SOD proof/evidence?



  • Our external auditor will be testing different controls than what we have tested for IT general computing controls. Management has decided that we should develop new test scripts to test the controls that the external auditor will be testing, which are below.

    1. Duties of IT management do not include programming, operations or security
    2. Duties of the network administrators/operators/security officers do not include programming, IT management or involvement in financial reporting processes/controls
    3. Duties of Programmers do not include operations, security or IT Management

    We have already tested user access to systems and periodic reviews of user access. A user access list tells you what a user has the authority to do but not really their ‘duties’.
    What evidence do you think would need to be provided to prove that these controls related to duties are operating effectively? We were thinking job descriptions and interviews of staff holding those roles. It sure doesn’t seem that a user access list will provide the ‘duties’ side of it.
    What are your thoughts on the evidence?


  • > Our external auditor will be testing different controls than what we have tested for IT general computing controls.
    That’s their prerogative, no big deal.
    > Management has decided that we should develop new test scripts to test the controls that the external auditor will be testing,
    Begs the question - Why? Really no need to do this, you do what you need and they do what they need. I would not expect 100% alignment. Remember they do not understand your business and your processes as well as you do.
    > which are below.
    > 1) Duties of IT management do not include programming, operations or security
    > 2) Duties of the network administrators/operators/security officers do not include programming, IT management or involvement in financial reporting processes/controls
    > 3) Duties of Programmers do not include operations, security or IT Management
    > We have already tested user access to systems and periodic reviews of user access. A user access list tells you what a user has the authority to do but not really their ‘duties’.
    > What evidence do you think would need to be provided to prove that these controls related to duties are operating effectively? We were thinking job descriptions and interviews of staff holding those roles. It sure doesn’t seem that a user access list will provide the ‘duties’ side of it.
    > What are your thoughts on the evidence?
    I think what they are looking at sounds really imprecise. I mean where is the risk in management’s ‘duties’ including programming if they do not actually have access to do so?
    From what you describe you seem to have done enough.



  • I agree with Denis. Who cares what their ‘duties’ are as long as the access rights do not present a SOD issue? Security access rights will show what they are capable of doing in the system and that’s where your real concern should lie from an IT control perspective over SOD.
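The access-rights view that Denis and this reply recommend, as an added example that is not from any poster in the thread: a review of a user access list that flags entitlements conflicting with the three controls above. The role names, entitlement names and the user list are constructed for illustration.

```python
"""Flag segregation-of-duties conflicts in a user access list (constructed example)."""

# Access categories each role must not hold, taken from the three controls in the thread.
FORBIDDEN = {
    "it_management": {"programming", "operations", "security"},
    "network_admin": {"programming", "it_management", "financial_reporting"},
    "programmer": {"operations", "security", "it_management"},
}

# Concrete entitlements (names are constructed) mapped to the access category they confer.
ENTITLEMENT_CATEGORY = {
    "scm-commit": "programming",
    "build-deploy": "programming",
    "prod-server-admin": "operations",
    "batch-scheduler": "operations",
    "user-admin": "security",
    "firewall-admin": "security",
    "change-approver": "it_management",
    "gl-posting": "financial_reporting",
}

# Constructed user access list: user -> (assigned role, granted entitlements).
ACCESS_LIST = {
    "amy": ("it_management", {"change-approver", "scm-commit"}),
    "bob": ("network_admin", {"firewall-admin", "user-admin"}),
    "carol": ("programmer", {"scm-commit", "build-deploy", "prod-server-admin"}),
    "dave": ("programmer", {"scm-commit"}),
}


def find_sod_conflicts(access_list):
    """Return (user, role, entitlement, category) for every grant a role must not hold.

    Unmapped entitlements cannot be cleared, so they are reported as an error
    instead of being silently treated as harmless.
    """
    conflicts = []
    for user, (role, entitlements) in sorted(access_list.items()):
        unknown = entitlements - ENTITLEMENT_CATEGORY.keys()
        if unknown:
            raise ValueError(f"{user}: unmapped entitlements {sorted(unknown)}")
        for entitlement in sorted(entitlements):
            category = ENTITLEMENT_CATEGORY[entitlement]
            if category in FORBIDDEN[role]:
                conflicts.append((user, role, entitlement, category))
    return conflicts


if __name__ == "__main__":
    for conflict in find_sod_conflicts(ACCESS_LIST):
        print("SOD conflict:", conflict)
```

Only the grants the role is forbidden to hold are reported, so a security officer with two security entitlements (bob) passes while a manager with commit rights (amy) does not.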



  • I agree with you.
    The problem is the external auditor wants us to test ‘duties’ via job descriptions, interviews, and other evidence that supports there is a segregation of duties. Apparently they have seen where IT mgt does hands-on programming, operations, and security – No SOD.
    We are planning on testing job descriptions and interviewing IT staff. Rather than retest stuff that has already been tested, we will have steps in the new scripts looking for evidence of IT staff actually performing their duties (mgt assigning staff to tasks, programmers writing code, security admins add/change/delete users, etc…) that will be cross-referenced to other scripts where we have already tested user access, mgt approvals, security, etc…
    It just seems like a lot of extra work to please an external auditor.



  • I agree with you.
    > It just seems like a lot of extra work to please an external auditor.
    Which, as far as I can tell, is not actually a requirement of the Sarbanes-Oxley Act. If you don’t do this I would be interested to hear how they would justify management’s assertion being inadequate.
    Tell them that it is not management’s responsibility to carry out unnecessary testing of a non-risk at the whim of the auditor. In fact, just tell them to [insert appropriate verb] off.



  • I’m looking for information on classes or conferences held on the subject of User Access / SOD. If there are any specific to SAP, that would be even better.
    Thanks.

