SOX Engine: Risk Mapping
Prepared by: Sarah Chen (Auditor)

Summary: 5 assertions mapped, 13 financial accounts, 15 controls
F/S Assertions (number of controls mapped to each)

Assertion            | Controls
Existence            | 14
Rights & Obligations | 7
Valuation            | 3
Completeness         | 9
Accuracy             | 2
Controls

ID           | Status               | Category          | Control                                    | Assertions                                                    | Financial accounts
ITGC-AM-001  | fail                 | access management | Timely Termination of Access               | Existence; Rights & Obligations                               | All Financial Accounts (system-wide access)
ITGC-AM-002  | pass_with_exceptions | access management | Periodic User Access Reviews               | Existence; Rights & Obligations                               | All Financial Accounts (system-wide access)
ITGC-AM-003  | fail                 | sod               | Segregation of Duties — Conflict Detection | Existence; Valuation; Rights & Obligations; Completeness      | Accounts Payable; Cash & Equivalents; +2
ITGC-AM-004  | pass                 | access management | Privileged Access Monitoring               | Existence; Rights & Obligations                               | All Financial Accounts (system-wide access)
ITGC-CM-001  | pass_with_exceptions | change management | Change Approval Documentation              | Existence; Completeness; Valuation                            | All Financial Accounts (system-wide)
ITGC-CM-002  | pass                 | change management | Developer Access to Production             | Existence; Completeness                                       | All Financial Accounts (system-wide)
ITGC-CM-003  | pass_with_exceptions | change management | Emergency Change Procedures                | Existence; Completeness                                       | All Financial Accounts (system-wide)
ITGC-OPS-001 | pass_with_exceptions | it operations     | Backup Completion Verification             | Existence; Completeness                                       | All Financial Data (recoverability)
ITGC-OPS-002 | pass                 | it operations     | Batch Job Monitoring                       | Completeness; Accuracy                                        | All Financial Accounts (batch processing)
ITGC-OPS-003 | pass                 | it operations     | Incident Response Documentation            | Existence; Rights & Obligations                               | All Financial Accounts (incident impact)
ITGC-AM-005  | pass                 | access management | Password Policy Enforcement                | Existence; Rights & Obligations                               | All Financial Accounts (authentication)
ITGC-AM-006  | pass_with_exceptions | access management | New User Provisioning Authorization        | Existence; Rights & Obligations                               | All Financial Accounts (system-wide access)
ITGC-CM-004  | pass                 | change management | SDLC Testing Documentation                 | Existence; Completeness; Accuracy                             | All Financial Accounts (system integrity)
ITGC-OPS-004 | pass                 | it operations     | Database Direct Access Restriction         | Existence; Completeness; Valuation                            | All Financial Accounts (data integrity)
ITGC-OPS-005 | pass                 | it operations     | Security Log Monitoring & Alerting         | Existence; Completeness                                       | All Financial Accounts (detection capability)
Financial Accounts (controls mapped to each account, with pass/issue counts)

Account                                       | Controls | Pass | Issues
All Financial Accounts (system-wide access)   | 4        | 1    | 3
Accounts Payable                              | 1        | 0    | 1
Cash & Equivalents                            | 1        | 0    | 1
Revenue                                       | 1        | 0    | 1
General Ledger                                | 1        | 0    | 1
All Financial Accounts (system-wide)          | 3        | 1    | 2
All Financial Data (recoverability)           | 1        | 0    | 1
All Financial Accounts (batch processing)     | 1        | 1    | 0
All Financial Accounts (incident impact)      | 1        | 1    | 0
All Financial Accounts (authentication)       | 1        | 1    | 0
All Financial Accounts (system integrity)     | 1        | 1    | 0
All Financial Accounts (data integrity)       | 1        | 1    | 0
All Financial Accounts (detection capability) | 1        | 1    | 0