When should SOX testing automation become a management control?
Our internal audit team built a script that compares terminated employees in HR to active access in several systems. It catches real exceptions. I am unsure whether audit should keep running it every quarter or whether management should own it going forward.
Once the logic is stable and the activity is valuable as recurring risk monitoring, management should usually own it.
Why? Because a repeatable exception test is no longer just an audit convenience. It has become a detective control. Internal audit can help validate the logic, but if audit keeps operating the control quarter after quarter, independence starts to blur.
The better end state is:
- management owns the recurring automated review
- evidence and exception handling are documented
- internal audit tests the automated control's design and operation
For CIA exam questions, the strongest answer usually protects third-line independence while improving first-line monitoring.