Big4Guy

Welcome to Big4Guy.com. Big4Guy is an online resource where I will share with you the latest news, insights, knowledge and some experiences as a Big 4 consultant. We will discuss some of the important issues which organisations are facing today in the areas of information security, security and controls in SAP R/3, Oracle Applications, J.D. Edwards, PeopleSoft and various other ERPs. You will also find information on the latest compliance regulations like Sarbanes Oxley, Basel II and so on. Big4Guy will also attempt to provide valuable resources for individuals interested in examinations such as the CISA, CISM, CISSP, PMP and various other security certifications considered essential for entry into any Big 4 accounting, auditing and consulting firm. You are invited to post your comments and viewpoints on the posts here. I sincerely hope this online journal will be useful to everyone from a budding student to a professional in the accounting, auditing, management and consultancy professions.

08/24/06

07:32:30 am, Categories: Sarbanes Oxley

Categorizing Automated Controls for Sarbanes Oxley Testing

Regular readers here will have noted that this week I am focusing on approaches to testing automated controls. An easy way to test automated controls is to categorize them by type. Below, I have listed the categories into which automated controls can be classified for SOX IT audits.

- Restricted Access
- Account Mapping
- System Reports
- Configuration Controls
- Interface Controls

The testing strategy needs to be tweaked for each of the above types of automated control. Let me explain each one by one.

1. Restricted Access - The best way to test restricted access controls is to compare the system access configured with what is required as per the business process. Testing can be performed in a test environment by logging in with a user account and attempting restricted functions in the system. This approach to testing restricted access automated controls will also help identify potential segregation of duties issues.

2. Account Mapping - To test how account mapping works, take a sample transaction and conduct a walkthrough. This means tracing it from the supporting documents, through the transaction entry screens in the system, to the final general ledger account where the transaction resides. In a test environment, the SOX auditor can attempt to enter a transaction with invalid account combinations or cost center to confirm the accuracy of account mapping in the system.

3. System Reports - System-generated reports are used in SOX testing by both management and the external auditors. To test system report controls, one needs to go back to the financial statement assertions. Any system-generated report should satisfy the completeness, existence and valuation assertions. In other words, the data in a system report should be accurate (valuation), the report should include all data required by the user query (completeness), and all data in the report should be supported by adequate evidence (existence).

4. Configuration Controls - Testing configurable controls in systems requires technical expertise. System parameters and settings should reflect business policies and procedures. Any mismatch can be an indicator of potential financial misstatements. Certain configurable controls are inherent in the system and are hard-coded. If need be, the SOX IT auditor can go to the source code with the help of the application programmer to test such controls.

5. Interface Controls - Interface controls apply where two different IT systems share information. Normally, the output of one system forms the input of the other system. Interface controls testing includes checking hash totals and control totals after data upload, validity checks, and reconciliation reports after the interface run. Interface controls can also be tested using exception reports if they are available in the system.
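
An added example (not from the original post) of the interface-control checks described in item 5: it compares a source extract with the target load using a record count, a control total, a hash total, a validity check and a record-level reconciliation. The field names, sample records and chart of accounts are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: records extracted from the source system and the
# records found in the target system after the interface run.
SOURCE = [
    {"doc": "1001", "account": "400100", "cost_center": "CC10", "amount": "1250.00"},
    {"doc": "1002", "account": "400200", "cost_center": "CC20", "amount": "310.45"},
    {"doc": "1003", "account": "500300", "cost_center": "CC10", "amount": "99.99"},
]
TARGET = [
    {"doc": "1001", "account": "400100", "cost_center": "CC10", "amount": "1250.00"},
    {"doc": "1002", "account": "400200", "cost_center": "CC20", "amount": "301.45"},  # digits transposed
    {"doc": "1004", "account": "999999", "cost_center": "CC10", "amount": "99.99"},   # unknown account
]
VALID_ACCOUNTS = {"400100", "400200", "500300"}  # hypothetical chart of accounts


def totals(records):
    """Record count, control total (sum of amounts), hash total (sum of account numbers)."""
    return {
        "count": len(records),
        "control_total": sum(Decimal(r["amount"]) for r in records),
        "hash_total": sum(int(r["account"]) for r in records),
    }


def reconcile(source, target, valid_accounts):
    """Return a list of exception strings; an empty list means the run reconciles."""
    exceptions = []
    src, tgt = totals(source), totals(target)
    for name in src:
        if src[name] != tgt[name]:
            exceptions.append(f"{name} mismatch: source={src[name]} target={tgt[name]}")
    # Validity check: every loaded record must post to a known account.
    for r in target:
        if r["account"] not in valid_accounts:
            exceptions.append(f"invalid account {r['account']} on doc {r['doc']}")
    # Record-level reconciliation: documents dropped or added by the interface.
    src_docs, tgt_docs = {r["doc"] for r in source}, {r["doc"] for r in target}
    for doc in sorted(src_docs - tgt_docs):
        exceptions.append(f"doc {doc} missing from target")
    for doc in sorted(tgt_docs - src_docs):
        exceptions.append(f"doc {doc} not in source")
    return exceptions


if __name__ == "__main__":
    for line in reconcile(SOURCE, TARGET, VALID_ACCOUNTS):
        print(line)
```

In the sample data the record counts agree (3 and 3), so a count-only check would pass; the control total and hash total are what expose the altered amount and the substituted account.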
