Tester's scope

  • I would like to see how you view this situation:
    There is a control that an account analysis is prepared by Person A and reviewed by Person B. The design of this control is deemed effective.
    Person A and Person B signed off on this account analysis for a particular month. The SOX tester selected this month for testing, obtained the analysis and saw that Person B signed off as the reviewer, and deemed the control effective since the analysis was reviewed. Later on, it was uncovered that there was a non-mathematical error (e.g. used wrong assumption in analysis, etc.) in the analysis that neither Person A nor Person B detected.
    Would the SOX tester have done his job properly? I think that testers should do a reasonableness scanning of the analysis, and should be able to catch simple errors like mathematical errors. But are they responsible for catching errors that are non-mathematical, that are a result of management’s misjudgment of an analysis?

  • As you describe it, it would be difficult for a tester to identify the type of assumptions error you are referring to. Normally you are relying on the suitability/expertise of the reviewer to pick these things up. At first glance I wouldn’t see this as a failure by the tester.
    However, it is hard to generalise these things as you could have processes where the assumptions in a calculation - particularly where calculations are complex - would have their own control risks/objectives and separate controls.

  • It depends on the importance of the control. If we are talking about an area where a material misstatement of the financial statements is at least reasonably possible then management’s assessment or the external auditor’s audit should be an effective audit.
    How can you audit that a control works effectively? First you have to understand the process and the design of the control, then you pick a sample of executions of the control and reperform the control. If person B would really need to review the transaction and the assumptions going to the posting on the account in order for the control to be effective, then management’s assessor or the external auditor needs to do the same thing during their reperformance of a sample. If by chance your sample only covered executions of the control that did not contain errors then it is not your fault (that’s life if you use samples). Just checking whether some person B left a tickmark or signature is not an audit of the effectiveness of a control. Person B may have done no review at all and may have just left tickmarks and signatures.
