Screenshots from ADP payroll 1703



  • Well, here is another good one for you. We are testing SOX ITGC for a mid-size public company. Our role is consulting for this engagement.
    So, while testing ITGC we came upon some documents showing ADP screenshots with several user IDs from employees that no longer work for the company. Upon further investigation we discovered that these IDs have now been removed. The control we are testing has to do with proper user authorization to the ADP system, and it is a violation to have active users that no longer work for the company.
    So, in my conclusion during operating effectiveness testing I stated that we found these users; therefore this control is not operating effectively. However, my supervisor said that since this is now fixed we should state that it is passing with no exceptions noted. She said that we are testing at a point in time, not a period in time, so now there are no issues.
    So I am thinking, what kind of auditing is that? If you find evidence that the control is not working, how can you state that now it is working? I hope there are some kind of rules in testing SOX controls, so I would appreciate it if anyone can point me to any references for such issues.
    Where do you draw the line? Should we be going around and saying, "Hey, tomorrow I will come by and get screenshots from your system, so make sure everything looks right"? This does not sound like auditing to me.
    Thank you
    Criterion



  • Hi,
    I think the issue that you described is best handled in the audit report or conclusions derived from the tests of operating effectiveness that you performed in connection with your testing efforts.
    Specifically, in your conclusion, it is necessary to state the period that was used to select your audit samples. For example, you should state that you examined the ADP user profiles (screenshots) on mm/dd/yy for the existence of unauthorized employees. At the time of audit, you found that unauthorized persons (terminated employees) were still in the system. The audit covers the internal controls over financial reporting for the quarter ending 3/31/xx, 6/30/xx, 9/30/xx or 12/31/xx (assuming that you are a calendar-year reporting entity).
    If, after you performed your audit procedures, the process owner identified the unauthorized or terminated employees and removed their access to ADP, that is fine and quite desirable. However, the fact remains that at the time of audit, unauthorized persons were found having access to the ADP system.
    Thus, the underlying control (prompt removal of terminated employees) would fail at that point in time, which you are reporting on and which is covered by your audit procedures. The underlying control would fail, and you would need to consider the compensating controls to determine if the control deficiency is significant and could lead to a material error in the financial statements. If so, a material control weakness would require disclosure.
    The compensating controls, however, might be adequate to minimize the risk of error and thus, lower the related financial reporting risks to either an immaterial impact and/or remote likelihood, in which case, you might not need to disclose it. This decision is based on audit judgment.
    Either way, the control deficiency existed at the time of audit and should not be ‘cleared’ because the process owner identified the error and corrected it immediately after the audit procedures were performed and/or before you reported the conclusion of the test results.
    Hope this helps,
    Milan



  • Are you still on first assertion, or are you second time round?
    If you are first time round for s404 then I would note this as a passing control, noting the remediated failure in your working papers, as suggested by your supervisor.



  • The compensating controls, however, might be adequate to minimize the risk of error and thus, lower the related financial reporting risks to either an immaterial impact and/or remote likelihood, in which case, you might not need to disclose it. This decision is based on audit judgment.
    I agree with Milan on all except the above comment. My feeling is that you should disclose to your client all deficiencies that you noted, even if there were adequate compensating controls in place. It is important for the client to understand where issues were noted in order to ensure that these controls may be better monitored in the future. Of course, you would mention any compensating controls, but the fact that compensating controls exist does not override the fact that there was a failed control.



  • This is actually 2nd time around. These users were there until mid year.



  • You test things like access control AS ON DATE. The client might have taken the screenshots as on the date of its internal assessment. ACLs are bound to change from the time of such assessment to the time of your assessment.
    I would still go with your colleague and regard this as a pass. Assessments are against controls ON A PARTICULAR DAY.



  • As an IT professional, I’ve participated in numerous audits in my 34 years of experience. Most auditors who find points still mention them in the official audit papers, even though we have corrected a deficiency immediately. In my experience, they’ve been more like the police officer who pulls you over when you’re 1 mph over the limit: they ain’t gonna cut you a break 😉 🙂
    Maybe the way to address this is to:

    1. Factually state the findings and past deficiencies
    2. State the amended procedures and immediate corrective actions taken by the client
    3. Recommend that the current procedures be re-examined during the next audit to ensure compliance

    This way the exposure is noted and there’s an incentive to do better, as it’ll be looked at again in the future.


  • She said that we are testing at a point in time, not a period in time, so now there are no issues.
    Management is to test over a period of time, but make an assertion on the effectiveness of controls as of a point in time. By testing over a period of time, we gain confidence that controls are effective at year end. Those found not to be effective can be retested at year end. Otherwise we would only test controls at year end, which is not practical.



  • She said that we are testing at a point in time, not a period in time, so now there are no issues.
    Management is to test over a period of time, but make an assertion on the effectiveness of controls as of a point in time. By testing over a period of time, we gain confidence that controls are effective at year end. Those found not to be effective can be retested at year end. Otherwise we would only test controls at year end, which is not practical.
    Well put.
    What the supervisor said is correct, but if not properly explained it can give the wrong impression.
    I would tend to report the deficiency and then show it as remediated. In my own organisation, one of the concerns I have is the low number of deficiencies being reported; though it may seem strange, if the results coming through are too good it makes me suspicious.
    Showing failures and showing that they’ve been dealt with is a good thing.
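The point-in-time versus period-of-time distinction discussed in the last two posts can be made concrete with a reconciliation of the HR roster against the payroll user list. This is an added example, not code from the thread or from ADP; the worker records are constructed, and the 5-day deprovisioning window is an assumed SLA, not a SOX requirement.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Worker:
    user_id: str
    terminated: Optional[date]      # HR termination date; None if still employed
    access_removed: Optional[date]  # date the payroll ID was disabled; None if still active

# Constructed sample data (not from the thread): HR roster joined to the payroll user list.
ROSTER = [
    Worker("alice", None, None),                           # current employee
    Worker("bob", date(2023, 3, 10), date(2023, 3, 12)),   # removed within the window
    Worker("carol", date(2023, 2, 1), date(2023, 7, 15)),  # lingered until mid-year
    Worker("dave", date(2023, 5, 20), None),               # terminated, ID still active
]

GRACE_DAYS = 5  # assumed SLA: access must be removed within 5 days of termination

def exceptions_as_of(roster, as_of):
    """Point-in-time view: terminated workers whose ID is still active on `as_of`.
    This is what a screenshot taken on `as_of` would show."""
    return sorted(
        w.user_id for w in roster
        if w.terminated is not None and w.terminated <= as_of
        and (w.access_removed is None or w.access_removed > as_of)
    )

def exceptions_over_period(roster, start, end, grace_days=GRACE_DAYS):
    """Period view: every termination in [start, end] whose removal exceeded the
    grace window, returned as (user_id, lag_in_days); lag is None if never removed.
    A later clean-up does not clear the exception, because the control failed when it
    was supposed to operate."""
    out = []
    for w in roster:
        if w.terminated is None or not (start <= w.terminated <= end):
            continue
        lag = (w.access_removed - w.terminated).days if w.access_removed else None
        if lag is None or lag > grace_days:
            out.append((w.user_id, lag))
    return sorted(out)

if __name__ == "__main__":
    print("as of 2023-06-30:", exceptions_as_of(ROSTER, date(2023, 6, 30)))
    print("as of 2023-12-31:", exceptions_as_of(ROSTER, date(2023, 12, 31)))
    print("FY2023 period:", exceptions_over_period(ROSTER, date(2023, 1, 1), date(2023, 12, 31)))
```

A year-end snapshot alone shows only the IDs still active on that day, while the period view also surfaces the mid-year removals that were late, which is the evidence the working papers need to document a remediated failure.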

