Resources with appropriate knowledge may be scarce for SOX readiness assistance:
SAP Knowledge + Controls Expertise +
Entity
Process
Control Objective
Risk
Control Activity
Control Objectives
Control objectives describe management goals/directives. Objectives typically relate to:
Financial goals (completeness, existence/occurrence, rights/obligations, valuation/allocation, presentation/disclosure)
Operational goals (efficiency, accuracy, public image)
Regulatory/legal goals (regulatory compliance, legal compliance)
Risks
Risks need to be addressed at several layers:
Organization risks
Entity risks
Process/IT risks
Absolute risk - risk before consideration of current controls (e.g., Accounts Payable is inherently risky)
Residual risk - risk remaining when all controls are considered (should be at an acceptable/appropriate level)
The risk assessment component of COSO is different from the risks associated with control objectives and activities
Control Activities
Control activities are unique to an organization's industry, technologies, size, business processes, etc.
Control activities are mapped to control objectives
Control activities should include a balance of preventive and detective controls
SAP controls will not fit neatly into the CobiT generic control objectives; it is critical that these controls be included, however
SAP-Specific Controls
The SAP application has specific control needs, unique to the application, that need to be identified, documented and tested
Example: Change control activities
System change option (transaction SE06)
Integrating IT Controls
IT-enabled business process controls should be embedded in the business process documentation
For example, do not create a separate document for Accounts Payable IT controls
Control objectives can be achieved through a combination of manual and systematic (system-enforced) controls
Integrating IT Controls
Types of IT controls include:
Configured (IMG settings)
System-enabled (change records)
Security (design and administration of security)
Reports (e.g., open sales order report)
IT procedures/policies (e.g., user administration procedures)
Work with business process owners and IT business analysts to understand and document the complete controls structure
Testing Basics
Testing is primarily performed to evaluate the operating effectiveness of control activities
Testing documentation should consist of:
Testing procedures performed to ensure that control activities are functioning properly
Documentation of exceptions
Testing is different than Understanding: conversations with control owners do not qualify as testing
Key Controls: only key controls need to be tested, even if all controls were documented
Sample Sizes
Appropriate testing sample sizes should be determined based upon:
Frequency of the control (annually, quarterly, monthly, weekly, daily, multiple times per day, programmed)
Type of testing (corroborative inquiry vs. attribute sampling)
Frequency of testing of the control activity (quarterly vs. annually)
Additional samples may be necessary if exceptions are found
Sample size guidance should be provided by the external auditor
Types of Testing
Corroborative inquiry: consists of interviews with control owner(s) to verify that the control is working as documented, with corroboration via:
Observation - independent viewing of a control process or physical control
Examination/inspection of evidential matter - hardcopy or online
Reperformance - independent performance of a control
Types of Testing
Attribute sampling: utilized when a sample of documentation will be the primary test of the control; measures a characteristic of a control (present or not present)
Additional reliance is placed on testing if it is performed in a manner consistent with the sample sizes/approach of the external auditors
Other reliance factors:
Type of controls (control environment vs. routine transactions)
Competence of tester
Objectivity (independence) of tester
Documentation of Testing
Indicate who was interviewed (include names and titles)
Note exceptions
Refer to supporting workpapers and effectiveness gap documentation
Provide signoff and date
Example: Refer to workpaper <4330.03.01 Access to AS01>. Examined the report with Joe and Jane and noted that there were 40 active and 2 inactive users with this access. Identified 6 active users that should not have this access. Exceptions Noted: Access to this transaction appears excessive. See control effectiveness gap at workpaper <2140 Asset Management Effectiveness Gaps> - Issue 20. Work Performed by Mike Auditor on 6/30/2004.
Documentation Repositories
Documentation repositories will likely need to be created/installed to track the documentation needed by management to support their Section 302 assertion
Solutions vary from complex network directory structures to robust tools
Document-related items to consider when evaluating solutions:
Are documents loaded or hyperlinked?
What documentation can be stored?
Where is the documentation stored (application database or external server)?
How is data archived?
How is version control maintained?
Auditability of Controls
Documentation proving that controls are performed over time needs to be retained for audit purposes (i.e., the control must be auditable)
The amount of documentation should be reasonable, but the control owner must be able to provide evidence of the control
May require additional signoff and filing procedures
May require additional network storage
Auditors will request samples of documentation over a period of time, not just a walkthrough of the control procedure
Retention of controls documentation is similar to financial audit documentation retention requirements
Example Monitoring
Control: A daily checklist is used when monitoring the SAP system. The checklist is completed twice each day (morning and afternoon).
Test: Auditor will select 10 days to examine evidence of the control.
Documentation Requirements: Expectation that, at a minimum, completed checklists for each date will be available. The checklists should be initialed and dated by the control owner.
Review
Documentation requirements represent a significant element of SOX
Appropriate skills are necessary to audit
IT-enabled business process controls should be embedded in the business process documentation
General computer control documentation structure may differ from business processes
Document tests of controls
Testing is different than Understanding
Retain documentation
Deloitte
Available at: www.deloitte.com (navigate to Services > Risk Consulting)