Self-testing program 1979



  • Now entering year 2 of our compliance, we are thinking of asking the business to self-test. Do you have any experience with this? Any ideas or things to avoid? I am also trying to see if I could start with an existing template.
    Our idea is that the business would self-test and Internal would do some ad hoc tests during the year.
    Thank you in advance for all your ideas.
    Natacha



  • My company does 100% self test for all key controls with an internal audit review of all processes over a 3-year cycle (i.e. 1/3 each year).
    This has been accepted by the auditors and the recent PCAOB guidance would suggest that this can become more commonplace.



  • Denis,
    What are the procedures you have in place? Our auditors are KPMG and are interpreting SOX in the most conservative manner.
    For instance, if one of your controls is the review of a reconciliation, does the control performer (reviewer in this case) complete a checklist ensuring that he performed every step of his review? How do they go about it? Or is someone from another department testing him?
    Can you give me a specific example?
    Currently, our idea would be that each control performer would complete a checklist indicating the steps he completed and the information reviewed.
    Thanks in advance,
    Natacha






  • "What are the procedures you have in place? Our auditors are KPMG and are interpreting SOX in the most conservative manner."

    Remind KPMG that:
    it is the responsibility of management, not the auditor, to determine the appropriate nature and form of internal controls for the company and to scope their evaluation procedures accordingly

    "For instance, if one of your controls is the review of a reconciliation, does the control performer (reviewer in this case) complete a checklist ensuring that he performed every step of his review? How do they go about it? Or is someone from another department testing him?"

    Yes, typically this is exactly what we do. Processes are signed off by a process owner whose responsibility it is to ensure that all their key controls are operating effectively. They may delegate some of this testing, e.g. testing of automated controls by IT, but typically we would expect to see a detailed audit test plan with appropriate evidence of the test. For a rec we would expect 10 or so questions to be answered by the tester to indicate that the control is operating effectively.



  • Totally agree with you Denis that this is management’s prerogative to decide.
    I have toyed with introducing self certification myself and it would be interesting to see all the pros and cons of applying this methodology. When discussed recently we found ourselves focusing on three aspects:

    1. Non-compliance. We wanted to apply a model similar to Denis’ with cyclical testing however management felt they were not prepared to accept the risk that areas of the business may not comply and that these may be detected by the auditors before us because of the testing cycle.
    2. Independence. We recognised that self-certification lacked independence and is the weakest form of assurance. We piloted areas reviewing each other either through self certification or as a QA of that self certification. Unfortunately this became unworkable because of the internal culture, politics and time constraints within the organisation.
    3. Cost. Perhaps the greatest driver. As self certification is the weakest assurance the auditors were not prepared to rely on it as opposed to independent testing. At GBP1000 per day per auditor it was found that by employing an independent testing function the audit costs could be substantially reduced by more than the cost of that function. With the revised guidance encouraging auditors to rely more on third parties, coupled with a relaxation in the need for them to undertake full walkthroughs on every process I think there is yet further opportunity for cost savings in this area. Thus management end up with greater assurance at less cost.
      All this being said this gives rise to the risk that those involved with the processes become divorced from the requirement to comply with SOX. Therefore we have considered applying a model very similar to the one Denis describes but for our process design only - I guess you could call it baselining the manual processes. For the operation of the controls themselves we will probably stick with independent testing.


  • Souris,
    It may be worth noting that when KPMG submitted comments to the PCAOB with regards to the proposed new audit standard for SOX, they criticised the proposal that they could rely on management’s assessments without evaluation.
    pcaob.org/Rules/Docket_021/Comments/all.pdf
    This may indicate that your auditors would feel more comfortable with third-party involvement as opposed to self-certification…
    Theoretically, the more comfortable the auditors are with your work, the less assessment they will perform.



  • Hi
    I am working for a subsidiary of a US listed (NASDAQ) company, which is located in the Netherlands as Internal Auditor.
    This is our second year of SOX compliance.
    I am interested in the self test program but I wonder how it is operating.
    If I am correct, the control owner performs a quarterly assessment of the effectiveness of the control, which is executed by the control owner themselves.
    The assessment is performed and documented by the control owner. Internal Audit reviews the performed self assessment.
    How to determine if the control owner is competent and independent to perform a self assessment? Are the results of the self assessment combined with the employee’s appraisal? This is my biggest concern. You will understand there is a conflict of interests.
    How is the review of the assessment of the control owner performed? Is independent testing performed or is review of the assessment sufficient?
    Is the extent of testing by the external auditor changed after implementing the self testing program?
    I assume the external auditor will increase the extent of testing. Is this self testing program still cost effective?
    Could someone describe to me the steps taken to implement a self testing program?
    Thanks in advance.

