audit-support

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Audit Support

审计支持

Important: This skill assists with SOX compliance workflows but does not provide audit or legal advice. All testing workpapers and assessments should be reviewed by qualified financial professionals. While "significance" and "materiality" are context-specific concepts that are ultimately assessed by auditors, this skill is intended to assist professionals in the creation and evaluation of effective internal controls and documentation for audits.

SOX 404 control testing methodology, sample selection approaches, testing documentation standards, control deficiency classification, and common control types.

重要提示：本技能协助处理SOX合规工作流，但不提供审计或法律建议。所有测试工作底稿和评估都应由合格的财务专业人员审核。虽然“重要性”和“重大性”是最终由审计师评估的特定情境概念，但本技能旨在协助专业人员创建和评估用于审计的有效内部控制及相关文档。

本文涵盖SOX 404控制测试方法、样本选择方案、测试文档标准、控制缺陷分类及常见控制类型。

SOX 404 Control Testing Methodology

SOX 404控制测试方法

Overview

概述

SOX Section 404 requires management to assess the effectiveness of internal controls over financial reporting (ICFR). This involves:

Scoping: Identify significant accounts and relevant assertions
Risk assessment: Evaluate the risk of material misstatement for each significant account
Control identification: Document the controls that address each risk
Testing: Test the design and operating effectiveness of key controls
Evaluation: Assess whether any deficiencies exist and their severity
Reporting: Document the assessment and any material weaknesses

SOX第404条款要求管理层评估财务报告内部控制（ICFR）的有效性，流程包括：

范围界定：识别重要账户及相关认定
风险评估：评估每个重要账户存在重大错报的风险
控制识别：记录应对各风险的控制措施
测试执行：测试关键控制的设计有效性和运行有效性
缺陷评估：判断是否存在缺陷及其严重程度
报告编制：记录评估结果及任何重大薄弱环节

Scoping Significant Accounts

重要账户范围界定

An account is significant if there is more than a remote likelihood that it could contain a misstatement that is material (individually or in aggregate).

Quantitative factors:

Account balance exceeds materiality threshold (typically 3-5% of a key benchmark)
Transaction volume is high, increasing the risk of error
Account is subject to significant estimates or judgment

Qualitative factors:

Account involves complex accounting (revenue recognition, derivatives, pensions)
Account is susceptible to fraud (cash, revenue, related-party transactions)
Account has had prior misstatements or audit adjustments
Account involves significant management judgment or estimates
New account or significantly changed process

若某账户存在超过极小可能性的重大错报风险（单独或汇总），则该账户属于重要账户。

量化因素：

账户余额超过重大性阈值（通常为关键基准的3-5%）
交易量大，错误风险更高
账户涉及重大估计或判断

定性因素：

账户涉及复杂会计处理（收入确认、衍生品、养老金）
账户易受欺诈（现金、收入、关联方交易）
账户曾出现过错报或审计调整
账户涉及重大管理层判断或估计
新增账户或流程发生重大变更

Relevant Assertions by Account Type

按账户类型划分的相关认定

Account Type	Key Assertions
Revenue	Occurrence, Completeness, Accuracy, Cut-off
Accounts Receivable	Existence, Valuation (allowance), Rights
Inventory	Existence, Valuation, Completeness
Fixed Assets	Existence, Valuation, Completeness, Rights
Accounts Payable	Completeness, Accuracy, Existence
Accrued Liabilities	Completeness, Valuation, Accuracy
Equity	Completeness, Accuracy, Presentation
Financial Close/Reporting	Presentation, Accuracy, Completeness

账户类型	关键认定
收入	发生、完整性、准确性、截止
应收账款	存在、估值（坏账准备）、权利
存货	存在、估值、完整性
固定资产	存在、估值、完整性、权利
应付账款	完整性、准确性、存在
应计负债	完整性、估值、准确性
权益	完整性、准确性、列报
财务结账/报告	列报、准确性、完整性

Design Effectiveness vs Operating Effectiveness

设计有效性 vs 运行有效性

Design effectiveness: Is the control properly designed to prevent or detect a material misstatement in the relevant assertion?

