ZDNet UK




Compliance Toolkit

Sarbanes-Oxley: What IT managers need to know

Staff

Published: 18 Jan 2005 11:30 GMT


Testing control effectiveness
In general, testing controls boils down to three steps: First, inventory the control activities. Second, write test plans to evaluate the effectiveness of each control activity. Third, relate each activity to an "underlying assertion" in the financial statements.

Once you have an inventory of control activities, you can begin writing your tests of effectiveness. These tests determine whether the control is operating as intended and whether the person performing the control is properly qualified and authorised to do so.

The next step is to classify each control activity by relating it to the underlying financial statement assertions: Existence or Occurrence; Completeness; Valuation or Allocation; Rights and Obligations; and Presentation and Disclosure. Then indicate whether each control is manual or automated, and whether it is preventative or detective.

If you're starting to get bogged down by the audit jargon, you can read up on how to apply these terms by going to www.auditnet.org/sbc.htm and downloading the two-volume publication called Standards for Business Controls.

Next, you have to write the test steps, which are also known as audit procedures. Audit procedures consist of a combination of inquiry, observation, and detailed testing through either examination or re-performance. For ideas on how to test your controls, try reviewing existing audit programs. One source of free audit programs is www.auditnet.org.

To ensure coverage in the test of effectiveness, the PricewaterhouseCoopers approach uses four information processing objectives: Completeness, Accuracy, Validity and Restricted Access (CAVR). The CAVR approach gives you a standardised means to measure each control activity. You should select the information processing objective(s) that best relate to your control activity. Ideally, each element of CAVR should be addressed in some combination of control activities for each objective.

If you'll just have faith and follow along with what your project manager asks, your piece of the "control effectiveness" mosaic will eventually fit into place.
