SOX required testing for IT general controls



  • I am trying to find some guidance on the level of testing that is required for SOX on IT general controls. I’m not looking for guidance on what types of control objectives to test or how to test them (e.g. COBIT), but more on what level of testing is required for SOX. Our SOX team leader understands it that company-level controls (whether IT or not) don’t need to be tested but rather documented, with an overall assessment provided on those controls.
    We’ve used an IT general controls questionnaire (similar to COBIT) that the IS department answered. We’ve then gone back and documented more based on their answers and tested in some cases. But the documentation is not in the standard SOX format of identification of key controls because it is based off of questions (which most of the time allude to a control, but not always).
    I’m just trying to get feedback on what SOX requires for IT general controls documentation and testing and determine the level of testing that needs to be done. I’m confused because I see a definite need to test general access and change management controls, initially and going forward, but maybe not necessarily controls related to organizational structure. But they are all (company-level) general controls which usually don’t have to be fully tested.
    Any guidance that anyone can provide is greatly appreciated. Thanks.




  • You also need to test the company-level controls. How else would you demonstrate that those are effective? Those controls also belong to your overall control system. And in most cases the company-level controls are the most important ones, just to mention things like management override. And that is what SOX is aimed at.



  • Perhaps it makes sense to conduct a risk assessment on all the IT General controls. Those that are considered low risk can be ignored, but the others need to be tested.
    Company level controls should be tested, if not low risk. If there is documentation required, such as a strategic plan, then test if it is updated regularly, communicated to those that need to understand it, and whether actual performance is periodically compared to it.



  • A risk assessment should definitely be performed. But keep in mind that you want to differentiate between operational risks and financial misstatement risks. If you don’t do this, you’ll end up with too many key controls to handle.

