Testing 100%? 852
SOX-Migration last edited by
Anyone else’s external auditor telling them that management should test 100% of controls? Does anyone plan on doing this?%0AThanks.
Denis last edited by
Management should test what they deem sufficient to give them assurance over their system of internal control, the auditor has no say in the matter.%0AGenerally, I would not expect any company to need to test 100% of controls as you would expect to find that each financial statements risk/assertion is addressed by more than one control. You can cover off all your risks without testing every control.%0AFrom experience I would only expect to have to test around 30-40% of controls in any process to get sufficient assurance - you can test more if you want to, but you wouldn’t need to.%0ATell the auditor to take a running jump…
IrquiM last edited by
Ours are (D-and-T), and we will, as that will save cost on auditing fee, knowing where all the problems might appear, and trying to mitigate them before the external auditors come in.%0AThey will also, to some extend rely on our testing.%0AAll in all, we found that testing everything before the auditors come, might save us huge amounts of USUSD%0AEdit:%0AReading your question again, and thinking about it, we will test 100% of what the auditors will test, not 100% of the controls…%0AWe are going to test all the controls we’ve put as main/primary controls%0AMaking sure that all these are functioning as the are supposed to, keeps the auditors to go to our secondary controls for further testing when the main/primary ones fail.
ugogirl last edited by
Anyone else’s external auditor telling them that management should test 100% of controls? Does anyone plan on doing this?%0AThanks. %0AExternal auditors generally tell clients to take a ‘risk based’ approach. Idenfity risks, evaluate and rank those risks, determine what controls are in place or that need to be in place to address those risks. management may then select the ‘key’ controls to be tested based on the risk ranking. They may decide that high or medium risks should be addressed in testing first. In general, I’ve seen 100% testing of key or primary controls. The other non-key controls could be tested but may not be tested. They could be tested if the control would address a weakness in a primary control.
Arun70 last edited by
From what I understand the auditors are insisting on the management test All the controls. I think that this is a case of stretching it too far.
In our company (and also in many other organizations that I know) the management is testing all the Key controls (as against all the controls…). We (the management) identified the Key controls and agreed the same with the external auditors upfront and went about testing the key controls only.
I couldn’t agree more with Denis… Ask the auditors to take a running jump…
lekatis last edited by
Some auditors need to take a running jump.%0A100% testing… I remember the old good days.%0AI worked for a company as an external consultant. The case was classification of documents.%0A Their opinion: ’ Everything is important for us. 100% of our documents are secret’%0A 8O %0A If everything is secret, nothing is secret. Simply, everything is the same. Classification means finding the differences, putting in classes, having different procedures for different classes.%0ASend this auditor to a McDonald’s and ask him to say:%0A’I’d like some fries.’ %0AThe girl at the counter will answer:%0A’Would you like some fries with that?’%0A He may understand what is 100%
hdienno last edited by
Thanks for your feedback. And I apologize…I meant 100% of significant controls.
lekatis last edited by
It is necessary to test 100% of your primary controls. External auditors will test them too. %0AIn all audits of internal control over financial reporting, the external auditor must perform enough of the testing himself or herself so that the auditor’s own work provides the principal evidence for the auditor’s opinion.%0A %0AThe auditor may, use the work of others to alter the nature, timing, or extent of the work he or she otherwise would have performed. For these purposes, the work of others includes relevant work performed by internal auditors, company personnel and third parties.%0AThe extent to which the auditor may use the work of others depends on the degree of competence and objectivity of the individuals performing the work. %0A If the external auditor determines that management’s process for assessing internal control over financial reporting is inadequate… the external auditor will test everything and will not ‘use the work of others’ %0A You need more time and money. They will dig very deep. %0A External auditors will combine your weak controls will find weaknesses… A good combination of weak controls could create a material weakness…even if individually they are low on the scale