A couple of weeks ago, I had written a post about how automated controls are different from manual controls. Today I would like to share my learnings on how to test automated IT controls. So if you are looking for some tips on testing automated application controls, stick around. The tips below can be used as a guide to the approach required to test automated IT controls. Here goes:

Use IOER - Automated controls should be tested using standard nature of tests. This means the IT auditor should use inquiry, observation, examination and reperformance. Testing automated controls is similar to manual controls in this respect.

Test All Business Conditions - All automated controls which support an entities financial applications need to be tested. Testing should ensure that all business scenarios relevant to internal controls over financial reporting are tested to ensure completeness.

Reperformance in Test Environment - Autoamted controls which require reperformance of the control activity should be tested in a test environment. Such test environment should be a replica of the most recent production environment. Reperformance of controls in production environment should be avoided.

Positive Vs Negative Testing - Automated controls should be tested to ensure they work both ways. Simply speaking the IT auditor should conform that application controls work effectively to ensure that all authorized transactions are allowed and all unauthorized transactions are disallowed. This can be done with a thorough knowledge of the business rules and processes.

Configurations Testing - Automated controls require an auditor to test how financial systems have been set up. Checking the system configuration should be done in the production environment. Auditors can take screenshots of the system as evidence of system setup.

More On Sarbanes Oxley

Control Self Assessment & SOX 404
Audit Techniques - Walkthrough
Scoping for ITGC
Role of Process Owners in 404 Compliance