
Appendix I – SOX methodology

Scope and financial reporting risk assessment ............ 2
Planning and risk classification ............ 2
    Planning materiality (PM) ............ 2
    Tolerable error (TE) ............ 3
    Quantitative and qualitative risk ............ 3
    Identification of significant items ............ 5
    Overall account scoring ............ 7
Process documentation ............ 7
    Narrative ............ 7
    Use of service organizations ............ 7
    Critical spreadsheets and other end-user computing (EUC) tools ............ 8
Control inventory ............ 11
    Overview ............ 11
Sample size guidance ............ 14
    Sample size splitting protocols ............ 14
    Splitting samples on controls at multiple locations ............ 16
    Sample selection methods ............ 17
Testing process ............ 18
    Design ............ 18
    Execution ............ 18
    Documentation ............ 19
    Evaluation/interpretation ............ 19
    Conclusion ............ 19

Scope and financial reporting risk assessment

Scoping involves determining the documentation necessary and the nature, timing and
extent of testing of controls to be performed for each significant account, disclosure and
business process. The company must identify the significant accounts and components
that will be subject to SOX. A risk assessment is completed to assist in the determination
of significant accounts. The financial reporting risk assessment is a tool used by
management to identify and analyze risks relevant to the preparation of financial
statements. The resulting classification rates the risk of material misstatement in the
significant accounts and related assertions of the financial statements.

Objective

This classification is utilized during planning and scoping and throughout the year to
determine the nature and extent of documentation and testing that is to be performed by
management. An effective risk analysis results in an assessment by management that
focuses resources on those areas of highest risk to ensure that a direct relationship is in
place between the risk that a material weakness could exist in a particular area of the
company’s controls and the amount of attention during management’s documentation
and testing of the related controls. Additionally, the risk assessment offers an opportunity
to reconcile management’s perception of risk with that of the external auditors.

Approach

The risk assessment is an integral part of a top-down approach that focuses first on
company-level controls, significant accounts, significant processes and then on
individual controls at the process, transaction or application level. The overall risk related
to each significant account is assessed to determine the nature, timing and extent of
testing of the controls related to that specific account, and eliminates, from further
consideration, accounts that have only a remote likelihood of containing a material
misstatement, and devotes less audit attention to the areas of low risk.

Risk factors

Quantitative and qualitative factors are considered to determine the significance of an
account. Management will use these risk factors to eliminate those accounts that have
only a remote likelihood of containing misstatements that could cause the financial
statements to be materially misstated.

Planning and risk classification

Planning materiality (PM)

For listed entities or entities in regulated industries that are profitable, it is presumed that users of financial
statements focus on operating results and, in particular, income. These users often consider misstatements
greater than 5% of pretax income to be material. As such, PM is typically 5% of pretax income when pretax
income is the appropriate measurement base.

PM may be increased when evidence suggests that users, including regulators, would have a higher
threshold for materiality (up to 6%-8% of pretax income). PM may also be increased when an entity is not
listed and operates in an unregulated industry, and for statutory audits of subsidiaries (10% of pretax income).

Further considerations may be helpful in determining PM:

 • The entity operates in a business environment that is not changing rapidly
 • The entity has a viable business with good long-range prospects and has a strong balance sheet
 • Past history on the engagement indicates that management is competent, of high integrity and applies
   conservative rather than aggressive accounting principles

In certain circumstances, a measurement basis other than pretax income may be more appropriate. When
choosing an alternative measurement basis, consideration should include what measurement basis is most
meaningful to financial statement users. The following ranges may be considered when setting PM:

Measurement basis     Range
Revenue               ½%-1%
Gross margin          1%-2%
EBITDA                2%-5%
Equity                1%-5%
Assets                ¼%-½%

The low end of the range should be considered for listed entities and entities in regulated industries. The
high end of the range should be a starting point for non-listed entities in an unregulated industry and
statutory audits of subsidiaries.¹

Tolerable error (TE)

SOX Methodology standards are set to obtain reasonable assurance of detecting material misstatements.

TE is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and
undetected misstatements exceeds PM. At the individual account or balance level, TE should be
considered.

TE should be calculated at either 50% or 75% of PM:

 • For listed entities and entities in regulated industries, 50% of PM is an appropriate starting point.
 • For non-listed entities in an unregulated industry and statutory audits of subsidiaries, 75% of PM is an
   appropriate starting point.

TE should be adjusted based on professional judgment. In making this determination, we consider:

 • Expectations of misstatements
 • Designation in the client and engagement acceptance and continuance process
 • Collective understanding of the entity and industry
 • Past history with the entity
 • Assessment of risks associated with the entity
 • Results of our observations of the entity’s control environment and the effect on internal controls over
   the financial statements.²

Quantitative and qualitative risk

The concept of materiality is considered to determine which accounts are significant. Overall materiality is
based on discussion with Management, the external audit firm and planning materiality guidance. This
amount is based on the measurement basis from continuing operations adjusted for any items deemed
appropriate by Management and external audit firm such as one-time balance sheet restructuring entries.
Tolerable error is based on 50 or 75% of the overall materiality. This allows for the aggregation of
misstatements across accounts as well as for increases in account significance throughout the year.

The account balance is considered the primary quantitative risk factor for purposes of the risk assessment.
On a quarterly basis, the balance sheet and income statement accounts will be reviewed.

¹ Source: EY Global Audit Methodology and Supplemental Audit Guidance – “P07_2 Determine Planning Materiality.”
² Source: EY Global Audit Methodology and Supplemental Audit Guidance – “P07_3 Determine Tolerable Error.”

Any changes in materiality will be discussed with Management, external audit firm and the SOX Steering
Committee (or equivalent).

A classification of high, medium or low will be assigned to both the quantitative and qualitative factors.

The quantitative classification is assessed as:
   High     Quantitatively greater than planning materiality
   Medium   Quantitatively less than planning materiality but still consequential to the financial statements
   Low      Quantitatively less than planning materiality and not consequential to the financial statements

The qualitative classification is assessed as:
   High     There are factors that represent a high inherent risk of material misstatement
   Medium   There are factors that indicate an average inherent risk of material misstatement
   Low      There are factors that indicate a minimal inherent risk of material misstatement

Identification of significant items

The following evaluation must be conducted to identify significant line items from the financial statements
and determine the significant accounts.

1. Request the year-end trial balance, statement of condition and statement of operations from Financial
Reporting, the version of which includes zero balance accounts and is grouped into financial statement
line items.
2. Verify that the trial balance agrees with the year-end financial statements. Ensure that line-item
descriptions agree with those used on the financial statements. Make changes where necessary.

A. Evaluate the significance of each line item by considering line item materiality as follows. Consider
average balances when necessary.

   Line item balance                                Ranking
   >4% of pretax income (or measurement basis)      High
   1%-4% of pretax income (or measurement basis)    Medium
   0%-1% of pretax income (or measurement basis)    Low

B. Evaluate the significance of each line item by considering qualitative factors such as:

 • Number and composition of accounts that comprise the line item
 • Volume of activity, complexity and homogeneity of the individual transactions processed through
   the line item’s accounts
 • Susceptibility to material error or fraud (consider impact of line item on executive compensation)
 • Accounting and reporting complexities of the line item (includes use of estimates)
 • Exposure to losses and contingent liabilities

Assign a priority of high, medium or low to each line item.

C. Scores are assigned to the prioritization characteristics as follows:

   Priority   Score
   Low        1
   Medium     2
   High       3

Scores are averaged to provide an overall conclusion as to the level of criticality of the financial
statement line as follows:

   Average score                 Line item significance
   Avg. score >2                 High (significant line item)
   Avg. score >1.5 and <=2       Medium (significant line item)
   Avg. score <=1.5              Low³

Scoring exception

Line items with one or more of the following characteristics rated high are automatically rated high
overall:

 • Susceptibility to material error or fraud
 • Accounting and reporting complexities (includes use of estimates)

Also note that the rating for statutory requirements is not included in the average score as this
characteristic is either high or not applicable.

3. Determine the significance of the account to the overall line item. Using the trial balance mapping to the
financial statement line items, prioritize the accounts considering the following:

A. Begin with assessing account materiality as follows:

   Ranking   Year-end balances (consider year-to-date average balances when necessary)
   High      >10% of line item or >4% of pretax income
   Medium    5%-10% of line item or 3%-4% of pretax income
   Low       0%-5% of line item or <3% of pretax income

B. In addition, consider other qualitative factors:

 • Volume of activity, complexity and homogeneity of the individual transactions processed through
   the line item’s accounts
 • Susceptibility to material error or fraud (consider impact of line item on executive compensation)
 • Changes from the prior period in account characteristics (new complexities, new transaction types)
 • Accounting complexities associated with the account (e.g., estimates, valuations)
 • Nature of account (suspense accounts generally warrant greater attention)
 • Exposure to losses represented by the account or likelihood of significant contingent liabilities
   arising from the activities involved
 • Existence of related-party transactions in the account

C. Scores are assigned to the prioritization characteristics (refer to 2.C. above)

³ Line items ranked low are eliminated from further evaluation because there is a remote likelihood that the line item contains a
misstatement that could cause the financial statements to be materially misstated.

Overall account scoring

Accounts with one or more of the following characteristics rated high are rated high overall:

 • Susceptibility to material error or fraud (consider impact of line item on executive compensation)
 • Accounting complexities associated with the account (e.g., estimates, valuations)

Otherwise, scores are averaged to provide an overall conclusion as to the level of criticality of the account.
Refer to the Average score/line item significance table in Step 2.C. for scores.

Processes and activities related to those accounts rated medium or high will be addressed in the SOX 404
documentation and testing.⁴ Note that accounts with less than US$500k at 12/31 or US$500k in average
balance are not included in the scoping, as the likelihood of material misstatement is low. An exception to this
is suspense accounts.
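The scoring rules of Step 2.C, Step 3.A and 3.C and the overall account scoring above, carried through in code as an added example (not part of the methodology document): the 1/2/3 scores, the averaged thresholds, the scoring exception for fraud susceptibility and accounting complexity, the exclusion of the statutory-requirements rating from the average, and the US$500k scoping threshold with its suspense-account exception. Function and field names, the treatment of band boundaries and the conservative reading of the US$500k rule are my assumptions and are marked in the code.

```python
"""Significance scoring for financial statement line items and accounts.

Added example, not code from the methodology document: it implements the
scoring rules of Steps 2.C, 3.A and 3.C and "Overall account scoring".
Function and field names are my own; assumptions are noted inline.
"""
from dataclasses import dataclass

# Step 2.C: priority rating to score.
PRIORITY_SCORE = {"low": 1, "medium": 2, "high": 3}

# Characteristics that, when rated high, force a high overall rating
# (the scoring exception for line items and for accounts respectively).
LINE_ITEM_OVERRIDES = {
    "susceptibility to material error or fraud",
    "accounting and reporting complexities",
}
ACCOUNT_OVERRIDES = {
    "susceptibility to material error or fraud",
    "accounting complexities",
}
# Rated high or not applicable, so never part of the average.
EXCLUDED_FROM_AVERAGE = {"statutory requirements"}

# Accounts below this balance are out of scope (suspense accounts excepted).
MIN_ACCOUNT_BALANCE_USD = 500_000


def account_materiality(pct_of_line_item: float, pct_of_pretax_income: float) -> str:
    """Step 3.A: either measure can raise the ranking.

    Assumption: 5% of the line item and 3% of pretax income start the medium band."""
    if pct_of_line_item > 10 or pct_of_pretax_income > 4:
        return "high"
    if pct_of_line_item >= 5 or pct_of_pretax_income >= 3:
        return "medium"
    return "low"


def average_score(ratings: dict[str, str]) -> float:
    """Average the scores of every characteristic except the excluded ones."""
    scores = [
        PRIORITY_SCORE[rating.lower()]
        for name, rating in ratings.items()
        if name.lower() not in EXCLUDED_FROM_AVERAGE
    ]
    if not scores:
        raise ValueError("no characteristics to average")
    return sum(scores) / len(scores)


def significance(avg: float) -> str:
    """Step 2.C table: >2 high, >1.5 and <=2 medium, <=1.5 low."""
    if avg > 2:
        return "high"
    if avg > 1.5:
        return "medium"
    return "low"


def overall_rating(ratings: dict[str, str], overrides: set[str]) -> str:
    """Apply the scoring exception first, then the averaged conclusion."""
    for name, rating in ratings.items():
        if name.lower() in overrides and rating.lower() == "high":
            return "high"
    return significance(average_score(ratings))


def rate_line_item(ratings: dict[str, str]) -> str:
    """Overall rating of a financial statement line item (Step 2.C)."""
    return overall_rating(ratings, LINE_ITEM_OVERRIDES)


@dataclass
class Account:
    name: str
    ratings: dict[str, str]  # characteristic -> low/medium/high
    year_end_balance_usd: float
    average_balance_usd: float
    is_suspense: bool = False


def scope_account(acct: Account) -> tuple[str, bool]:
    """Return (overall rating, whether the account is in SOX 404 scope).

    Assumption: "less than US$500k at 12/31 or US$500k in average balance"
    is read conservatively, so an account is dropped only when both its
    year-end and its average balance are below the threshold."""
    below = (acct.year_end_balance_usd < MIN_ACCOUNT_BALANCE_USD
             and acct.average_balance_usd < MIN_ACCOUNT_BALANCE_USD)
    if below and not acct.is_suspense:
        return "excluded", False
    rating = overall_rating(acct.ratings, ACCOUNT_OVERRIDES)
    return rating, rating in ("medium", "high")
```

A line item whose only high rating is "statutory requirements" still averages to low, because that characteristic is neither an override nor part of the average; this is the case most easily missed when the scoring is done by hand.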

Process documentation

Narrative

Process documentation will include a detailed narrative. Process documentation is created and updated
based on interviews with business unit personnel. These interviews will be focused on identifying the points
within the flow of transactions where data is initiated, authorized, recorded, processed and reported.
Additionally, the interviews will focus on points within the process at which a misstatement, including a
misstatement due to fraud, could occur, as these are the points where controls are necessary. Processes
over non-routine and estimation transactions often have higher risk because they are more likely to be
influenced by business risks and management decisions.

The objectives of the documentation of processes related to significant accounts and disclosures are to:

 • Enable management to understand the processes underlying the significant accounts from beginning
   to end
 • Cover the initiation, authorization, recording, processing and reporting of individual transactions

Process owners will be provided with the documentation prior to finalization to ensure accuracy and
completeness as well as for approval of final documentation.

The narrative documenting the processes will include the following elements:

 • Document status (draft or final)
 • As-of date
 • Process owner
 • Applications and system used (including third-party service providers)
 • Process steps

Use of service organizations

Although outside service organizations may be used to process financial data, management is ultimately
responsible for the internal control over this financial information and may need to assess the design and
operating effectiveness of the service organization’s internal control.

⁴ Accounts rated “low” are eliminated from further evaluation as there is a remote likelihood that the account contains misstatements
that could cause the financial statements to be materially misstated.

For outsourced activities, processes and functions that are considered significant to the company’s internal
control over financial reporting, the SOX Steering Committee will determine if a Statement on Standards
for Attestation Engagements (SSAE) 16 exists. If the SSAE 16 exists, the Steering Committee will:

 • Identify controls in place to review and evaluate the SSAE 16. The scope of this review should evaluate
   the scope, period of time covered, opinion and testing exceptions within the SSAE 16.
 • Map the SSAE 16 user control considerations to the control identified as part of the process
   documentation.
 • As appropriate, map the SSAE 16 control objectives evaluated by the service organization’s external
   auditor to the controls identified as part of the process documentation.

If an SSAE 16 does not exist, alternate procedures may be performed. These procedures may include:

 • Identifying controls at the service organization and coordinating the test of identified controls with the
   outsourced provider’s Internal Audit department.
 • Requesting the service organization auditor to perform agreed-upon procedures.

Critical spreadsheets and other end-user computing (EUC) tools

Spreadsheets and other EUC tools may be utilized for financial reporting. In addition to Excel spreadsheets,
EUC tools include Microsoft Access, Query Reports from ACCPAC, etc. As such, the control environment
and specific control activities should be considered for evaluation as part of the 404 process.

Control requirements may differ as spreadsheets/EUC tools typically have a wide range of complexity and
usage. Therefore, the uses and complexity of spreadsheets/EUC tools should be evaluated using the
following process:

1. Inventory all spreadsheets/EUC tools that are used to support significant financial processes and
utilized in the performance of a control.
2. Evaluate the use and complexity of the identified spreadsheets/EUC tools. The uses and complexity of
information contained in the spreadsheets/EUC tools should be grouped into the following categories:

   Purpose/use

   High (financial): Used to directly determine financial statement transaction amounts or balances that
   are populated into the general ledger and/or financial statements.

   Medium (analytical/management information): Used to support analytical review and management
   decision-making. These may be used to evaluate the reasonableness of financial amounts.

   Low (operational): Used to facilitate tracking and monitoring of workflow to support operational
   processes, such as listing of open claims, unpaid invoices and other information that previously would
   have been retained in manual, paper file folders. These may be used to monitor and control that
   financial transactions are captured accurately and completely.

   Complexity

   High: Support complex calculations, valuations and modeling tools. These spreadsheets/EUC tools are
   typically characterized by the use of macros and multiple supporting spreadsheets/EUC tools where
   cells, values and individual spreadsheets are linked. These might be considered “applications” in their
   own right. They often are used to determine transaction amounts or as the basis for journal entries into
   the general ledger or financial statement disclosures.

   Medium: Perform simple calculations such as using formulas to total certain fields or calculate new
   values by multiplying two cells. These spreadsheets/EUC tools can be used as methods to translate or
   reformat information, often for analytical review and analysis, for recording journal entries or for
   making a financial statement disclosure.

   Low: Spreadsheets/EUC tools which serve as an electronic logging and information tracking system.

3. Determine the necessary level of controls for the identified spreadsheet/EUC tool based on the overall
rating of the spreadsheet/EUC tool. The importance of the integrity and reliability of the information
generated by the spreadsheet/EUC tool increases as the complexity progresses from low to high and
as usage increases. This assessment should dictate the strength of the control environment
surrounding each spreadsheet/EUC tool. This overall rating is classified utilizing the below method.

                        Complexity
                        Low        Medium     High
   Use   High           High       High       High
         Medium         Medium     Medium     High
         Low            Low        Medium     Medium

4. Determine the required controls that should be in place and assess existing controls. The required
controls are:

   Data integrity (tool rating: low, medium and high)
   Implementing a process to ensure that data embedded in spreadsheets is current and secure (e.g.,
   “locking” or protecting cells to prevent inadvertent or intentional changes to standing data; or storing
   spreadsheets in protected directories).

   Change control (tool rating: low, medium and high)
   Maintaining a controlled process for making changes to and testing a spreadsheet/EUC tool, and
   obtaining formal sign-off from an independent individual that the change is functioning as intended.

   Version control (tool rating: low, medium and high)
   Ensuring that only current and approved versions of spreadsheets/EUC tools are being used by creating
   naming conventions and directory structures.

   Access control (tool rating: low, medium and high)
   Limiting access at the file level to spreadsheets/EUC tools on a central server and assigning appropriate
   rights. Spreadsheets can also be password-protected to restrict access.

   Input control (tool rating: low, medium and high)
   Ensuring that reconciliations occur to make sure that data is input completely and accurately.

   Back-up (tool rating: low, medium and high)
   Implementing a process to back-up spreadsheets/EUC tools on a regular basis.

   Documentation (tool rating: medium and high)
   Ensuring that the appropriate level of spreadsheet documentation is maintained and kept up-to-date to
   understand the business objective and specific functions of the spreadsheet/EUC tool.

   Overall analytics (tool rating: high)
   Implementing analytics as a detective control to find errors in spreadsheets used for calculations.
   However, analytics alone are not a sufficient control to completely address the inherent risk of financial
   amounts generated using spreadsheets/EUC tools.

   Logic inspection (tool rating: high)
   An individual other than the developer inspecting the logic in critical spreadsheets.

Standard manual controls and processes, as described above, are used to help mitigate the risk associated
with spreadsheets/EUC tools. However, as the importance of the information generated by a
spreadsheet/EUC tool increases, reliance on manual controls and process may not be sufficient. For more
significant amounts and/or spreadsheets/EUC tools with higher complexity, it may be very difficult to
achieve an adequate level of control without migrating these functions to an application system with a more
formalized information technology controls environment.

Control inventory

Overview

A control inventory or control matrix is created to list the controls identified during the process
documentation phase. Process owners will be provided with the control inventory prior to finalization to
ensure accuracy and completeness.

Once the process documentation has been completed and risks and controls identified, the following
information is to be included in the control inventory for each process control inventory:

Information type: Description

Key process description: Based on the mapping of accounts performed during scoping, determine the major
classes of transactions and related processes, including information technology processes, which influence
the identified significant accounts. These processes will be listed on the control inventory.

SOX key control indicator: Controls that support the financial statement assertions should be identified as
“key” controls and will be noted as such on the control library.

Anti-fraud control indicator: The SOX controls identified as anti-fraud controls during the fraud risk
assessment will be noted as such on the control inventory.

Anti-fraud key control indicator: The SOX controls identified as anti-fraud controls that must be tested per
the methodology established for the fraud risk assessment are considered key anti-fraud controls and will be
noted as such on the control inventory.

Control owner: The design and operating effectiveness of controls are the responsibility of management. To
facilitate ownership of the controls by the business unit, the primary person responsible for performing the
control will be documented.

Control description: The description of the control will include how the control is performed, who performs
the control, what data reports, files or other materials are used in performing the control and what physical
evidence, if any, is produced as a result of performing the control.

Control nature: Controls that management relies on to prevent or detect and correct errors, or to prevent or
detect fraud, may exist in any of the five COSO components. Relevant controls in each of the five
components should be identified and documented.
The two major types of controls are preventative and detective controls. Preventative controls can be either
manual or automated and are designed to prevent an error or fraud. Detective controls can be either manual
or automated and are designed to monitor the achievement of the relevant process objectives, including
identifying errors or fraud. The purpose of detective controls is to detect errors that may have occurred.
To be effective, systems of internal control should include strong preventative controls in addition to
detective controls.

Control frequency: The frequency of the control will impact the testing sample size. Therefore, the frequency
will be documented. The following frequencies will be utilized for documentation purposes:
 • Annually
 • Semiannually
 • Quarterly
 • Monthly
 • Weekly
 • Biweekly
 • Daily
 • Multiple times per day
 • Ad hoc
 • Continuous (i.e., automated)

Control automation: Not all controls provide the same level of assurance. The degree of assurance over
internal control varies depending upon several factors, including the level of automation. Automated controls
can provide consistent application of a control.
 • Automated: automated controls encompass those control procedures performed by a computer.
 • Manual: manual controls encompass those controls performed manually, not by computer systems.

Financial statement assertion: Financial statement assertions are representations by management as to the
fair presentation of the financial statements.
For each significant account and disclosure, the company will identify and document relevant financial
statement assertions. Financial statement assertions are classified in the following broad categories which
will be identified in the documentation.
 • Existence: this assertion addresses whether assets or liabilities of the entity exist at a given date and
   whether recorded transactions have occurred during a given period.
 • Completeness: this assertion addresses whether all transactions and accounts that should be presented
   in the financial statements are so included.
 • Valuation: this assertion addresses whether asset, liability, equity, revenue and expense components
   have been included in the financial statements at appropriate amounts.
 • Rights and obligations: this assertion addresses whether assets are the rights of the entity and liabilities
   are the obligations of the entity at a given date.
 • Presentation and disclosure: this assertion addresses whether particular components of the financial
   statements are properly classified, described and disclosed.

Information processing objective: Controls should be designed and implemented to provide assurance that
transactions and balances are complete, accurate and valid, and that there is restricted access to assets and
records to prevent unauthorized changes to data or misappropriation of assets.
Although the financial statement assertions appear to be similar to the information processing objectives, a
one-for-one relationship does not exist, and they are used for different purposes. Information-processing
objectives are used to evaluate the design effectiveness of controls, particularly application controls, within a
business process. The following four information-processing objectives are a standard to assess the integrity
of the data that flows through a process. The four objectives that will be identified in the documentation
include:
 1. Completeness
    • All recorded transactions are accepted by the system (only once).
    • Duplicate postings are rejected by the system.
    • Any transactions that are rejected are addressed and fixed.
 2. Accuracy
    • Key data elements for transactions (including standing data) that are recorded and input to the
      computer are correct.
    • Changes in standing data are accurately input.
 3. Validity
    • Transactions, including the alteration of standing data, are authorized.
    • Transactions, including standing data files, are not fictitious and they relate to the business.
 4. Restricted access
    • Unauthorized amendments of data are barred from the system.
    • The confidentiality of data is ensured.
    • Company assets are physically protected from theft and misuse.
    • The segregation of duties is ensured.

COSO internal control component: As part of management’s assessments, the SOX Steering Committee (or
equivalent) will document the five components of internal control. Controls will be listed on the control
library.
 1. Control environment
    • The control environment establishes the overall tone for the organization and is the foundation for
      all other components of internal control. COSO includes six sub-components of the control
      environment:
      - Integrity and ethical values
      - Commitment to competence and development of people
      - Management’s philosophy and operating style
      - Organizational structure
      - Assignment of authority and responsibility
      - Human resources policies and procedures
    • Participation by those charged with governance (Board of Directors, Audit Committee, etc.)
 2. Risk assessment
    • As part of its risk assessment process, management should determine and consider the
      implications of relevant risks that could hinder the achievement of its objectives and provide a basis
      for managing the risks. Management should identify the risks of material misstatement in the
      significant accounts and disclosures and related assertions of the financial statements.
 3. Control activities
    • Control activities are the policies and procedures that help to ensure that management’s directives
      are implemented. Control activities occur throughout the organization, at all levels and in all
      functions. Control activities include, but are not limited to:
      - Approvals
      - Authorizations
      - Reconciliations
      - Reviews of operating performance
      - Security of assets
      - Management reviews
      - Performance indicators
      - Segregation of duties
 4. Information and communication
    • The information and communication component includes the systems that support the
      identification, capture and exchange of information in a form and time frame that enable personnel
      to carry out their responsibilities, and financial reports to be generated accurately.
 5. Monitoring
    • Monitoring is the continuous process that management uses to assess the quality of internal control
      performance over time. There are three primary components of monitoring:
      - Ongoing monitoring occurs in the ordinary course of business and includes regular management
        and supervisory activities.
      - Periodic monitoring involves less frequent activities by senior management.
      - Reporting deficiencies involves reporting deficiencies to the appropriate level of management and
        board of directors and remediation efforts.

Sample size guidance

The sample size is the number of records/transactions/occurrences that will be examined during the control
test. The selection of specific items to be tested from the population is called the sample.

The sample size will be determined using the chart below, together with management’s direction. If the
control involves a single transaction for a given period (e.g., review of a bank reconciliation, which occurs
only once a month), the frequency of the control should be determined and the corresponding sample size
should be used (i.e., monthly control, three samples). If the control involves more than one transaction for
a given period (e.g., approval of purchase orders, which occurs two to five times a day), the population for
a one-year period should be determined using the “population size” column and the corresponding sample
size should be used (daily – multiple times per day, 25 samples).

Type of control | Frequency of the control | Number of samples to be tested for low/medium risk processes | Number of samples to be tested for high-risk processes
Manual | Annually | 1 | 1
Manual | Quarterly | 2 (*) | 2 (*)
Manual | Monthly | 3 | 3
Manual | Biweekly | 4 | 6
Manual | Weekly | 5 | 8
Manual | Daily | 20 | 25
Manual | Daily – multiple times per day | 25 | 40
IT-dependent | See table below
Automated | Test of one

* Testing should include an intermediate quarter and the closing quarter.

Sample size selection for discretionary frequency controls, depending on the number of transactions which
occurred during the period considered, normally the current year:

If the population is | Use the following frequency (low/medium risk) | Use the following frequency (high risk)
1 to 12 items | Monthly frequency – 3 items | Monthly frequency – 3 items
13 to 26 items | Biweekly frequency – 4 items | Biweekly frequency – 6 items
27 to 52 items | Weekly frequency – 5 items | Weekly frequency – 8 items
53 to 260 items | Daily frequency – 20 items | Daily frequency – 25 items
261+ items | Daily multiple frequency – 25 items | Daily multiple frequency – 40 items

Sample size splitting protocols

Management’s opinion on internal controls is as of the end of a fiscal year. Therefore, evidence is needed
that the controls are operating near year-end. To achieve this objective, controls should be explicitly
validated near year-end through refreshed testing.

If the control has been enforced for the entire year, the sampling will be as follows:

Low/medium risk

Frequency of control | If you’re testing in May/June | If you’re testing in July/Aug/Sep | Year-end/refresh testing on controls tested earlier in the year | Required portion of sample to be from 4th quarter
Annual | Annual controls will be tested once during the fiscal year.
Quarterly | 1st quarter | 1st or 2nd quarter | 3rd quarter | 0
Monthly | 1 month | 2 months | Remaining portion of required sample size of 3 | 1 month
Biweekly | 2 weeks | 3 weeks | Remaining portion of required sample size of 4 | 1 week
Weekly | 3 weeks | 4 weeks | Remaining portion of required sample size of 5 | 1 week
Daily | 12 days | 17 days | Remaining portion of required sample size of 20 | 3 days
Daily – multiple | 15 items | 20 items | Remaining portion of required sample size of 25 | 5 items

High risk

Frequency of control | If you’re testing in May/June | If you’re testing in July/Aug/Sep | Year-end/refresh testing on controls tested earlier in the year | Required portion of sample to be from 4th quarter
Annual | Annual controls will be tested once during the fiscal year.
Quarterly | 1st quarter | 1st or 2nd quarter | 3rd quarter | 0
Monthly | 1 month | 2 months | Remaining portion of required sample size of 3 | 1 month
Biweekly | 3 weeks | 4 weeks | Remaining portion of required sample size of 6 | 1 week
Weekly | 4 weeks | 6 weeks | Remaining portion of required sample size of 8 | 2 weeks
Daily | 15 days | 20 days | Remaining portion of required sample size of 25 | 5 days
Daily – multiple | 25 items | 32 items | Remaining portion of required sample size of 40 | 8 items

If the control is a new control in the current year (e.g., remediated after January 1, 2012):

Low/medium risk

First month of control operation January through March: follow the field work testing guidelines above for controls effective all year.

Control frequency | First month of operation April–June: these controls can be tested in July–September using the following sample sizes, with year-end/refresh testing required to round out the samples | First month of operation July/Aug/Sep: perform testing on these in December using full sample sizes
Quarterly | 2nd quarter | 3rd and 4th quarters
Monthly | 1 month | 3 months
Biweekly | 2 weeks | 4 weeks
Weekly | 2 weeks | 5 weeks
Daily | 12 days | 20 days
Daily – multiple | 15 items | 25 items

High risk

First month of control operation January through March: follow the field work testing guidelines above for controls effective all year.

Control frequency | First month of operation April–June: these controls can be tested in July–September using the following sample sizes, with year-end/refresh testing required to round out the samples | First month of operation July/Aug/Sep: perform testing on these in December using full sample sizes
Quarterly | 2nd quarter | 3rd or 4th quarter
Monthly | 1 month | 3 months
Biweekly | 3 weeks | 6 weeks
Weekly | 3 weeks | 8 weeks
Daily | 18 days | 25 days
Daily – multiple | 25 items | 40 items

Note: If the control failed at the interim and is remediated during the year, the full population after
remediation must be tested at year-end.

Splitting samples on controls at multiple locations

In order to reduce management testing efforts, samples may be split between multiple locations. For
example, if facilities at Location A, Location B and Location C all have a similar daily multiple control that,
in substance, is the same, split daily multiple sample sizes across the three locations.
Use the following steps to determine sample sizes to be used when splitting across multiple locations:

• Determine the number of locations where the control exists
• Determine the frequency of the control
• Based on the frequency and number of locations, use the table below to determine the sample size
• Judgmentally allocate the sample across the locations

Protocols on splitting sample sizes across multiple locations for similar controls:

Frequency of control | Sample size for split controls (doubled from normal sample), low/medium risk process | Sample size for split controls (doubled from normal sample), high risk process
Daily multiple | 50 | 80
Daily | 30 | 50
Weekly | 10 | 16
Biweekly | 8 | 12
Monthly | 6 | 6
Quarterly | 2* | 2*

* Quarterly controls will be tested using full samples regardless of similarities across locations.
Annual controls will be tested once at all locations.

Sample selection methods

When determining a sample for tests of controls, a technique should be selected that provides sufficient
appropriate audit evidence on which to conclude. Selecting items from the population appropriately is
important to prevent unintentional bias in our selection.

Defining the population from which a sample is selected is the same whether we are performing tests of
controls or tests of details, or statistically or judgmentally determining the sample size. The population is
the entire set of data on which we wish to draw a conclusion. The population shall include all transactions
during the period of coverage.

Acceptable sample selection methods for SOX testing include:

• Random sampling
• Judgmental sampling

Random sampling is appropriate when:

• Evidence exists that the population is complete
• IA is able to obtain a listing of population items on which to conclude
• Few, if any, exceptions are expected

In applying a random sample selection method, we may use EY/Random or a random number generation
functionality (e.g., in Microsoft Excel) to generate the sample items. EY/Random is a firm-developed
program that assists us in determining which items in the population to select. Random numbers provide a
basis for selecting samples from printed listings or manual records. Before using EY/Random, we establish
a unique identification number for every sampling unit in the population. In the absence of sequentially
numbered documents, it may be difficult to establish correspondence between the random numbers and
the items in the population.5

Judgmental sampling is appropriate when professional judgment and prior information are used to select
higher-risk samples; it is best suited to small populations or to cases where a complete listing of population
items cannot be obtained. Judgmental sampling should be used sparingly and must have suitable
justification.

5 Source: EY Global Audit Methodology and Supplemental Audit Guidance – “SM_2 Audit sampling techniques and
sample selection methods.”
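The following is an added example, not part of this appendix or of EY/Random, showing how the population-size table for discretionary-frequency controls and the random selection method above fit together in code: every sampling unit gets a unique identification number, the listing is rejected if those numbers are not unique, and the random draw is seeded so it can be re-performed. The purchase-order population, the function names and the seed are constructed for illustration.

```python
"""Sample sizing and random selection for a SOX test of controls (added example,
not from the appendix). Implements the population-size table for discretionary
frequency controls and the random selection step: a unique identification number
per sampling unit, random numbers mapped back to items. Data below is constructed."""
import random

# (upper bound of population, low/medium-risk sample size, high-risk sample size)
POPULATION_TABLE = [
    (12, 3, 3),     # monthly frequency
    (26, 4, 6),     # biweekly frequency
    (52, 5, 8),     # weekly frequency
    (260, 20, 25),  # daily frequency
]
DAILY_MULTIPLE = (25, 40)  # 261+ items

def sample_size(population_size: int, high_risk: bool) -> int:
    """Number of items to test for a population of the given size."""
    if population_size < 1:
        return 0  # no events in the period: the test result is N/A
    for upper, low_med, high in POPULATION_TABLE:
        if population_size <= upper:
            return high if high_risk else low_med
    low_med, high = DAILY_MULTIPLE
    return high if high_risk else low_med

def select_random_sample(population, high_risk: bool, seed: int):
    """Randomly select the sample from a complete population listing.
    Every sampling unit must carry a unique identification number; a listing with
    duplicates cannot be mapped to random numbers and is rejected. The seed is
    recorded in the workpaper so the external auditor can re-perform the selection."""
    ids = [item["id"] for item in population]
    if len(ids) != len(set(ids)):
        raise ValueError("population listing has duplicate identification numbers")
    n = sample_size(len(population), high_risk)
    if n >= len(population):
        chosen = population  # the sample size covers the whole population
    else:
        chosen = random.Random(seed).sample(population, n)
    return sorted(chosen, key=lambda item: item["id"])

# Constructed population: 30 purchase-order approvals in the year (weekly bucket).
PURCHASE_ORDERS = [{"id": 5000 + i, "approver": "AP supervisor"} for i in range(30)]

if __name__ == "__main__":
    for item in select_random_sample(PURCHASE_ORDERS, high_risk=True, seed=2024):
        print(item["id"])
```

With 30 items the high-risk branch yields the weekly-frequency sample of 8; a population smaller than its sample size is tested in full.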

Testing process

Design

The test plan should include the approach, scope, sample size and documentation requirements to support
the conclusion on effectiveness.

There are four types of testing techniques performed to obtain evidence about the operating effectiveness
of controls. Those types are (listed in order of highest to lowest level of assurance obtained): re-performance,
inspection/examination, observation and inquiry.

Testing technique | Description

Re-performance | Gives the greatest assurance that a control is operating effectively. The testing team will perform validation procedures for selected controls by re-performing the control activity. An example of when this would be used is in testing a physical inventory control, when you would observe a count and perform an independent test of quantities. This should be used when a high degree of confidence in the control is necessary.

Inspection/examination | The most frequently used technique. This includes reviewing documents that are used in the application of the control or results from the operation of the control. Examples include reviewing evidence that controls are being performed, reconciliations are prepared and signed off by supervisors, and exception reports are reviewed and marked with checkmarks or written explanations. These testing techniques are used when there is evidence of a manual control being performed.

Observation | Used when no documentation exists and is often used in combination with inquiry. Observation is used frequently with system controls where an error message or validation check cannot be easily evidenced via a paper trail but can be seen on the operator’s screen.

Inquiry | Should be used in combination with other testing techniques to gain an understanding of the control being performed and gather information about the control. This involves questioning or interviewing the person performing the control and can be oral or written. For example, inquiry is used when questioning an accountant on what documents are necessary and how they perform a reconciliation.

These techniques are used when conducting a Test of Design (TOD) and/or a Test of Effectiveness (TOE).
The TOD is the initial test conducted to evaluate the adequacy of controls in place to mitigate risks. Once
this test is successfully completed, the TOE is performed to determine the effectiveness of the controls in
place to mitigate risks.

Execution

Procedures to evaluate the operating effectiveness of controls must be sufficient to determine if controls
are operating effectively.

Internal controls over financial reporting residing within business processes rated low risk will not be tested.
The rating of business processes will be re-evaluated quarterly.

Documentation

Documentation should include descriptions of the nature, timing and extent of the procedures used and
should include a list of exceptions, if any, their cause and implications on management’s assertion. All
documentation, including electronic reports and supporting data that is or may be used to test controls,
should be retained to allow others, including the external auditors, to re-perform the test.

Evaluation/interpretation

Management must determine whether each testing exception indicates a deficiency in the design or
operating effectiveness of a control, or both. This includes identifying the underlying or “root” cause of the
error to determine appropriate next steps. The identification of control exceptions may result in:

• Extending the test
• Re-evaluating the original decision to rely on that control and considering whether another control can
be substituted
• Development of a Management Action Plan for a control gap

Conclusion

Three steps are necessary when testing is complete:

1. The Control Operator will conclude on the effectiveness of the individual controls based on test
results. There are three types of possible testing results:
a. Test effective: when there is reasonable evidence that, for the period and the sample
selected, the control works properly.
b. Test ineffective: when for the period and the sample selected, there exists at least one item
that is not effective, or the control does not cover the real risk. The cause of the deficiency
will be documented and an action plan carried out.
c. N/A: when no events have occurred during the period selected, thus no test can be
performed.
2. The Process Owner will conclude on the effectiveness of the collective controls in mitigating the
process risks.
3. The Process Owner certifies to the adequacy of the design and operating effectiveness of the
internal controls affecting financial statement assertions for the entire process.

Management will need to evaluate any control deficiencies and determine whether they, individually or in
the aggregate, require remediation and/or might need to be disclosed to the independent auditors and the
Audit Committee. Timely evaluation of control deficiencies will allow sufficient time for follow-up remediation
and re-evaluation of controls before management must make its assertion. All conclusions and
recommendations should be documented in writing.
