sox-testing

SOX Compliance Testing


If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.
Important: This command assists with SOX compliance workflows but does not provide audit or legal advice. All testing workpapers and assessments should be reviewed by qualified financial professionals before use in audit documentation.
Generate sample selections, create testing workpapers, document control assessments, and provide testing templates for SOX 404 internal controls over financial reporting.

Usage


/sox <control-area> <period>

Arguments


  • control-area — The control area to test:
    • revenue-recognition — Revenue cycle controls (order-to-cash)
    • procure-to-pay or p2p — Procurement and AP controls (purchase-to-pay)
    • payroll — Payroll processing and compensation controls
    • financial-close — Period-end close and reporting controls
    • treasury — Cash management and treasury controls
    • fixed-assets — Capital asset lifecycle controls
    • inventory — Inventory valuation and management controls
    • itgc — IT general controls (access, change management, operations)
    • entity-level — Entity-level and monitoring controls
    • journal-entries — Journal entry processing controls
    • Any specific control ID or name
  • period — The testing period (e.g., 2024-Q4, 2024, 2024-H2)

Workflow


1. Identify Controls to Test


Based on the control area, identify the key controls. Present the control matrix:
| Control # | Control Description | Type | Frequency | Key/Non-Key | Risk | Assertion |
|-----------|---------------------|------|-----------|-------------|------|-----------|
| [ID] | [Description] | Manual/Automated/IT-Dependent | Daily/Weekly/Monthly/Quarterly/Annual | Key | High/Medium/Low | [CEAVOP] |
Control types:
  • Automated: System-enforced controls with no manual intervention
  • Manual: Controls performed by personnel with judgment
  • IT-dependent manual: Manual controls that rely on system-generated data
Assertions (CEAVOP):
  • Completeness — All transactions are recorded
  • Existence/Occurrence — Transactions actually occurred
  • Accuracy — Amounts are correctly recorded
  • Valuation — Assets/liabilities are properly valued
  • Obligations/Rights — Entity has rights to assets, obligations for liabilities
  • Presentation/Disclosure — Properly classified and disclosed

2. Determine Sample Size


Calculate sample sizes based on control frequency and risk:
| Control Frequency | Population Size (approx.) | Recommended Sample |
|-------------------|---------------------------|--------------------|
| Annual | 1 | 1 (test the instance) |
| Quarterly | 4 | 2 |
| Monthly | 12 | 2-4 (based on risk) |
| Weekly | 52 | 5-15 (based on risk) |
| Daily | ~250 | 20-40 (based on risk) |
| Per-transaction | Varies | 25-60 (based on risk and volume) |
Adjust for:
  • Risk level: Higher risk controls require larger samples
  • Prior year results: Controls with prior deficiencies need larger samples
  • Reliance: Controls relied upon by external auditors may need larger samples

3. Generate Sample Selection


Select samples from the population using the appropriate method:
Random selection (default for transaction-level controls):
  • Generate random numbers to select specific items from the population
  • Ensure coverage across the full period
Systematic selection (for periodic controls):
  • Select items at fixed intervals with a random start point
  • Ensure representation across all sub-periods
Targeted selection (supplement to random, for risk-based testing):
  • Select items with specific risk characteristics (high dollar, unusual, period-end)
  • Document rationale for targeted selections
Present the sample:
SAMPLE SELECTION
Control: [Control ID] — [Description]
Period: [Testing period]
Population: [Count] items, $[Total value]
Sample size: [N] items
Selection method: [Random/Systematic/Targeted]

| Sample # | Transaction Date | Reference/ID | Amount | Selection Basis |
|----------|-----------------|--------------|--------|-----------------|
| 1        | [Date]          | [Ref]        | $X,XXX | Random          |
| 2        | [Date]          | [Ref]        | $X,XXX | Random          |
| ...      | ...             | ...          | ...    | ...             |
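The seeded random and systematic selections described above, with sample sizes taken from the Step 2 table, as an added Python example (not part of the original command; the reconciliation population, the seed values and the helper names are constructed for illustration). Seeding the generator is what lets a reviewer re-perform the selection and tie it back to the documented methodology.

```python
import random
from datetime import date

# Recommended sample sizes from the Step 2 table: low and high ends of the
# risk-based range ("annual" tests the single instance).
SAMPLE_SIZE = {
    "annual": (1, 1), "quarterly": (2, 2), "monthly": (2, 4),
    "weekly": (5, 15), "daily": (20, 40), "per-transaction": (25, 60),
}

def recommended_sample_size(frequency, risk="medium", prior_deficiency=False):
    """Size from the table, moved toward the high end for higher risk or a
    prior-year deficiency (the page's adjustment factors)."""
    low, high = SAMPLE_SIZE[frequency]
    n = {"low": low, "medium": (low + high) // 2, "high": high}[risk]
    return high if prior_deficiency else n

def random_selection(population, n, seed):
    """Seeded random selection of (reference, date) items so a reviewer can
    re-perform the pick; the result is returned in date order."""
    return sorted(random.Random(seed).sample(population, n), key=lambda x: x[1])

def systematic_selection(population, n, seed):
    """Fixed-interval selection with a random start point; the population must
    be sorted by date so the interval spreads picks across the period."""
    if n >= len(population):
        return list(population)
    interval = len(population) // n
    start = random.Random(seed).randrange(interval)
    return [population[start + k * interval] for k in range(n)]

def sub_periods_covered(selected):
    """Coverage check: distinct (year, month) sub-periods represented."""
    return sorted({(d.year, d.month) for _, d in selected})

# Constructed population (hypothetical): 12 monthly reconciliations for 2024.
POPULATION = [(f"REC-2024-{m:02d}", date(2024, m, 28)) for m in range(1, 13)]

if __name__ == "__main__":
    n = recommended_sample_size("monthly", risk="high")
    sel = systematic_selection(POPULATION, n, seed=20241231)
    for i, (ref, d) in enumerate(sel, 1):
        print(f"| {i} | {d} | {ref} | Systematic, seed 20241231 |")
    print("Sub-periods covered:", sub_periods_covered(sel))
```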

4. Create Testing Workpaper


Generate a testing template for each control:
SOX CONTROL TESTING WORKPAPER
==============================
Control #: [ID]
Control Description: [Full description of the control activity]
Control Owner: [Role/title — to be filled by tester]
Control Type: [Manual/Automated/IT-Dependent Manual]
Frequency: [How often the control operates]
Key Control: [Yes/No]
Relevant Assertion(s): [CEAVOP]
Testing Period: [Period]

TEST OBJECTIVE:
To determine whether [control description] operated effectively throughout the testing period.

TEST PROCEDURES:
1. [Step 1 — What to inspect, examine, or re-perform]
2. [Step 2 — What evidence to obtain]
3. [Step 3 — What to compare or verify]
4. [Step 4 — How to evaluate completeness of performance]
5. [Step 5 — How to assess timeliness of performance]

EXPECTED EVIDENCE:
- [Document type 1 — e.g., signed approval form]
- [Document type 2 — e.g., system screenshot showing review]
- [Document type 3 — e.g., reconciliation with preparer sign-off]

TEST RESULTS:

| Sample # | Ref | Procedure 1 | Procedure 2 | Procedure 3 | Result | Exception? | Notes |
|----------|-----|-------------|-------------|-------------|--------|------------|-------|
| 1        |     | Pass/Fail   | Pass/Fail   | Pass/Fail   | Pass/Fail | Y/N    |       |
| 2        |     | Pass/Fail   | Pass/Fail   | Pass/Fail   | Pass/Fail | Y/N    |       |

EXCEPTIONS NOTED:
| Sample # | Exception Description | Root Cause | Compensating Control | Impact |
|----------|----------------------|------------|---------------------|--------|
|          |                      |            |                     |        |

CONCLUSION:
[ ] Effective — Control operated effectively with no exceptions
[ ] Effective with exceptions — Control operated effectively; exceptions are isolated
[ ] Deficiency — Control did not operate effectively
[ ] Significant Deficiency — Deficiency is more than inconsequential
[ ] Material Weakness — Reasonable possibility of material misstatement not prevented/detected

Tested by: ________________  Date: ________
Reviewed by: _______________  Date: ________

5. Provide Common Control Templates


Based on the control area, provide pre-built test step templates:
Revenue Recognition:
  • Verify sales order approval and authorization
  • Confirm delivery/performance evidence
  • Test revenue recognition timing against contract terms
  • Verify pricing accuracy to contract/price list
  • Test credit memo approval and validity
Procure to Pay:
  • Verify purchase order approval and authorization limits
  • Confirm three-way match (PO, receipt, invoice)
  • Test vendor master data change controls
  • Verify payment approval and segregation of duties
  • Test duplicate payment prevention controls
Financial Close:
  • Verify account reconciliation completeness and timeliness
  • Test journal entry approval and segregation of duties
  • Verify management review of financial statements
  • Test consolidation and elimination entries
  • Verify disclosure checklist completion
ITGC:
  • Test user access provisioning and de-provisioning
  • Verify privileged access reviews
  • Test change management approval and testing
  • Verify batch job monitoring and exception handling
  • Test backup and recovery procedures

6. Document Control Assessment


Classify any identified deficiencies:
Deficiency: A control does not allow management or employees to prevent or detect misstatements on a timely basis. Consider:
  • Likelihood of misstatement
  • Magnitude of potential misstatement
  • Whether compensating controls exist
Significant Deficiency: A deficiency (or combination) that is less severe than a material weakness but important enough to merit attention by those responsible for oversight.
Material Weakness: A deficiency (or combination) such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.

7. Output


Provide:
  1. Control matrix for the selected area
  2. Sample selections with methodology documentation
  3. Testing workpaper templates with pre-populated test steps
  4. Results documentation template
  5. Deficiency evaluation framework (if exceptions are identified)
  6. Suggested remediation actions for any noted deficiencies