Nick,
Great question, and I hope others will weigh in as well.
For probably 10 years, we had this debate every year with our external auditor (2 different firms) and while we had an agreement in principle with one firm, we could never get them to sign off on us scaling back on ITGC testing for any in-scope applications or tools.
I really enjoyed the presentation you did this summer explaining how Target is maturing your cyber audit practices. I think it makes sense to sit down with your external auditor, help them understand how the Company is maturing its controls, and make your case that the risk related to certain ITGCs, especially those leveraging universally used tools, is really low and could be scoped back for testing.
At the end of the day, you've got to get your external auditor "comfortable" that your ITGCs are appropriate and functioning as designed, and if limited testing is "uncomfortable" for them you'll probably continue to test as we did.
Please keep us updated if you're successful in convincing your auditor to your preferred approach.
------------------------------
Grant Ostler
Industry Principal
Workiva
------------------------------
Original Message:
Sent: 10-12-2022 03:41 PM
From: Nick Tobkin
Subject: Risk-Based Categorization of SOX Applications and Controls
I am curious if other companies have taken a risk-based approach to categorizing applications by the function they play in the control environment, and then applying certain controls based on that risk category. For example, all ITGCs are applied to financial applications that directly impact financial reporting, and a subset of key controls are applied to tools supporting ITGCs (identity and access services, change management records tool, tool used for code development and deployment, etc.) on those financial applications. Or, do companies apply all standard ITGCs to all in-scope financial applications and supporting tools? Thanks!
------------------------------
Nick Tobkin
Director of Cybersecurity
Target
------------------------------