866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Internal Audit Teams vs. Schellman for Your Sarbanes-Oxley (SOX) ITGC Testing Blog Feature
Andrew Broderick

By: Andrew Broderick

Print/Save as PDF

Internal Audit Teams vs. Schellman for Your Sarbanes-Oxley (SOX) ITGC Testing

Compliance and Certification

When positioning your organization to achieve its SOX ITGC objectives and reporting obligations, you can’t take any chances for fear of negative fallout. And while establishing a team of dedicated internal IT audit professionals can help streamline those processes, there are challenges in maintaining such a team—just as there are advantages to substituting an independent IT audit team instead.

IT general controls are the building blocks of your cybersecurity, which means that ensuring they are operating effectively is critical to your compliance objectives—so critical that it’s worth using a highly skilled, experienced, and independent IT audit team to test and report on them.

But why, you might wonder, should you consider contracting out your internal audit function rather than building and maintaining one yourself? As Schellman does offer a potential solution for your internal SOX ITGC testing, we’ll explain.

In this article, we’ll overview both the benefits of a competent and systematic internal audit team and the challenges in maintaining one, as well as the merits of outsourcing or co-sourcing SOX ITGC testing to an assessor like us so that you can understand all your options in this regard more thoroughly.

 

The Benefits of an Internal Audit Team (Beyond SOX ITGC Testing)

These days—amidst a turbulent cybersecurity landscape and ever-evolving threats—organizations recognize the need for expertise and proactivity when identifying risks, implementing controls, and proceeding through SOX ITGC compliance obligations. A mature IT internal audit function should foster continuous monitoring and improvement of existing IT operations and controls, enabling your organization to maintain momentum as it—as well as the threat landscape—changes.

That’s because an internal audit team—when competent and systematic in its approach—should be capable of periodically performing compliance activities such as:

  • Risk assessments
  • Testing controls
  • Documentation reviews
  • Walkthroughs and process reviews
  • Reporting findings and recommendations
  • Follow-up activities/corrective actions

All this will more easily allow your organization to establish and maintain internal controls—including those over financial reporting—thereby keeping your information secure. Additionally, the efforts of a dedicated team will also facilitate an easier experience when dealing with external auditors. Given that your internal audit team will be constantly identifying and mitigating risks, enhancing control effectiveness, and providing assurance to stakeholders, that should reduce the level of effort your external auditors have to make—and that could, in turn, reduce your associated costs.

 

The Challenges of Maintaining an Internal Audit Team

As good as that sounds, it’s also not simple to set up and retain. Here are some of the typical hurdles organizations face when implementing a devoted internal audit function:

  • Resource Issues: Insufficient budgets can present a problem, as hiring full-time, experienced, and certified IT audit resources will mean paying their competitive salaries—salaries that may become an even bigger expense with each passing year to retain that staff.
  • Turnover and Skill Gaps: Like any other team, internal audit departments deal with turnover and skill gaps, but in this case, that may make it more difficult for you to meet annual reporting requirements. Plus, any delays in completing audit assignments might reduce the relevance of findings and hinder your organization's ability to address emerging risks promptly.
  • Evolving Cybersecurity Landscape: To maintain the expertise necessary to do a thorough job, internal auditors must stay current with evolving technologies and acquire diverse skill sets, including those in data governance and cybersecurity. Add in the related concerns around advancing technology, increasingly sophisticated cybersecurity risks, and changing reporting standards, the challenge of upskilling staff to address these problems is only exacerbated.

Why Schellman for Your SOX ITGC Testing

 

However, you do have the option to potentially sidestep these challenges by instead working with a skilled third party to co-source your internal audit functions. At Schellman, we listened to the concerns of our clients who were having trouble keeping up with their annual reporting process—particularly for their SOX obligations—and how they were seeing higher external audit fees. In response, we created our dedicated Internal Audit services—with a focus on SOX ITGC testing—and it may be a better answer for you than an internal audit team.

Before you think it, yes—engaging us to do this testing would mean the “extra” expense that comes with co-sourcing your internal audit function, but at the same time, you stand to gain significant efficiencies and cost savings, among other advantages.

Here are five reasons to consider using our team to perform your SOX ITGC testing.

