Tests of Operating Effectiveness - Timing of Procedures

  • Hi,
    Currently, I am developing the control testing schedule for a ‘Year One’ entity and the assessment will be conducted by the auditor (PwC) in Q4 2007.
    In connection with controls testing:

    1. Is it necessary to test controls two times (Q2, and Q3) for the auditor to conclude during SOX assessment that the control is operating effectively?
    2. What is the best way to schedule and perform controls testing so that the auditor can place maximum reliance on the test results, but will still allow the Company to remediate control gaps if found during the first round of testing?
    3. Specifically, it would also be helpful if anyone has input on timing of controls testing procedures in connection with the following:
      3a. Financial Reporting Cycle - Conduct 2 quarters (Q2 and Q3) of controls testing since most of the controls are performed quarterly.
      3b. Revenue and Receivables Cycle - Conduct 1 or 2 quarters of controls testing (Q2 and/or Q3)?
      3c. Fixed Assets Cycle - Conduct controls testing in Q3 only?
      3d. Payroll Cycle - Conduct controls testing in Q3 only?
      3e. Purchasing-to-Payables - Conduct controls testing in Q3 only?
      For SOX IT:
      3f. Change Management - Conduct controls testing in Q3 only?
      3g. Security and Access - Conduct controls testing in Q3 only?
      3h. ITGC - Conduct controls testing in Q3 only?
      3i. SDLC - Conduct controls testing in Q3 only?
      As always, thank you for your feedback and thoughts.

  • Milan,
    I would respond as follows:

    1. You only need to have tests performed once in the year, but it is recommended that you test twice so as to ensure that you have adequate chances of remediating any deficiencies.
    2. It is best to perform the first set of tests as early as possible so as to ensure that your external auditors can perform their testing (they cannot start until you finish).
    3. I am not sure what you mean here. A general rule of thumb is that it takes about 3 hours per control to complete (this is an average only, as some will take 5 minutes and some, with larger sample requirements, may take longer, especially if photocopying of documentation is to be completed for your files).
