Remediation and Operating time 2115
Comply last edited by
I am an internal auditor of a European subsidiary of an US company under SOX jurisdiction.
What is the procedure for performing a follow-up test / remediation testing in order to ensure the control is remediated properly and exception / deficiency is closed and the control is operating effective.
For example, I test April (monthly control) of Q2 and the control failed due timeliness. The control owner is notified and is able to complete May in time.
Could I select May for testing? If no exceptions occur, the control passes, thus considered as effective.
Last year, I always selected 2 samples as follow-up testing (remediation testing). If both samples pass, the remediation was completed, the exception / deficiency closed and the control considered operating effective.
In my opinion, a control should be operating for a defined time frame before you could consider a control effective.
The external auditor requires a certain time frame prior reporting period (year-end)
For a monthly control, 2 month, weekly control, 5 weeks.
Should this be applicable for the quarter-ends?
The documentation available does not provide me a satisfying answer.
Would appreciate your thoughts.
EMM last edited by
Ideally , your samples should be the same size of higher than your external auditor’s.
If a control failed the first time around, the sample size selected for remediation should be the same size as the control is not deemed to be in place until confirmed as in effect.
The sample can be reduced if you are rolling forward a test for year end and you have already passed the control test the last time around.
Testing should be on a continuous, periodic basis, with more reliance on the effectiveness to be based on testing and evidence of the existence of the controls in operation at year-end.