Sarbanes-Oxley Walkthrough Guidance for General IT Controls

This tool provides guidelines for a Sarbanes-Oxley walkthrough for general IT controls.
The four domains of general computer controls are: information technology entity-level; security; computer operations; and change control (SDLC, move to production, application/infrastructure maintenance).

Walkthroughs are conducted by the external auditor and are meant to: confirm the auditor’s understanding of the processes relevant to financial reporting and the design of relevant controls; confirm key risks and controls that affect financial reporting; evaluate the effectiveness of the control design; and trace a transaction from start to finish (“Test of one”). On control design, management has already represented that the controls documented in the Risk and Control Matrices (RCMs) provide reasonable assurance that the risks have been mitigated, and management must now provide the external auditor with sufficient insight into the control environment to reinforce the same conclusion.