Testing IT Controls for SOX Compliancy



  • I am looking for guidelines on performing testing of IT controls for SOX compliance. Does anyone know of any procedures that are readily available for testing our controls prior to our audit?




  • There is not an easy answer to this. A general observation I have in relation to this forum is that many of the posters seem to come here looking for the checklist that will solve all of their SOX compliance issues. However, it’s not as simple as that, and this is the sort of thinking that got us into this mess in the first place. This is not a criticism aimed at debilohr, just a general observation.
    To be more specific about your request: the part of SOX that most people here are excited about is section 404, which is about control over the preparation of financial statements, with directors needing to certify that they have a suitable system of internal control or, alternatively, to report deficiencies. Non-compliance = jail (maybe).
    IT control comes into play because most business processes are dependent on IT; we therefore need to be sure that control over IT is sufficient to support the business process. This means that we have to go through an exercise of identifying the IT systems that are in scope, i.e. the ones that support the business processes that lead to the financial statements.
    Once you’ve done all of that, you need to assess IT control over the in-scope systems. Your best port of call for this is CobIT, found at isaca.org.
    Hope this helps.



  • The Cobit Audit Guidelines have testing procedures for each Control Objectives process.
    Some processes do not have a specific testing procedure; however, guidance must be provided to ensure that the control is met,
    i.e. the Strategic Plan, Policies and Procedures should be provided as supporting documentation.
    Dennisg



  • The Cobit Audit Guidelines have testing procedures for each Control Objectives process.
    Some processes do not have a specific testing procedure; however, guidance must be provided to ensure that the control is met,
    i.e. the Strategic Plan, Policies and Procedures should be provided as supporting documentation.
    Dennisg
    I think what you are asking for is the area the external auditors are looking at: GCC or pervasive areas like Security, SDLC, Change Management, Operations, Governance, Data Management, etc. There could be up to 8 pervasive areas they may want to see corporate guidance on, depending on the corporation. These areas are assessed at the corporate level, and then parts of each are included in the application or system assessment to show that the applications or systems follow the general corporate guidance for, say, Security. Then proceed in this fashion, utilizing procedural documentation as additional supporting documentation to the corporate docs.
    Ex: We have field offices that do not have ‘their own’ security policy but follow the corporate guideline to this level, and then have a procedure specific to that office that is documented for that office, say for user access.
    We then test the corporate security parameters to confirm that they cover all field offices and that the tool used for requests is installed for that office, then test the site for procedures to confirm that they utilize the corporate tool and show all the proper authorizations, reviews of access, etc. Is that more what you were asking?



  • The IT Governance Institute has published ‘IT Control Objectives for Sarbanes-Oxley.’ It is somewhat of a ‘COBIT-Lite.’ It has 12 major areas for IT general controls (including recommended tests of those controls) and an excellent appendix that includes typical application controls for 5 major business processes and links them to financial statement assertions. It is available (free download) at isaca.org. The major accounting firms are requiring their clients to evaluate IT controls using the COBIT framework.



  • The IT Governance Institute has published ‘IT Control Objectives for Sarbanes-Oxley.’ It is somewhat of a ‘COBIT-Lite.’
    Not strictly true. It is primarily a mapping of CobIT to COSO.
    The major accounting firms are requiring their clients to evaluate IT controls using the COBIT framework.
    In practice this is probably true, but the firms are not in a position to REQUIRE their clients to do anything. Every now and again they need to be reminded of this.



  • The IT Governance Institute has published ‘IT Control Objectives for Sarbanes-Oxley.’ It is somewhat of a ‘COBIT-Lite.’
    Not strictly true. It is primarily a mapping of CobIT to COSO.
    The major accounting firms are requiring their clients to evaluate IT controls using the COBIT framework.
    In practice this is probably true, but the firms are not in a position to REQUIRE their clients to do anything. Every now and again they need to be reminded of this.
    Hi,
    Can anybody give a link to download ‘IT Control Objectives for Sarbanes-Oxley’?
    Thanks in advance



  • You will find it on isaca.org.



  • You will find it on isaca.org.
    Hmm… but is it available to download from open sources?



  • You will find it on isaca.org.
    Hmm… but is it available to download from open sources?
    Yes, how’s your Japanese?
    Seriously though, I believe you can get the English version without being a member; you just need to register on the site through the myisaca page. Apologies if this later proves to be incorrect.



  • The IT Governance Institute has published ‘IT Control Objectives for Sarbanes-Oxley.’ It is somewhat of a ‘COBIT-Lite.’
    Not strictly true. It is primarily a mapping of CobIT to COSO.

    I consider it COBIT-Lite for SOX too. What interests IT is the mapping between ITGC and COBIT given in the document, which specifies 12 high-level control objectives from COBIT. For IT ELCs you have to consider more objectives from COBIT.

