“Good level of detail with S-OX compliance focus for reviewing GCCs.”
-Robert Friend, Senior Auditor, FTI Consulting
Information technology is a foundational component of most, if not all, financial transactions. The PCAOB and external audit firms have recognized the significance of general computer controls (GCC), and much has been learned about the approach to, selection of, and testing of general computer controls since Sarbanes-Oxley took effect.
In this two-day seminar you will gain a solid understanding of the entire methodology for testing general computer controls. You will cover documenting the GCC environment, identifying the key GCC for testing, developing test plans, executing test plans, identifying control gaps, developing remediation plans, communicating testing results, and performing follow-up assessment activities.
You will review the 12 general computer control areas identified by the Information Technology Governance Institute (ITGI) and generally recognized by the PCAOB and external audit firms as critical for testing GCCs. Specifically, you will explore the following 12 COBIT® control objectives:
• Acquire or Develop Application Software
• Acquire Technology Infrastructure
• Develop and Maintain Policies and Procedures
• Install and Test Application Software and Technology Infrastructure
• Manage Changes
• Define and Manage Service Levels
• Manage Third-Party Services
• Ensure Systems Security
• Manage the Configuration
• Manage Problems and Incidents
• Manage Data
• Manage Operations
You will also examine the practical details of how these objectives apply to “typical” IT environments and situations, giving you the background you need for your SOX compliance efforts. You will examine the components of a SOX IT testing program, including the relationship with the business process auditors, a methodology for determining the scope of work to perform, working with external auditors, and working with the IT organization where the GCCs reside.
You will look at compiling real-world GCC testing matrices based on common general computer control platforms and scenarios, identifying key control processes from example GCC narratives, and pinpointing control design gaps. You will then focus on developing and executing efficient test plans, using automated tools where possible and determining appropriate timelines. You will review the elements of workpaper documentation from a SOX perspective and use classroom exercises to walk through documenting and testing key controls from selected components of the 12 COBIT® areas.
Because SOX requires documenting control implementation gaps, you will practice identifying these gaps and creating risk-ranking criteria, potential remediation plans, compensating controls, retesting procedures, new timelines for retesting failed controls, and communication strategies to pursue with your external auditors. You will review lessons learned in the field and cover best-practice control techniques you can implement and test as part of your compliance program. You will outline efficient methods for leveraging automated technology vendor solutions to streamline information security implementation and testing requirements, along with techniques for implementing an efficient, effective, and sustainable SOX IT program.
Prerequisite: None
Advance Preparation: None
Learning Level: Intermediate
Delivery Method: Group-Live
Field: Computer Science