Job Aid
SOA 404 Tester
Test of Design (ToD)
The ToD has to establish whether the control design is suitable for preventing or detecting the addressed risks.
Organization, Compliance and Management
Preparation for Testing and Performing Testing – Test of Design (ToD)
Preparation for Testing
Before starting the testing process, testers must be well prepared. Good preparation is the precondition for correct, timely and effective
testing. The graphic provides a checklist for SOA testers to work through.
To enable a third party to repeat the ToD, the tester has to document the following points in a comprehensible way in the test documentation tool:
Based on the control frequency and the risk profile, the minimum
sample size can be deduced from the table below.
The determination of the sample size has to be documented in the test documentation tool.
Test Performance – Test of Operating Effectiveness (ToE)
2 Selection of samples:
The tester has to choose the samples to be tested. To this end, the tester can select either specific items or random items.
2.1 Determination of related population of the controls:
• Obtain a list of all transactions, for example, from the control owner before testing.
• Ensure that the required list is complete and accurate (consider, e.g., whether the period is accurate and whether there are any
unwanted filter criteria). It is advisable to demand confirmation of the completeness of the list.
2.2 Selection of samples:
• Select specific items (e.g. the largest projects) or select the samples randomly by using the random sampling tool
(advisable if population contains mainly routine transactions).
• Arbitrary selection of samples must be avoided.
Sample selection must be documented so that an independent third party can clearly identify the individual samples
(e.g. invoice number 38764).
3 Testing of samples:
Different testing techniques can be used in order to obtain sufficient evidence that the control is being performed as designed.
Testing techniques commonly used to evaluate the operating effectiveness of a control are e.g. inquiry or corroborative inquiry, observation,
inspection, re-performance and system query. Information about the different testing techniques is provided in the ICFR Manual.
Execution of the ToE including the applied testing techniques must be documented.
4 Evaluation:
The execution of the control is effective or ineffective.
Evaluation of the ToE: The ToE has to be rated as:
• ineffective if the tester has found errors in the control
execution. It may be that the control is not operating as
designed because the documentation (e.g. check mark) that
provides proof that the control has been performed is missing.
Testing result and rationale for the conclusion reached must be documented.
A recommendation for the improvement/elimination of the control failure is desired if the test case is ineffective.
Remark (comment on why the ToE could not be performed): mandatory field if the ToE has to be rated as not testable.