Welcome to our series on SOX Key Reports Testing!

Presented by SOX Key Reports − your one-stop resource for key reports

____________________________________________________________

Today we will discuss how to test SOX key reports for SOX compliance.

I suggest you watch the video. It's easier to understand if you are a visual/audio learner.

The content below is the same as the video. It's for those who learn by reading.

How to test SOX key reports for SOX compliance

Understand complexity

  • Data or reports can often be very complex, therefore the testing of SOX key reports, and the auditing thereof, can also be quite complex.
  • Knowing how to answer what the auditors are looking for is crucial.

  • There are dozens of criteria that need to be documented when testing the validity of a report
  • A typical SOX Key Reports Testing template has almost 350 lines addressing over 20 topics

This sample, taken from a PWC SOX Key Report template, shows the typical beginning and end of their form.

The questions on a typical auditor’s template fall into three main categories:

Recalculation

Could the results of the report be duplicated if the same parameters were used?

Completeness

Does the report fully include the data (number of rows, or records, or amounts) within the stated parameters?

Accuracy

Does the report accurately include the data (correct dates, amounts) from the source documents within the stated parameters?

There are four main report types:

  1. Standard/canned reports
    1. This type of report is preprogrammed into the software
    2. Typically, the report parameters cannot be modified by the end user, other than the date range
  2. Customized
    1. These customizable reports are built in-house by your IT team or user
    2. The end user sets the report data fields or parameters, or writes the script, based on their specific needs
    3. When these reports are locked from further edits after they are finalized and fall under your IT general controls for change management, they can be relied upon because they undergo the normal processes for testing and approval
  3. Query
    1. These are customized searches or queries built in-house by your IT team
    2. When these queries are locked from further edits after they are finalized and fall under your IT general controls (ITGC) for change management, they can be relied upon because they undergo the normal processes for testing and approval
  4. Ad hoc query
    1. These customizable queries are also built in-house by your IT team or user
    2. The end user created the search by selecting the report fields or parameters or writing their own script on the fly
    3. These reports are not “locked down” or are not subject to ITGCs and therefore require higher scrutiny if used as a Key Report or input

Document the report type

One typical source to identify a standard report is from the SOC1 Type 2 report from your third-party vendor.

Your third-party SaaS vendor hired external auditors to provide the SOC1 Type 2 reports to show that the service provider you are using has been audited for its own internal controls and that the reports from this provider can be relied upon.

For example, if one of your key reports is from Equity Edge, you would need to document whether this was a standard report generated in Equity Edge (perhaps as included in their SOC1 report) or if it was generated using other criteria (i.e., customized report, query, ad-hoc query, etc.).

The sample below shows one way to answer the auditor's question about the source of the report.

Verify the reliability of the report

Now that you know what kind of key report you have and that it is from a reliable source, you can begin to test the report and the validity of the source data.

Your documentation will include a summary of the procedures performed to assess the

  • accuracy
  • completeness, and
  • validity of the source data.

As you can see from the example, the summary references the tabs where your exported data and reports can be found in the workbook. These tabs are where you show your work in validating the completeness and accuracy of your test.

Section C – Completeness

Completeness is one gauge that you may overlook, assuming that it is sufficient as long as your data is proven to be accurate. Do not, however, underestimate the importance of using complete data to test your report and documenting how you validated its completeness.

In the PWC example for completeness, the following steps were taken.

  • Steps 1-3 show how the data was gathered and where it is saved in the workbook.
  • Step 4 describes the steps taken to verify the completeness of the data.

Step #4 is the heart of the check for completeness. Once the parameters for each report are matched and the data exported, ensuring that the same data appears in both sets of data is crucial.
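The comparison described above can be scripted so that the evidence is repeatable. The following is an added example, not part of the PWC template or any vendor tool: it reconciles a source-system extract against the key report export, both pulled with the same parameters. The column names (`grant_id`, `expense_date`, `amount`) and all sample rows are constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample data: source extract and report export, same parameters.
SOURCE_CSV = """grant_id,expense_date,amount
G-1001,2022-01-31,1250.00
G-1002,2022-01-31,980.50
G-1003,2022-02-28,455.25
G-1004,2022-02-28,3010.00
"""
REPORT_CSV = """grant_id,expense_date,amount
G-1001,2022-01-31,1250.00
G-1002,2022-01-31,890.50
G-1003,2022-02-28,455.25
G-1005,2022-02-28,100.00
"""

def load(text, key, amount):
    """Index rows by key; amounts become Decimal to avoid float rounding."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row[key] in rows:  # duplicate keys would mask dropped or doubled rows
            raise ValueError(f"duplicate key: {row[key]}")
        row[amount] = Decimal(row[amount])
        rows[row[key]] = row
    return rows

def reconcile(source_text, report_text, key="grant_id", amount="amount"):
    src, rpt = load(source_text, key, amount), load(report_text, key, amount)
    shared = sorted(src.keys() & rpt.keys())
    return {
        "source_rows": len(src),
        "report_rows": len(rpt),
        # Completeness: records present on one side only.
        "missing_from_report": sorted(src.keys() - rpt.keys()),
        "not_in_source": sorted(rpt.keys() - src.keys()),
        # Accuracy: shared records whose fields differ, as (source, report).
        "field_mismatches": {
            k: {f: (src[k][f], rpt[k].get(f))
                for f in src[k] if src[k][f] != rpt[k].get(f)}
            for k in shared if src[k] != rpt[k]
        },
        # Report total minus the total recomputed from the source rows.
        "total_difference": sum(r[amount] for r in rpt.values())
                            - sum(r[amount] for r in src.values()),
    }
```

In the constructed data both files contain four rows, yet one record is missing from the report and one has no source record, so a row count alone would not have shown the gap.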

In our example testing the Equity Edge Expense Allocation – Recognition report, step four was described this way:

Part of testing a key report includes mapping it to an internal control (or controls).

  • It is important that your control be clearly understood by the process owner, not only in how it is designed and functions, but also in how it is documented
  • This is also important for the person who documents the testing of the key controls and maps a SOX key report to an internal control

Going forward - now what?

✔ Maintaining the integrity of your reports is an important role for members of your SOX compliance team

✔ Properly training report owners is paramount to being able to sustain a reliable inventory of your key reports

✔ Report owners must continually stay up to date on their responsibilities

✔ Management must have a thorough understanding of how to document each report for the criteria asked for by external auditors.

About

SOX Key Reports specializes in testing key reports to ensure SOX 404B compliance. Our experience is unsurpassed and our work is guaranteed.

SOX Key Reports © 2022

All rights reserved.