Test Planning

1
SOX How did we get here and where are we going?
Outline

• A Little History.
• Some Definitions.
• Section 404.
• Internal Controls.
• Testing.
• Summary.
• Q A.

Presented by David Thompson, SISQA david.thompson
_at_supervalu.com
May 2009
2
HistoryWhat caused it?

• President George W. Bush signed the
  Sarbanes-Oxley (SOX) Act, H.R. 3763 into law on
  July 30, 2002.
• The Bill raced through congress and was signed by
  the president in less than 100 days from the time
  it was first approved in House.
• Senator Paul S. Sarbanes and Representative
  Michael G. Oxley were the bills sponsors
  therefore, we get the common identifier SOX.

3
History What Went Wrong?

• Enron was the first corporation in 2001 that
  showed egregious signs of mismanagement and filed
  for bankruptcy in the same year.
• Global Crossing concealed its financial position
  from the public and had to file for bankruptcy.
• WorldCom overstated earnings by 3.8 billion in
  one of the largest cases of bookkeeping fraud.
• Tyco gave millions of dollars in questionable
  bonuses, loans, and other payments to its upper
  management.
• The founders of Adelphia Communications could not
  account for 2.3 billion dollars and were
  convicted of defrauding the company.
• All in all, a pretty good couple of years dont
  you think?

4
HistoryWhere weve been

• The idea of corporate responsibility and of
  requiring corporations to attest to their
  internal controls is not new. It is essentially
  the same information that was called for in 1978
  by the commission of Auditors Responsibilities,
  better known as the Cohen Commission (Gupta
  Leech, 2006, 8).
• 23 years later Congress had to enforce corporate
  governance instead of industry self regulating
  itself and after how many billions of dollars
  lost, lives destroyed, and retirements postponed.
• A company must report SOX compliance on its
  annual 10K form.

5
Definitions

• Internal Control - The policies, procedures,
  practices and organizational structures designed
  to provide reasonable assurance that business
  objectives will be achieved and that undesired
  events will be prevented or detected and
  corrected (COBIT framework, 1998, p. 13).
• Material Weakness - a deficiency, or combination
  of deficiencies, in internal control over
  financial reporting, such that there is a
  reasonable possibility that a material
  misstatement of the registrants annual or
  interim financial statements will not be
  prevented or detected on a timely basis
  (Definition, 2007).
• Significant Deficiency - A deficiency, or a
  combination of deficiencies, in internal control
  over financial reporting that is less severe than
  a material weakness, yet important enough to
  merit attention by those responsible for
  oversight of the registrants financial
  reporting (Definition, 2007).

6
What is Section 404?

• Lets back up a minute
• The SOX law is made up of 11 Titles.
• Section 4 contains a wealth of information on
  what companies have to do.
• It is the Enhanced Disclosure Law.
• Section 4 is made up of 9 subsections.
• Section 404 is the 4th subsection of Title IV of
  the law that we, as IT people, will be most
  concerned with.
• Section 404 has only 170 words, the
  interpretation of those words has led to many
  different ways for companies to document their
  internal controls.
• The COSO framework (which can be acquired here
  http//www.coso.org/IC.htm) is generally accepted
  as the model to guide the creation and assurance
  of internal processes in financial reporting.
• However, COSO is lacks practical steps and
  guidance to evaluate whether a company has an
  effective system of internal control over
  financial reporting.