Evaluated through walkthroughs (trace a transaction end-to-end through the process)
Confirm the control is placed at the right point in the process
Confirm the control addresses the identified risk
Performed at least annually, or when processes change

Operating effectiveness: Did the control actually operate as designed throughout the testing period?

Evaluated through testing (inspection, observation, re-performance, inquiry)
Requires sufficient sample sizes to support a conclusion
Must cover the full period of reliance

设计有效性：控制措施是否能合理预防或发现相关认定的重大错报？

通过穿行测试评估（追踪交易从开始到结束的全流程）
确认控制措施部署在流程的恰当节点
确认控制措施能应对已识别的风险
至少每年评估一次，或在流程变更时评估

运行有效性：控制措施在整个测试期间是否按设计要求实际运行？

通过测试评估（检查、观察、重新执行、询问）
需要足够的样本量来支撑结论
必须覆盖整个依赖期间

Sample Selection Approaches

样本选择方案

Random Selection

随机选择

When to use: Default method for transaction-level controls with large populations.

Method:

Define the population (all transactions subject to the control during the period)
Number each item in the population sequentially
Use a random number generator to select sample items
Ensure no bias in selection (all items have equal probability)

Advantages: Statistically valid, defensible, no selection bias Disadvantages: May miss high-risk items, requires complete population listing

适用场景：交易层面控制的默认方法，适用于大样本量总体。

方法：

定义总体（期间内受控制约束的所有交易）
为总体中的每个项目依次编号
使用随机数生成器选择样本项目
确保选择无偏差（所有项目被选中的概率相等）

优势：统计有效、可辩护、无选择偏差劣势：可能遗漏高风险项目、需要完整的总体清单

Targeted (Judgmental) Selection

定向（判断性）选择

When to use: Supplement to random selection for risk-based testing; primary method when population is small or highly varied.

Method:

Identify items with specific risk characteristics:
- High dollar amount (above a defined threshold)
- Unusual or non-standard transactions
- Period-end transactions (cut-off risk)
- Related-party transactions
- Manual or override transactions
- New vendor/customer transactions
Select items matching risk criteria
Document rationale for each targeted selection

Advantages: Focuses on highest-risk items, efficient use of testing effort Disadvantages: Not statistically representative, may over-represent certain risks

适用场景：作为随机选择的补充用于风险导向测试；当总体规模小或高度多样化时作为主要方法。

方法：

识别具有特定风险特征的项目：
- 高金额项目（超过设定阈值）
- 异常或非标准交易
- 期末交易（截止风险）
- 关联方交易
- 人工或 override 交易
- 新供应商/客户交易
选择符合风险标准的项目
记录每项定向选择的理由

优势：聚焦最高风险项目、高效利用测试资源劣势：不具备统计代表性、可能过度代表某些风险

Haphazard Selection

随意选择

When to use: When random selection is impractical (no sequential population listing) and population is relatively homogeneous.

Method:

Select items without any specific pattern or bias
Ensure selections are spread across the full population period
Avoid unconscious bias (don't always pick items at the top, round numbers, etc.)

Advantages: Simple, no technology required Disadvantages: Not statistically valid, susceptible to unconscious bias

适用场景：当随机选择不可行（无连续的总体清单）且总体相对同质时。

方法：

无特定模式或偏差地选择项目
确保选择覆盖整个总体期间
避免无意识偏差（不要总是选顶部项目、整数金额项目等）

优势：简单、无需技术工具劣势：不具备统计有效性、易受无意识偏差影响

Systematic Selection

系统选择

When to use: When population is sequential and you want even coverage across the period.

