SOX Professionals Group

  • 1.  Risk-Based Categorization of SOX Applications and Controls

    Posted 10-12-2022 03:42 PM

    I am curious if other companies have taken a risk-based approach to categorizing applications by the function they play in the control environment, and then applying certain controls based on that risk category. For example, all ITGCs are applied to financial applications that directly impact financial reporting, and a subset of key controls are applied to tools supporting ITGCs (identity and access services, change management records tool, tool used for code development and deployment, etc.) on those financial applications. Or, do companies apply all standard ITGCs to all in-scope financial applications and supporting tools? Thanks!

    Nick Tobkin
    Director of Cybersecurity

  • 2.  RE: Risk-Based Categorization of SOX Applications and Controls

    Posted 10-13-2022 09:51 AM

    Thank you, Nick, for putting this out there – much more succinct than my post and I am curious as well, having scoured forums for something to adopt (rather than start from ground zero). Unfortunately, we are pressured by the audit teams towards the latter and the work-intensive, more-than-reasonable assurance it entails. Documenting, executing, and maintaining evidence of a full suite of ITGCs for tools, not only supporting ITGCs as you state, but also supporting the execution of review or application controls (i.e., user access reviews, API-based interface of revenue data) is burdensome. Admittedly, the struggle to bring all stakeholders together to assess, define, and deploy such a framework/approach delays progress towards maturity. If anyone is willing to share a starting point towards categorization and an appropriate subset, it would be welcomed and appreciated.

    Barb Terlap
    Internal Controls Manager

  • 3.  RE: Risk-Based Categorization of SOX Applications and Controls

    Posted 10-19-2022 08:52 AM
    Great question, and I hope others will weigh in as well.
    For probably 10 years, we had this debate every year with our external auditor (2 different firms) and while we had an agreement in principle with one firm, we could never get them to sign off on us scaling back on ITGC testing for any in-scope applications or tools.
    I really enjoyed the presentation you did this summer explaining how Target is maturing your cyber audit practices. I think it makes sense to sit down with your external auditor, help them understand how the Company is maturing its controls, and make your case that the risk related to certain ITGCs, especially those leveraging universally used tools, is really low and could be scoped back for testing.
    At the end of the day, you've got to get your external auditor "comfortable" that your ITGCs are appropriate and functioning as designed, and if limited testing is "uncomfortable" for them you'll probably continue to test as we did.
    Please keep us updated if you're successful in convincing your auditor to your preferred approach.

    Grant Ostler
    Industry Principal

  • 4.  RE: Risk-Based Categorization of SOX Applications and Controls

    Posted 10-26-2022 02:01 PM
    Hi Nick, I have had the same experience as other posters, where I have not yet seen where we can rationalize controls dedicated to an application dependent on use/financial impact. Working with two separate external auditors, they have always pushed the full ITGCs vs. a subset. The only times I have seen not all ITGCs being applied is if the application is cloud-based and controls can be pointed to a SOC report.

    When onboarding a new application, we use a full listing of ITGCs to apply to the new application even if it's not in scope for SOX, just to get them SOX-ready.

    Sakina Lara, CPA, CFE, CISA
    SOX Compliance Manager, Dover Corporation
    Executive Advisor of the SOXPro Group
    Chicago, IL