7
What is Section 404?Cobit to the rescue
0101
0101

• Cobit (Committee OBjectives for Information and
  related Technology) fills the void of how to
  interpret section 404.
• To govern IT effectively, Cobit defines 4
  domains
• Plan and Organise (PO)Provides direction to
  solution delivery (AI) and service delivery (DS)
  - 10 Controls
• Acquire and Implement (AI)Provides the solutions
  and passes them to be turned into services 7
  Controls
• Deliver and Support (DS)Receives the solutions
  and makes them usable for end users 13 Controls
• Monitor and Evaluate (ME)Monitors all processes
  to ensure that the direction provided is followed
  4 Controls

8
What is Section 404?Cobit to the rescue

• A company need only comply with the controls that
  are pertinent for them.
• I am personally involved with 7 controls, which
  are probably implemented at most companies.
• Here are the 7 Internal Controls Im involved
  with
• AI Manage Change
• AI Install and Accredit
• DS Manage Service Desk Incidents
• DS Manage Problems
• DS Manage Data
• DS Manage Physical Environment
• DS Manage Operations
• We chose not to comply with DS Manage
  Configuration. You might think everyone would
  need to comply with this and so do I. Im
  working on this one

9
Internal Controls

• But what is an internal control
• In a general sense, a control is defined as The
  policies, procedures, practices and
  organizational structures designed to provide
  reasonable assurance that business objectives
  will be achieved and that undesired events will
  be prevented or detected and corrected (COBIT
  framework, 1998, p. 13).
• Internal controls should be defined in a way that
  reduces or eliminates risk. The higher the risk
  of a material weakness occurring requires the
  greatest amount of work in elimination or
  mitigation of that risk.
• Internal controls can detect and correct errors
  or they can prevent errors.
• Which type would be preferred?
• Which type would require more time and effort to
  create and document?
• Most of the controls will probably be detect
  controls.
• Internal controls that prevent or detect material
  weaknesses are key controls.
• Therefore, the key focus on internal controls is
  key controls this is where the most time in
  understanding and testing should occur.

10
Internal Controls

• How to document an internal control
• 3 generally accepted methods
• Flowcharting
• Narrative
• Matrix
• Each method has is advantages and disadvantages,
  but I wont get into them here. We currently use
  narratives.
• I like narratives because
• Once written they can be used as a training aid
  or given to others to test.
• They can be precise.
• They are usually easy to follow.
• I dont like narratives because
• The ambiguity of the English language it can
  and usually does take multiple revisions to get
  it right.

11
Testing Internal Controls

• This is probably near and dear to all of our
  hearts here
• Think of testing internal controls the same way
  you would test software all the things youve
  learned and all the things in the CBOK still
  apply.
• Simply create a test procedure, like you would
  for any test and record your results. Be sure
  the results consist of all reporting
  documentation and how the sample size / audit
  pool was created.
• So what is an audit pool and how do you create
  one
• An audit pool is a subset of the records being
  reviewed.
• Audit pools can be created in a number of ways
  randomly, judgmentally, or all records can be
  chosen.
• Why would we choose an audit pool of a certain
  size?
• Confidence level, Tolerable rate of error, and
  Expected error rate of the population
• A website to create an audit pool based on the
  above criteria can be found here
  http//www.raosoft.com/samplesize.html

12
Testing Internal Controls Sample Sizes
(continued)

• For SOX, generally accepted sample sizes based on
  the frequency of the control are
• Yearly 1.
• Quarterly 2 to 3.
• Monthly 2 to 6.
• Weekly 5 to 15.
• Daily 25 to 60.
• I perform testing throughout the year so my goal
  is to use the largest sample size possible so our
  confidence level is highest when we are
  externally audited. I will use all the records
  available if possible i.e., I have an automated
  test. Sometimes this can mean 1200 records.
• An external auditor usually sticks to the
  generally accepted values noted above when they
  audit a company.

13
Testing Internal ControlsThings to remember

• Do everything you normally would when you test
  software .
• Do everything you normally would when you report
  your testing.
• Use you tool box youve created being a software
  tester.
• Record everything
• How a sample was created
• Who was spoken too
• What was the criteria used for determining
  success
• The very specifics of each test failure and why
  it was classified as a failure

14
Summary

• Things to remember
• Testing of internal controls for SOX is highly
  visible, so you want to be able to express the
  current state of testing very simply to
  management Ive created a Red, ,
  Green method of grading our controls.
• SOX section 404 may not reduce the chances of a
  financial misstatement but
• Any shortcomings found with the internal controls
  are really exposing problems with a process in
  your company and rectifying that problem will
  improve the operations of your company.
• Many complaints circulate about the cost of SOX
  and the added responsibility of SOX. SOX section
  404 is just ensuring what a company should
  already be doing for their best interest.
• Internal control testing should be performed
  throughout the year and not just at year end
  (when the external auditor comes).
• If the company has to report a material weakness,
  it could very well mean that the stock price will
  take a hit.
• If the material weakness could have been exposed
  by internal testing, but wasnt exposed until
  external testing and you were the tester Id
  start looking for a new job.

