First Year Testing Guidance 1573

  • Hi All,
    I am working with a Multinational telecom company, as part of a testing team for the controls which have been designed by the Internal and external SOX team. Before the testing is to commence we need to identify issues which we might be expected to encounter in the process. Since i am part of the internal audit function within the organization the issues i have suggested are pretty standard, the sort which would be expected to occur in any form of control testing.
    I was wondering whether my suggestions were complete. Since SOX 1st year SOX testing has been complete in the US they may have a better insight on what to expect and what not to expect. I am hoping here that someone might guide me on where I can perhaps find out what issues a testing team should expect. Obviously, since most work done in this area is confidential so I am expecting maybe a more generic view on this which allows test planning to be completed in a way where we can include additional time and resources for unexpected occurances with a more accurate test plan.
    I would appreciate anyones guidance on this matter.

  • Our internal audit team performed the testing in the first year and then passed on to the process owners in year 2. We (wrongly) assumed that the process owners could follow the prior year audit test workpapers in order to perform the year 2 testing. Our results varied widely as to compliance with those performing testing who had some prior public accounting background performing the best and those who were outside of accounting (HR, IT) on the low end.
    My advice would be to ensure that you have a strong training program in place to cover testing requirements (sample size selection, test documentation, etc) working through some real examples.

  • We performed a combination of self-assesment and independant (i.e. Internal Audit) testing. Sample sizes different in each case

  • Ok i am really newbie …why??..i am guessing the sample size was greater for the self assessment and smaller for the internal auditors for more assurance.
    Second thing, did you change the sample size after testing to increase the level of assurance from the testing? if so was this a serious concern? because my point of view on this whole thing is that if this causes a significant delay in completing the testing we should actually build this time into our test plan so that we can be sure that we do not finish after the proposed end date as per the test plan.
    Appreciate your help on this.

  • Sample size for internal audit is more formally dictated. Extent of testing for self-assessment is more at the discretion of the process owner.

Log in to reply