Chapter 17. Testing Internal Controls

Internal control has always been important. However, passage of the Sarbanes-Oxley Act of 2002 by the U.S. Congress increased management’s awareness of this importance. Under this law, both the CEO and CFO must personally certify the adequacy of their organization’s system of internal control. An improper certification may result in criminal or civil charges against the certifier.

This chapter focuses on the internal controls within software systems. It is important for the tester to know that there are two general categories of controls: environmental (or general) controls, and controls within a specific business application (internal controls). This chapter covers three types of controls in the latter category (specific business application controls): preventive, detective, and corrective. The chapter then explains how to evaluate controls within an information system.


There are two systems in every business application: the system that processes transactions and the system that controls that processing (see Figure 17-1). From the perspective of the system designer, these two are designed and implemented as one system. For example, edits that determine the validity of input are included in the part of the system in which transactions are entered; those same edits, however, belong to the system that controls the processing of business transactions.

Figure 17-1. The two systems in every business application.

Because these two systems ...
