
Job Aid
SOA 404 Tester Training
Expert

Key Facts

• The Sarbanes-Oxley Act (SOA) is a US federal law that was enacted by the Securities and Exchange Commission (SEC) in 2002, largely in response to major corporate and accounting scandals in the United States. SOA established new and enhanced standards for corporate governance, disclosure and reporting.
• The SOA Section 404 requires internal controls over financial reporting (ICFR) to be set up and implemented.
• The testing process is a component of the SOA Section 404 and plays an important role in ensuring the effectiveness of the ICFR.

Testing Process Overview

To perform testing properly, it's important that the tester is familiar with the testing environment.

In order to perform testing, the tester has to understand the

Tasks
• Preparation for testing
• Performing tests (ToD and ToE) and documentation of testing

To produce reliable testing results, testers have to fulfill the following requirements:
• Objectivity (e.g. independent, impartial)
• Competence (e.g. experience and education)

Terms to Remember

Internal Controls over Financial Reporting (ICFR)
The ICFR are a subset of the overall internal control system with a focus on the controls related to the financial statements. They are fundamental to the accurate recording of transactions and the preparation of reliable, orderly and uniform worldwide financial statements at Siemens. An SOA tester is part of the ICFR.

Test of Design (ToD)
The ToD has to establish whether the control design is suitable for preventing or detecting the addressed risks.

Test of operating Effectiveness (ToE)
The ToE has to verify whether the control is being performed as designed.

Process documentation (Annex 2)
The ICFR-related process documentation includes information on how significant transactions are initiated, recorded, processed and reported, the flow of transactions to identify risk points and the responsibilities within the process.

Risk and Control Catalog (Annex 3)
The ICFR-related risk and control catalog includes information on the risks and control objectives, the potential impact arising from the risk identified, the probability of occurrence of the risk and the control activities of the control owner.

Organization, Compliance and Management
Preparation for Testing and Performing Testing – Test of Design (ToD)
Preparation for Testing
Before starting the testing process, testers must be well prepared. Good preparation is the precondition for correct, timely and effective
testing. The graphic provides a checklist for SOA testers to work through.

Test Performance – Test of Design (ToD)


The ToD determines whether a control is suitably designed to address the control objective and cover the identified risk points. The tester must consider the following topics when evaluating the control design:

To enable a third party to repeat the ToD, the tester has to document the following points in a comprehensible way in the test documentation tool:

• the control execution of the control owner, in the tester's own words,
• the competence and aptitude of the control owner,
• the execution of the ToD, including the applied testing techniques,
• the testing result and rationale for the conclusion reached,
• a recommendation for the improvement/elimination of the error if the test case is ineffective (if possible).
Test Performance – Test of operating Effectiveness (ToE)
If the ToD has been effective, the ToE must be performed. This test determines whether the respective control is actually performed as
designed. The tester has to consider the following topics when performing the ToE:

1 Determination of sample size:
The sample size depends on criteria such as the control frequency and the risk profile of a control.

Control Frequency:
• is documented in Annex 3
• can be several times a day, daily, weekly, monthly, quarterly, semi-annually, annually or depending on occurrence

Risk Profile:
• classified based on the criteria impact arising from the risk identified and probability of occurrence
• the risk classification is higher, the higher the probability of a misstatement and the more significant the impact
• the impact and probability are documented in Annex 3

Based on the control frequency and the risk profile, the minimum sample size can be derived from the table below.

Example: A combined impact of 3 (material) and probability of 3 (more likely than not) is an indication that the risk is classified as high and thus addresses points of higher risk.

Example: If the control occurrence is 220 and the control addresses points with a high risk (impact = 3 and probability = 3), the minimum sample size is 15.

The determination of the sample size has to be documented in the test documentation tool.
2 Selection of samples:
The tester has to choose the samples to be tested. To this end, the tester can select either specific items or random items.

2.1 Determination of related population of the controls:
• Obtain a list of all transactions, for example, from the control owner before testing.
• Ensure that the required list is complete and accurate (consider, e.g., whether the period is accurate and whether there are any unwanted filter criteria). It is advisable to demand confirmation of the completeness of the list.

2.2 Selection of samples:
• Select specific items (e.g. the largest projects) or select the samples randomly by using the random sampling tool (advisable if the population contains mainly routine transactions).
• Arbitrary selection of samples must be avoided.

Sample selection must be documented so that an independent third party can clearly identify the individual samples (e.g. invoice number 38764).

3 Testing of samples:
Different testing techniques can be used in order to obtain sufficient evidence that the control is being performed as designed.

Testing techniques commonly used to evaluate the operating effectiveness of a control are e.g. inquiry or corroborative inquiry, observation, inspection, re-performance and system query. Information about the different testing techniques is provided in the ICFR Manual.
Execution of the ToE including the applied testing techniques must be documented.

4 Evaluation:
The execution of the control is effective or ineffective.

Evaluation of the ToE: The ToE has to be rated as:
• ineffective if the tester has found errors in the control execution. It may be that the control is not operating as designed because the documentation (e.g. check mark) that provides proof that the control has been performed is missing.
• effective if the tester has found no errors.
• not testable if the population is not sufficient to generate a complete set of control samples.

The testing result and rationale for the conclusion reached must be documented.

Recommendations for the improvement/elimination of the control failure are desired if the test case is ineffective.
Remark (comment on why the ToE could not be performed): mandatory field if the ToE has to be rated as not testable.
