
SARBANES-OXLEY (SOX) PROJECT APPROACH MEMO

To:

From:

Date:

Subject: Sarbanes-Oxley (SOX) Project Approach

Cc:

OVERVIEW

This document summarizes the overall Sarbanes-Oxley (SOX) compliance strategy, methodology and approach
that Company ABC will employ in developing test plans to evaluate the operating effectiveness of the company’s
significant process-level controls (which includes entitywide information technology [IT] controls – commonly
referred to as IT general controls [ITGC]). This document also explains the approach that will be used to develop
and execute the related test plans.

The purpose of this approach framework is to give the organization guidance in developing test plans, so that
controls are tested consistently and completely across the company. For each of the controls that management
concludes it is appropriate to test (i.e., the primary [key] controls identified during the “documentation” efforts),
the specific nature, frequency and extent of the testing is subject to the judgment of management.

CONTROL DESIGN EFFECTIVENESS

A control is designed effectively if the control provides reasonable assurance the related risk of misstatement is
reduced to acceptably low levels and corresponding financial statement assertions are achieved. In some cases,
multiple controls may be required to adequately mitigate risk, and the aggregated controls must each be
evaluated for design and operational effectiveness.

Generally, controls are deemed to be in place and effective if the control is properly designed to mitigate the
related risk and operating as designed. Accordingly, control design attributes considered by management include:
• Appropriateness of the control considering the nature and significance of the risk
• Competence and authority of the people performing the control
• Frequency and consistency with which the control is performed
• Criteria for investigation (e.g., threshold) and process for follow-up on exceptions
• Dependency on other control(s) or information prepared by the entity (IPE) (e.g., spreadsheets and system
reports).

Control design effectiveness will be assessed for high- and medium-risk primary (key) controls through
walk-throughs: following one transaction through the related processes and obtaining evidence of the control’s
design and implementation.

1 Source: www.knowledgeleader.com
CONTROL OPERATING EFFECTIVENESS

Generally, controls are operating effectively when they are in place and functioning as designed to mitigate
associated risks. Management utilizes various testing methods to evaluate a control’s operating effectiveness,
including:
• Inquiries of process and control owners or key members of the management team
• Inspection of relevant control documentation
• Observation of the control process or procedure in action
• Analysis or re-performance of the operation of the control using a sample selection of transactions (generally,
this method provides the greatest level of evidence)

Depending on the control, one (or a combination) of the above testing methods is used to obtain sufficient
evidence of control operating effectiveness. Ultimately, the testing method and sample sizes are defined at the
discretion of management, with guidance provided by the external auditors.

NATURE, EXTENT AND TIMING OF TESTING

NATURE
The nature, extent and timing of testing to be performed will be based on the risk, nature of the control and the
frequency of the control. The critical attributes defining the nature of controls that determine whether the control is
primary (key) or secondary (nonkey) (i.e., manual/automated, preventive/detective, routine/nonroutine) will also
factor into the determination of the nature and extent of testing required. For example, manual controls may
generally require more extensive testing than system controls. In addition, the type of underlying transaction
subject to the control (either a routine transaction or nonroutine transaction) should be considered when
developing the testing plans. Routine transactions occur consistently, typically as scheduled, utilizing a
predetermined source and nature of information and have the attributes that allow for systematic processing.
Nonroutine transactions can occur daily, monthly, quarterly or annually; however, they do not occur in any
consistent pattern and typically involve manual interaction and judgment. For classification purposes, nonroutine
transactions also include those processes involved with developing an estimate in recording a transaction.

Depending upon the nature of the control and testing performed, tests of controls over routine transactions can
occur intermittently during the year, whereas the nature and frequency of controls addressing nonroutine
transactions (including estimates) may be limited to month-, quarter- or year-end. As in identifying the nature of
the control, the extent and frequency of the testing are also subject to considerable judgment by the process
owner and project leader.

EXTENT
The extent of testing generally refers to the scope of controls for which management will apply its testing
methodology, and sample sizes utilized by management to gain reasonable assurance as to the operating
effectiveness of the control.

Testing Approach
The matrix below describes management’s scope of operating effectiveness testing.

Control Priority   Testing Scope
High               Test primary (key) controls utilizing the sample sizes below. Sample sizes may be
                   judgmentally expanded for more critical control tests.
Medium             Test primary (key) controls utilizing the sample sizes below. Sample sizes may be
                   judgmentally expanded for more critical control tests.
Low                Management will rely on process documentation and entity-level controls to evaluate
                   ongoing design and operating effectiveness of controls.

For FY XXXX, management will evaluate operating effectiveness for high- and medium-priority primary
(key) controls and high-priority IT processes and applications identified in the risk assessment.

The following information should be maintained in the work papers to document the procedures performed and
the results of those procedures:
• Test plan
• Sample selected
• Descriptions of visual observations
• Sample documentation
• Nature and frequency of exceptions
• Review procedures performed by the process owner

Sampling Methods
The testing population to be addressed is defined as all items constituting an account balance or class of
transactions subject to testing.

Sampling addresses two important factors in control testing: which transactions in the population will be tested,
and the method by which the selections were sampled. Samples must be selected by the individuals performing
the testing. Biases in testing must be avoided; process owners of the area under review should not assist in the
sampling process, so that selections are not biased.

System controls should be evaluated to determine if adequate evidence of operating effectiveness can be
obtained through the use of smaller sample sizes (or “samples of one”) due to the nature of such controls. If the
process owner and the testing team determine that a control, or all controls within a given process, do not lend
themselves to this approach, the testing approach should be discussed with management for that control and a
revised approach should be developed and documented by the project team.

Sample Sizes
The standard sample sizes defined below have been determined by management in accordance with Institute of
Internal Auditors (IIA) standards and guidance provided by the external auditor. However, sample sizes can be
adjusted based on the unique nature of each control. The sampling approach is subject to the judgment of
management in determining how to apply it to the specific controls subject to testing. Management and internal
audit plan to work closely with external auditors to review sample sizes for primary (key) controls to maximize the
extent to which external audit can rely on management/internal audit’s testing.

Factors to consider when choosing sample size:


• Stability and overall strength of the control environment
• Knowledge of the location of errors that have occurred in the past (i.e., known historical exceptions)
• Population size
• Significance of the control to the stated assertion
• Required accuracy of sample results

Standard Sample Size Table

Control        Population     Total          Interim    Interim Allowable     Roll-      Roll-Forward Allowable
Frequency      Instances      Sample Size               Control Exceptions    Forward    Control Exceptions
Ongoing        Greater than   XX             XX         XX                    XX         XX
               365
Daily          365            XX             XX         XX                    XX         XX
Weekly         52             XX             XX         XX                    XX         XX
Monthly        12             XX             XX         XX                    XX         XX
Quarterly      4              XX             XX         XX                    XX         XX
Semiannually   2              XX             XX         XX                    XX         XX
Annually       1              XX             XX         XX                    XX         XX

Timing
Testing will be performed in two phases: interim and roll-forward. “Interim” is defined as testing performed on
controls during the Q1, Q2 and Q3 time frame, and “roll-forward” is defined as testing performed on controls
during the Q4/year-end time frame. Controls testing will proceed based on the following:
• Interim Testing:
Interim testing will cover Q1, Q2 and Q3 transactions, where possible. Should there be one exception in the
interim testing for an ongoing or daily frequency control (see Interim Allowable Control Exceptions column
above), the sample size may be expanded to determine if the finding could be considered an “isolated
incident.” Refer to the exception conditions below for details on expanding sample sizes for allowable
exceptions. For exceptions greater than the allowable rate, testing should stop and an action plan should be
created so remediation efforts can begin.
• Roll-forward Testing:
A minimum sample of transactions occurring in Q4 will be tested to confirm that the control was operating
effectively throughout the year. Should there be one exception in the roll-forward testing for an ongoing or daily
frequency control (see Roll-Forward Allowable Control Exceptions column above), the sample size may be
expanded to determine if the finding could be considered an “isolated incident.” Refer to the exception
conditions below for details on expanding sample sizes for allowable exceptions.
• Remediation Testing:
For remediation testing, management will first define the population for testing. The population represents the
number of times that the remediated control will operate between the control reevaluation date and year-end.
The population should be documented in the test plan and will be used as the basis for the sample size. The
sample size should provide a sufficient basis for determining the control is operating effectively at year-end.
Remediation sample sizes can be adjusted depending on timing of remediation.

EXCEPTION CONDITIONS

An exception is noted when a control is not designed appropriately or does not meet one of the attributes tested
by management in evaluating its operating effectiveness. If exceptions are found during testing, the reasons for
the exception and the control frequency are evaluated to determine if the sample size can be expanded to gain
assurance regarding operating effectiveness. When evaluating the reasons for the exception, the tester should
consider whether:
• The control is automated (in the presence of effective ITGCs, there is a presumption that an automated
application control is expected to always perform as designed).
• The degree to which intervention by process personnel contributed to the deviation.
• Management became aware of the exception on a timely basis.
• Management responded to the deviation on a timely basis (if management was aware of it).

In general, if a control exception is identified for ongoing or daily control frequencies during interim testing,
expanded sample sizes will not be utilized. When an interim exception is noted, the control’s operating
effectiveness is considered “ineffective” for interim testing. An action plan will be created to allow process owners
time to remediate the control, and remediation testing will be performed. However, if the testing team, process
owners and/or management believe the exception is “isolated” (rate of error less than 2-3%), an expanded sample
size, in accordance with the table below, may be utilized.

The following table should be followed to determine if a sample size can be extended for a particular test (*note
that this does not pertain to ITGC testing):

Control Frequency: Ongoing
  Number of Exceptions: 1
  Expanded Sample: 150% of sample size (13 additional samples; i.e., total sample 38)
  Control Ineffective: If there are no other findings in the expanded sample, the control may still be considered
  effective. If there is an additional finding, the control would be considered ineffective.
  Action Plan Required: If there are no other findings in the expanded sample, the control may still be considered
  effective. If there is an additional finding, an action plan is required.

Control Frequency: Daily
  Number of Exceptions: 1
  Expanded Sample: 150% of sample size (10 additional samples; i.e., total sample 30)
  Control Ineffective: If there are no other findings in the expanded sample, the control may still be considered
  effective. If there is an additional finding, the control would be considered ineffective.
  Action Plan Required: If there are no other findings in the expanded sample, the control may still be considered
  effective. If there is an additional finding, an action plan is required.

Control Frequency: Weekly, Monthly, Quarterly, Semiannually, Annually
  Number of Exceptions: Greater than 0
  Expanded Sample: N/A
  Control Ineffective: If there are any findings, the control is ineffective.
  Action Plan Required: If there are any findings, an action plan is required.

Regardless of the number of exceptions, the tester should determine whether compensating controls exist or if
expanding the sample size is appropriate/necessary to conclude whether the results of the initial tests were
representative. This determination should be documented in the testing template or action plan.

Refer to Appendix A for an illustration of the approach for reviewing testing objectives post exception,
including details on extending sample sizes due to testing exceptions and retesting controls.
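The following Python script is an added illustrative example, not part of the original memo, showing how a testing team could implement two of the mechanics described above in tooling: unbiased, reproducible sample selection from a documented population (with the population digest and seed recorded in the work papers), and the exception-expansion decision from the table above. The base sample sizes of 25 (ongoing) and 20 (daily) are assumptions inferred from the table’s totals (25 + 13 = 38, 20 + 10 = 30); the population identifiers, seed strings and control names are constructed.

```python
"""Reproducible sample selection and exception evaluation for control testing.

Added illustrative example, not from the original memo. Base sample sizes of
25 (ongoing) and 20 (daily) are inferred from the memo's exception table
(25 + 13 = 38, 20 + 10 = 30); the memo's standard sample size table itself is
left unfilled here. Population identifiers and seeds below are constructed.
"""
import hashlib
import math
import random
from dataclasses import dataclass
from typing import Optional, Sequence

# Only ongoing and daily controls may have the sample expanded, and only after
# exactly one exception, to 150% of the original sample (Exception Conditions).
EXPANDABLE_FREQUENCIES = {"ongoing", "daily"}
EXPANSION_FACTOR = 1.5


def population_digest(population: Sequence[str]) -> str:
    """SHA-256 over the sorted population identifiers. Recorded in the work
    papers so a reviewer can confirm which population the sample was drawn from."""
    h = hashlib.sha256()
    for item in sorted(population):
        h.update(item.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def select_sample(population: Sequence[str], sample_size: int, seed: str) -> list:
    """Draw sample_size distinct items without replacement.

    The tester, not the process owner, chooses the seed. Recording the seed and
    population_digest() makes the draw reproducible for the external auditor
    while leaving the process owner no way to steer which items are picked.
    """
    if sample_size > len(population):
        raise ValueError("sample size exceeds population")
    # Seed the generator from the tester's seed string and the population digest
    # so the draw is fixed by both. random.Random is adequate here: the goal is
    # reproducibility and absence of selection bias, not unpredictability.
    rng = random.Random(seed + ":" + population_digest(population))
    indices = rng.sample(range(len(population)), sample_size)
    return [population[i] for i in sorted(indices)]


def expanded_sample_size(initial_sample: int) -> int:
    """150% of the original sample, rounded up (25 -> 38, 20 -> 30 as in the table)."""
    return math.ceil(initial_sample * EXPANSION_FACTOR)


@dataclass
class ControlTest:
    control: str
    frequency: str                 # "ongoing", "daily", "weekly", "monthly", ...
    initial_sample: int
    initial_exceptions: int
    expanded_exceptions: Optional[int] = None  # None until an expansion is performed


def evaluate(test: ControlTest) -> tuple:
    """Return (conclusion, next_step) following the exception-conditions table."""
    if test.initial_exceptions == 0:
        return "effective", "document results"
    freq = test.frequency.lower()
    if freq not in EXPANDABLE_FREQUENCIES or test.initial_exceptions > 1:
        # Weekly or less frequent: any exception makes the control ineffective.
        return "ineffective", "action plan required"
    # Exactly one exception in an ongoing/daily control: expansion is permitted
    # if the exception is believed to be isolated.
    if test.expanded_exceptions is None:
        extra = expanded_sample_size(test.initial_sample) - test.initial_sample
        return "pending", f"expand sample by {extra} items or create action plan"
    if test.expanded_exceptions == 0:
        return "effective", "document isolated exception"
    # One more exception in the expanded sample: stop testing (Appendix A).
    return "ineffective", "action plan required"


if __name__ == "__main__":
    # Constructed population: journal-entry identifiers for one fiscal year.
    population = [f"JE-{n:05d}" for n in range(1, 1201)]
    print("population digest:", population_digest(population))
    print("sample:", select_sample(population, 25, seed="FY-ongoing-JE-approval"))
    t = ControlTest("JE approval", "ongoing", 25, 1)
    print(evaluate(t))
    t.expanded_exceptions = 0
    print(evaluate(t))
```

The digest-plus-seed pairing is the part worth keeping even if the rest is replaced by an audit platform: with both values in the work papers, any reviewer can re-run the draw and confirm that the items tested were the ones the seed produced, which is what makes the sample defensible against a claim that the process owner influenced selection.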

INEFFECTIVE CONTROL EVALUATION

Ineffective controls identified during testing are evaluated at year-end by management to determine the risk of
potential misstatements based on the affected significant accounts and assertions. Management’s evaluation
procedures include:

• Gaining an understanding of related processes, risks and controls
• Determining potential gross impact to the financial statements and/or disclosures
• Assessing the overall design of internal controls to mitigate related risks, including identification of mitigating,
or compensating controls (mitigating/compensating controls reduce the likelihood and extent of a
misstatement)
• Determining realizable impact to the financial statements and/or disclosures based on the assessment of
design and the operating effectiveness of compensating controls

If the ineffective control exists at year-end, classify it as a Deficiency, Significant Deficiency or Material Weakness
according to the following definitions:
• Deficiency: Deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on
a timely basis.
• Significant Deficiency: Significant deficiency is a deficiency, or combination of deficiencies, that is less
severe than a material weakness, yet important enough to merit attention by those responsible for oversight of
the company’s financial reporting.
• Material Weakness: Material weakness is a deficiency or combination of deficiencies, such that there is a
reasonable possibility that a material misstatement of the company’s annual or interim financial statements will
not be prevented or detected on a timely basis.

Management will communicate ineffective controls identified during interim and roll-forward testing to external
auditors on a timely basis, and further coordinate the evaluation and classification of ineffective controls at year-
end.

SOX DOCUMENT RETENTION POLICY

DURING TESTING
Upon completion of testing, the testing templates (see Appendix B) should be retained after fieldwork.

YEAR-END
Upon completion of roll-forward testing, a summary completion memo is provided to the audit committee
documenting the overall testing results of SOX 404 activities performed.

Appendix A: Process for Reviewing Testing after Exceptions Identified
Examination of exceptions must consider both quantitative and qualitative factors.
Any exception found during testing for a control operating less frequently than
daily is generally considered an ineffectively operating control. Controls operating
daily or more frequently than daily can still be considered effective after taking into
consideration any qualitative factors.

[Flowchart, rendered as steps]
1. Complete testing and document the test results.
2. Test objectives met? If no, the control is an ineffectively operating internal control.
3. If yes, determine if exceptions were found during testing. If no exceptions were found,
   the test objectives are met.
4. If exceptions were found, examine and understand the causes and results of the
   exceptions. Were the test objectives met? If no, the control is an ineffectively
   operating internal control.
5. If yes, considering the results of management and auditor testing and the information
   obtained in the examination above, could additional testing support that the exception
   is not representative of the total population? If no, the control is an ineffectively
   operating internal control.
6. If yes, extend testing and reevaluate. Is the exception representative of the
   population? If yes, the control is an ineffectively operating internal control; if no,
   the test objectives are met.

If testing is extended and one more exception is found, stop testing, because the control
should be considered as operating ineffectively.

Appendix B: Sample Testing Template
(Insert Sample Testing Template)