Method:

Calculate the sampling interval: Population size / Sample size
Select a random starting point within the first interval
Select every Nth item from the starting point

Example: Population of 1,000, sample of 25 → interval of 40. Random start: item 17. Select items 17, 57, 97, 137, ...

Advantages: Even coverage across population, simple to execute Disadvantages: Periodic patterns in the population could bias results

适用场景：当总体是连续的，且希望在期间内均匀覆盖时。

方法：

计算抽样间隔：总体规模 / 样本规模
在第一个间隔内随机选择起始点
从起始点开始每隔N个项目选择一个

示例：总体1000个，样本25个 → 间隔40。随机起始点：第17项。选择项目17、57、97、137……

优势：总体覆盖均匀、执行简单劣势：总体中的周期性模式可能导致结果偏差

Sample Size Guidance

测试文档标准

—

工作底稿要求

Control Frequency	Expected Population	Low Risk Sample	Moderate Risk Sample	High Risk Sample
Annual	1	1	1	1
Quarterly	4	2	2	3
Monthly	12	2	3	4
Weekly	52	5	8	15
Daily	~250	20	30	40
Per-transaction (small pop.)	< 250	20	30	40
Per-transaction (large pop.)	250+	25	40	60

Factors increasing sample size:

Higher inherent risk in the account/process
Control is the sole control addressing a significant risk (no redundancy)
Prior period control deficiency identified
New control (not tested in prior periods)
External auditor reliance on management testing

每项控制测试都应记录以下内容：

控制识别：
- 控制编号/ID
- 控制描述（做什么、谁执行、执行频率）
- 控制类型（人工、自动化、依赖IT的人工控制）
- 控制频率
- 应对的风险和认定
测试设计：
- 测试目标（要验证的内容）
- 测试程序（分步说明）
- 预期证据（控制有效时应看到的证据）
- 样本选择方法及理由
测试执行：
- 总体描述及规模
- 样本选择细节（方法、选中项目）
- 每个样本项目的结果（通过/失败及检查的具体证据）
- 记录发现的异常及完整描述
结论：
- 总体评估（有效/缺陷/重大缺陷/重大薄弱环节）
- 结论依据
- 异常影响评估
- 考虑的补偿控制（如适用）
签字确认：
- 测试人员姓名及日期
- 复核人员姓名及日期

Testing Documentation Standards

证据标准

Workpaper Requirements

—

Every control test should be documented with:

Control identification:
- Control number/ID
- Control description (what is done, by whom, how often)
- Control type (manual, automated, IT-dependent manual)
- Control frequency
- Risk and assertion addressed
Test design:
- Test objective (what you are trying to determine)
- Test procedures (step-by-step instructions)
- Expected evidence (what you expect to see if the control is effective)
- Sample selection methodology and rationale
Test execution:
- Population description and size
- Sample selection details (method, items selected)
- Results for each sample item (pass/fail with specific evidence examined)
- Exceptions noted with full description
Conclusion:
- Overall assessment (effective / deficiency / significant deficiency / material weakness)
- Basis for conclusion
- Impact assessment for any exceptions
- Compensating controls considered (if applicable)
Sign-off:
- Tester name and date
- Reviewer name and date

充分证据包括：

显示系统强制执行控制的截图
已签署/草签的审批文件
带有可识别审批人及日期的邮件审批记录
显示操作人及操作时间的系统审计日志
重新执行的计算及匹配结果
观察记录（含日期、地点、观察者）

不充分证据：

仅口头确认（需佐证）
无日期的文件
无法识别执行人/审批人的证据
无日期/时间戳的通用系统报告
仅“与[姓名]讨论”但无佐证文档

Evidence Standards

工作底稿组织

Sufficient evidence includes:

Screenshots showing system-enforced controls
Signed/initialed approval documents
Email approvals with identifiable approver and date
System audit logs showing who performed the action and when
Re-performed calculations with matching results
Observation notes (with date, location, observer)

Insufficient evidence:

