SOX Testing for IT

A Handbook for the Consultants Testing IT Application Controls
Member Submitted

there needs to be a healthy relationship among the team. It is highly probable that the IT consultant will become annoyed by the continuous clarification sessions he has with the SOX guy. But it is up to the SOX guy to make the IT consultant feel he is not being bugged. One simple way to lessen the friction is to consolidate all the doubts and then approach the IT consultant to get them clarified in one go, unless something requires immediate clarification.

A couple of other things that might provide a positive outlook are:

  1. Saving a spreadsheet or any other document in printable format (with the print area and dimensions set)
  2. Saving the spreadsheet with the cursor on cell A1
  3. Having proper folder structure and naming conventions for all the documents
  4. Keeping the work area organized
  5. And most importantly, a smile on the face

The items listed above might not seem like much on the surface, and might not even seem related to SOX, but when followed, they have a positive impact that ultimately helps in getting things done easily.

c) Innovation
It is true that hiring a SOX consultant would reduce the burden on IT consultants. But for the price they pay for a SOX consultant, some form of innovation will always be expected.

Though SOX consultants do not do coding or much creative work, there is always scope for innovation in the work they do. For example, assessing how the controls testing was done previously and providing recommendations to optimize it can be a good starting point. Also, creating walkthroughs of the various stages of SOX testing would serve well when a newcomer arrives on the scene.

One good advantage that a SOX consultant has is the lull period in his work. The SOX guy may not be busy all year round. Once a deadline is achieved, until the next testing period starts, he might have valuable time to his credit to do innovation. If properly planned, the spare time can be utilized to perform innovations of monstrous capacities.

Task Demarcation
"One man can be a crucial ingredient on a team, but one man cannot make a team."

True to the quote above, there cannot be success unless the SOX and IT consultants work together (but maybe in the ratio 70:30).

There are some things that need to be tested only by a person who has immense knowledge of the application. Even though a SOX tester might know the application well, he might not be familiar with the intricacies of a system. Cases like simulating an error need to be done by the IT person, with the SOX consultant as a witness, to ideally certify a control. All such factors ought to be kept in mind while drawing a line between the tasks of the SOX consultant and the IT AD. A sample task demarcation can be as follows:

SOX Consultant

  • Help the IT AD to understand the guidelines
  • Distribute a checklist of what is required from IT for a control
  • Obtain the evidences with the help of IT AD
  • Help IT to obtain signoffs from IT and business management
  • Validate the evidences
  • Document all evidences and signoffs with acceptable naming conventions in proper folder structures

IT AD

  • Understand the guidelines
  • Provide the evidences according to the guidelines to the SOX consultant when they cannot be obtained directly by the consultant, e.g., simulating an error condition
  • Review the documents, signoff verbiages and provide email signoffs on them

All the issues in SOX testing arise due to lack of clarity


AgileConnection is a TechWell community.
