Thread Title: System upgrade and SOX
Created On Tuesday February 14, 2012 1:43 PM


Auditmon


Posts: 20
Joined: Nov 2002

Tuesday February 14, 2012 1:43 PM


My company is performing a system upgrade to their ERP system. They will be upgrading through multiple versions. I believe they are on a very old version that came out in 2001 and are upgrading to the newest version that came out within the last year. There were many versions in between. They are planning on upgrading the month before our year end. The group in charge of the upgrade has stated that there will be no process changes as a result of the upgrade. I was wondering what implications such an upgrade has on SOX compliance. What should IA be concerned about? How do we go about validating that processes are not going to change? Documentation around the upgrade is weak at best (i.e. project plans, change management, testing, etc.).




Awdit


Posts: 33
Joined: Aug 2008

Wednesday February 15, 2012 1:59 PM



Not having documentation definitely makes it difficult for you. But also, it sounds like the group in charge does not have the proper experience to be managing this. This should be done as a project with defined costs, timelines, goals, testing, etc. or as you mentioned, change management. Will they at least test after each version upgrade?

Can you get information from the vendor or contact them to ask what processes may have changes to them between your current and the new version? That will at least narrow the focus. The only other thing is to do a basic Application Audit (input, processing, output, security) on the various pieces of the system once implemented.

Hopefully you can chat with the lead about the risks, what controls should be put in place prior to implementation and documentation of the process. You may want to follow that conversation up with an email outlining your discussion with the person and hold onto that.




Paul_M


Posts: 91
Joined: Apr 2003

Thursday February 23, 2012 9:54 AM


I agree with Awdit’s comment about this group’s lack of project management experience. If the group in charge of the upgrade truly believes there will be no process changes from the upgrade, they are either hopelessly naïve or terribly incompetent. There will be numerous process changes, many pretty minor but several will likely be significant. Just by way of example: when we did a version upgrade in our SAP Materials Management module last year, it generated 120 NEW segregation of duties conflicts. That’s because the new version changed some of the transaction codes in roles that everybody involved in inventory processing had. And if you are going thru multiple versions, the changes will likely be more pronounced.

Also, implementing new versions the month prior to fiscal year end is one of the worst practices, particularly if you are subject to Sarbanes Oxley.

Implementing version upgrades is no different than any other system implementation or change. Doesn’t your IT group have a standard system development and change methodology? If not, how did they ever pass a controls audit? Managing system changes is IT project management 101.





Seamus


Posts: 15
Joined: Jul 2011

Thursday March 15, 2012 9:11 PM


Hopefully your year end is not too close. When your external auditors come in they'll be looking to see what CM process was followed, how data integrity was tested, sign-offs, etc. Paul is 100% on the money...never change a system the month before year end. We avoid changing anything the last quarter if possible.

Also, making a leap across what is likely several major version changes will, like Paul said, cause process changes even if the guys doing the upgrade don't think it will.

You're better off holding off on the upgrade until after your new fiscal year starts. That way you only have to test one system, not both, and it will give you time to remediate any exceptions found during SOX testing at the beginning of your fiscal year.


The Institute of Internal Auditors • 247 Maitland Avenue Altamonte Springs, FL. 32701-4201 USA
+1-407-937-1100 • FAX +1-407-937-1101 • www.theiia.org