Rollforward and Remediation Testing

  • I need some assistance understanding the regulations on rollforward and remediation testing.
    What areas do you test? How much supporting documentation needs to be obtained? Who makes this decision?
    What sample sizes should be used for re-testing (i.e. Backup and Recovery logs)? Do you re-test all of the deficiencies?

  • Rollforward testing - Any rollforward testing should take into account when the original testing was performed and the criticality of the control being tested. We have opted to test routine, transactional, low risk controls via inquiry at year end for our roll-forward testing. For other controls, we are testing a very small sample near year end to ensure that the controls are still effective.
    Remediation - We require retesting of all deficiencies. We perform full sample size tests once deficiencies have been remediated for daily and weekly controls. For less-frequent controls, if we test before we have enough occurrences of the control to allow a full sample (primarily monthly controls which have to operate for 2 months before retesting), we will test 100%.

  • Thank you.
    I understand remediation testing, but there is still some confusion on how to approach rollforward testing.
    For example, I was at a client on 7/10-7/14 performing original testing for Backup and Recovery, Information Security, Change Management, Job Scheduling etc. How much rollforward testing do I need to do as far as SOX goes? Do I need to look at logical access again or who the System Admins are for each app? Do I need to look at backup logs again? Who decides all of this?
    I ask all of this because I cannot find any information on rollforward testing and the regulations of SOX audits for IT.

  • With a good change management process in place, then the true system controls do not need to have roll-forward testing performed. Those controls with a manual aspect should have a small sample tested again near year end.
    To decide what controls should have roll-forward testing, you need to ask yourself what changes in controls could go undetected if they are not retested. System controls should not change. Any controls with a manual aspect are subject to change as humans are subject to error. From the population of controls with a manual aspect to them, those with the highest risk of error or any error leading to a potentially significant financial misstatement should definitely be physically retested. Those with a lower magnitude of risk can be verified through inquiry testing.

  • I would add some other ideas like:
    System controls may just need an inquiry process to support whether there have been changes.
    Manual controls: If there have been changes, you should test those controls. If there haven't been changes, you just need to take a smaller sample or use other lighter methods, like inquire/observe.

  • Roll Forward testing is normally performed when initial testing is conducted during the first six months of the year.
    I am using a sample of 15 for daily/multiple times daily, and the lower of 15% or 15 for as needed etc. This logic has been accepted by our independent auditors. I do not recollect the sample sizes for weekly, biweekly, monthly controls. But I can confirm if you need more guidance on this.
