Automated control baseline 1486

  • Hi,
    I am part of the SOX team for a foreign filer. Our auditors (KPMG) are asking us to baseline all our automated controls, even the SAP functionalities we are relying on that are out of the box.
    Can you tell me about your experience?
    They also want us to test every IT report and spreadsheet utilized in the performance of a manual control. As we utilized a risk-based approach, we wanted to test only the critical spreadsheets that had an impact on the F/S and that were complex in nature. What did you do?
    KPMG said that they asked this of all their clients. They haven’t been able to provide us with a request from the PCAOB. We know that the PCAOB mentioned last May that a baseline could be done to take advantage of a benchmarking approach on automated controls, but I don’t see where they say that we have to.
    Your comments are welcome.
    Thanks in advance.
    We have about 325 KC without the IT General ones.

  • Hi and welcome to the forums 🙂
    I’m not familiar with SAP software, but I found some interesting articles via Google using ‘SOX SAP’ as the search keywords.
    It looks like at one point SAP might have had more information publicly available, and they are now specializing in SOX compliance add-ons as part of their consultancy services? Still, it wouldn’t hurt to touch base with your SAP representative for SOX information.
    The external auditors are most likely mandating the testing of each manual control to ensure proper ‘separation of duties’, ‘checks and balances’, and other classical audit practices. They will most likely require very strict adherence, so that there is greater certainty that no one can ‘cook the books’ along the way.
    There are a lot of inputs and indirect application relationships associated with Financial systems. This may be why the external auditors are mandating company-wide controls (e.g., well beyond the scope of just the Financial reports).
    I’m more of an IT person, and maybe some of the other experts here can comment on these types of requirements.

  • Thanks for your help.
    Did your auditors require you to baseline both your main accounting application (for instance PeopleSoft, etc.) and your legacy systems?

  • We have PeopleSoft. Our externals, PwC, required us to test once a year what they call ‘automated’ controls. This includes much of what you are saying. For example, we have to test once a year that the Auto-assign function for employee IDs works. We also have to test that deduction tables in our payroll side of PS won’t let anything have a higher priority than taxes, etc. These are only tested once a year, but yes, we are required to test them. If you can get out of it, let me know how you did it. We would love to eliminate our testing of those controls because it really does seem like a waste of time. Hope I could help a little.

  • Thanks Jason for sharing 🙂 Likewise in our case, many systems that don’t appear to be directly related to the financial systems will get thrown into the mix. As I work in the insurance profession, all of our systems appear to be interrelated financially.
    For example, we have front-end systems that rate and write the insurance policies, others that service claims, customer service systems, etc … Ultimately, all of these items feed into our General Ledger and accounting applications. Thus everything from initial input systems to the final accounting process is considered ‘financial’ in nature and therefore subject to SOX compliancy.

  • Thanks for your input.
    It seems that PwC are more reasonable in their demands. They were our SOX consultants and they took a risk-based approach. For instance, according to them, although we have to test some automated controls selected as KEY due to their high impact on the F/S, others, like the automated control in SAP that prevents J/E not in balance from being posted, we don’t have to test, as it is a functionality that comes with SAP and we can’t configure it. KPMG is saying no, we have to test.
    Listening to them, I am wondering how they can sign our F/S. They must redo everything manually.
    Some of our systems have been developed internally and have been working the same way for years without changes. They still want us to test them, and they want us to demonstrate that every IT report we utilize in our key controls, for instance one that we review, is accurate, complete, etc…

    Dear souris,
    just to add a bit on this.
    I am pretty sure you know that, by its design, SAP has lots of inbuilt controls.
    These become useful only if they are configured to be so used. So effectively, automation of any control in an application/ERP depends on whether they are enabled at all.
    I would suggest you do a Test of Design for the SAP controls yourself (meaning an internal independent team), document the results and provide them to your auditors.
    All that is automated has to be enabled.

  • I would push back heavily on your auditors if they are asking for significant baseline detail for a vendor supplied package.
    The UAT performed on the app is the key to proving the experts have ‘signed off’ the app’s functionality, confirming it is operating as it should. It is very important not to baseline ALL functionality but only the key controls being relied upon by your business on your IT app. Your business will need to identify the key controls so you can focus your baseline on these.
    i.e. if you have a PV calc being performed and the business relies on your IT app for the financial assertion ‘accuracy’, to ensure PVs are calculated accurately, then you should only baseline to prove the PV calc is calculating things accurately, and prove this, nothing more. You should not just baseline your entire app; focus only on key controls.
    As for SAP, I would suggest that the UAT is owned and held by the vendor, and so you would never be able to ‘prove’ this; that is why you have bought the package from the experts and not designed one in-house. Clearly you do not have access to all the development UAT performed by SAP. The auditors have to recognise this. The bedding down of SAP to integrate with the rest of your packages would require some testing, but not to the level of ‘baseline SAP’ as you seem to suggest is being requested.
    You have to focus your IT work on the key controls the business is relying on, and do not overwork the baseline, as most of the information should already be to hand.
    Hope that helps.
