Appendix:
Understanding the Sarbanes-Oxley Act
The frequency of the tests will vary depending on what is being tested. For
example, a control that requires the IT department to follow the written backup
procedure regularly may be tested only annually, but a control that general ledger
accruals are being done properly might be tested quarterly. It's usually up to the
company's controller and internal audit staff, perhaps with feedback from the external
auditors, to devise a schedule that makes the most sense.
Sometimes testing is done on all cases of a particular procedure, and sometimes
only a subset is tested. If there were only three changes to an accounting system
over the year, and the change control process is being tested, it would make sense
to examine each change control document. On the other hand, if a control applied
to every purchase order the company generated, and the company generates 10,000
purchase orders every year, then a subset would be tested. A testing subset may be
a random selection, or it may be only the most expensive orders. The auditors will
determine what sort of testing should be done.
Deviations from Internal Controls
Since we're all human, and since the designers of internal controls cannot anticipate all
possible events that may impact a particular control, it is certain that occasionally there
will be deviations between written procedures and what was actually done. Perhaps
a key employee was sick, and her replacement didn't realize that some particular
task needed to be performed, or perhaps an employee wasn't properly trained on a
procedure.
I like to say "there are only two kinds of people in a regulated company: those who
have deviated, and those who will deviate." Deviations from management systems
such as internal controls should be expected. What is important is that the deviations
are detected (perhaps by a downstream control or from an audit), that some form
of cause and risk analysis is performed, and that corrective action is taken and
documented.
The point is that a good system of internal controls should have as one of its
components a procedure for handling deviations and corrective actions.
Sample SOPs
Following are some examples of IT procedures that come from a small public company
that stood up to repeated testing by both large and small audit firms. Certainly, your
company's procedures will and should be different, but the following examples should
give you a sense of effective IT procedures.