Controls testing is key to SOX 404 compliance. Every year, the financial auditor is faced with a question "Which Controls should be tested for SOX Compliance?". Controls testing should be performed to ensure the auditor's conclusion whether controls address the risk of material mis-statement. To take a simple example, management assertion for completeness may include that accounts within the Accounts Receivable area are complete and accurate. The financial auditor will then develop the SOX testing plan to verify if the account receivable processes support the above assertion.

In SOX testing, the financial statement auditor must keep in mind that

- there may be more than one control that addresses the risk of mistatement to a relevant assertion; and

- On the other hand, one control may address the risk of mistatement for more than one financial statement assertion.

So how should the external financial auditor determine, which controls to test? The decision to include a particular control for testing should be based on which controls individually or in combination address the assessed risk of mis-statements for a given financial statement assertion. The way the controls are labeled has nothing to do with whether they should be selected for testing.

With AS5, auditors need to take a risk based approach to testing controls. In a scenario where there are entity level controls, transaction level controls as well as specific control activities, it is not neccesary to test all of these. The external auditor needs to have a good explanation on the risk assessment used for selecting controls to test. Under AS5, it is not neccesary to test all controls relevant to an assertion or test outdated controls.

Related SOX Posts:

- Entity Level Controls for SOX Compliance
- SOX Project Management 
- SOX Journal Entry Testing Approach
- Control Self Assessment for Sarbanes Oxley