Application controls testing for SOX 1719



  • Hi,
    I have 2 questions pertaining to Application Testing:
    1st question - Is it required to test the integrity of the application for ‘Off-the-shelf’ packages or well known ERP such as Oracle Financials / Peoplesoft that are identified as SOX critical applications? Is there any certificate received from the Vendor of the integrity of the product that will suffice to avoid an end-to-end application audit?
    2nd question - In the event of any customisations done to the product, will the UAT testing documentation suffice to assure the Management on the integrity of the data processed? Further, if the customisations pertain to REPORT generation, will this UAT need to be considered for SOX testing?
    Thanks.
    Venkat.



  • Good Morning Venkat,
Any application that somehow facilitates financial reporting is in SOX scope. Therefore, evidence of UAT and QC is required. A vendor’s certificate, although useful, is not complete evidence of compliance.
    To sum up, evidence of QC and UAT and benchmarking of the programming logic is required.



Hi Venkat – I agree with Chhaava’s good points, as SOX compliance standards don’t delineate as to whether an application is a vendor-supplied package versus one that is custom built. As testing centers around workflow and financial controls, a poorly implemented vendor-based system can have issues.



  • Q1. Is it required to test the integrity of the application for ‘Off-the-shelf’ packages or well known ERP such as Oracle Financials / Peoplesoft that are identified as SOX critical applications?
A1. Yes, application controls testing must be conducted on the significant financial applications. Oracle Financials / Peoplesoft, SAP, etc., all have embedded processing controls. However, it is necessary to test input, processing, and output controls to obtain comfort in connection with transactions processed through the system.
    Additionally, because these systems are not configured out of the box, the control configurations must be designed to suit your business processes and the controls might not be configured properly. For example, within an ERP System, it is possible to turn ‘off’ various control settings that may not be applicable to your business. If a control setting is inactivated, it may render the system ineffective in providing the intended controls necessary to ensure reliable and accurate financial reporting.
    Q1a. Is there any certificate received from the Vendor of the integrity of the product that will suffice to avoid an end-to-end application audit?
    A1a. Certainly, a software vendor’s certificate can establish some trust that the application performs as designed. However, the certificate is generally not considered to be a substitute by the external auditor as assurance on the ICFR.
    Q2. In the event of any customisations done to the product, will the UAT testing documentation suffice to assure the Management on the integrity of the data processed? Further, if the customisations pertain to REPORT generation, will this UAT need to be considered for SOX testing?
    A2. Please refer to the other replies.
    Hope this further helps,
    Milan
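The point in A1 about control settings being turned ‘off’ is the part of this answer that can be checked mechanically. The script below is an added illustration, not code from this thread or from any ERP vendor: it compares a control-setting export against a baseline of settings a SOX-critical application is expected to keep active and lists every control that is missing, inactivated or set to an unexpected value. The export format (`key = value` lines) and all setting names are constructed for the example; real products use their own configuration tables and parameter names.

```python
"""Baseline check for application control settings (constructed example).

Parses a hypothetical flat 'key = value' export of an ERP's control
configuration and reports deviations from a required-controls baseline,
so that inactivated controls show up as findings with their objective.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: setting -> (expected value, control objective).
# Names are hypothetical and do not correspond to any vendor's parameters.
REQUIRED_CONTROLS = {
    "ap.three_way_match": ("ON", "Input: invoice matched to PO and receipt before posting"),
    "gl.journal_approval_required": ("ON", "Processing: manual journals require approval"),
    "gl.posting_period_lock": ("ON", "Processing: no posting into closed periods"),
    "ap.duplicate_invoice_check": ("ON", "Input: duplicate vendor invoices are rejected"),
    "rpt.trial_balance_reconcile": ("ON", "Output: trial balance reconciled to sub-ledgers"),
    "ap.payment_limit_without_approval": ("0", "Processing: no unapproved payment above zero"),
}


@dataclass
class Finding:
    setting: str
    expected: str
    actual: Optional[str]   # None means the setting was absent from the export
    objective: str

    def __str__(self) -> str:
        state = "MISSING" if self.actual is None else f"actual={self.actual!r}"
        return f"{self.setting}: expected={self.expected!r} {state} ({self.objective})"


def parse_config_export(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    config: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        config[key] = value
    return config


def audit_controls(config: Dict[str, str],
                   required: Dict[str, tuple] = REQUIRED_CONTROLS) -> List[Finding]:
    """Return one Finding per required control that is absent or not at its expected value."""
    findings: List[Finding] = []
    for setting, (expected, objective) in required.items():
        actual = config.get(setting)
        # Compare case-insensitively so 'on' and 'ON' are both accepted.
        if actual is None or actual.upper() != expected.upper():
            findings.append(Finding(setting, expected, actual, objective))
    return findings


# Constructed export: one control inactivated, one absent, one with a changed value.
SAMPLE_EXPORT = """
# control configuration export (constructed sample)
ap.three_way_match = ON
gl.journal_approval_required = OFF   # inactivated during go-live, never re-enabled
gl.posting_period_lock = ON
rpt.trial_balance_reconcile = on
ap.payment_limit_without_approval = 5000
"""

if __name__ == "__main__":
    for finding in audit_controls(parse_config_export(SAMPLE_EXPORT)):
        print(finding)
```

Run against the sample export this reports three findings: the journal-approval control turned off, the duplicate-invoice check absent from the export altogether, and the unapproved-payment limit raised above the baseline. Keeping the baseline and the export under version control, and re-running the check after each configuration change, gives management a dated record of whether the embedded controls relied on for financial reporting were actually active during the period.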



  • Thanks for the timely responses. These definitely are useful pointers for extent of Management testing required.
    Cheers.
    Venkat.

