Sarbanes Oxley SOX 404 IT General Control Test Plan Templates Free Download


Download Free Sarbanes Oxley (SOX) 404 IT General Control Test Plan

- Obtain a copy of the organization’s SDLC methodology.

- Review the methodology to determine that it addresses security, availability and processing integrity requirements.

- Review the organization’s SDLC methodology to determine if it considers both the development and acquisition of new systems and major changes to existing systems.

- Review the methodology to determine if it addresses application controls.

- Consider whether there are appropriate steps to ensure that application controls are considered throughout the development or acquisition life cycle, e.g., application controls should be included in the conceptual design and detailed design phases.

- Review the SDLC methodology to ensure that the organization’s overall strategic direction is considered, e.g., an IT steering committee must review and approve projects to ensure that a proposed project aligns with strategic business requirements and that it will utilize approved technologies.

- Review the SDLC to determine if users are appropriately involved in the design of applications, selection of packaged software and testing.

- Determine if post-implementation reviews are performed on new systems and significant changes reported.

- Select a sample of projects that resulted in new financial systems being implemented.

- Review the documentation and deliverables from these projects to determine if they have been completed in accordance with the acquisition, development and planning process.

- Select a sample of technology infrastructure implementations.

- Review the documentation and the deliverables from these projects to determine if infrastructure requirements were considered at the appropriate time during the acquisition process.

- Confirm that the organization’s policies and procedures are regularly reviewed and updated as changes in the environment dictate.

- When policies and procedures are changed, determine if management approves such changes.

- Select a sample of projects and determine that user reference and support manuals and systems documentation and operations documentation were prepared.

- Review a sample of application documentation (including user documented policies and manuals) to determine if they comply with the policies and procedures that have been documented by the organization.

- Select a sample of system development projects and significant system upgrades (including technology upgrades).

- Determine if a formal testing strategy was prepared and followed.

- Consider whether this strategy considered potential development and implementation risks and addressed all the necessary components to address these risks, e.g., if the completeness and accuracy of system interfaces were essential to the production of complete and accurate reporting, these interfaces were included in the testing strategy.

- Select a sample of system development projects and significant systems upgrades that are significant for financial reporting.

- Where it was considered that capacity and performance were of potential concern, review the approach to load and stress testing.

- Consider whether a structured approach was taken to load and stress testing and that the approach taken adequately modeled the anticipated volumes, including types of transactions being processed and the impact on performance of other services that would be running concurrently.

- Select a sample of system development projects and significant systems upgrades that are significant for financial reporting.

- Determine if interfaces with other systems were tested to confirm that data transmissions are complete, e.g., record totals are accurate and valid.

- Consider whether the extent of testing was sufficient and included recovery in the event of incomplete data transmissions.

- Obtain a sample of system development projects and significant system upgrades that are significant for financial reporting.

- Determine if a conversion strategy was documented.

- Review the conversion testing plan.

- Consider whether the following were considered: data transformations, input of data not available in the old system, edits, completeness controls and timing of conversions.

- Determine if the conversion was included in acceptance testing and was approved by user management.

- Determine that a documented change management process exists and is maintained to reflect the current change process.

- Consider if change management procedures exist for all changes to the production environment, including program changes, system maintenance and infrastructure changes.

- Evaluate the process used to control and monitor change requests.

- Consider whether change requests are properly initiated, approved and tracked.

- Determine whether program change is performed in a segregated (non-production), controlled environment.

- Select a sample of changes made to applications/systems to determine whether they were adequately tested and approved before being placed into a production environment.


Attachments:

- sox-404-it-general-control-test-plan.png (73.1 KB)
- sox-404-it-general-control-test-plan.xls (64.5 KB)
