Audit and Assurance

Expand all | Collapse all

SOX test frequency

  • 1.  SOX test frequency

    Posted 26 Feb, 2020 08:41

    My company has designed SOX IT test frequency as an annual test.  However, external auditor required us to test with sample covering Q4 as a result we required to test again to include Q4 data.

    In the past (> 6 years ago) the test is done once a year with data coverage partial last year and partial this year.
    I see the pro and con doing test once a year vs twice a year:

    Test twice a year:
    Pro:the data are from current audit period but we will always missed testing mid October - December data.
    Con: we need more resource to do the test.

    Test once a year:
    Pro: the control is operating effectively for a period of 12 months.
    Con: the test sample only partial of the year.

    Our IT control rated as medium to low risk by external auditor, they do independent test for change management and rely on our management test for the remaining control.

    I would like the test to put back to once a year.  However,
    how to justify assurance level from a test that only covering partial data to external auditor and management?
    Is there any one successfully push the requirement to test more to get Q4 data and stays once a year testing?
    If we put back the test to once  a year is that potentially reduce their reliance on our test result?

    I really appreciate share experience from this community.


    Audry Lowe
    IT Compliance Analyst

  • 2.  RE: SOX test frequency

    Posted 26 Feb, 2020 11:55

    The external auditor work is driven by the risk of financial statement material misstatement.   They are doing this additonal test to get audit comfort and identify mitigating controls to reduce the risk.

      Is this an financial reporting application for revenue, A/R, cash?
    For additional testing, there might have been some general IT controls that may have arisen such as issues: Segregation Duties, Change Management, etc.

    With more information, I may be able to help

    Sal Rodriguez
    Director of Internal Audit

  • 3.  RE: SOX test frequency

    Posted 26 Feb, 2020 12:25
    ​This is for every ERP used at different entities in our environment.  We are trying to integrate many ERP applications to one but it is a long road.  Right now i have more than 5 applications in scope for external audit and >10 ERP application subject to internal management testing.  Those in EA scope need to be tested twice to get Q4 coverage.

    Audry Lowe
    IT Compliance Analyst