As security is such a major theme on the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.
Our server logs indicate some interesting mis-spellings: Sarbannes Oxley, Sorbane Oxley, Sarbanne Oxley, Sarbaines Oxley, Sarbanesoxley, Sorbanes Oxley, Sabanes Oxley, Sarbane Oxley, and Sarbanes Oaxley, to name but a few!
Sarbanes-Oxley Act Forum: Forums
The Sarbanes Oxley Act :: View topic - Roll forward testing
Posted: Wed Nov 23, 2005 12:41 am Post subject: Roll forward testing
Questions on roll forward testing.
 What is roll forward testing? Does it cover only testing of operating effectiveness for the last quarter or testing of 'amended' controls after the SOX audit whereby deficiencies are raised & required to be 'fixed' or 'amended', or both?
 What exactly is roll forward testing trying to achieve apart from supporting the management assertion of controls for the last quarter of the year?
 If SOX audit by external auditors is not completed till end of November and therefore organization do not know what their deficiencies are, do we still need to perform roll forward testing supposedly if there's no change to the process & your testing of samples were up to September?
 Is it required to perform roll forward testing on ALL controls or can we test on those really key controls?
In this subject, in fact, it all depends on the wish and objectives of the headquarters, in concordance with the external auditors. That said it all depends on how confident is local management on the control environment, comunication and risk assessment controls. Then, I believe we can go into the control activities. The size of the samples and the type of controls depends on that first step.
In previous experiences, we launched a quarterly representation letter where controllers/ financial directors stated compliance with internal policy (or not) and the existence of certain controls that was preventing the SOX team to perform quarterly roll forwards and testings. And this with the agreement of the external auditors of course.
Once a year, close to year end, controls were tested keeping the significance and materiality in mind.
Joined: Aug 10, 2004 Posts: 74 Location: Washington, DC
Posted: Sat Dec 03, 2005 11:38 am Post subject:
There are generally two types roll-forward audit procedures:
1. substantive tests of accounts and balances, and
2. tests of key financial controls.
The first type (substantive tests) refers to testing and account balance at an interim date and then testing the transactions between the interim date and the date of the financial statements. The most common accounts tested and then rolled forward to year end are accounts reveiveable (and the allowance for doubtful accounts) and inventory. See abrema.net/abrema/anal_proc_g.html for a good (textbook) definition.
The second type--SOx/control testing--is similar in the sense that controls are tested prior to the "as-of" date of management's assessment over the financial controls, and then "rolled forward" to the "as of" date. The rolling forward tests can include "inquiry," "observation," "inspection," and "walk through".
Basically, once a control is found to be effective (at interim), an auditor can perform as much testing as they need to assure (themselves) that the control is still effective, without having to completely re-test. The roll-forward tests don't have to include all procedures that were performed at interim (so that the audit work can be spread throughout the year which can be more efficient (i.e. less expensive)).
For a full discussion go to PCAOB's AS-2 ( pcaob.org/Rules/Rules_of_the_Board/Auditing_Standard_2.pdf page 246 "Examples of Extent-of-Testing Decisions" ) and the PCAOB's Staff Question and Answer #51 ( pcaob.org/Standards/Staff_Questions_and_Answers/2005/05-16.pdf )
Side note: There are times that people refer to "rolling forward" account balances. In this case, the ending balance from year 20x1 is rolled forward as the beginning balance of the account in year 20x2.
Joined: May 28, 2004 Posts: 35 Location: Philadelphia, PA- USA
Posted: Wed Dec 07, 2005 5:42 pm Post subject:
As John Malekar explains the Roll-Forward Testing" is key within the Sarbanes Perspective.
Practical explanation of Roll-Forward is - TESTING that would be conducted at a later point in the Audit Year that bridges the timing gap between the prior testing, but before the conclusion of the final audits for the financial year.
Specific to Sarbanes - the Auditors / Management need to attest effectiveness of the controls - for the entire 12 month period. Let us say that Company XYZ ends its financial year 12/31. If the audit teams complete majority of the testing - say by the end of Q2. Irrespective of the test outcome - Auditors need to perform additional testing towards the end of the year mainly to assure that the Operational Effectiveness of the controls - still remain optimal and that if any additional changes to the control environment since last audit- in this case from Q2.
Well planned quarterly audits and constant monitoring of the control environment for changes/ continued effectiveness would greatly minimizes the need for Roll-Forward testing and last minute demands from the external auditors. _________________ Madhav Vedula CISA
Sr.Internal Audit Consultant
We have both Internal and external Audits, I am curious as to why we do yearend testing and then still need to supply evidence for a roll forward questioner, my VP, Senior Operations Director and myself as Change Management Manager state that there have been no changes since yearend testing, the external auditors also sends us a roll forward questioner asking the same but do not require another round of samples since yearend testing has essentially just completed all the way through mid-December, and we are fairly confident that there have been no changes for the last two or three weeks. Yet our internal audit still ask for this, we are a company that was bought by another company, we are under that umbrella..can they just say do it no matter what?? Any policies or guidelines on this?
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.