Process Owners (non-auditors) testing controls 1332



  • We’re about to begin our effectiveness testing (we’re a subsidiary of foreign filer) and we’re going to have some of the process owners test their own controls and I as the SOX Manager will test others which will be about a 50/50 split. I have created a file with instructions on how to test each control as well as the sample size and frequency to test. My concern is that the process owners are not auditors and what other pertinent instructions should I be providing them to ensure I receive a quality audited control? Also, does anyone have a good process of documenting their audit so as to get the information without causing a lot of administrative work. Again, they should be following my instructions, but I need proof that this was done.
    Thank you for your help.



  • Ensure that the test documentation lists the control to be tested, the support to be tested, the results of the individual tests of each piece of support and a conclusion as to the effectiveness of the control. Someone will need to review a sample of the test documentation to ensure that the tests are being properly documented.
    Provide examples to your testers of how good documentation should look. Provide them with a standard reporting format.
    If they follow your instructions, you should not have too many issues.



  • I agree with kymike.
    While I understand the desire to use process owners to test Key Controls to save money (consulting fees), I think that there are a few things that you can do (or, consider), as SOx Manager to increase the validity of the test results:

    1. If you have been authorized to supervise a certain number of process owners’ work hours, then the best use of those hours would be to test Key Controls of other process owners (i.e. not their own); which will increase the independence of the test with the temp auditor (process owner).
    2. If process owners test their own Key Controls, then you could select the test sample for them. (I’m a big fan of stat sampling in general, but a well-documented judgment sample chosen by a real auditor (you) is better than a sample chosen by a process owner.)
      Just a thought.


  • Thank you KyMike and John for your replies. This certainly helps. I will be reviewing all testing completed by the process owners, but I would really prefer to complete the testing myself so your insights help. Do either of you have a preferred testing template form that you especially like? I currently have all the data detail (you name it, I’ve got it) in an excel file and was planning on having the process owners merely complete another two columns for their testing (explaining what they looked at and their conclusion) in an effort to save everyone time. Any thoughts? Also, I planned on asking them to provide me with hard copies of documentation proving their testing and conclusion to support excel file. I am concerned that we’ll be generating a lot of paper or electronic files. Any thoughts?



  • Another thing to consider is whether or not your external auditor will rely on process owner testing. Our external auditors do not rely on process owner testing for their purposes. They do, however, rely on internal audit’s testing, thus saving some fees because they have to test less. We still utilize process owner testing to a large degree to test lesser controls that our external auditor doesn’t necessarily require testing on. This is expressly for our Certifying Officers’ sakes. They review all the process owner testing before signing the certifications for our 10Qs and 10K.
    Hope I helped.



  • Yes, you need to confirm whether your independent auditors would accept testing by process owners for reduction in their scope. For 302 and 404 purposes, it is acceptable, not sufficient for attestation by Independent Auditors.
    All the best.



  • External audit will be more apt to consider management testing and the related test results if a consistent and well thought out approach is used by management to plan and perform controls testing.
    A Leading Practice and approach for consideration:
    Initiate Control Certification Process Internal Audit notifies Control Owners of start of Internal Control Certification process.
    Owner: Internal Audit
    Certify Key Controls
    Control Owners review and certify the internal controls within their purview in the CAT.
    Owner: Control Owner
    Verify Key Controls
    Executives review and test a sample of internal controls and certify as to their adequacy in the CAT. They complete their review by signing a verification statement.
    Owner: Executive Owner
    Certification Questionnaire Review
    Internal Audit completes the Certification Questionnaire after meeting with each Executive Owner and reviews the document with the Executive Owner in order to address any unresolved issues.
    Owner: Internal Audit
    Discussion of Key Controls
    The Disclosure Committee consists of the General Counsel, the SVP of Internal Audit, the CFO, the Corporate CFO, the VP of Ethics, and the external auditor (observer role only).
    The committee discusses the results of the Internal Control Certification process (including controls not certified) and any significant changes in business processes, management turnover, systems implementation, and changes in internal control structure.
    Owner: Disclosure Committee
    Discussion of Key Controls
    The CFO and the SVP of Internal Audit discuss any control weaknesses and identified trends with the CEO.
    Owners: CFO and SVP of Internal Audit
    Sign Off on SEC Certification
    The CEO and CFO conduct a final discussion of the internal controls and then sign off on SEC certification.
    Owner: CEO and CFO
    Review Certification
    The audit committee reviews the certifi cation once the process is complete. Annually, the SEC certification is reviewed by the external auditor.
    Owner: Audit Committee



  • I agree with Milan - you also need to consider your resources - if you are relying on management - i suggest you provide a sumamry justifying why they are appropriate to carry out the work (ACA etc).
    If nothing else this can provide comfort to the externals and they may therefore reduce the sample size.
    However IA doing the work is best if you have the resource to do it



  • Independent auditors are looking for objectivity. As long as controls are tested by somebody independent of the process owner, the independent auditors would accept those efforts.
    This is based on professional experience with independent auditors on SOX efforts.



  • Before uploading the software on the system it should undergo the process of testing to debug all the errors occur during the process of working.



Log in to reply