1. Our Expertise—Both Broad and Focused

Over the past two decades, Schellman has built its reputation as a leader in IT compliance and numerous regulations. Right now, we’re:

 

  • At the top of the FedRAMP Marketplace for authorized services;
  • Dually accredited for ISO certifications with ANAB and UKAS;
  • A trusted PCI QSA company; and
  • The HITRUST Assessor for some of the largest companies in the world.

In addition to all that, from the start, our foundational service has been SOC. Today, we opine on over 1,700 SOC reports annually, all of which involve performing ITGC and business process testing. So, whether you just need help with SOX, or you’re looking for even more compliance assistance, we have the knowledge and experience to meet your needs.

2. Independence

When validating anything—to satisfy compliance requirements or otherwise—objectivity is key.

And while it is possible to keep your internal audit function separate, when you engage an external firm like ours to assess the effectiveness of your internal controls, you eliminate the possibility of a conflict of interest entirely, thereby providing further comfort to stakeholders that your SOX ITGC testing results can truly be relied upon.

3. Our Scalable and Concentrated Workforce

When an organization does field an internal audit team, oftentimes the personnel involved also have additional, disparate job duties—in other words, while the internal audit team may exist, its focus is split.

But when you engage Schellman for your SOX ITGC testing, you’ll get a developed, highly skilled, and technical IT audit workforce that is not only familiar with the reporting standards you need to meet but will also be able to make that their sole focus on your behalf.

So not only will you receive incredibly thorough testing from experts, but you stand a better chance of getting it completed timely and ahead of your compliance deadlines, as you won’t need to worry about staff prioritizing other work.

4. The Auditor-to-Auditor Connection

Aside from providing efficient SOX ITGC testing, we’ll also help you have a better experience with your other external assessors.

If you’re SOX-obligated, you likely have financial auditors needing to understand the impact of your ITGCs on financial reporting. As experienced auditors ourselves, we’re also no strangers to interfacing with our fellows, but more importantly, we know what they’ll be looking for, and our team’s systematic and disciplined approach to the testing of controls will enable your external auditors to more easily rely on the results.

All that should yield less time and effort for your external IT and financial auditors, and maybe—depending on the number of efficiencies found—even reduced fees.

5. Better Positioning for a Cyber Secure Future

Aside from delivering on your ITGC and business process testing, our structured and rigorous approach will also ensure that your organization is well-positioned to cope with changing and unexpected cybersecurity obligations.

As recently as 2023, SEC reporting standards over cybersecurity events have increased, but when you engage our resources, our team of skilled cybersecurity professionals will be able to assist in the documentation and testing in the event any incident arises during your reporting cycle.

 

Moving Forward with SOX ITGC Testing

 

Ensuring your IT general controls remain effective and operational is not just a cornerstone of your IT organization, but it’s also required across compliance initiatives, making the testing and reporting on them more crucial than perhaps anticipated.

A well-resourced internal audit function can certainly facilitate solid ITGCs, but for those organizations who don’t have the budget to accommodate one, Schellman now offers a specific service that may be the right alternative for you—in “standing in” for your internal audit team and filling that gap, we can provide you with a greater level of comfort, understanding, and knowledge regarding these controls while also helping you gain efficiencies and up-front transparency with costs.

To learn more about our Internal Audit Services, including SOX ITGC and Business Testing, and how the process would work—contact us today.

About Andrew Broderick

Andrew Broderick is a Principal in the SOC Services practice of Schellman. As a part of the SOC Services group, Andrew helps clients solve problems and explore new areas for improvement based on the organization’s adoption of new processes and technology. Prior to joining Schellman, Andrew worked in internal audit for six years, including four years in IT audit performing NIST SP 800-53 assessments, ITGC evaluations, and application development consulting engagements. During this time, Andrew attained the Certified Information Systems Auditor (CISA) certification and gained experience with numerous control frameworks, platforms, and databases including Windows, Unix, and DB2. In addition, his experience includes nearly four years of financial statement audit and tax compliance at a regional Certified Public Accountant firm in Columbus, OH. He attained his CPA license while serving clients in the manufacturing, hospitality, and not-for-profit industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.