Extent of testing on legacy system 2225

  • What is the practice out there regarding the testing of controls on a legacy system that was used for part of the year?

  • Hi Hoiya - As SOX 404 requirements don’t mandate testing rules by platform, the amount of sampling/testing might be more conducive to the inherent risks and how the system was used and relied upon during the 1st part of the year.
    On a legacy conversion project, the SOX auditors would be interested in how accurately the data was migrated and the financial controls associated with backloading the new environment (at least that was my experience on a prior project).
    If you all migrated data and the applications to another platform, that would be the focal point of your controls testing process now. Historically, you may need to prove the accuracy of migration and balances as of the change-over date. In some cases (unless a read-only copy was left on the mainframe), there may not be an application or existing data to test.
    This might also be a good question to ask the external auditor.

  • I think that the answer may depend on the system and related controls over any financial statement items impacted by the system. For example, we have had occasions where we have transitioned to a new payroll system over time. When the transition starts towards the end of the year, we may not be too concerned if the system does not impact all employees or only impacts 1/12 of total payroll costs if we have entity-level controls in place to get us comfortable that total payroll costs post-transition are reasonable. A system change that kicks in mid-year would likely be in-scope, but we may decide to not test the outgoing system as it will not be in place as of year end.

  • KYMike - even though the legacy system is not in place as of year-end, wouldn’t the reliability of the P-and-L still be in scope for the whole year?
    It sounds painful, but I almost think we have to test the legacy system controls (for the months it was in operation), the migration of data, plus the new system controls. Or am I being too conservative?

  • Hi Hoiya,
    In my opinion you should test only the new system, since SOX requires as-of certification. But if you are in an integrated audit (internal control and financial statements audit), you will need to consider both systems.
    In this situation, you will consider the level of comfort you receive from each system and also make substantive tests for the whole year.

  • All,
    Thank you for your input. I did a little more research and saw that AS5 B2 even said the auditor ‘should obtain evidence that internal control over financial reporting has operated effectively for a sufficient period of time, which may be less than the entire period…’
    Does that mean that any legacy system will be off the hook unless the auditors go for the integrated audit approach?
    I guess this concept seemed weird to me as I have a financial auditing background back in the days.

  • That’s what happened to me too… I’ve worked for 8 years in a Big Four and now I’m an internal auditor, doing SOX.
    The concept that internal control might be operating effectively as of a date is something that I couldn’t understand or agree with. Something written by lawyers (excuse me if someone here is one).

  • To clarify my earlier response - I would weight testing of the two systems based on the relative impact on my Financial Statements for the year.

  • Yes, if any of the controls impacting financials are carried out by or depend on this legacy application, they will be tested for SOX, and you have to note down the date on which the controls were established so that, during testing, samples are picked from that date onwards.

  • I would like to revisit this topic, as I just had a meeting with our external auditor. They are now saying that we do not need to test the legacy system regarding baseline (system controls) or manual controls related to the legacy system. The legacy system will be in place for 6 months of this year so it will be generating half of the results. I am still nervous about not doing any testing on the management side, because it is something we cannot go back and test, should the auditors change their minds towards the end of the year.
    For the migration efforts, we will have testing surrounding the migration of data. But I still wonder if management is required by SOX to assess the ‘validity’ of the data – meaning, we are migrating the data correctly (the USD100 in the legacy system is carried forward as USD100 and not USD101), but how do we know the legacy system generated the USD100 properly under the legacy controls?
    The auditors will get comfort on the first 2 quarters’ numbers by doing substantive testing – not something management would do.
    Auditors are saying that we need to test only the controls on the new system, and the migration effort. We plan on doing both of those. I am just wondering about the controls on the legacy system. What would you do as management?

  • As management I would be testing my controls to the extent that I’m concerned about the risks. Ultimately, management should not have a control environment and process controls just because they want to comply with SOX but rather because they want to operate their business safely.
    Bottom line, management should perform the level of testing required to gain the assurance it wants/needs to run its business, regardless of what the auditors want for SOX.
