SOX compliance testing is the process by which a company’s management assesses internal controls over financial reporting. This control testing is mandated by The Sarbanes-Oxley Act of 2002 (SOX). SOX is a U.S. federal law requiring all public companies doing business in the United States to comply with the regulation. The law is intended to increase the accuracy and reliability of corporate disclosures in financial statements while protecting investors from fraudulent accounting practices. It also increases the responsibility of corporate governance. The bill was introduced following the Enron Corporation, WorldCom, and Tyco International fraud and accounting scandals in the early 2000s.
SOX compliance testing is primarily related to Section 302 — Corporate Responsibility for Financial Reports and Section 404 — Management Assessment of Internal Controls. All annual financial reports must include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.
Compliance testing is usually split into phases. The first part is a design testing phase, also called a walk-through test, where a transaction is walked through a process from start to finish. One example is the new hire selection process at your company. You would start by walking through all the controls of a candidate being authorized to work. The walk-through would include checking all aspects of their submitting time to get paid, and ensuring their authorized pay rate matches their hours to get a paycheck. You would then trace all of this information back into the accounting records. This would involve validating that your documentation of the controls and the processes match with what you observed while testing one transaction.
The second, larger phase, sometimes broken into multiple phases, is called operational effectiveness testing. During this phase, a large sample or the entire population of transactions is tested to see if the control works every time. Here, you’re validating that the control consistently functions as it was designed.
Internal compliance teams typically test controls three times throughout the calendar year. The last one is a year-end test to ensure compliance requirements are being met. A company is required to maintain documentation supporting management’s assessment of the company’s internal controls over financial data according to the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB).
Operating effectiveness testing is a large portion of Section 404. It is management doing an internal audit, completing SOX testing for all key controls to confirm they function as they were designed. Management then concludes that there are no deficiencies, issues or errors. Management can then affirmatively state it performed its design testing, operational testing, and concluded that management’s internal SOX controls over financial reporting are in place and working.