General Controls 1228



  • Hi,
    General controls are classified into :

    • Programme Development
    • Programme Change
    • Computer Operations
    • Access to Data and Programmes
      what does fall under Computer Operations?


  • COBIT holds the answers you seek.



  • Computer Operations:
    The processes and controls in place over the day-to-day operations of the information technology systems and applications to ensure that production systems are able to meet financial, operational, and compliance business objectives.
    Typical Key Sub-components:

    • Policies and procedures
    • Organization and management
    • Scheduling and batch processing
    • Backup management
    • Recovery procedures from operational failure
      Source: PwC ‘Practical Guidance for Management on SOX 404’


  • Denis:
    thanks for the response. Well I was looking for a detailed ans I did go thru them but I was expecting an ans based on practical expereince as you are highly experienced. The thing is that I just joined a company as an IT Auditor and they are expecting me to do sox audit on my own with minimum assistance. That is why, I am asking such questions(Probably stupit ones). Hope you dont mind.
    bogyman:
    thanks for your response also.



  • I had to do a mapping of the general controls to those 4 categories. The computer operations category for us contained all the controls related to running the data center, which included physical controls, environmental controls, security, backup and restore, tape rotation, patch mangement (all platforms and devices), monitoring system admin activities, user access (add/change/delete) as well as monitoring, etc…



  • thanks ugogirl, it was helpful…I have one more question…now a days I have been given the responsibilities of testing general controls and responses from you guys are helping me a lot. I have noticed that only select auditors are allowed to perform application testing and today I was going through iia.com and found that this institute provides specialised trainings for the Oracle, Peoplesoft, JD Edward, SAP and other ERP systems and each of this trainings costs no less than USD1300.
    Does it show that you have to have special knowledge before you start application testing?
    Presently I do not posses any kind of special knowledge. Should I believe that I wont get to test apps unless I get these training?



  • Does it show that you have to have special knowledge before you start application testing?
    Should I believe that I wont get to test apps unless I get these training?
    There is no requirement that you have special knowledge to perform testing of application controls, however it is very helpful if you have experience with the application so you know what to look for, what questions to ask, and type of evidence to request. The client will not turn you lose on the application typically. Most of the time you request for a person to be assigned to you with knowledge of the application and this person is on the business side and if necessary others from IT. You prepare your questions in advance of meeting with them. then you sit down and ask them to show you specific things, make screen prints, run reports, etc… whatever is needed for the test script.
    if the test script is fairly detailed and specific, some of this will be spelled out. I’ve seen very specific test scripts and also some very generic test scripts.
    Training is always nice have but may not occur prior to you testing application controls. You may need to do some research on the specific ERP systems on your own via the internet and other resources your company may already have. Other research that may be helpful is on sox and the erp system specifically.



  • Thanks ugogirl…that was really helpful…
    I was going through the App Control Objectives given in the doc ‘Control Objectives for Sarbanes Oxley’. I understand that evey environment has its own features that may be diff from others and accordingly, approach towards identification of critical app, risk assesment, and control activities will be diff. Since, any Financial Application has to ans the questions asked in the questionnaires(in above mentioned doc), can we ask the same questions as they are, in every Financial App environment such as Oracle 11i, SAP, Peoplesoft or any other ERP App or any other custome build application?


Log in to reply