Yellow
15
References

• COBIT framework (2 ed.). (1998). Rolling Meadows,
  IL Information Systems Audit And Control
  Foundation.
• Davern, A., Lee, M., Palafoutas, J. (2005).
  Sarbanes-Oxley section 404The section of
  unintended consequences and its impact on small
  business. Retrieved from http//www.aeanet.org/gov
  ernmentaffairs/AeASOXPaperFinal021005.asp
• Definition of the Term Significant Deficiency, 17
  Securities and Exchange Commission 210 and 240
  (2007).
• Financial Executives International . (2006).
  Sarbanes-Oxley section 404 implementation survey
  PowerPoint slides. Retrieved from
  http//www2.financialexecutives.org/news/404_surve
  y_4_6_06.cfm?
• Financial Executives International. (2005).
  Sarbanes-Oxley section 404 implementation survey
  PowerPoint slides. Retrieved from
  http//www.financialexecutives.org/EWEB/DynamicPag
  e.aspx?webcodeadv_SOX404_survey_3_21_05
• Gilbert Welytok, J. (2008). Sarbanes-Oxley for
  dummies (2 ed.). Indianapolis, IN Wiley
  Publishing, Inc..
• Giordano, R. E. (2007). Enabling efficient small
  and midcap Sarbanes-Oxley 404 compliance --
  Check the (Sar)Box. International Journal of
  Disclosure and Governance, 4(1), 42-51. Retrieved
  from http//proquest.umi.com

16
References

• Gupta, P. P., Leech, T. (2006). Making
  Sarbanes-Oxley 404 work Reducing cost,
  increasing effectiveness. International Journal
  of Disclosure and Governance, 3(1), 27-48.
  Retrieved from http//proquest.umi.com
• IT Governance Institute, (2006). IT control
  objectives for Sarbanes-Oxley. Retrieved from
  https//www.isaca.org/Template.cfm?SectionSecurit
  yCONTENTID45261TEMPLATE/MembersOnly.cfm
• IT Governance Institute, (2007). Cobit 4.1.
  Retrieved from http//www.isaca.org/Content/Naviga
  tionMenu/Members_and_Leaders1/COBIT6/Obtain_COBIT/
  Obtain_COBIT.htm
• Institute of Internal Auditors, (2008).
  Sarbanes-Oxley section 404A guide for management
  by internal controls practitioners. Available
  from http//www.theiia.org/download.cfm?file31866
  
• Keating, E. (2006). Sarbanes-Oxley Act how did
  we get here?. Retrieved from CasePlace.org
  http//www.caseplace.org/d.asp?d2644
• Linkous, J. (2008). Put the i in IT compliance.
  Communications News, 45(12), 26,28. Retrieved
  from http//proquest.umi.com
• Ramos, M. J. (2008). How to comply with
  Sarbanes-Oxley section 404Assessing the
  effectiveness of internal control (3 ed.).
  Hoboken, NJ John Wiley Sons, Inc.
• Sarbanes-Oxley Act, 7201 U.S.C. 107-2004
  (Public Company Accounting Oversight Board 2002).
  It can be found here http//www.sec.gov/about/la
  ws/soa2002.pdf
• Special Report A price worth paying? - Auditing
  Sarbanes-Oxley Sarbanes-Oxley. (2005). The
  Economist, 375(8427). Retrieved from
  http//proquest.umi.com

17
Questions Answers