Key Report Testing - Best Practices
Our company went public in 2018, and we have been diligently working to get up to SOX 404 standards. In 2019 one of our major requirements was creating a repository and baseline testing of all of our Key Reports (ITDCs). We are now looking for the most efficient way to manage the baseline as we go forward and were wondering what other companies do as a best practice (i.e. test all reports every year or put them on a rotation? Did you add one SOX control to your RCM to cover all reports, add a control by system to cover reports generated by the system, a control by process, etc.? Are they tested by IT or by the business?) Any information you could share would be greatly appreciated.
We have created an IPE test phase, by quarter for our controls. This phase is added to the regular control test. Our external auditors asked for this as they said it will make it easier for them to find that type of testing. We have to test reports every three years, and when they change. We also require evidence of report generation procedures (system screen shots).
Our external auditor explained what they consider to be the two types of IPE tests:
- A control where management is expected to validate the C&A of a report as part of control execution. This will be tested as part of the normal control test with an IPE test phase added, and a cross reference to where the testing is located. This is being done so the external audit IT team can readily identify this type of testing. In addition to the validation done by management, we require screen shots showing how the report / file was generated.
- Reports / files we rely upon as part of internal audit control testing (e.g. new hire report, user listing, etc.). GITC controls over the environment used to generate the report have to be effective. We gather the same evidence as listed in item 1, but we also have to tie record counts and such, make sure the data returned matched that requested, etc. In some cases, we have to recreate the report using the parameters shown in the query, or work with IT to obtain the raw data and then recreate the report. That is typically when a report is new, changed, or it has been three years.
Thank you for the question. I'm looking forward to reading other responses.
I am anxious as to what others are doing as well. Thanks for the question.
Thanks Donna. Is the work actually done by IT, the business, or the people performing the testing? We were thinking that the area owner of each report was responsible for demonstrating that they validated the C&A (and providing evidence), and from a testing perspective our role is to see the evidence and some level of approval from the owner.
We were thinking of the 3-year rotation as well. I think having a separate phase sounds like a great idea and is something I will bring to the team.
If a report is used as part of a control, then the control owner is responsible for validating the C&A of the data / file. If we independently ask for a report, then we have to do that work.