Page 21 - CITP Review
key to fulfilling management’s P&P, and thus management will likely want to have them tested and
evaluated for operating effectiveness by the IA function or other applicable group.
For those controls that are tested, the CITP would evaluate the relative effectiveness of those controls.
For those deemed to be reasonably reliable, the financial audit could rely on those controls, which would
affect the nature, timing, and extent (NTE) of audit procedures.
That test could be a test of a single instance, a sample of one. Both the PCAOB and the AICPA have stipulated in their standards that, under the right set of circumstances, a test of one can be sufficient for an automated control. One way those circumstances are met is when the control objective has a dichotomous outcome, for example, the transaction was approved or it was not. The premise behind a sample of one is that an automated control, once shown to work, keeps working the same way for every transaction unless the program or its configuration is changed; the test is therefore only as good as the general controls over program changes and access that support that premise. Regardless, the CITP will need to develop a testing procedure that will result in sufficient evidence to evaluate the automated control.
Evaluate and test logical SoD
Logical SoD can provide the same kind of assurance that a manual SoD provides, either in gathering financial audit evidence or in evaluating the effectiveness of controls by B&I for internal purposes. Testing can begin with something as simple as verifying that logical access controls of some kind exist. This can be done by bringing up the critical application and seeing whether it presents a login, and if so, pressing ENTER at the user name and password prompts to see whether blank credentials are accepted, which would show that no passwords have been established. A successful blank login is itself a finding. A review of the application's technical manual should also reveal whether logical access control is part of that application.
Once the CITP determines that the application has logical access controls, the CITP would determine whether SoD is enforced within the system. Sometimes that can be done by reviewing the access table (the table in which the application stores the access rights it has granted) and comparing it to job descriptions or other documentation that describes roles and their corresponding access privileges: who is authorized to use that application, or a particular function of it, and at what level (no access, read-only access, read-write access, or module-specific access, e.g., reports only). The comparison should surface three kinds of exception: accounts that do not correspond to any current employee, users holding more access than their role entitles them to, and users holding combinations of functions that the role design intended to keep separate.
The objective of whichever test is chosen is to determine whether evidence exists that proper SoD has been implemented in the application, or whether the application lacks its own logical access controls, in which case any SoD must be enforced at another layer (such as the operating system or directory service) and tested there.
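The comparison described above, carried out in code: the following script is an added example written for this review and is not part of the CITP material or any vendor's tool. It takes a constructed CSV export of an application's access table, a constructed role-to-privilege matrix derived from job descriptions, and a constructed list of function pairs that must be segregated, and it reports orphan accounts, excess privileges, and SoD conflicts. The function names, roles, user ids and conflict pairs are all assumptions chosen for illustration.

```python
"""
Added example, not part of the CITP review text: a small access-review script of
the kind a CITP could run after exporting an application's access table. It
compares each user's granted rights against (1) a role-to-privilege matrix derived
from job descriptions and (2) a list of function pairs that must be segregated.
Every table below is constructed for illustration; the function names, roles and
conflict pairs are assumptions, not taken from any real system.
"""
import csv
import io

# Access levels named on the page, in increasing order of privilege. Module-specific
# access (e.g. "reports only") is modelled by listing the module as its own function.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed role matrix: what each job title is entitled to, per function.
ROLE_MATRIX = {
    "AP clerk":      {"vendor_master": "write", "invoice_entry": "write",
                      "payment_approval": "none", "reports": "read"},
    "AP supervisor": {"vendor_master": "read", "invoice_entry": "read",
                      "payment_approval": "write", "reports": "read"},
    "Controller":    {"vendor_master": "read", "invoice_entry": "read",
                      "payment_approval": "read", "reports": "read"},
}

# Constructed SoD rule: nobody should hold write access to both functions in a pair.
CONFLICT_PAIRS = [("vendor_master", "payment_approval"),
                  ("invoice_entry", "payment_approval")]

# Constructed HR listing (user id -> job title) and a constructed export of the
# application's access table, in the CSV shape such exports commonly take.
EMPLOYEES = {"jsmith": "AP clerk", "mlee": "AP supervisor", "rchan": "Controller"}
ACCESS_EXPORT = """user,function,level
jsmith,vendor_master,write
jsmith,invoice_entry,write
jsmith,payment_approval,write
mlee,payment_approval,write
mlee,invoice_entry,read
rchan,reports,read
tghost,reports,read
"""


def load_access_table(csv_text):
    """Parse the export into {user: {function: highest level granted}}."""
    rights = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = row["level"].strip().lower()
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} for {row['user']}")
        user_rights = rights.setdefault(row["user"].strip(), {})
        func = row["function"].strip()
        # Keep the highest level if the same function appears more than once.
        if LEVELS[level] > LEVELS[user_rights.get(func, "none")]:
            user_rights[func] = level
    return rights


def review_access(rights, employees, role_matrix, conflict_pairs):
    """Return a list of (user, finding_type, detail) for the auditor to follow up."""
    findings = []
    for user, granted in rights.items():
        role = employees.get(user)
        if role is None:
            # Account with no matching person: cannot be tied to any job description.
            findings.append((user, "orphan_account", "no matching employee record"))
            continue
        entitled = role_matrix[role]
        for func, level in granted.items():
            allowed = entitled.get(func, "none")
            if LEVELS[level] > LEVELS[allowed]:
                findings.append((user, "excess_privilege",
                                 f"{func}: granted {level}, role '{role}' allows {allowed}"))
        for a, b in conflict_pairs:
            if (LEVELS[granted.get(a, "none")] >= LEVELS["write"]
                    and LEVELS[granted.get(b, "none")] >= LEVELS["write"]):
                findings.append((user, "sod_conflict", f"write access to both {a} and {b}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(load_access_table(ACCESS_EXPORT),
                                            EMPLOYEES, ROLE_MATRIX, CONFLICT_PAIRS):
        print(f"{user:8} {kind:17} {detail}")
```

On the constructed data the script reports one excess privilege and two SoD conflicts for jsmith (an AP clerk who can also approve payments) and one orphan account (tghost). Two points for use on a real engagement: the role matrix is the auditor's evidence of what management intended, so it should be built from the job descriptions and confirmed with management before the comparison is run, and where the application defers to operating-system or Active Directory accounts rather than its own access table (see footnote 11), the export must come from that layer, including group memberships, or the review will miss rights granted indirectly.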
The CITP might also be interested in password policies, if the application or system provides for its own.¹¹ The objective is to determine whether standard best practices were followed in establishing password policies in the system, for example minimum length, complexity, expiration, history, and lockout after repeated failed attempts, and whether the policy is actually enforced by the system rather than merely documented.
Evaluate and test spreadsheet controls
A special case of application-level controls is that associated with office productivity applications such as electronic spreadsheets or DBMS. There is significant use of electronic spreadsheets in financial
¹¹ Some systems use the O/S access rights and password policy, either by default or by the administrator's choice at setup. For instance, Microsoft Dynamics and other products use Active Directory accounts and policies when Microsoft SQL Server and a Windows network O/S are being used to house the Dynamics applications. In that case the password policy to evaluate is the one configured in the directory, not in the application.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-13