restore the declining investors confidence in the capital markets due to series of highly-publicized fraudulent activities of corporations and alleged audit failures, the Sarbanes-Oxley Act (the Act ) was passed as law in July The Act significantly expanded the rules for corporate governance, disclosure, and reporting by highlighting the responsibilities of corporate executives and directors, lawyers, and accountants. Moreover, it created a broad oversight regime for auditors of public companies along with the emphasis on the critical role of internal control over financial reporting (ICFR), which is a process designed and maintained by management to provide reasonable assurance regarding the reliability of financial reporting and the preparation of the financial statements for external purposes with GAAP. The purpose of implementing such controls is to support the integrity and reliability of the company s external financial reporting processes. 1 With an increasing employment of sophisticated and complex information technology (IT) in all levels of corporations, auditors encounter many firms with its financial reporting processes wholly dependent on the IT systems. Hence, auditors must determine how the firm uses its IT systems to initiate, record, process, and report transactions or other financial data. This understanding is necessary to plan the audit and to determine the nature, timing and extent of tests to be performed to gain a sufficient understanding of internal controls. 2 In light of the implementation of the Act and the increasing demand on auditors to make the audit more effective and efficient, major initiatives have been put in place toward development and proliferation of computer-assisted audit tools and techniques (CAAT). 3 This report focuses on the two key provisions of the Act that are associated with IT, Section 404 Enhanced Financial Disclosures, Management Assessment of Internal Control and Section 409 Real Time Issuer Disclosures. It delves into the specifics of the CAAT and explores the background of the two key provisions. The report serves to determine the role and the implications of CAAT with the implementation of the Act, and to outline the most prominent type of CAAT that is available to comply with the provisions. COMPUTER-ASSISTED AUDIT TECHNIQUES While CAAT are any technology that is used to assist in the completion of an audit, it can be 1 Deloitte & Touche, Ernst & Young, KPMG, PricewaterhouseCoopers. Perspectives on Internal Control Reporting A Resource of Financial Market Participants. AICPA. December Cerullo, Michael J. and Cerullo, M. Virginia. Impact of SAS No. 94 on Computer Audit Techniques. Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June Braun, Robert L. and Davis, Harold E. Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal (2003): ProQuest. University of Waterloo Lib. 14 June Page 1 of 13

3 more specifically defined as tools and techniques used to directly examine the internal logic of an application as well as to draw indirect inferences upon an application's logic by examining the data processed by the application 4. CAAT can be used in achieving the goals of audit 5 by performing various audit procedures including test of details of transactions and balances, analytical review procedures, compliance tests of IS general and application controls, and penetration testing 6. CAAT play a significant role in enhancing the effectiveness and efficiency of riskassessment procedures. Through the use of software, auditors can improve the quality of audit evidence. By automating procedures, CAAT removes subjectivity and bias in performing financial analysis and auditors save time. As well, CAAT provide comprehensive analysis (i.e. identification of both inherent and control risks; supplementation on trend analysis with data from multiple sources) in order to assist in performing preliminary analytical reviews in risk-assessment process where its result drives overall audit approach. 7 Moreover, CAAT can be successfully employed in enhancing the effectiveness and efficiency of the audit procedures. With the use of CAAT, complete verification covering all doubtful cases with inadequate validations is possible with minimal effort and time and with guaranteed accuracy. As well, the use of CAAT increases credibility for substantive testing to provide total assurance or clear pinpointing of errors and frauds. 8 There are six different types of CAAT that are available in achieving the objectives of financial statement audits: 1) Test Data: Uses auditor-prepared input data to test the current version of a client-supplied copy of application within the client's system. Once auditor s data is processed, the systemgenerated results are compared to auditor expectations. Any departure from the expected results would indicate logic or control problem. 9 2) Integrated test facility: Requires auditor to be involved in the system design. Creates audit modules within the system that allow "dummy" test data to be segregated from actual "live" data in the system. Once established, test data can be placed in the normal transaction stream 4 Ibid. 5 ISACA. Use of Computer-Assisted Audit Techniques. IS Auditing Guideline. (1998): June 2008.< ContentGroups/Journal1/20033/Using_CAAT_to_Support_IS_Audit.htm> 6 Coderre, David. Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. Global Technology Audit Guide. Institute of Internal Auditors. 25 July < 7 Vuchnich, Alex. Using CAATTs in Preliminary Analytical Review to Enhance the Auditor's Risk Assessment. The CPA Journal (2008): ProQuest. University of Waterloo Lib. 12 June ISACA. Use of Computer-Assisted Audit Techniques. IS Auditing Guideline. (1998): June < Content/ContentGroups/Journal1/20033/Using_CAAT_to_Support_IS_Audit.htm> 9 Braun, Robert L. and Davis, Harold E. Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal (2003): ProQuest. University of Waterloo Lib. 14 June Page 2 of 13

4 and auditor can evaluate application controls during normal operations using the results. 10 3) Parallel simulation: Auditor develops application designed to replicate the results of the client's application using client-supplied data. Comparison of the results allows auditor to evaluate quality of the process performed by the client's application. 11 4) Embedded audit module (EAM): Auditor inserts audit module in the client's application that will identify transactions that meet some pre-specified criteria as they are being processed, reviewed in real-time or in batch. Particularly effective in identifying large transactions for substantive testing or controls testing by identifying transactions processed in a manner inconsistent with policies and procedures. 12 5) Generalized audit software (GAS): Software allows data extraction and analysis. Relative simplicity of use requiring little specialized IS knowledge and its adaptability to a variety of environments and users. Facilitates greater coverage compared to other types of procedures achieved through queries that allow the auditor to analyze data and extract information from the client's database. Several audit operations supported by GAS. 13 6) Continuous auditing: Method used to perform control and risk assessments automatically 14 and allows an on-going review and analysis of business information on a real time basis 15. More specifically, enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter. 16 GAS is most frequently used at present due to minimal disruption and reliance on client as well as relative simplicity of use 17. However, there are two major drawbacks to the use of GAS due to the complex IT environment established in firms and the implementation of the key provisions of the Act: 1) incompatibility of such software with the complex file structures of database systems; and 2) inability to constantly monitor the information system and provide timely warning when unusual transactions or patterns occur in the system. In order to address these issues of GAS, audit and assurance services are leaning toward a continuous model, which incorporates EAM, Extensible Business Reporting Language 10 Ibid. 11 Ibid. 12 Ibid. 13 Ibid. 14 Coderre, David. Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. Global Technology Audit Guide. Institute of Internal Auditors. 25 July < 15 AICPA. Continuous Audit. AICPA Information Technology Centre. 25 July < +Audit+and+Internal+Control/IT+Systems+Audit/Continuous+Audit> 16 Huang, Shi-Ming et al. Developing A Continuous Auditing Assistance System Based On Information Process Models. The Journal of Computer Information Systems (2007): ProQuest. University of Waterloo Lib. 25 July Singleton, Tommie. Generalized Audit Software: Effective and Efficient Tool for Today s IT Audits. ISACA JournalOnline. 2 (2006). 10 June < for_todays_it_audits.htm> Page 3 of 13

5 (XBRL), database technology, data warehouse, and internet technology to help achieve the dynamic, real-time auditing. 18 SARBANES-OXLEY ACT SECTION 404 AND ITS IMPLICATIONS One of the key provisions of the Act is Section 404 Enhanced Financial Disclosures, Management Assessment of Internal Control. In conjunction with the Auditing Standard No. 5 (AS5), which superseded Auditing Standard No. 2 (AS2) in 2007, the Section 404 of the Act requires: 1) the management s assessment on the effectiveness of ICFR as at the company s year-end; 2) external auditors opinion on the management s assessment; and 3) external auditors own assessment. The AS5 replaced AS2 in order to increase the accuracy of financial reports while reducing unnecessary costs, especially for smaller public companies. It was intended to make Section 404 audits and management evaluations more risk-based and scalable to company size and complexity, allowing the audit to be more effective and efficient. In turn, AS5 was put in place to strengthen investor protection by refocusing resources on what truly matters to the integrity of financial statements. 19 The key elements of AS5 is consistent with AS2 in that it serves to achieve the objective of improving the quality of F/S as it is a single standard based on providing reasonable assurance on both the design and operating effectiveness of ICFR. The new Standard is less prescriptive and more principles-based, and provides for greater use of professional judgment by auditors by requiring the auditors to 1) take a top-down, risk-based approach, focusing on the areas with the greatest risk of material misstatements; and 2) include only the requirements necessary for an effective audit. 20 AS5 also promotes flexibility by making audits scalable by allowing changes to fit the size and complexity of any company. 21 Moreover, AS5 adopted a definition of significant deficiency as a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for 18 Huang, Shi-Ming et al. Developing A Continuous Auditing Assistance System Based On Information Process Models. The Journal of Computer Information Systems (2007): ProQuest. University of Waterloo Lib. 25 July U.S. Securities and Exchange Commission. SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting; Adopts Definition of "Significant Deficiency. 25 July U.S. Securities and Exchange Commission. 12 June < 20 Brownlee, Elaine and O Shea, Niall. SOx s404: The New Guidance: What It Really Means. Accountancy Ireland (2007): ProQuest. University of Waterloo Lib. 13 June U.S. Securities and Exchange Commission. SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting; Adopts Definition of "Significant Deficiency. 25 July U.S. Securities and Exchange Commission. 12 June < Page 4 of 13

6 oversight of the registrant's financial reporting. This definition is used in the context of evaluating the required communications under the Section 404 of the Act. 22 In properly assessing the effectiveness of a firm s ICFR which is embedded in complex IT systems, Statement on Auditing Standards No. 94 (SAS 94) The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit provides specific guidance to auditors by stating that CAAT are needed when a significant amount of financial information supporting one or more financial statement assertions is automated by complex electronic IT. In these situations, the auditor must assess control risk by performing tests of controls, regardless of firm size. 23 There are three broad categories of CAAT in which the types of CAAT described above can be classified under: 1) Auditing around computer: Test reliability of computer generated info by calculating expected results and compare to output. Adequate when automated systems are simple and straightforward. Major weakness is that it doesn t determine correctness of program logic. 24 2) Auditing with computer: Draw indirect inferences upon an application's logic by examining the data processed by the application 25. GAS is frequently employed to audit with the computer by performing substantive tests and limited test of controls For example, GAS can be used to test the functioning of complex algorithms in computer programs, but it requires extensive experience in using the software. 26 3) Auditing through computer: Test automated processing steps, programming logic, edit routines and programmed controls. Assumed that if programs are functioning as designed, errors and irregularities would be detected and outputs can reasonably be accepted as reliable. Appropriate for testing controls in complex IT systems. Techniques include test data technique, parallel simulation, integrated test facility, and embedded audit module. 27 SAS 94 and firms dependence on complex IT systems with regards to its financial reporting signal the diminished likelihood that "audit around the computer" and the audit with the computer approaches will be appropriate. As a result, auditors must begin to incorporate state-of-the-art auditing software applications in the audit process. This will 22 Ibid. 23 Cerullo, Michael J. and Cerullo, M. Virginia. Impact of SAS No. 94 on Computer Audit Techniques. Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June < /20033/Impact_of_SAS_No_94_on_Computer_Audit_Techniques.htm> 24 Ibid. 25 Braun, Robert L. and Davis, Harold E. Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal (2003): ProQuest. University of Waterloo Lib. 14 June Cerullo, Michael J. and Cerullo, M. Virginia. Impact of SAS No. 94 on Computer Audit Techniques. Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June < /20033/Impact_of_SAS_No_94_on_Computer_Audit_Techniques.htm> 27 Ibid. Page 5 of 13

7 enable the audit process to be more effective because the scope of the transactions being analyzed can be increased at a minimal marginal cost. In addition, economic forces at work in capital markets appear to be signaling the demand for more timely assurance on financial information reported annually, quarterly, and throughout the year. 28 However, for real-time financial information to have value, the decision makers (i.e. investors) need real-time assurances from an independent third party (i.e. auditors) that the information is secure, accurate and reliable. 29 SARBANES-OXLEY ACT SECTION 409 AND ITS IMPLICATIONS The Section 409 Real Time Issuer Disclosures of the Act requires all SEC-registered companies to report any event that may cause a material effect on their financial or operational results within 48 hours in a form that can be understood by the public stakeholders and potential new investors of the organization 30. Hence, the responsibilities of C-suite executives, particularly CFOs, of publicly held companies that trade on US exchanges have extended beyond the scope of historic expectations. In essence, this Section has also expanded the responsibilities of the auditors to the extent that they are required by law to look for material events such as fraud. Section 409 created new challenges for organizations in regards to data integration. Organizations need to know whether their key financial systems are capable of providing data in real time, or if the organization will need to add such capabilities or use specialty software to access the data. Moreover, the firms need to account for changes that occur externally changes by customers or business partners that could materially impact its own financial positioning (e.g. key customer/supplier bankruptcy and default). 31 In order to comply with Section 409, organizations face increasing need to support market predictability with robust competitive intelligence tools and techniques for early warning and analysis of potential scenarios that could impact the business 32 in the financial and operational aspects. To avoid a hasty rip-and-replace of existing systems, IT control professionals are recommended to assess the organization s technology capabilities in the following categories 28 Ibid. 29 Sarva, Srinivas. Continuous Auditing Through Leveraging Technology. (2006). ISACA JournalOnline. 10 June < 30 Johnson, Arik. Definitely Maybe. Competitive Intelligence Magazine. 7.6 (2004): 37. ProQuest. University of Waterloo Lib. 25 July Chan, Sally and Lepeak, Stan. IT and SARBANES-OXLEY. CMA Management (2004): ProQuest. University of Waterloo Lib. 25 June Johnson, Arik. Definitely Maybe. Competitive Intelligence Magazine. 7.6 (2004): 37. ProQuest. University of Waterloo Lib. 25 July Page 6 of 13

8 to secure a smooth transition in compliance with Section 409: 1) Quality of financial modeling capabilities: High quality of financial modeling capabilities help organizations anticipate and possibly avoid awkward reporting situations and help them adapt to rapidly changing situations. 33 2) Availability of internal and external portals: Portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure. 34 3) Breadth and adequacy of financial triggers and alerts: Financial triggers and alerts act as the defense line in order to comply with the Section 409 disclosure event. 35 4) Adequacy of document repositories: Repositories play a critical role both from the standpoint of event monitoring to assess disclosure needs as well as providing a mechanism to audit disclosure adequacy. 36 5) Adequacy of captured document audit trails: This is a critical element in establishing adequate disclosure processes and records of that disclosure. 37 Once these factors have been identified and assessed, the organizations should search to determine whether sufficient technologies are available in order to accomplish integration of data and hence be in compliance with Section 409. The following major vendors of business systems, information, and software provide solutions for their clients by catering to their regulatory compliance needs (i.e. Section 409 of the Act): 1) Oracle: Provides solutions in providing organizations access to a complete and accurate financial data that are timely, relevant, consistent, and available in real-time. Business systems help streamline the transparency of policies and procedures, enforce them, reduce the risk of malfeasance and errors, and improve confidence in business data. 38 2) SAP: SAP ERP Financials feature the following SOX compliance functions: project organization for documentation, testing, and sign-off for internal controls; test procedures based on the risk management framework defined by the Committee of Sponsoring Organizations of the Treadway Commission; risk mitigation and remediation; real-time drilldown analysis and reporting; management reporting and much more. 39 Furthermore, the company s capacity to be an early adopter of XBRL should be 33 Chan, Sally and Lepeak, Stan. IT and SARBANES-OXLEY. CMA Management (2004): ProQuest. University of Waterloo Lib. 25 June Ibid. 35 Ibid. 36 Ibid. 37 Ibid. 38 Oracle. Governance and Compliance. Oracle. 26 July < 39 SAP. SAP ERM Financials Compliance Solutions. SAP. 26 July < Page 7 of 13

9 determined 40 as its use has placed a substantial footing in the worldwide business community 41. XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories. 42 IMPACT OF CAAT ON SARBANES-OXLEY ACT SECTIONS 404 AND 409 Perhaps a key to being able to meet the requirements of improved efficiency and increased effectiveness in providing an audit opinion on a company s ICFR lies with continuous auditing. As well, given the constant demand for timely and reliable information, implementation of continuous auditing techniques combined with more frequent reporting can benefit those that rely on the published information. Furthermore, given the markets' tendencies to strategically react to the released earnings announcements in advance of audited financial results, continuous auditing may help in enabling detection of problems that materially affect organizations financial results as they occur rather than at the end of a reporting period. 43 The question still lies: What is the most prominent CAAT that is available in order for auditors to perform continuous auditing and for organizations to report on material financial or operational triggers in order to comply with the Sections 404 and 409 of the Act? The discussions on the implications of the Sections above lead to a CAAT that serves the needs of both auditors and organizations: Extensible Business Reporting Language (XBRL). XBRL is a platform and application-independent means of identifying, extracting, and presenting financial data and other business information in any way the user requires. Using XBRL, organizations can capture financial information at any point in the business cycle. XBRL is also a specialized business reporting language for existing and emerging financial and business reporting requirements. It makes the analysis and exchange of corporate information easier to facilitate, as well as more flexible and reliable. 44 The use of XBRL was driven by increasing investor demands and regulatory requirements for more frequent and detailed financial reporting. Such demands were primarily outlined in the two key provisions discussed in this report as they require high-level executives to sign off on the accuracy of financial statements and require companies to 40 Ibid. 41 Coderre, Dave. Are You Ready for XBRL? The Internal Auditor (2004): ProQuest. University of Waterloo Lib. 25 July Ibid. 43 Braun, Robert L. and Davis, Harold E. Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal (2003): ProQuest. University of Waterloo Lib. 14 June Coderre, Dave. Are You Ready for XBRL? The Internal Auditor (2004): ProQuest. University of Waterloo Lib. 25 July Page 8 of 13

