Sox Testing Compressed

This document discusses processes for testing internal controls under the Sarbanes-Oxley Act (SOX). It outlines a suggested sequence for SOX compliance including identifying key accounts and assertions, documenting processes and risks, documenting and assessing controls, and validating control operations through testing. The document focuses on validating control operations through testing, discussing how to select controls to test based on risk assessment, how to test design and operating effectiveness, and how the nature and timing of tests should relate to control risk.

Uploaded by Anil Reddy (71 pages)

SARBANES-OXLEY TESTING PROCESSES

Time for Review

•  Numerous SOX webinars include:
  •  SOX Overview
  •  SOX Authoritative Bodies
  •  SOX legislation standards
  •  SOX 404
  •  COSO Webinars
  •  SOX 302
  •  SOX 806, 902, 906
  •  Top Down Risk Assessment – Modules 1 and 2
  •  Evaluating ELCs (entity-level controls) and soft controls
  •  XBRL
•  Each is designed to fit together for a comprehensive understanding of SOX

Introduction
•  The SOX overview webinar course presented a suggested process sequence for complying with Sarbanes-Oxley
•  Let’s review

Sarbanes-Oxley Sequence
•  Accounting risk assessment (RA): define priority accounts to be reviewed; identify significant accounts, disclosures and relevant assertions
•  Document processes: document transaction flows that materially impact the FS (financial statements); use FS assertions to source risks
•  Source risks: what are the risks (“what could go wrong”)
•  Document controls: what are the controls, and who owns them; document controls at the source of the risk (preventive) or downstream in the process (detective)
•  Assess design: assess the effectiveness of control design; is the design of controls sufficient to address the potential of a MM (material misstatement)?
•  Validate operations: test the effectiveness of controls; how are the controls performing?
•  Report

Introduction
•  This segment will focus on the validation of operation
•  Validation of control operation is executed through tests of controls
•  Tests can be performed in multiple ways and will depend on the type of control
•  In some instances, several tests may be performed on one control

Agenda
•  Selecting controls to test
•  Testing design/operating effectiveness
•  Relationship of risk and evidence
•  Nature/timing of tests of controls
•  Key vs. secondary controls
•  Testing processes
  •  Inquiry
  •  Observation
  •  Re-performance
  •  Walkthroughs
  •  Data Mining

SELECTING CONTROLS TO TEST

Selection
•  Test those controls important to the conclusion about whether the assessed risk of misstatement to each relevant assertion is sufficiently addressed
•  This is a requirement per AS5 (PCAOB Auditing Standard No. 5)
•  This will require reference to your mapping of controls to assertions

Selection
•  There may be more than one control for a particular relevant assertion
•  Or, there may be one control that addresses the assessed risk of misstatement to more than one relevant assertion
•  It is not necessary to test all controls related to a relevant assertion or to test redundant controls

Selection
•  Whether to test a control depends on which controls (individually or in combination) sufficiently address the risk of misstatement to a given relevant assertion
•  It does not depend on how the control is labeled (e.g., ELC, transaction-level, control activity, monitoring control, preventive control, detective control)

DESIGN EFFECTIVENESS

Design Effectiveness
•  Testing of design effectiveness should occur prior to testing of operating effectiveness
•  The assessor evaluates the effectiveness of controls as designed and whether the design would adequately prevent or detect a material error
•  If the design is not adequate, process owners should reassess the design of the process
•  Testing of operation should not occur until the design of the control is validated as effective

Design Effectiveness
•  AS5 procedures to test design effectiveness include a mix of:
  •  Inquiry of appropriate personnel
  •  Observation of company operations
  •  Inspection of relevant documentation
  •  Walkthroughs

Design
•  Important! Design should be re-evaluated, at a minimum, each attestation year. Why?
•  Because everything changes: just because the design was adequate in previous periods does not mean it is still relevant
•  System changes, people changes, organization changes, control changes all impact design and effectiveness

Design
•  If your SOX process does not include a step to evaluate design each year, you are not following the directives of AS5
•  The result could be:
  •  Improperly identified controls
  •  Poor design
  •  Potential for significant deficiencies or a MW (material weakness)
  •  Problems with the CE (control environment)

TESTING OPERATING EFFECTIVENESS

Operating Effectiveness
•  Operating effectiveness is tested by assessing whether the control is operating as designed
  •  Includes evaluation of whether the person performing the control possesses the necessary authority and competence

Operating Effectiveness
•  Procedures to test operating effectiveness include a mix of:
  •  Inquiry of appropriate personnel
  •  Observation of operations
  •  Inspection of relevant documentation
  •  Re-performance of the control
  •  Data mining and analysis

RELATIONSHIP OF RISK TO CONTROLS TESTED

Risk
•  The evidence necessary to prove control effectiveness depends upon the risk associated with the control
•  The risk associated with a control is the risk that the control might not be effective and, if it is not effective, that a MW may result
•  When the risk associated with the control being tested increases, the evidence that should be obtained increases

Risk
•  Note: evidence about the effectiveness of controls for each relevant assertion must be obtained
•  However, the assessor is not responsible for obtaining sufficient evidence to support an opinion about the effectiveness of each individual control
•  The objective is to express an opinion on the company's ICFR (internal control over financial reporting) overall

Risk
•  This allows the assessor to vary the evidence obtained regarding the effectiveness of individual controls based on the associated risk
•  Factors that affect risk:
  •  Nature/materiality of the misstatements the control is intended to prevent or detect
  •  Inherent risk associated with the related accounts/assertions
  •  Changes in the volume/nature of transactions that might adversely affect control design or operating effectiveness
  •  Account history of errors
  •  Effectiveness of ELCs
  •  Nature of the control and the frequency with which it operates
  •  Degree to which the control relies on the effectiveness of other controls (e.g., the CE or ITGCs, IT general controls)
  •  Competence of the personnel performing the control
  •  Automated or manual control
  •  Complexity of the control and significance of the judgement used in executing it

Risk
•  The point is: the extent to which a control should be tested should be proportional to the risk of MM
•  Testing of controls should be WELL documented, with adequate supporting evidence to attest to the conclusion

SOX - NATURE OF TESTS

Nature
•  Some tests, by their nature, produce greater evidence of control effectiveness than others
•  The tests that provide the greatest evidence (from most to least) are as follows:
  •  Re-performance of a control
  •  Inspection of relevant documentation
  •  Observation
  •  Inquiry

Nature
•  Inquiry alone does not provide sufficient evidence to support a conclusion on control effectiveness
•  The nature of the tests depends on the nature of the control to be tested
  •  Includes whether the operation of the control results in documentary evidence of operation

SOX – TIMING OF TESTS

Timing
•  Testing controls over a greater time period provides more evidence than testing over a shorter time period
•  Testing performed closer to management's assessment date provides more evidence than testing performed earlier in the year

Timing
•  The assessor must balance performing the tests closer to the as-of date with the need to test controls over a sufficient period
•  The more extensively a control is tested, the greater the evidence obtained from the test

KEY VS. SECONDARY CONTROLS

Key vs. Secondary

•  There is no “official” definition of key vs. secondary controls
•  Key controls and non-key controls have certain characteristics
•  Ultimately it can depend on your company’s definition

Key Control
•  Key control: required to provide reasonable assurance that material errors will be prevented/detected timely
•  A key control is the only control that covers a risk of MM (it is indispensable to cover its control objective)
•  If it fails, it is highly improbable that another control would detect the failure

Key Control
•  A control that covers more than one risk or supports a whole process execution
•  Usually part of ELCs or high-level analytic controls
•  Must be tested to provide assurance over financial assertions (as part of SOX compliance)

Non-Key
•  Referred to as a sub-process, secondary, activity or operative control
•  Can fail without affecting a whole process
•  In place to monitor certain information
•  Has an indirect effect on the risk of MM
•  Should not involve significant transactions

Non-Key
•  Generally eliminated for testing purposes
•  If tested, walkthrough documentation is a useful tool
•  Could be evaluated under a Control Self Assessment (CSA) program
•  In the end, a key control keeps the really bad thing from happening (a MW)

TYPES OF TESTS

Types
•  Testing processes
  •  Inquiry
  •  Observation
  •  Re-performance
  •  Walkthroughs
  •  Data Mining

INQUIRY

Inquiry
•  Tests of inquiry often involve simple questioning of personnel regarding the existence of controls. Includes:
  •  Questioning of personnel responsible for the control
  •  Distribution of questionnaires and surveys
•  Inquiry will often occur during walkthrough processes
•  Inquiry alone is not sufficient to determine if the design or operating effectiveness of a control is adequate

Example
•  Reconciliation of accounts
  •  Ask responsible personnel if the reconciliation of accounts process is performed
•  Automated Maker/Checker
  •  Ask a user of the system if there is maker/checker functionality for a specific task (e.g., management approval of T&E reports)

Example
•  Annual Business Continuity Plan (BCP) Test
  •  Ask personnel who support the process whether a BCP test took place
•  In effect, “inquire” of the people responsible whether there is a control for the risk
•  Why is inquiry not sufficient?
  •  It does not provide tangible evidence to evaluate

OBSERVATION

Observation
•  Observation is when the assessor can affirm that the control exists by observing it
•  Typical methods of observation:
  •  Walk through operations to observe controls being performed, or ask to be shown evidence that the control was performed
•  Other examples:

Observation
•  Reconciliation of accounts
  •  Obtain a copy of the reconciliation paperwork
  •  Observe an employee perform a reconciliation
  •  Obtain management reporting to show whether a reconciliation was performed

Observation
•  Automated Maker/Checker
  •  Look at the computer terminal to observe that the application has a process to record manager approval
  •  Refer to database reports to show that the employee name and approving manager name are recorded

Observation
•  Annual BCP Test
  •  Obtain a copy of the BCP test documentation
  •  Observe the conduct of a BCP test
•  Why is observation alone not sufficient?
  •  People tend to do “the right thing” when being observed
  •  Assessors may not be able to observe all processes that are critical

RE-PERFORMANCE

Re-Performance
•  Confirms the control operates properly by independently re-performing the control
•  Typical methods of re-performance:
  •  Examine a sample of activity to confirm that the process and associated controls were performed according to procedures
  •  E.g., re-perform an inventory count
  •  E.g., re-perform a reconciliation

Re-Performance
•  In re-performance, also trace the information back to supporting or source documentation and recalculate the math or re-perform the decision process
•  Based upon the available information, determine if you would agree with the original decision of the person performing the function

Re-Performance
•  Reconciliation of accounts
  •  Re-perform a sample of the reconciliations to determine if the same results can be achieved
  •  Note: this is not confirming that the reconciliation was performed; it is confirming that the reconciliation achieved the correct results
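
The distinction in the note above (the worksheet exists versus the worksheet is right) is easiest to see in code. The following is an added example, not part of the deck: a hypothetical GL cash account, bank statement and preparer's worksheet, all constructed, with the assessor reconciling from the source entries and then comparing against what the preparer signed off. The `Entry`, `reperform` and `compare_with_preparer` names and all amounts are assumptions for the illustration.

```python
"""Re-performance of a bank reconciliation (added example, not from the deck).

Hypothetical data: a GL cash account, the bank statement for the same
period, and the preparer's signed-off worksheet. The assessor reconciles
independently and then compares against what the preparer reported.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    ref: str        # cheque/deposit reference present on both sides
    amount: float   # signed: receipts positive, disbursements negative


# Constructed sample data (assumed, not real company records).
GL_CASH = [
    Entry("DEP-1001", 12000.00),
    Entry("CHQ-2041", -3500.00),
    Entry("CHQ-2042", -1275.50),
    Entry("CHQ-2043", -800.00),   # issued, not yet cleared by the bank
    Entry("DEP-1002", 4400.00),   # deposit in transit
]
BANK_STATEMENT = [
    Entry("DEP-1001", 12000.00),
    Entry("CHQ-2041", -3500.00),
    Entry("CHQ-2042", -1275.50),
    Entry("FEE-0917", -25.00),    # bank fee never booked in the GL
]
GL_CLOSING_BALANCE = 10824.50
BANK_CLOSING_BALANCE = 7199.50

# The preparer's worksheet: lists the outstanding items, omits the bank fee,
# and still reports a difference of 0.00, i.e. the reconciliation was plugged.
PREPARER_WORKSHEET = {
    "outstanding_items": {"CHQ-2043": -800.00, "DEP-1002": 4400.00},
    "unrecorded_bank_items": {},
    "reported_difference": 0.00,
}


def reperform(gl, bank, gl_closing, bank_closing):
    """Reconcile GL cash to the bank statement from the source entries.

    An entry in the GL that the bank has not yet processed is an outstanding
    item (adjusts the bank side); an entry on the statement that is not in
    the GL is an unrecorded bank item (adjusts the book side). The residual
    is what the reconciliation cannot explain and must be investigated.
    """
    gl_by_ref = {e.ref: e.amount for e in gl}
    bank_by_ref = {e.ref: e.amount for e in bank}
    outstanding = {r: a for r, a in gl_by_ref.items() if bank_by_ref.get(r) != a}
    unrecorded = {r: a for r, a in bank_by_ref.items() if gl_by_ref.get(r) != a}
    adjusted_bank = bank_closing + sum(outstanding.values())
    adjusted_book = gl_closing + sum(unrecorded.values())
    return {
        "outstanding_items": outstanding,
        "unrecorded_bank_items": unrecorded,
        "adjusted_bank_balance": round(adjusted_bank, 2),
        "adjusted_book_balance": round(adjusted_book, 2),
        "unexplained_difference": round(adjusted_book - adjusted_bank, 2),
    }


def compare_with_preparer(worksheet, reperformed, gl_closing, bank_closing):
    """Return findings where the preparer's worksheet disagrees with re-performance."""
    findings = []
    if worksheet["outstanding_items"] != reperformed["outstanding_items"]:
        findings.append("outstanding items on the worksheet differ from re-performance")
    missed = set(reperformed["unrecorded_bank_items"]) - set(worksheet["unrecorded_bank_items"])
    if missed:
        findings.append(f"bank items absent from GL and from worksheet: {sorted(missed)}")
    # Recompute the difference the worksheet's own figures imply; a worksheet
    # that reports 0.00 while its figures imply otherwise was plugged.
    implied = round(
        (gl_closing + sum(worksheet["unrecorded_bank_items"].values()))
        - (bank_closing + sum(worksheet["outstanding_items"].values())), 2)
    if implied != round(worksheet["reported_difference"], 2):
        findings.append(f"worksheet reports difference {worksheet['reported_difference']:.2f}"
                        f" but its own figures imply {implied:.2f}")
    return findings


if __name__ == "__main__":
    result = reperform(GL_CASH, BANK_STATEMENT, GL_CLOSING_BALANCE, BANK_CLOSING_BALANCE)
    print("re-performed difference:", result["unexplained_difference"])
    for finding in compare_with_preparer(PREPARER_WORKSHEET, result,
                                         GL_CLOSING_BALANCE, BANK_CLOSING_BALANCE):
        print("FINDING:", finding)
```

Inquiry ("is the rec done?") and observation ("here is the signed worksheet") both pass on this data. Only re-performing from source entries shows that the worksheet omitted the 25.00 bank fee and reported a zero difference its own figures do not support.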

Re-Performance
•  Automated Maker/Checker
  •  Perform tests on the system using various hypothetical test cases to determine if the functionality performs as specified by the business and required by policy
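
The test-case approach above, as an added example that is not code from the deck or from any ERP: a hypothetical T&E approval workflow with the maker/checker rule enforced, a deliberately deficient variant that only checks the approver's role, and the cases an assessor would push through both. The `approve`, `approve_weak`, `run_test_cases` names, the `APPROVAL_LIMIT` of 5000 and the user directory are all assumptions.

```python
"""Re-performance of an automated maker/checker control (added example).

The approval rules, user directory and test cases below are hypothetical,
written to show how an assessor pushes test cases through an approval
workflow such as T&E report approval. Nothing here is a real ERP's code.
"""
from dataclasses import dataclass, field

APPROVAL_LIMIT = 5000.00   # assumed policy: a single manager may approve up to this


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


@dataclass
class Report:
    report_id: str
    submitter: str            # the maker
    amount: float
    status: str = "submitted"
    audit_trail: list = field(default_factory=list)


class ApprovalError(Exception):
    """Raised when the control rejects an approval attempt."""


def approve(report, approver, directory):
    """Maker/checker as it should be designed: checker != maker, checker holds
    the manager role, amount within authority, and the decision is logged
    with both names (the record the observation slide refers to)."""
    user = directory.get(approver)
    if user is None:
        raise ApprovalError("unknown approver id")
    if approver == report.submitter:
        raise ApprovalError("self-approval: maker and checker must differ")
    if "manager" not in user.roles:
        raise ApprovalError("approver lacks the manager role")
    if report.amount > APPROVAL_LIMIT:
        raise ApprovalError("amount exceeds approver authority")
    if report.status != "submitted":
        raise ApprovalError("report is not awaiting approval")
    report.status = "approved"
    report.audit_trail.append({"event": "approved", "maker": report.submitter,
                               "checker": approver})
    return report


def approve_weak(report, approver, directory):
    """A deficient design: only checks the role. It works for the happy path,
    which is why inquiry and observation alone would not expose it."""
    user = directory.get(approver)
    if user is None or "manager" not in user.roles:
        raise ApprovalError("approver lacks the manager role")
    report.status = "approved"
    report.audit_trail.append({"event": "approved", "maker": report.submitter,
                               "checker": approver})
    return report


def run_test_cases(approve_fn, directory):
    """Push hypothetical cases through the control; return {case: passed}."""
    results = {}

    def expect_rejected(name, report, approver):
        try:
            approve_fn(report, approver, directory)
            results[name] = False            # the control let it through
        except ApprovalError:
            results[name] = True

    def expect_approved(name, report, approver):
        try:
            r = approve_fn(report, approver, directory)
            last = r.audit_trail[-1]
            results[name] = (r.status == "approved" and last["checker"] == approver
                             and last["maker"] != approver)
        except ApprovalError:
            results[name] = False

    expect_approved("manager approves subordinate", Report("T1", "alice", 1200.00), "bob")
    expect_rejected("self-approval by a manager", Report("T2", "bob", 300.00), "bob")
    expect_rejected("peer without manager role", Report("T3", "alice", 300.00), "carol")
    expect_rejected("amount over authority limit", Report("T4", "alice", 9000.00), "bob")
    expect_rejected("unknown approver id", Report("T5", "alice", 100.00), "ghost")
    already = Report("T6", "alice", 100.00, status="approved")
    expect_rejected("re-approval of approved report", already, "bob")
    return results


# Constructed directory (assumed).
DIRECTORY = {
    "alice": User("alice", frozenset({"employee"})),
    "bob": User("bob", frozenset({"employee", "manager"})),
    "carol": User("carol", frozenset({"employee"})),
}


if __name__ == "__main__":
    for label, fn in (("as designed", approve), ("deficient design", approve_weak)):
        print(label, run_test_cases(fn, DIRECTORY))
```

The negative cases are the point: the deficient variant approves the happy-path case and rejects the non-manager exactly like the sound one, so a user answering an inquiry or a screen observed during a walkthrough looks identical. Only the self-approval, over-limit and re-approval cases separate the two designs.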

Re-Performance
•  Annual BCP Test
  •  Re-perform the BCP test or sample a portion of the test
  •  Execute the procedures or a “mock test” as outlined in the procedures

WALKTHROUGHS

Walkthroughs
•  Walkthroughs may be the most effective way to achieve the objectives for certain controls
•  The assessor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records
•  The assessor uses the same documents and information technology that company personnel use

Walkthroughs
•  Procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and re-performance of controls
•  Walkthroughs are often an area taken for granted
  •  The assignment may be given to young or inexperienced assessors

Walkthroughs
•  To properly perform a walkthrough, the assessor must have the knowledge, professional skepticism and understanding to ask probing and difficult questions
•  The assessor questions personnel about their understanding of what is required by prescribed procedures and controls

Walkthroughs
•  The goal is to gain a sufficient understanding of the process and identify important points where a necessary control is missing or not effectively designed
•  Don’t take walkthroughs lightly
•  Ensure walkthroughs are properly documented and observations of controls recorded

Walkthroughs
•  Suggested processes for walkthroughs:
  •  Have someone within the company, not associated with the process, be present for the walkthrough
  •  Utilize documentation (flowcharts/narratives) and walk through the transaction as described
  •  If documentation is inaccurate or does not include relevant key controls, ensure this is addressed
•  Walkthroughs can assist in identifying gaps prior to the external auditor's evaluation

Test Conclusion
•  A conclusion of ineffective operation can be supported by less evidence than is necessary to support a conclusion that a control is operating effectively
•  Because effective ICFR cannot provide absolute assurance, an individual control does not necessarily have to operate without any deviation to be considered effective

Test Conclusion
•  The evidence provided by tests of the effectiveness of controls depends on the mix of the nature, timing, and extent of the auditor's procedures
•  For an individual control, different combinations of the nature, timing, and extent of testing may provide sufficient evidence in relation to the risk associated with the control

DATA MINING AND ANALYTICAL

Data Mining
•  Data mining, the extraction of hidden predictive information from large databases, is a powerful new technology
•  Data mining tools predict future trends and behaviors, allowing businesses to make proactive, knowledge-driven decisions
•  The automated, prospective analyses offered by data mining move beyond the analysis of past events

Data Mining
•  Data mining tools can answer business questions that traditionally were too time consuming to resolve
•  They scour databases for hidden patterns, finding predictive information that experts may miss because it lies outside their expectations

Data Mining
•  From a SOX perspective, many firms use data mining to analyze trends in significant accounts
•  This analysis may identify gaps in controls
•  Mining is also used to identify potential trends or gaps that may result in fraud

Data Mining
•  Data analysis and mining can provide the assessor a broader range of evidence than pure statistical sampling
•  Data mining tools have become numerous, and new ERP systems also have significant query capability that may serve the purpose of some data mining

Data Mining
•  Uses often extend to:
  •  Evaluation of GL entries
  •  Examination of AP and Payroll
  •  Expenditure examination
  •  Information Technology ID usage
  •  Billing and revenue accounts
•  The list is only as narrow as the imagination
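
Two items from the list above, GL entry evaluation and IT ID usage, as an added example that is not from the deck or any vendor tool: a constructed user roster and a constructed month of journal lines, with whole-population tests for postings by inactive or unknown IDs, after-hours postings by human users, large round amounts, and duplicate vendor payments. The business-hours window, the 10,000 threshold, the `mine` and `summarize` names and every record are assumptions.

```python
"""Data mining over journal entries and user IDs (added example).

Constructed sample: a user roster from HR/IAM and a month of GL postings.
Each test runs over the whole population rather than a sample; thresholds
and the business-hours window are assumptions, not any company's policy.
"""
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)      # assumed: 07:00-19:59 local time, Mon-Fri
LARGE_ROUND_THRESHOLD = 10000.00   # assumed: round amounts at or above this

# Constructed roster (user id -> HR status and role).
USERS = {
    "u1001":   {"status": "active",     "role": "ap_clerk"},
    "u1002":   {"status": "active",     "role": "controller"},
    "u1003":   {"status": "terminated", "role": "ap_clerk"},
    "svc_etl": {"status": "active",     "role": "service"},
}

# Constructed journal lines: (entry id, posted_by, posted_at, vendor, amount, memo).
JOURNAL = [
    ("JE-1", "u1001",   "2023-11-03T10:12:00", "V-ACME",  1250.00,  "invoice 4471"),
    ("JE-2", "u1001",   "2023-11-03T10:40:00", "V-ACME",  1250.00,  "invoice 4471"),
    ("JE-3", "u1003",   "2023-11-04T22:15:00", "V-BOLT",  980.00,   "invoice 88"),
    ("JE-4", "u1002",   "2023-11-30T23:55:00", "",        50000.00, "accrual true-up"),
    ("JE-5", "u1001",   "2023-11-15T09:05:00", "V-NORTH", 310.25,   "invoice 2219"),
    ("JE-6", "svc_etl", "2023-11-16T02:00:00", "",        15.00,    "fx revaluation"),
]


def mine(journal, users):
    """Return {entry id: [flags]} for every entry that trips at least one test."""
    # Pass 1: duplicate-payment candidates, keyed on vendor, amount and memo.
    by_key = defaultdict(list)
    for eid, _, _, vendor, amount, memo in journal:
        if vendor:
            by_key[(vendor, round(amount, 2), memo.strip().lower())].append(eid)
    duplicates = {eid for ids in by_key.values() if len(ids) > 1 for eid in ids}

    # Pass 2: per-entry tests, in a fixed order so results are stable.
    flagged = {}
    for eid, posted_by, posted_at, vendor, amount, memo in journal:
        user = users.get(posted_by, {"status": "unknown", "role": "unknown"})
        ts = datetime.fromisoformat(posted_at)
        flags = []
        if user["status"] != "active":
            flags.append("inactive_or_unknown_user")   # ID should have been revoked
        if user["role"] != "service" and (ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS):
            flags.append("after_hours")                # batch/service IDs reviewed separately
        if amount >= LARGE_ROUND_THRESHOLD and amount % 1000 == 0:
            flags.append("large_round_amount")
        if eid in duplicates:
            flags.append("possible_duplicate")
        if flags:
            flagged[eid] = flags
    return flagged


def summarize(flagged):
    """Count how many entries tripped each test."""
    return Counter(flag for flags in flagged.values() for flag in flags)


if __name__ == "__main__":
    hits = mine(JOURNAL, USERS)
    for eid, flags in hits.items():
        print(eid, ", ".join(flags))
    print(dict(summarize(hits)))
```

A hit is a lead, not a conclusion: the period-end accrual posted late on the last day may be routine, while the posting by a terminated ID on a Saturday night is both an ITGC failure (access not revoked) and a transaction to trace back to source. Running the tests over every line is what gives the assessor evidence that a statistical sample of a few dozen entries could not.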

SUMMARY

Summary
•  There are many facets to the testing of key controls
•  Organizations must evaluate each method and determine which one will provide the most reliable evidence
•  Testing methods must be well developed and testing results must be well documented

Summary
•  This exercise must abide by AS5 requirements and ensure that those accounts that could significantly impact the FS are identified and tested
•  Don’t forget about the impact of entity-level controls and soft controls on potential control effectiveness
•  Ultimately, the testing and the analysis performed will be your support for your opinion on ICFR