Verbal confirmations alone (must be corroborated)
Undated documents
Evidence without identifiable performer/approver
Generic system reports without date/time stamps
"Per discussion with [name]" without corroborating documentation

按控制领域组织测试文件：

SOX测试/
├── [年份]/
│   ├── 范围界定与风险评估/
│   ├── 收入循环/
│   │   ├── 控制矩阵
│   │   ├── 穿行测试文档
│   │   ├── 测试工作底稿（每项控制一份）
│   │   └── 支持性证据
│   ├── 采购到付款/
│   ├── 薪酬/
│   ├── 财务结账/
│   ├── 资金管理/
│   ├── 固定资产/
│   ├── IT一般控制/
│   ├── 实体层面控制/
│   └── 总结与结论/
│       ├── 缺陷评估
│       └── 管理层评估

Working Paper Organization

控制缺陷分类

—

缺陷

Organize testing files by control area:

SOX Testing/
├── [Year]/
│   ├── Scoping and Risk Assessment/
│   ├── Revenue Cycle/
│   │   ├── Control Matrix
│   │   ├── Walkthrough Documentation
│   │   ├── Test Workpapers (one per control)
│   │   └── Supporting Evidence
│   ├── Procure to Pay/
│   ├── Payroll/
│   ├── Financial Close/
│   ├── Treasury/
│   ├── Fixed Assets/
│   ├── IT General Controls/
│   ├── Entity Level Controls/
│   └── Summary and Conclusions/
│       ├── Deficiency Evaluation
│       └── Management Assessment

当控制的设计或运行无法让管理层或员工在日常履职中及时预防或发现错报时，即存在内部控制缺陷。

评估因素：

控制失效导致错报的可能性有多大？
潜在错报的严重程度如何？
是否存在能弥补该缺陷的补偿控制？

Control Deficiency Classification

重大缺陷

Deficiency

—

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Evaluation factors:

What is the likelihood that the control failure could result in a misstatement?
What is the magnitude of the potential misstatement?
Is there a compensating control that mitigates the deficiency?

单个缺陷或多个缺陷的组合，其严重程度低于重大薄弱环节，但足以引起治理层的重视。

指标：

缺陷可能导致的错报超过微不足道但未达到重大水平
存在超过极小（但低于合理可能）的重大错报可能性
该控制是关键控制且缺陷未被补偿控制完全弥补
多个单独轻微缺陷组合后构成重大关注事项

Significant Deficiency

重大薄弱环节

A deficiency, or combination of deficiencies, that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

Indicators:

The deficiency could result in a misstatement that is more than inconsequential but less than material
There is more than a remote (but less than reasonably possible) likelihood of a material misstatement
The control is a key control and the deficiency is not fully mitigated by compensating controls
Combination of individually minor deficiencies that together represent a significant concern

单个缺陷或多个缺陷的组合，导致存在合理可能性：财务报表的重大错报无法被及时预防或发现。

指标：

识别出高级管理层的欺诈（无论金额大小）
重述已发布的财务报表以更正重大错误
审计师识别出公司控制未发现的重大错报
审计委员会对财务报告的监督无效
普遍性控制（实体层面、IT一般控制）存在缺陷，影响多个流程

Material Weakness

缺陷汇总评估

A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.

Indicators:

Identification of fraud by senior management (any magnitude)
Restatement of previously issued financial statements to correct a material error
Identification by the auditor of a material misstatement that would not have been detected by the company's controls
Ineffective oversight of financial reporting by the audit committee
Deficiency in a pervasive control (entity-level, IT general control) affecting multiple processes

单个不重大的缺陷组合后可能变得重大：

识别同一流程或影响同一认定的所有缺陷
评估组合影响是否可能导致重大错报
考虑补偿控制的缺陷是否加剧其他缺陷的影响
记录汇总分析及结论

Deficiency Aggregation

整改

Individual deficiencies that are not significant individually may be significant in combination:

