The Sarbanes Oxley Act :: View topic - Application controls testing for SOX
Posted: Thu Aug 24, 2006 12:23 am Post subject: Application controls testing for SOX
Hi,
I have 2 questions pertaining to Application Testing:
1st question - Is it required to test the integrity of the application for "Off-the-shelf" packages or well known ERP such as Oracle Financials / Peoplesoft that are identified as SOX critical applications? Is there any certificate received from the Vendor of the integrity of the product that will suffice to avoid an end-to-end application audit?
2nd question - In the event of any customisations done to the product, will the UAT testing documentation suffice to assure the Management on the integrity of the data processed? Further, if the customisations pertain to REPORT generation, will this UAT need to be considered for SOX testing?
Any application that somehow facilitates financial reporting is in SOX scope. Therefore, evidence of UAT and QC is required. A vendor's certificate, although useful, is not complete evidence of compliance.
To sum up, evidence of QC and UAT and benchmarking of the programming logic is required.
Joined: Jan 12, 2006 Posts: 821 Location: Roanoke, Virginia
Posted: Fri Aug 25, 2006 11:35 am Post subject:
Hi Venkat -- I agree with Chhaava's good points, as SOX compliance standards don't delineate as to whether an application is a vendor-supplied package versus one that is custom built. As testing centers around workflow and financial controls, a poorly implemented vendor-based system can have issues.
Posted: Mon Aug 28, 2006 12:33 pm Post subject: Application Controls Testing
Q1. Is it required to test the integrity of the application for "Off-the-shelf" packages or well known ERP such as Oracle Financials / Peoplesoft that are identified as SOX critical applications?
A1. Yes, application controls testing must be conducted on the significant financial applications. Oracle Financials / Peoplesoft, SAP, etc., all have embedded processing controls. However, it is necessary to test input, processing, and output controls to obtain comfort in connection with transactions processed through the system.
Additionally, because these systems are not configured out of the box, the control configurations must be designed to suit your business processes and the controls might not be configured properly. For example, within an ERP System, it is possible to turn 'off' various control settings that may not be applicable to your business. If a control setting is inactivated, it may render the system ineffective in providing the intended controls necessary to ensure reliable and accurate financial reporting.
Q1a. Is there any certificate received from the Vendor of the integrity of the product that will suffice to avoid an end-to-end application audit?
A1a. Certainly, a software vendor's certificate can establish some trust that the application performs as designed. However, the certificate is generally not considered to be a substitute by the external auditor as assurance on the ICFR.
Q2. In the event of any customisations done to the product, will the UAT testing documentation suffice to assure the Management on the integrity of the data processed? Further, if the customisations pertain to REPORT generation, will this UAT need to be considered for SOX testing?