Audit Serve, Inc.

Assessing the Adequacy of IT General Controls SOX Testing (Part 1 of 2)
By: Mitchell H. Levine, CISA, Audit Serve, Inc.


SOX testing is quite different from all other types of testing. The objective of a SOX test is to prove that the control activities included in the Risk and Control Matrices are functioning as stated. Therefore, the first part of assessing the testing is to determine whether the test procedure and the control activity properly correlate with each other.

The next step is to determine whether there is a way to prove that the control activity is functioning. Various testing approaches are used, but only a few meet the SOX requirements.

Walkthrough testing (i.e., Inquiry) is not acceptable within SOX, and Observation testing does not prove that the samples selected were proper. Therefore, only testing involving Inspection and Reperformance is used for SOX. Reperformance testing is used to test detective controls, to ensure that the review processes are being performed properly.

The next area to be assessed is whether data is available for the test to prove that the control is effective. Within SOX IT General Controls, many of the tests, which involve change control and security authorizations, require that a formal request exist. Unless there is a systematic method to identify each event for which a request was required, there is no effective method to test the control. Otherwise, the starting point of the test would be the request forms kept on file, and a missing request form would never surface as a failed condition for the SOX test.


The last area for evaluating an effective test is to determine the method used for pulling test samples. Traditional IT General Control audits select the sample size based on the population. SOX approaches sample sizes differently and bases them on the control frequency. However, if there are any variations in the way in which the control functions, then separate sample pools need to be used. Since most IT environments are distributed, it is important to establish proper separation points for test sample pools. For instance, if an organization has thousands of production servers, selecting 20 samples annually would not be a sufficient sample size for a test which validates that user access requests are being properly processed. Although the Big Four provide guidance that a daily control should have an annual sample size of 20, the population in this case would require additional samples to be selected.


Assessing whether the sample sizes and sample distributions are appropriate is an important component of evaluating the overall adequacy of the SOX testing.


For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at Levinemh@auditserve.com.

Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.
