Termination Testing -- What Gets Tested
(Abbreviations used throughout: CD = control deficiency, SD = significant deficiency, MW = material weakness, MC = mitigating control, TOD = test of design, TOE = test of operating effectiveness.)
| Scenario | Classification | Why |
| Single late disable, isolated human error | CD | One-time, not systemic |
| Late disable because the HR-to-IdP batch sync has a structural gap (e.g. no run on weekends or after hours) | SD | Systemic: every future Friday/weekend termination hits the same gap, regardless of who handles the ticket |
| IdP disabled on time BUT ERP app role never removed; access review fails to catch it | SD/MW | Two controls both fail; orphaned role persists indefinitely |
Key distinction: "No confirmed unauthorized login" is a compensating observation, NOT a cure. It reduces severity but does not eliminate the deficiency. It only counts if the authentication logs actually cover the whole window between termination and disable; if logging has a gap, "no confirmed login" means "no evidence either way" and carries no weight.
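The CD-versus-SD call in the table above turns on root cause, and the first thing to check is whether lateness tracks the batch calendar. The script below is an added example, not part of the original notes: it computes termination-to-disable lag over a constructed sample population (the dates, employee IDs and the 24-hour SLA are all assumptions) and flags the weekend/after-hours pattern that separates an isolated miss from a systemic gap.

```python
from datetime import datetime, timedelta

# Assumed SLA: IdP account disabled within 24 hours of the HR effective
# termination time. Replace with the SLA in the control description.
SLA = timedelta(hours=24)

# Constructed sample population (not real data). Timestamps are UTC,
# "YYYY-MM-DD HH:MM". Weekday comments are for the reader.
SAMPLE = [
    # (employee, hr_termination, idp_disabled)
    ("E001", "2024-03-04 17:00", "2024-03-04 17:15"),  # Mon, disabled by analyst
    ("E002", "2024-03-05 17:00", "2024-03-05 17:10"),  # Tue, disabled by analyst
    ("E003", "2024-03-08 17:00", "2024-03-11 02:05"),  # Fri -> Monday 02:05 batch
    ("E004", "2024-03-15 17:00", "2024-03-18 02:05"),  # Fri -> Monday batch
    ("E005", "2024-03-13 17:00", "2024-03-14 02:05"),  # Wed -> nightly batch, on time
    ("E006", "2024-03-23 10:00", "2024-03-25 02:05"),  # Sat -> Monday batch
]

FMT = "%Y-%m-%d %H:%M"
WEEKEND_TERMS = {4, 5, 6}  # Fri, Sat, Sun: no batch run until Monday


def lag_hours(hr_term: str, idp_disabled: str) -> float:
    """Hours between HR termination and the IdP disable timestamp."""
    delta = datetime.strptime(idp_disabled, FMT) - datetime.strptime(hr_term, FMT)
    return delta.total_seconds() / 3600


def late_records(sample, sla=SLA):
    """Employee IDs whose disable exceeded the SLA. Each one is an exception;
    how they are classified is a separate question."""
    return [emp for emp, term, disabled in sample
            if datetime.strptime(disabled, FMT) - datetime.strptime(term, FMT) > sla]


def weekend_gap(sample, sla=SLA):
    """True when every late disable is a Fri/Sat/Sun termination: the lateness
    follows the batch schedule, not the individual analyst, so the root cause
    is structural. A single late weekday record breaks the pattern."""
    late = set(late_records(sample, sla))
    if not late:
        return False
    for emp, term, _ in sample:
        if emp in late and datetime.strptime(term, FMT).weekday() not in WEEKEND_TERMS:
            return False
    return True


def suggested_classification(sample, sla=SLA) -> str:
    """Starting point for the deficiency call; root-cause review still decides."""
    late = late_records(sample, sla)
    if not late:
        return "no exceptions"
    if weekend_gap(sample, sla):
        return "SD: systemic weekend/after-hours batch gap"
    if len(late) == 1:
        return "CD: isolated exception, confirm root cause"
    return "multiple unrelated exceptions: root-cause each before classifying"


if __name__ == "__main__":
    late = set(late_records(SAMPLE))
    for emp, term, disabled in SAMPLE:
        print(emp, f"{lag_hours(term, disabled):5.1f}h", "LATE" if emp in late else "ok")
    print(suggested_classification(SAMPLE))
```

Run against the constructed sample, the three late records are all Friday or Saturday terminations disabled by the Monday batch, so the script points at SD rather than three separate CDs; swap in a population with one late Tuesday termination and it points at CD.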
SoD Classification -- The Decision Tree
| Situation | Classification |
| HIGH SoD + NO mitigating control at all | SD / MW -- unmitigated risk on SOX GL |
| HIGH SoD + MC that only reviews transactions above a dollar threshold (structuring risk: the conflicted user can split one payment into several below the threshold and never hit the review) | CD -- partial MC exists but incomplete |
| HIGH SoD + MC with 100% independent review coverage | Adequate -- fully mitigated if operating effectively (still needs TOE) |
| "Management is aware" of SoD | NOT a control -- awareness ≠ mitigation |
MW threshold: "Reasonable possibility" of material misstatement. No fraud needs to have occurred. The risk alone is sufficient.
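The threshold-gap row is the one that gets missed, because the MC looks fine until you ask what it does not see. The following is an added example, not from the original notes: a constructed role-assignment table and payment ledger (user IDs, vendors, amounts and the 10,000 review threshold are all assumptions) loaded into SQLite, with one query that finds users holding both sides of the vendor-maintenance/payment-release conflict and a second that finds their same-day payments to one vendor that each sit under the threshold but together exceed it.

```python
import sqlite3

# Assumed mitigating control: an independent reviewer approves every payment
# release at or above this amount. Below it, the releaser acts alone.
REVIEW_THRESHOLD = 10_000.0

ROLE_A = "VENDOR_MASTER_MAINT"   # can create/change vendor bank details
ROLE_B = "PAYMENT_RELEASE"       # can release payments to vendors

# Constructed role assignments and ledger (not real data).
USER_ROLES = [
    ("u_alice", ROLE_A), ("u_alice", ROLE_B),   # HIGH SoD conflict
    ("u_bob", ROLE_B),                          # release only: no conflict
    ("u_carol", ROLE_A), ("u_carol", ROLE_B),   # HIGH SoD conflict
]
PAYMENTS = [
    # (id, user_id, vendor, amount, posted_at)
    (1, "u_alice", "V100", 4_000.0, "2024-04-02 09:15"),
    (2, "u_alice", "V100", 4_000.0, "2024-04-02 10:40"),
    (3, "u_alice", "V100", 4_000.0, "2024-04-02 14:02"),
    (4, "u_alice", "V100", 4_000.0, "2024-04-02 16:30"),  # 16k split into 4 x 4k
    (5, "u_alice", "V200", 3_000.0, "2024-04-03 11:00"),  # single small payment
    (6, "u_bob",   "V100", 4_500.0, "2024-04-02 09:00"),
    (7, "u_bob",   "V100", 6_000.0, "2024-04-02 15:00"),  # split, but no SoD conflict
    (8, "u_carol", "V300", 12_000.0, "2024-04-04 09:00"), # above threshold: reviewed
]


def setup_db() -> sqlite3.Connection:
    """In-memory ledger loaded with the constructed data above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_roles (user_id TEXT, role TEXT);
        CREATE TABLE payments (id INTEGER PRIMARY KEY, user_id TEXT,
                               vendor TEXT, amount REAL, posted_at TEXT);
    """)
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", USER_ROLES)
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?)", PAYMENTS)
    return conn


def sod_conflict_users(conn) -> list:
    """Users holding both conflicting roles (the HIGH SoD population)."""
    rows = conn.execute("""
        SELECT DISTINCT a.user_id
        FROM user_roles a JOIN user_roles b ON a.user_id = b.user_id
        WHERE a.role = ? AND b.role = ?
        ORDER BY a.user_id""", (ROLE_A, ROLE_B)).fetchall()
    return [r[0] for r in rows]


def find_structuring(conn, threshold=REVIEW_THRESHOLD) -> list:
    """Conflicted users whose same-day payments to one vendor each stay below
    the review threshold but together exceed it: exactly what a threshold-based
    MC cannot see. Same-day grouping is an assumption; a rolling window is the
    usual refinement. Returns (user_id, vendor, day, count, total)."""
    return conn.execute("""
        WITH conflicted AS (
            SELECT DISTINCT a.user_id
            FROM user_roles a JOIN user_roles b ON a.user_id = b.user_id
            WHERE a.role = :ra AND b.role = :rb)
        SELECT p.user_id, p.vendor, date(p.posted_at) AS day,
               COUNT(*) AS n, SUM(p.amount) AS total
        FROM payments p JOIN conflicted c ON p.user_id = c.user_id
        WHERE p.amount < :t
        GROUP BY p.user_id, p.vendor, date(p.posted_at)
        HAVING COUNT(*) > 1 AND SUM(p.amount) >= :t
        ORDER BY total DESC""",
        {"ra": ROLE_A, "rb": ROLE_B, "t": threshold}).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("SoD conflicts:", sod_conflict_users(db))
    for hit in find_structuring(db):
        print("structuring candidate:", hit)
```

Setting the threshold to 0 models the 100%-coverage row: the structuring query returns nothing because every payment reaches the reviewer, which is why that configuration is "adequate if operating" and the threshold version is only a partial MC. u_bob's split is not returned; it is worth a look for other reasons, but it is not an SoD finding.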
TOD vs. TOE -- Never Confuse These
| Test | Question it answers | Evidence |
| TOD | "Could the control work?" (design, config) | Review policy docs, inspect config screens, walkthrough |
| TOE | "Did it actually work during the period?" | Sample logs, tickets, sign-off records, exception reports |
Config review = TOD only. A correctly configured MFA policy at the moment you inspect it says nothing about whether it stayed that way for the whole period, whether exclusion groups or bypass codes were used, or whether enforcement actually fired at login. Always need TOE evidence (sign-in logs, exception approvals, change history on the policy) for a SOX conclusion.
Provisioning Exceptions -- The Rule
- Control requires both approvals (mgr + data owner)? One missing = exception. Always.
- Role risk level affects severity of the exception, not whether it exists
- Verbal post-hoc confirmation = not valid TOE evidence
- SLA missed with no documented exception = exception, regardless of how close to the deadline
SSO Bypass Risk -- The Follow-Up Question
- Disabling the IdP account cuts SSO access only if the ERP has no accounts that authenticate locally (and password logon is not still enabled for the SSO users themselves)
- Always ask: "Are built-in ERP local/emergency accounts disabled or password-randomized?"
- SAP example: SAP* and DDIC are delivered default accounts that authenticate locally and bypass SSO entirely (EARLYWATCH, SAPCPIC and TMSADM are delivered defaults too). SAP* is also hardcoded in the kernel: if its user master record is deleted in a client while profile parameter login/no_automatic_user_sapstar is not set to 1, anyone can log on as SAP* with the default password PASS
- This is a TOD gap -- the control design is incomplete without addressing local account bypass
Sampling -- Know the Numbers
| Risk / Frequency | Sample Size |
| High-risk, daily/frequent (e.g. terminations, provisioning) | 40--60 |
| Moderate risk | 20--30 |
| Low risk | 10--15 |
Small sample (5--8) on a high-risk control = insufficient for SOX conclusion unless documented rationale exists. "Manager approved it" is not sufficient rationale.
Didion connection: The auditor who writes "management is aware" and closes a Material Weakness candidate has located their professional standard in managerial approval -- not character. That is Didion's definition of the loss of self-respect, applied to audit practice. Each such closure is fresh footage in the interminable documentary.