Internal Audit Teams vs. Schellman for Your Sarbanes-Oxley (SOX) ITGC Testing

When positioning your organization to achieve its SOX ITGC objectives and reporting obligations, you can’t take any chances for fear of negative fallout. And while establishing a team of dedicated internal IT audit professionals can help streamline those processes, there are challenges in maintaining such a team—just as there are advantages to substituting an independent IT audit team instead.

IT general controls are the building blocks of your cybersecurity, which means that ensuring they are operating effectively is critical to your compliance objectives—so critical that it’s worth using a highly skilled, experienced, and independent IT audit team to test and report on them.

But why, you might wonder, should you consider contracting out your internal audit function rather than building and maintaining one yourself? As Schellman does offer a potential solution for your internal SOX ITGC testing, we’ll explain.

In this article, we’ll overview both the benefits of a competent and systematic internal audit team and the challenges in maintaining one, as well as the merits of outsourcing or co-sourcing SOX ITGC testing to an assessor like us so that you can understand all your options in this regard more thoroughly.

The Benefits of an Internal Audit Team (Beyond SOX ITGC Testing)

These days—amidst a turbulent cybersecurity landscape and ever-evolving threats—organizations recognize the need for expertise and proactivity when identifying risks, implementing controls, and proceeding through SOX ITGC compliance obligations. A mature IT internal audit function should foster continuous monitoring and improvement of existing IT operations and controls, enabling your organization to maintain momentum as it—as well as the threat landscape—changes.

That’s because an internal audit team—when competent and systematic in its approach—should be capable of periodically performing compliance activities such as:

  • Risk assessments
  • Testing controls
  • Documentation reviews
  • Walkthroughs and process reviews
  • Reporting findings and recommendations
  • Follow-up activities/corrective actions

All this will allow your organization to more easily establish and maintain internal controls—including those over financial reporting—thereby keeping your information secure. Additionally, the efforts of a dedicated team will also make dealing with external auditors easier. Given that your internal audit team will be constantly identifying and mitigating risks, enhancing control effectiveness, and providing assurance to stakeholders, that should reduce the level of effort your external auditors have to make—and that could, in turn, reduce your associated costs.

The Challenges of Maintaining an Internal Audit Team

As good as that sounds, it’s also not simple to set up and retain. Here are some of the typical hurdles organizations face when implementing a devoted internal audit function:

  • Resource Issues: Insufficient budgets can present a problem, as hiring full-time, experienced, and certified IT audit resources will mean paying their competitive salaries—salaries that may become an even bigger expense with each passing year to retain that staff.
  • Turnover and Skill Gaps: Like any other team, internal audit departments deal with turnover and skill gaps, but in this case, that may make it more difficult for you to meet annual reporting requirements. Plus, any delays in completing audit assignments might reduce the relevance of findings and hinder your organization's ability to address emerging risks promptly.
  • Evolving Cybersecurity Landscape: To maintain the expertise necessary to do a thorough job, internal auditors must stay current with evolving technologies and acquire diverse skill sets, including those in data governance and cybersecurity. Add in the related concerns around advancing technology, increasingly sophisticated cybersecurity risks, and changing reporting standards, and the challenge of upskilling staff to address these problems is only exacerbated.

Why Schellman for Your SOX ITGC Testing

However, you do have the option to potentially sidestep these challenges by instead working with a skilled third party to co-source your internal audit functions. At Schellman, we listened to the concerns of our clients who were having trouble keeping up with their annual reporting process—particularly for their SOX obligations—and how they were seeing higher external audit fees. In response, we created our dedicated Internal Audit services—with a focus on SOX ITGC testing—and it may be a better answer for you than an internal audit team.

Before you think it, yes—engaging us to do this testing would mean the “extra” expense that comes with co-sourcing your internal audit function, but at the same time, you stand to gain significant efficiencies and cost savings, among other advantages.

Here are five reasons to consider using our team to perform your SOX ITGC testing.

