Report Writer (FrX) Considered In-Scope? 2515
Netmation last edited by
What are the opinions as to whether a tool like FrX, a report writer for financial reports, needs to be considered in-scope for Sarbox GCC’s ?
harrywaldron last edited by
Hi - I’d most likely answer ‘no’ for the tool itself, contributing to material Financial system risks. Still, external SOX auditors might evaluate Sage’s FRx Report writer in looking at it’s usage and controls.
For example, they might look at more broadly at the associated risks of end-user reporting in the following areas:
– Accuracy (e.g., how do users balance and certify their results)
– Usage (e.g., do users export results to Excel and are these spreadsheets properly secured and controlled)
– Financial Decision Making (e.g., what decisions are typically made with the generated reports and would they affect any company valuations that might be reported to shareholders)
– Security (e.g., who can use the reportwriter and are IT finanical system master files or tables properly restricted)
– Maintenance (e.g., is the product being kept up-to-date? are there any unpatched security vulnerabilities?)
The application of SOX 404 requirements are up to each company to formulate, based on their automated Finance IT system risks and controls. While the tool itself may not be in-scope, in many companies the end user financial reporting process could be applicable depending on it’s risk assessment.
As one more idea, you may want to contact the external SOX auditors for more ideas.