How to Perform Test of Design for hysical Segreg of Duties 936
-
During our SOx project I have seen several controls in design that mention segregation of duties, but which is not facilitated by authorizations in IT system. Meaning that the mention something like: There is SOD between facility management (grants access to company buildings) and human resources (ensures employee data is processed). Out of context this seems an awkward control, but it is not, I assure you.
Now we perform the Test of Design and most SOD controls we check via authorizations in our ERP system. But how to handle those physical SOD controls? They are part of our control environment. And the control environment is not transaction-oriented. Tests of controls such as walk-through or the re-performance of the control for a sample of items will not be possible.
Wondering how other companies orked with this problem?
Best Regards,
Ramon
-
are you saying there is no evidence or proof of the SOD for physical controls?
how do you now it is being performed?
-
Ther are two ‘tests’ to be performed -
Design effectiveness and Control operational effectiveness.
Design effectiveness is as simple as concluding that if the control is working as intended, the identified risks are reduced to an acceptable level.
Operational effectiveness is the physical test to determine whether or not the control is working. In some cases, this is through inquiry and observation - what is necessary to gain access to the building? who grants this access? what systems are involved? who has security to access those systems? are there reports to show who has been granted / denied access? who reviews them? what are they used for?
It seems like you should be able to test these controls by asking the right questions and then, if systems or reports are involved, following the trail to see where it leads.