Friday, March 24, 2006

SOX Compliance and automated testing

There is an interesting article on IT systems and SOX compliance. It identifies

"three key building blocks required to ensure that IT controls exist and are formalized or structured in a way required by an organization’s management or its auditors, such that their design, assessment and remediation is totally integrated into the Sarbanes-Oxley compliance initiative. A SOX404 compliance application must support all of these three building blocks."

Building Block 1: Seamless integration of the three process-level controls - IT application controls, IT general controls and manual controls.

Building Block 2: Automatic testing of process-level IT application controls and incorporation of its result into the overall results of the test suite.

"In the absence of any automation, most organizations end up manually testing hundreds of process-level IT application controls within their environment. For example, let’s take a control that ensures that orders are only processed within a customer’s credit limit. This control is typically implemented within an organization’s ERP system, but can be overridden for exceptions with proper authorization. Typically, most companies would print a report that lists all orders that were processed within the last quarter, the customer's credit limit at that time and, if an override was applied, who applied the override and their role/title at the time the override was applied. Then the internal audit team would manually review each and every entry in the report and ensure that the control worked in every situation in order to score the control test as ‘having passed’. If not, they would score the control test as ‘having failed’ and would have to manually record every instance in which the test failed, so that proper disclosure and remediation processes could be triggered.

Such a manual process would have to recur every specified period for testing that control, and is repeated for every control within the organization. With hundreds of controls within an organization, manual testing of process-level IT application controls provides a major opportunity for reducing the cost of compliance. In addition, the sheer complexity of manually testing such controls in a large organization with heterogeneous systems increases exponentially.

The next generation of SOX compliance solutions enables companies to address this issue and significantly reduce their cost of compliance by providing a framework that performs all of the following activities:
- Identifies whether a control within the test documentation is a manual or an application control. As a result, an application control does not need to be documented separately, which eliminates the potential nightmare of correlating application control documentation with test documentation.
- Automates the testing of application controls via the ‘push of a button’ by reading the relevant data within the ERP system and applying the testing logic.
- Reports the results for the entire test – including manual and application controls – in an integrated manner. It captures the detailed scoring from the audit (for manual controls) and specific details of the records read, which records passed, which records failed the test and why (for application controls) as part of integrated reporting, so the results can be easily reviewed by an internal or external auditor in future to ‘prove’ that the testing occurred and the control is working as required.

The compliance solution typically leverages APIs to access the data within popular ERP systems such as SAP, Oracle and PeopleSoft, as well as legacy/homegrown systems. Such a solution typically provides an out-of-the-box library containing hundreds of tests for automating the testing of application-level controls within general ledger, procure-to-pay, order-to-cash, inventory / cost accounting, asset management and payroll processes."


Building Block 3: Ability to easily define and assess relevant overall IT controls – typically derived from the COBIT model – and reconcile them with the selected assessment framework, such as COSO.

In the final summary it concludes:

"IT systems are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. In this brief, we have identified three key building blocks to ensure that IT controls exist and are structured in a way required by an organization’s management or its auditors, such that their design, assessment and remediation is totally integrated into the Sarbanes-Oxley compliance initiative. A next generation SOX404 compliance application must support all of these three building blocks."