Identify all deficiencies in the same process or affecting the same assertion
Evaluate whether the combined effect could result in a material misstatement
Consider whether deficiencies in compensating controls exacerbate other deficiencies
Document the aggregation analysis and conclusion

针对每个已识别的缺陷：

根本原因分析：控制为何失效？（设计漏洞、执行失败、人员配置、培训、系统问题）
整改计划：修复控制的具体措施（重新设计、额外培训、系统增强、增加复核）
时间线：整改完成的目标日期
负责人：负责实施整改的人员
验证：如何及何时重新测试整改后的控制以确认其有效性

Remediation

常见控制类型

—

IT一般控制（ITGCs）

For each identified deficiency:

Root cause analysis: Why did the control fail? (design gap, execution failure, staffing, training, system issue)
Remediation plan: Specific actions to fix the control (redesign, additional training, system enhancement, added review)
Timeline: Target date for remediation completion
Owner: Person responsible for implementing the remediation
Validation: How and when the remediated control will be re-tested to confirm effectiveness

针对IT环境的控制，支持应用控制和自动化流程的可靠运行。

访问控制：

用户权限配置（新权限请求需审批）
用户权限移除（及时移除离职用户权限）
特权访问管理（限制并监控管理员/超级用户权限）
定期权限复核（按既定时间表重新确认用户权限）
密码策略（复杂度、轮换、锁定）
职责分离执行（防止冲突权限）

变更管理：

变更请求在实施前需记录并审批
变更在非生产环境测试后再推广
开发与生产环境分离
紧急变更流程（记录、事后审批）
变更复核及实施后验证

IT运营：

批处理作业监控及异常处理
备份与恢复程序（定期备份、测试恢复）
系统可用性及性能监控
事件管理及升级流程
灾难恢复规划及测试

Common Control Types

人工控制

IT General Controls (ITGCs)

—

Controls over the IT environment that support the reliable functioning of application controls and automated processes.

Access Controls:

User access provisioning (new access requests require approval)
User access de-provisioning (terminated users removed timely)
Privileged access management (admin/superuser access restricted and monitored)
Periodic access reviews (user access recertified on a defined schedule)
Password policies (complexity, rotation, lockout)
Segregation of duties enforcement (conflicting access prevented)

Change Management:

Change requests documented and approved before implementation
Changes tested in a non-production environment before promotion
Separation of development and production environments
Emergency change procedures (documented, approved post-implementation)
Change review and post-implementation validation

IT Operations:

Batch job monitoring and exception handling
Backup and recovery procedures (regular backups, tested restores)
System availability and performance monitoring
Incident management and escalation procedures
Disaster recovery planning and testing

由人员运用判断执行的控制，通常涉及复核和审批。

示例：

管理层对财务报表及关键指标的复核
超过阈值的日记账分录需主管审批
三方匹配验证（采购订单、收货单、发票）
账户调节表的编制与复核
实物存货盘点与观察
供应商主数据变更审批
客户信用审批

测试关键属性：

控制是否由合适的人员执行（具备适当权限）？
是否及时执行（在要求的时间范围内）？
是否有复核证据（签字、草签、邮件、系统日志）？
复核人是否有足够信息进行有效复核？
是否识别出异常并适当处理？

Manual Controls

自动化控制

Controls performed by people using judgment, typically involving review and approval.

Examples:

Management review of financial statements and key metrics
Supervisory approval of journal entries above a threshold
Three-way match verification (PO, receipt, invoice)
Account reconciliation preparation and review
Physical inventory observation and count
Vendor master data change approval
Customer credit approval

Key attributes to test:

Was the control performed by the right person (proper authority)?
Was it performed timely (within the required timeframe)?
Is there evidence of the review (signature, initials, email, system log)?
Did the reviewer have sufficient information to perform an effective review?
Were exceptions identified and appropriately addressed?

