Computer Operation - Batch Processing 1026



  • Has anyone got any experience or information on the following control test under Computer Operation ?
    ‘Unauthorized jobs or scripts can be submitted and subsequently executed’
    I am a new to SoX and I am trying to understand this from the first test plans developed by our auditors. The test control will include things like who have right to submit batch/scripts, vouch scheduled and manual batch processing, exception reports, review etc.
    The concern here I guess is trying to understand what is a batch job. Does it mean all batch job in the entire system ? There could be too many. Any ideas will be great. Thx.



  • Batchjobs with data that impacts your financial records?



  • I had similar thoughts too.
    Could it be something like a monthly financial reports generated by scheduled batch jobs ?
    If so, then all the regular system and application batch jobs will not be included. eg. Daily restart processes, backup scripts etc.



  • the way i’ve defined batch jobs is the are doing ‘work’ in the sense that they create or transform data. the batch jobs are executing some program or commands that change business data.
    i don’t include backups because those are tested separately.



  • Can you elaborate more on your definition of business data ? Maybe an example if you have one. Its certain my current problem is not able to categories different type of batch jobs, and the risk of this is creating a lot of unnecessary work to setup controls on regular operational routines as opposed to essential ones. Thx.



  • any data that is of interest to the business and must be kept for the successful running of the business. it would be stored in databases, files, master files. examples could be customer data, vendor data, financial transactional data, etc…
    batch jobs can create, update, or delete data that the business relies upon. it is important to undersand who can run these jobs, whether there is an audit trail of who is running what jobs/scripts, how access is restricted, and how you can ensure unuthorized scripts or jobs are not run. also, audits want to ensure there is proper change control on the programs and batch jobs to make sure unauthorized changes don’t slip through to production.
    for SOX scoping purposes, we have excluded batch jobs that are only in IT operational systems. for example, it you have a helpdesk application, or internal training tracking application. if it is operational systems for IT, there needs to be controls in place but the data doesn’t have a financial impact typically.



  • Thanks for this and its well explained. I am now more comfortable not to include IT Operational batch in the scope.



  • for SOX scoping purposes, we have excluded batch jobs that are only in IT operational systems. for example, it you have a helpdesk application, or internal training tracking application. if it is operational systems for IT, there needs to be controls in place but the data doesn’t have a financial impact typically.’
    If you are no longer placing it in scope I take it the batch you were looking at fills one of the above criteria.


Log in to reply