In a recent post of his on LinkedIn, Joseph Kassapis wrote:
I was reading a typically excellent blog/post of Norman Marks on Control Testing (in the context of commenting on 2 reports on SOX Controls Testing), and was struck and intrigued by his insistence/emphasis on testing “Data” in the mistaken impression that this amounts to testing the Control(‘s effectiveness). He named this twice in his post as a fallacy/defect in the reports, and it instantly caught my attention, being something I always found extremely interesting and important: to what extent correct output can be taken to mean/evidence correct mechanism.
…
External Audit standards, as I fairly confidently recall/understand, expressly preclude this position, i.e. state that the correctness of the recorded transactions, as regards their aspects controlled by the control, can in no way and under no circumstances be taken as evidence of soundness/effectiveness of the control; and I sort of ‘resented’ this, regretted it, wished it was not there; without actually being able to really/genuinely fault it, logically; rather minding its being inconvenient, making things harder, depriving us of easy tests and forcing us to conceive harder ones, (towards the already very hard task/goal of attaining satisifaction of effective functioning of…