由IT系统强制执行、无需人工干预的控制。

示例：

系统强制执行的审批工作流（无必要审批则无法推进）
三方匹配自动化（若采购订单/收货单/发票不匹配，系统阻止付款）
重复付款检测（系统标记或阻止重复发票）
信用额度强制执行（系统阻止超过信用额度的订单）
自动化计算（折旧、摊销、利息、税金）
系统强制执行的职责分离（防止冲突角色）
输入验证控制（必填字段、格式检查、范围检查）
自动化调节匹配

测试方法：

设计测试：确认系统配置是否按预期强制执行控制
运行有效性测试：对于自动化控制，若系统配置未变更，通常对控制进行一次测试即可覆盖整个期间（辅以变更管理ITGC测试）
验证变更管理ITGC的有效性（若系统变更，需重新测试控制）

Automated Controls

依赖IT的人工控制

Controls enforced by IT systems without human intervention.

Examples:

System-enforced approval workflows (cannot proceed without required approvals)
Three-way match automation (system blocks payment if PO/receipt/invoice don't match)
Duplicate payment detection (system flags or blocks duplicate invoices)
Credit limit enforcement (system prevents orders exceeding credit limit)
Automated calculations (depreciation, amortization, interest, tax)
System-enforced segregation of duties (conflicting roles prevented)
Input validation controls (required fields, format checks, range checks)
Automated reconciliation matching

Testing approach:

Test design: Confirm the system configuration enforces the control as intended
Test operating effectiveness: For automated controls, if the system configuration has not changed, one test of the control is typically sufficient for the period (supplemented by ITGC testing of change management)
Verify change management ITGCs are effective (if system changed, re-test the control)

依赖系统生成信息的完整性和准确性的人工控制。

示例：

管理层对系统生成的异常报告的复核
主管对系统生成的账龄报告的复核以评估准备金
使用系统生成的试算平衡表数据进行调节
对系统生成的工作流识别的交易进行审批

测试方法：

测试人工控制（复核、审批、异常跟进）
同时测试底层报告/数据（IPE——主体生成的信息）的完整性和准确性
IPE测试确认复核人依赖的数据是完整准确的

IT-Dependent Manual Controls

实体层面控制

Manual controls that rely on the completeness and accuracy of system-generated information.

Examples:

Management review of a system-generated exception report
Supervisor review of a system-generated aging report to assess reserves
Reconciliation using system-generated trial balance data
Approval of transactions identified by a system-generated workflow

Testing approach:

Test the manual control (review, approval, follow-up on exceptions)
AND test the completeness and accuracy of the underlying report/data (IPE — Information Produced by the Entity)
IPE testing confirms the data the reviewer relied on was complete and accurate

在组织层面运行、影响多个流程的广泛控制。

示例：

高层基调/行为准则
风险评估流程
审计委员会对财务报告的监督
内部审计职能及活动
欺诈风险评估及反欺诈计划
举报/道德热线
管理层对控制有效性的监控
财务报告能力（人员配置、培训、资质）
期末财务报告流程（结账程序、GAAP合规复核）

重要性：

实体层面控制可弥补但通常无法替代流程层面控制
实体层面控制无效（尤其是审计委员会监督和高层基调）是重大薄弱环节的强指标
有效的实体层面控制可减少流程层面控制的测试范围

Entity-Level Controls

—

Broad controls that operate at the organizational level and affect multiple processes.

Examples:

Tone at the top / code of conduct
Risk assessment process
Audit committee oversight of financial reporting
Internal audit function and activities
Fraud risk assessment and anti-fraud programs
Whistleblower/ethics hotline
Management monitoring of control effectiveness
Financial reporting competence (staffing, training, qualifications)
Period-end financial reporting process (close procedures, GAAP compliance reviews)

Significance:

Entity-level controls can mitigate but typically cannot replace process-level controls
Ineffective entity-level controls (especially audit committee oversight and tone at the top) are strong indicators of a material weakness
Effective entity-level controls may reduce the extent of testing needed for process-level controls

—