#60 | SOX Test of Effectiveness & Documentation
Here is an overview of what the testing training will cover. Our testing is on Test of Effectiveness, or TOE. We’re verifying that a control has been in place and that it operates as it was designed over a period of time.
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
In this training, we will cover the control description and what the test procedures mean. I’ll also go over what the lead sheet looks like and talk about the work paper documentation, which records how we’ve done our testing and our conclusions.
Lead Sheet & Control Descriptions
This is what we call a lead sheet, and it is part of our workpapers. Workpapers mean everything related to how we did testing for a control. A lead sheet is basically a sheet that summarizes all of the procedures that we’ve completed. I’m going to go through what each of these captions means so that you have an overview, and then we’ll dive specifically into the control itself.
Every lead sheet begins at the top with the (A) Company name. It also has the (B) Process Name and the (C) Fiscal Year.
Also, it has the (D) WorkPaper Reference. (E) Test Detail Sheet is the title of this sheet. The Process (F) we get directly from the RCM. The (G) Sub-Process narrows it down even more. (H) is the Control Owner, who is responsible for doing the control. Control ID (I) is the same as the control number. Then we have the (J) Control Description.
Test Procedures
The Test Validation Approach is the set of test procedures for how we are going to validate that the control works.
The (A) Test Method is about how you are going to test it. Observe means watching someone do it. Inspect means looking at the documents. Re-perform means redoing the whole procedure, and if you get the same results that the other person did, then you verify that it works.
The (B) Control Frequency is how often the control is performed. This comes from the risk control matrix.
(D) Control in Place Date means when the control was put in place. Some companies are very specific, for example stating that it was in place on January 1st. Sometimes, it’s different quarters. This just helps us know how often or how long this control has been in place so that we can select the right periods to test.
An example is if you put a control in place starting April 1st, you can only select samples after April 1st. Anytime from January to March 31st, when that control was not in place, you wouldn’t expect to have any samples. The (E) Sample Period is the period you are selecting samples from. Is it from Q1, Q2, or Q3? The (F) Population Size tells us how big our population is.
The population size is related to how we will derive the sample. (A) Sample Deviation is about how we derive how many samples we will select. This is just the method of how we come up with the sample size to test.
Next is the (B) Sample Size. This is where you’ll see it has Round 1, Round 2 and Round 3. In total, the 3 rounds have to equal 12.
For the (C) Source File, it’s very important that we have this so that anyone can retrace our steps.
Work Paper documentation
We have (A) Test Performed By. Who did the testing? (B) Date Testing Performed: what was the date that we performed the testing? For (C) Test of Design (TOD), we want to find out if it is effective or not.
Then we have (D) Test of Operating Effectiveness (TOE). Was it effective or not based on our samples?
At the very end, we have who the (A) Reviewer was for the work. What was the (B) Review Date? (C) Test Finding Assessment: was the testing effective or ineffective? At the end here, there are (D) Notes. These are notes about what we did and how we concluded that it was or was not an exception.
Summary
To recap, we discussed the overview and the objective of Test of Effectiveness or TOE and talked about the following: