October 29, 2007
Sarbanes-Oxley Section 404 – Guidance for Documenting Test Results
Workpaper Referencing
Include workpaper references on the first page of each document (bottom, right-hand corner) using colored ink/pencil (use the same color for ALL workpaper references, e.g., blue). Use a standard referencing format such as the following:
- Process #_Control #_Sample_Support
- Example: FR-01-02_03_A_1
When there is a document (e.g., schedule, report, etc.) that has associated supporting documentation, reference the main document with a letter (A) and the support with sequential numbering (A_1, A_2…).
If two or more items are being tested, use different letters for each item being tested (A, B, C, etc.).
Include the Document Title (if needed), Source (person who created the document or person who provided the information to you), and Application on the first page of each sample (bottom, left-hand corner). If all reports are from the same person and/or application/system, only cite the information on the first page of each schedule.
- Example: Title: Revenue Accrual Spreadsheet (Date)
Source: Joe Smith, Controller
Application: Excel
If there are multiple pages of relevant information, include all necessary pages and number each page in the bottom, right-hand corner accordingly (1/, 2/, 3/…). If the report already contains page numbers, there is no need to manually number these pages.
If the supporting documentation includes several pages of information, it is only necessary to include the pages that are relevant to the data being referenced or tied-out. However, make sure to include enough information so that the report can easily be referenced in future test periods.
Use tickmarks to document that the control performer has evidenced a task they performed. Tickmarks should be used consistently throughout a process. Define all tickmarks on the corresponding Tickmark Legend. Create tickmarks using colored pencil, but a different color than used in workpaper referencing. ALL tickmarks should be the same color.
To tie an amount from a supporting document, use a two-way reference by placing a unique tickmark and the document number (A, B_2), and, if necessary, the page number (1/, 2/) next to the amount on each schedule.
Documenting Test Results
Develop an overall conclusion on the effectiveness or ineffectiveness of each control tested.
- Effective – Sufficient evidence exists to conclude that the control is operating effectively. All attributes listed in the test plan are present.
- Ineffective – Insufficient evidence that the control is operating effectively.
For effective controls (without exceptions), use the following standard verbiage to complete the “Summary of Test Results” section:
- “For the [#] [document] [inspected/re-performed/observed], no exceptions were noted.”
- “Performed a real-time test on XX/XX/2007. No exceptions noted.”
For effective controls (where an exception was noted, but the sample was expanded and no additional exceptions were found), document the exception, location, and expanded sample size results. Use the following standard verbiage to complete the Summary of Test Results section:
- “Exception noted for [Report Name and Ref #] (See [WP Ref]). Evidence of review did not exist for this [Report Name].”
For ineffective controls, see the example given in the Remediation section below.
The tester should always confirm that there is not an explanation for the lack of evidence before noting an exception and/or concluding that the control is ineffective.
- In some cases, control tests will be concluded as effective if special circumstances exist. Special circumstances arise when the evidence supporting the performance of the control is not as expected (i.e., documentation deviates from the standard).
- Example: Management’s approval of an invoice cannot be seen on the face of the invoice; however, approval is evidenced in an email.
- In these situations, make notations on the attribute sheet and testing documentation to explain the circumstances and why the overall conclusion was still effective.
- Example: “Management’s approval was submitted via email rather than being noted manually on the invoice due to the manager being on vacation. As the email approval was obtained prior to the invoice being submitted for payment, this does not constitute an exception.”
Results of testing should be communicated to the Process Owner(s) and the Corporate Compliance Officer.
Documenting Control Remediation
For ineffective controls (resulting in a control deficiency), document the deficiency to enable monitoring and timely re-testing of remediated controls.
- Capture and document the following information, which should be in the Summary of Test Results:
- Description of deficiency (exception(s) and location(s) as well as sample expansion (if applicable))
- Financial statement impact (accounts/disclosures affected)
- Use the following standard verbiage:
“Exception noted for [Report Name and Ref #] (See [WP Ref]). Evidence of review did not exist for this [Report Name].
Due to the one exception noted, the required sample size was expanded from X to X. An additional exception was noted in the expanded sample for [Report Name and Ref #] (See [WP Ref]). Therefore, the control activity was deemed ineffective.
As a result, [account] (account #) and [account] (account #) could potentially be [over-/understated].”
- Complete the Remediation Action Plans section so that it includes the following:
- Action required and person responsible
- Estimated date of remediation—specific date for daily controls or reporting period for controls with other frequencies
- Example for a daily or multiple-times-per-day control:
“Per discussion with Jane Doe, invoices will not be processed for payment without management sign-off. If an invoice is submitted for processing without evidence of approval, the document will be forwarded to the appropriate approver for review. (Activity begins on (date)).”
- Example for a weekly, monthly, quarterly control:
“Per discussion with Jane Doe, the accounts payable account reconciliation will be prepared monthly, as evidenced by sign-off on the Reconciliation Checklist. (Effective for date Reporting (date)).”
Once it is determined that a control is not operating effectively or is not adequately documented to evidence proper performance, the deficiency should be raised to the Process Owner(s) and the Corporate Compliance Officer.
After documenting the control deficiency and remediation plan, send the following information to the project lead:
- Process name and number
- Control name and number (The control name is a high-level description of the control)
- Control owner
- Control description
- Test results
- Action plan, including estimated remediation date
- Status (to be remediated; remediated—ready to test; remediated—operating effectively; ineffective)
- Management comments (if applicable)
Filing Workpapers
File testing workpapers by business unit and process using the (insert color) file folders. The folder should be labeled as follows:
- Year [BU Name] Testing
[Process # and Process Name]
Set up all folders in a consistent format.
- Ensure the left side of the folder contains the following items, in order (please use colored paper to separate each item):
- Cover page (on colored paper):
- Process number and Process name
- Map
- Control matrix
- The right side of the folder contains the following items, in order:
- Cover page (on colored paper):
- Test Plans and Documentation
- Control documentation (please use colored paper and labeled dividers to separate the documentation for each control):
- Control description
- Test details (test plan, sample size, test results, etc.)
- Population documents (if applicable)
- Attribute sheet
- Tickmark legend
- Samples