1. Our Expertise—Both Broad and Focused

Over the past two decades, Schellman has built its reputation as a leader in IT compliance and numerous regulations. Right now, we’re:

  • At the top of the FedRAMP Marketplace for authorized services;
  • Dually accredited for ISO certifications with ANAB and UKAS;
  • A trusted PCI QSA company; and
  • The HITRUST Assessor for some of the largest companies in the world.

In addition to all that, from the start, our foundational service has been SOC. Today, we opine on over 1,700 SOC reports annually, all of which involve performing ITGC and business process testing. So, whether you just need help with SOX, or you’re looking for even more compliance assistance, we have the knowledge and experience to meet your needs.

2. Independence

When validating anything—to satisfy compliance requirements or otherwise—objectivity is key.

And while it is possible to keep your internal audit function separate, when you engage an external firm like ours to assess the effectiveness of your internal controls, you eliminate the possibility of a conflict of interest entirely, thereby providing further comfort to stakeholders that your SOX ITGC testing results can truly be relied upon.

3. Our Scalable and Concentrated Workforce

When an organization does field an internal audit team, oftentimes the personnel involved also have additional, disparate job duties—in other words, while the internal audit team may exist, its focus is split.

But when you engage Schellman for your SOX ITGC testing, you’ll get a developed, highly skilled, and technical IT audit workforce that is not only familiar with the reporting standards you need to meet but will also be able to make that their sole focus on your behalf.

So not only will you receive incredibly thorough testing from experts, but you stand a better chance of getting it completed on time and ahead of your compliance deadlines, as you won’t need to worry about staff prioritizing other work.

4. The Auditor-to-Auditor Connection

Aside from providing efficient SOX ITGC testing, we’ll also help you have a better experience with your other external assessors.

If you’re SOX-obligated, you likely have financial auditors needing to understand the impact of your ITGCs on financial reporting. As experienced auditors ourselves, we’re also no strangers to interfacing with our fellows, but more importantly, we know what they’ll be looking for, and our team’s systematic and disciplined approach to the testing of controls will enable your external auditors to more easily rely on the results.

All that should yield less time and effort for your external IT and financial auditors, and maybe—depending on the number of efficiencies found—even reduced fees.

5. Better Positioning for a Cyber Secure Future

Aside from delivering on your ITGC and business process testing, our structured and rigorous approach will also ensure that your organization is well-positioned to cope with changing and unexpected cybersecurity obligations.

As recently as 2023, SEC reporting requirements for cybersecurity events have expanded, but when you engage our resources, our team of skilled cybersecurity professionals will be able to assist with the documentation and testing should any incident arise during your reporting cycle.

Moving Forward with SOX ITGC Testing

Ensuring your IT general controls remain effective and operational is not only a cornerstone of your IT organization but also a requirement across compliance initiatives, making the testing of and reporting on them more crucial than perhaps anticipated.

A well-resourced internal audit function can certainly facilitate solid ITGCs, but for those organizations that don’t have the budget to accommodate one, Schellman now offers a specific service that may be the right alternative for you. In “standing in” for your internal audit team and filling that gap, we can provide you with a greater level of comfort, understanding, and knowledge regarding these controls while also helping you gain efficiencies and up-front transparency with costs.

To learn more about our Internal Audit Services, including SOX ITGC and Business Testing, and how the process would work—contact us today.

About Andrew Broderick

Andrew Broderick is a Principal in the SOC Services practice of Schellman. As a part of the SOC Services group, Andrew helps clients solve problems and explore new areas for improvement based on the organization’s adoption of new processes and technology. Prior to joining Schellman, Andrew worked in internal audit for six years, including four years in IT audit performing NIST SP 800-53 assessments, ITGC evaluations, and application development consulting engagements. During this time, Andrew attained the Certified Information Systems Auditor (CISA) certification and gained experience with numerous control frameworks, platforms, and databases including Windows, Unix, and DB2. In addition, his experience includes nearly four years of financial statement audit and tax compliance at a regional Certified Public Accountant firm in Columbus, OH. He attained his CPA license while serving clients in the manufacturing, hospitality, and not-for-profit industries.