Today we will discuss how to test SOX key reports for SOX compliance.
I suggest you watch the video. It's easier to understand if you are a visual/audio learner.
The content below is the same as the video. It's for those who learn by reading.
How to test SOX key reports for SOX compliance
Understand complexity
This sample, taken from a PWC SOX Key Report template, shows the typical beginning and end of their form.
The questions on a typical auditor’s template fall into three main categories:
Recalculation
Could the results of the report be duplicated if the same parameters were used?
Completeness
Does the report fully include the data (number of rows, or records, or amounts) within the stated parameters?
Accuracy
Does the report accurately include the data (correct dates, amounts) from the source documents within the stated parameters?
There are four main report types:
Document the report type
One typical source to identify a standard report is from the SOC1 Type 2 report from your third-party vendor.
Your third-party SaaS vendor hired external auditors to provide the SOC1 Type 2 reports to show that the service provider you are using has been audited for its own internal controls and that the reports from this provider can be relied upon.
For example, if one of your key reports is from Equity Edge, you would need to document whether it was a standard report generated in Equity Edge (perhaps as included in their SOC1 report) or whether it was generated using other criteria (e.g., a customized report, query, or ad-hoc query).
The sample below shows one way to answer the auditor's question about the source of the report.
Verify the reliability of the report
Now that you know what kind of key report you have and that it is from a reliable source, you can begin to test the report and the validity of the source data.
Your documentation will include a summary of the procedures performed to assess the
As you can see from the example, the summary references the tabs where your exported data and reports can be found in the workbook. These tabs are where you show your work in validating the completeness and accuracy of your test.
Section C – Completeness
This is one gauge that you may overlook, assuming that it is sufficient for your data to be proven accurate. Do not, however, underestimate the importance of using complete data to test your report and of documenting how you validated its completeness.
In the PWC example for completeness, the following steps were taken.
Step #4 is the heart of the check for completeness. Once the parameters for each report are matched and the data exported, ensuring that the same data appears in both sets of data is crucial.
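The comparison in step #4 can be scripted once both data sets are exported with matching parameters. The following is an added example, not part of the PWC template or of any vendor tool: the column names, the record key (grant_id plus period) and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample exports (not real data). Column names are assumptions.
SOURCE_CSV = """grant_id,period,expense
G-1001,2022-03,1250.00
G-1002,2022-03,980.50
G-1003,2022-03,415.25
G-1004,2022-03,2300.00
"""
REPORT_CSV = """grant_id,period,expense
G-1001,2022-03,1250.00
G-1002,2022-03,908.50
G-1004,2022-03,2300.00
G-1004,2022-03,2300.00
"""

KEY = ("grant_id", "period")  # assumed to identify one record uniquely

def load(text):
    """Parse an export into a list of (key, amount) pairs."""
    rows = csv.DictReader(io.StringIO(text))
    return [(tuple(r[k].strip() for k in KEY), Decimal(r["expense"])) for r in rows]

def reconcile(source_text, report_text):
    """Compare the source export with the report export, record by record."""
    src, rep = load(source_text), load(report_text)
    src_keys, rep_keys = Counter(k for k, _ in src), Counter(k for k, _ in rep)
    src_amt, rep_amt = dict(src), dict(rep)
    shared = src_keys.keys() & rep_keys.keys()
    return {
        # Completeness: same population on both sides, no drops, extras or repeats.
        "row_counts": (len(src), len(rep)),
        "missing_from_report": sorted(src_keys.keys() - rep_keys.keys()),
        "not_in_source": sorted(rep_keys.keys() - src_keys.keys()),
        "duplicated_in_report": sorted(k for k, n in rep_keys.items() if n > 1),
        # Accuracy: for records present in both, the amounts agree exactly.
        "amount_mismatches": sorted(
            (k, src_amt[k], rep_amt[k]) for k in shared if src_amt[k] != rep_amt[k]
        ),
        "control_totals": (sum(a for _, a in src), sum(a for _, a in rep)),
    }

if __name__ == "__main__":
    for name, value in reconcile(SOURCE_CSV, REPORT_CSV).items():
        print(f"{name}: {value}")
```

In the constructed data the row counts agree (4 and 4) even though one record is missing and another is duplicated, which is why a row count alone does not demonstrate completeness.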
In our example testing the Equity Edge Expense Allocation – Recognition report, step four was described this way:
Part of testing a key report includes mapping it to an internal control (or controls).
Going forward - now what?
✔ Maintaining the integrity of your reports is an important role for members of your SOX compliance team.
✔ Properly training report owners is paramount to being able to sustain a reliable inventory of your key reports.
✔ Report owners must continually stay up to date on their responsibilities.
✔ Management must have a thorough understanding of how to document each report for the criteria asked for by external auditors.
SOX Key Reports specializes in testing key reports to ensure SOX 404B compliance. Our experience is unsurpassed and our work is guaranteed.
SOX Key Reports © 2022
All rights reserved.