SOX and Application Testing 739



  • I am in the process of developing a generic test strategy for testing application software to ensure that all the financial implications of the application have been taken care of and tested. This is completely aligned with SOX. I did peruse the COBiT guidelines that were available free of cost. It just has illustrative examples. Is there any defined standard/library of test control points that exists which I could incorporate in my test strategy?
    Also, I would like to know if the approach I am taking is right and what other things I could refer to for this purpose.
    Thanks… 🙂



  • Unfortunately there is no ‘out of the box’ list of application controls. Everyone is off creating their own. There are some generic areas where you would expect to find controls, which include the following:

    • application can be maintained and recovered, if necessary.
    • changes to the application are authorized, adequately tested, and appropriately moved into production.
    • user access is administered based upon proper authorization.
    • data entry is adequately controlled.
    • inaccurate or untimely data into or out of the system is detected.
    • data integrity and confidentiality are appropriately maintained during data transmissions.
    • data is appropriately protected.
    • problems encountered during transfer are resolved.
    • data transferred between systems is accurate and complete.
    • verify that only valid transactions are processed.
    • reporting used for management decisions is accurate and complete.
    Some of these the ‘users’ would be aware of and could possibly include in the narrative for their process as part of their controls. Some of these would be strictly IT controls tied to a specific application. Some could be general IT controls related to an application.
    Good luck.


  • Thanks a lot for the information ugo… I would develop something on these lines and more now… 😄