#59 | SOX Walk-through Overview
In this session, I will be reviewing with you a SOX Walk-through and an example of documentation and what level of detail is needed so that auditors can rely on your work.
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
Objectives of Walk-through
There are two objectives to a walk-through:
- Test of Design (TOD) – which verifies that a control is designed appropriately and that it will prevent or detect a particular risk
- Test of Effectiveness (TOE) – although it’s less reliable, it is use for verifying that the control is in place and it operates as it was designed
It’s a great test if your control only happens once a year because there’s only one sample to test. When your control happens multiple times throughout the year or a period, a walk-through will only satisfy as one sample.
Here is an example of a control description. This is the review and approval of the journal entries.
- Control Activity- describes the control in detail. In this case, the journal entries are reviewed by a person at a higher level than the preparer, and the reviewer will validate specific items
- Frequency – how often the control happens
- Control Owner – person who is doing this control
- PBC Request – in order to do the walk-through procedure, we need a sample. Once we request it, we’re going to get evidence of the review and approval, the detail listing and the spreadsheets that support it, and any of the required system generated reports.
- Walk-Through Procedures – it tells us the steps we need to take to test this control. First we are going to select a sample for the journal entry. Next, get evidence and review it.
- Source Files – tells us the files used in the testing. We list the name of the actual source report and who we got it from. In this case, it’s going to be the report, “JE listing with selection softcopy.” We got it from Black Widow. We want to put the name of the documents that we used because it helps anyone retrace our steps.
Here is the comment section. Once you completed the testing, you’re going to write some very specific comments. In our example, it says, “A2Q2 obtained the population, the JV report generated from Oracle for Q1 2016. We randomly selected a JV as the walk-through sample.”
If you go back to the test procedures, it says, “Get evidence of independent approval and examine.” These are the 5 steps to complete. When we do the walkthrough, what we’re writing are the results of the 5 steps.
If everything matches, the conclusion is this design is effective. There are times when it may be design ineffective, and that is what we would be writing for our walk-through procedures.
That’s an overview of how you document for walkthroughs.
To recap, we discussed the following:
Leave a Reply