10 provide information on a timelier basis. Moreover, to decrease the public mistrust in the capital market, the provisions mandate companies to provide information in form that is easily understandable by public stakeholders and potential investors that supports evaluative and trend analysis. 45 XBRL is also advocated as it solves the long-standing problems of difficulty in communicating and employing information both within and outside an organization as a result of using widely disparate and incompatible systems to process their business data. It also solves the problems arising from inconsistent accounting terminology, principles, practices, and jurisdictional regulations by creating a vocabulary to precisely describe the information included in a report, taking regulatory, jurisdictional, and other variances into consideration. It works in conjunction with extensible markup language (XML), an Internetbased language that serves as the universal format for data on the Web. XBRL allows organizations to label or "tag" data in specific and meaningful ways for other potential uses (e.g. export tagged financial data in Excel spreadsheet using XBRL to the balance sheet). 46 These capabilities can improve the quality and quantity of financial reporting data, which has led XBRL to be endorsed by the International Accounting Standards Board and used by organizations in nations such as Australia, Canada, South Korea, Japan, Spain, the United Kingdom, and the United States. 47 XBRL is also a powerful and critical audit tool for auditors in reviewing their clients' compliance with the Act, particularly the Sections 404 and 409. Auditors need reliable information on a timely basis and in a reusable format such that it may be easily used for analysis. Prior to the introduction of XBRL, auditors had to search and manually input data into different software in order to reuse financial information for analysis and tests. XBRL improves the quality and effectiveness of audits by allowing auditors to retrieve data more easily and analyze it with greater accuracy. The data in XBRL format enables auditors to perform more analyses of data, facilitates comparisons against external data, increases the timeliness of reported information, and provides greater transparency. 48 XBRL is now supported by most current accounting, financial management, and tax software. This enables electronic exchange for importing and exporting data in an XBRL format. XBRL's interoperability with financial and data analysis applications significantly simplifies the preparation, dissemination, and analysis of financial and compliance reports. 45 Ibid. 46 Ibid. 47 Ibid. 48 Ibid. Page 9 of 13

11 Moreover, XBRL provides more relevant and reliable extraction and exchange of information between organizations, because it is an open process, which is not based on any proprietary technology, and requires minimal human involvement, resulting in fewer errors. 49 With an automated analysis and identification of items by attached XBRL tag, auditors benefit from being able to perform fast and accurate electronic searches and move the data to analytical software or a spreadsheet with a click of a mouse. Functions of XBRL also allow auditors to customize searches for multiple company data, making it easier to perform trend analysis and continuous auditing, and to compare data with industry benchmarks, other organizations, or different intracompany operations. 50 Moreover, XBRL facilitates the use of Web-enabled audit programs for standardsbased financial statement reviews. By integrating data analysis software programs into accounting functions, XBRL allows auditors to extract, analyze, and interpret evidence and to detect unusual transactions or patterns of transactions to deter fraud. Continuous auditing, supported by the XBRL format of financial data, can increase the efficiency and effectiveness of the audit process substantially, resulting in cost savings for auditors and their clients. 51 CONCLUSION With the implementation of two key provisions, Section 404 and 409, of Sarbanes Oxley Act in 2002, to restore investors confidence in the capital markets, Section 404 required highlevel executives to sign off on the accuracy of financial statements. Section 409 then mandated companies to provide information on a real-time basis and in way that is easily understandable by public stakeholders and potential investors with support from evaluative and trend analysis. Hence, organizations must respond by implementing an effective and economical data delivery mechanism to monitor, analyze and report functional, financial and operational events, which include those that may obstruct organizations from achieving its business objectives, increase the probability of risk, fraud, crime and other losses due to its material nature. One of the most promising technologies being implemented in organizations today is a real-time reporting solution. 52 In addressing the needs of both organizations and its auditors, the use of Extensible Business Reporting Language is recommended in order to facilitate the compliance of the Sections 404 and 409 of the Sarbanes-Oxley Act. 49 Ibid. 50 Ibid. 51 Ibid. 52 Cunningham, Michael. Meeting Sarbanes-Oxley Section 409 Requirements. Sept Sarbanes-Oxley Compliance Journal. 25 July < Page 10 of 13

12 APPENDIX I The Section 409 Real Time Issuer Disclosures itself is geared more towards the C-suite executives of organizations than towards a CA practitioner. This is due to the fact that the Act requires all SEC-registered companies to report any event that may cause a material effect on their financial or operational results within 48 hours in a form that can be understood by the public stakeholders and potential new investors of the organization. While the report addressed the responsibilities of C-suite executives, particularly CFOs, of publicly held companies on how to comply with the Section, the report also addresses the assurance side of the Section by recommending a CAAT that can be used in order to audit organizations compliance to the Act. Page 11 of 13

13 REFERENCES AICPA. Continuous Audit. AICPA Information Technology Centre. 25 July < dit/continuous+audit> Braun, Robert L. and Davis, Harold E. Computer-assisted audit tools and techniques: analysis and perspectives. Managerial Auditing Journal (2003): ProQuest. University of Waterloo Lib. 14 June Brownlee, Elaine and O Shea, Niall. SOx s404: The New Guidance: What It Really Means. Accountancy Ireland (2007): ProQuest. University of Waterloo Lib. 13 June Cerullo, Michael J. and Cerullo, M. Virginia. Impact of SAS No. 94 on Computer Audit Techniques. Information Systems Control Journal. 1 (2003). ISACA - Information Systems Control Journal. 10 June < Computer_Audit_Techniques.htm> Chan, Sally and Lepeak, Stan. IT and SARBANES-OXLEY. CMA Management (2004): ProQuest. University of Waterloo Lib. 25 June Coderre, David. Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. Global Technology Audit Guide. Institute of Internal Auditors. 25 July < Coderre, Dave. Are You Ready for XBRL? The Internal Auditor (2004): ProQuest. University of Waterloo Lib. 25 July Cunningham, Michael. Meeting Sarbanes-Oxley Section 409 Requirements. Sept Sarbanes-Oxley Compliance Journal. 25 July < Deloitte & Touche, Ernst & Young, KPMG, PricewaterhouseCoopers. Perspectives on Internal Control Reporting A Resource of Financial Market Participants. AICPA. December < Huang, Shi-Ming et al. Developing A Continuous Auditing Assistance System Based On Information Process Models. The Journal of Computer Information Systems (2007): ProQuest. University of Waterloo Lib. 25 July ISACA. Use of Computer-Assisted Audit Techniques. IS Auditing Guideline. (1998): June < _Audit.htm> Johnson, Arik. Definitely Maybe. Competitive Intelligence Magazine. 7.6 (2004): 37. ProQuest. University of Waterloo Lib. 25 July Page 12 of 13

14 Oracle. Governance and Compliance. Oracle. 26 July < SAP. SAP ERM Financials Compliance Solutions. SAP. 26 July < Sarva, Srinivas. Continuous Auditing Through Leveraging Technology. (2006). ISACA JournalOnline. 10 June < gh_leveraging_technology1.htm> Singleton, Tommie. Generalized Audit Software: Effective and Efficient Tool for Today s IT Audits. ISACA JournalOnline. 2 (2006). 10 June < _Effective_and_Efficient_Tool_for_Todays_IT_Audits.htm> U.S. Securities and Exchange Commission. SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting; Adopts Definition of "Significant Deficiency. 25 July U.S. Securities and Exchange Commission. 12 June < Vuchnich, Alex. Using CAATTs in Preliminary Analytical Review to Enhance the Auditor's Risk Assessment. The CPA Journal (2008): ProQuest. University of Waterloo Lib. 12 June Page 13 of 13