CONFIGURATION AND APPLICATION CONTROLS 2663



  • My company is currently assessing the adequacy of application and configuration controls to determine if further efficiencies can be made in the Sarbanes-Oxley 404 attestation process. To that end, we are looking for any tool/guidance/checklist that exists in the market to assess the quality and completeness of application controls. By application controls we refer to all IT or system related controls that ensure that any given software with impact on financial reporting has the proper settings to prevent or detect errors: e.g. automatic three-way match, input controls, interface controls, system logic or controls around calculations. Please note that we are NOT referring to general IT controls (e.g. change management, system development life cycle, user access, data back-up, etc.)



  • Hi and Welcome to the forums 🙂
    If you have an external SOX auditor, it might be beneficial to check with them on their expectations. The COBIT framework is also used by many external auditors as a guideline for 404.
    Below are some SOX specific resources that might help in meeting 404 requirements:
    Top Down Risk Assessment (TDRA) and SOX testing
    http://en.wikipedia.org/wiki/SOX_404_top-down_risk_assessment
    TDRA is a hierarchical framework that involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control. Both the PCAOB and SEC guidance contain similar frameworks. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX404 assessment effort and determine the evidence required. Key steps include:

    1. identifying significant financial reporting elements (accounts or disclosures)
    2. identifying material financial statement risks within these accounts or disclosures
    3. determining which entity-level controls would address these risks with sufficient precision
    4. determining which transaction-level controls would address these risks in the absence of precise entity-level controls
    5. determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls
    Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management's (and the auditor's) TDRA. As such, TDRA has significant compliance cost implications for SOX 404.
    PCAOB - More Resources
    http://www.pcaobus.org/Standards/index.aspx
    http://www.pcaobus.org/Standards/Standards-and-Related_Rules/Auditing_Standard_No.5.aspx
    As COBIT is used by many external SAS auditors to provide guidelines for controlling automated financial systems, this resource may be helpful to research IT needs:
    Free COBIT 4.x PDF copy by registering with ISACA
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920
    Also, COSO provides excellent guidance in the general design of financial and workflow controls as noted here:
    COSO Guidance - Monitoring
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=2470


  • Please refer to COBIT 4.1 Application Controls AC1 through AC6
    (COBIT 4.0 had more: AC1 through AC17)
    For details refer to the following:
    COBIT 4.1, page 16
    COBIT Control Practices, 2nd edition: pages 165-171

