Trying to test each and every control in the organziation is an impossible task. Successful sarbanes oxley compliance requires that the extent of testing is determined before hand. Determining the extent of testing basically refers to deciding which controls to test and which controls to ignore. Many controls are redundant and provide little comfort as far as Sarbanes Oxley compliance is concerned. Organizations need to identify such controls. Such controls need not be tested. Some finer points in determining the extent of testing required are discussed below. Infact, the points discussed below can be used by companies as a guide to determine the extent of testing.

1. Control Importance - Simply speaking, controls which are more important should be tested extensively.
2. Nature of control -Preventive vs detective, manual vs automated controls need to be taken into account in deciding the extent of testing. Manual controls need to be tested more extensively that automated controls.
3. Frequency of Control - The more number of times a control is performed, the bigger the sample size for testing such controls. I have done a post exclusively for deciding the sample sizes for controls.

The above three factors can be very helpful to companies in deciding the extent of testing. Though there are other factors as well, the above three have the highest impact.

Related Posts

SOX Controls Testing Project Management
Sarbanes Oxley Audit Scope Limitations
Documenting IT & Application Controls
Using Work of Others in SOX Audit