preparar SOX control testing com control matrices, samples, workpapers, e deficiency assessment. — Claude Skill

name: sox-testing description: gerar SOX sample selections, testing workpapers, e control assessments. usar when planning trimestral ou annual SOX 404 testing, pulling a sample para a control (revenue, P2P, ITGC, close), building a testing workpaper template, ou evaluating e classifying a control deficiency. argument-hint: "<control area> [period]"

SOX conformidade Testing

If você see unfamiliar placeholders ou precisar de para verificar which tools are connected, see CONNECTORS.md.

Important: This command assists com SOX conformidade workflows but does não provide auditoria ou jurídico advice. todos testing workpapers e assessments deve be reviewed by qualified financial professionals antes usar in auditoria documentation.

gerar sample selections, criar testing workpapers, document control assessments, e provide testing templates para SOX 404 internal controls over financial reporting.

Usage

/sox <control-area> <period>

Arguments

• ¤KEEP0¤ — o control area para test:
• ¤KEEP0¤ — Revenue cycle controls (order-para-cash)
• ¤KEEP0¤ ou ¤KEEP1¤ — Procurement e AP controls (purchase-para-pay)
• ¤KEEP0¤ — Payroll processing e compensação controls
• ¤KEEP0¤ — Period-end close e reporting controls
• ¤KEEP0¤ — Cash management e treasury controls
• ¤KEEP0¤ — Capital asset lifecycle controls
• ¤KEEP0¤ — inventário valuation e management controls
• ¤KEEP0¤ — IT general controls (access, change management, operações)
• ¤KEEP0¤ — Entity-level e monitoring controls
• ¤KEEP0¤ — Journal entry processing controls
• qualquer specific control ID ou nomear
• ¤KEEP0¤ — o testing period (e.g., ¤KEEP1¤, ¤KEEP2¤, ¤KEEP3¤)

workflow

1. Identify Controls para Test

Based on o control area, identify o key controls. Present o matriz de controlos:

Control types:

• automatizado: System-enforced controls com no manual intervention
• manual: Controls performed by personnel com judgment
• IT-dependent manual: manual controls that rely on system-generated dados

Assertions (CEAVOP):

• Completeness — todos transactions are recorded
• Existence/Occurrence — Transactions actually occurred
• Accuracy — Amounts are correctly recorded
• Valuation — Assets/liabilities are properly valued
• Obligations/Rights — Entity has rights para assets, obligations para liabilities
• Presentation/Disclosure — Properly classified e disclosed

2. Determine Sample Size

Calculate sample sizes based on control frequency e risco:

Adjust para:

• risco level: Higher risco controls require larger samples
• Prior year results: Controls com prior deficiencies precisar de larger samples
• Reliance: Controls relied upon by external auditors may precisar de larger samples

3. gerar Sample Selection

Select samples a partir do population usando o appropriate method:

Random selection (default para transaction-level controls):

• gerar random numbers para select specific items a partir do population
• Ensure cobertura across o full period

Systematic selection (para periodic controls):

• Select items at fixed intervals com a random start point
• Ensure representation across todos sub-periods

Targeted selection (supplement para random, para risco-based testing):

• Select items com specific risco characteristics (high dollar, unusual, period-end)
• Document rationale para targeted selections

Present o sample:

SAMPLE SELECTION
Control: [Control ID] — [Description]
Period: [Testing period]
Population: [Count] items, $[Total value]
Sample size: [N] items
Selection method: [Random/Systematic/Targeted]

| Sample # | Transaction Date | Reference/ID | Amount | Selection Basis |
|----------|-----------------|--------------|--------|-----------------|
| 1 | [Date] | [Ref] | $X,XXX | Random |
| 2 | [Date] | [Ref] | $X,XXX | Random |
|... |... |... |... |... |

4. criar Testing Workpaper

gerar a testing template para each control:

SOX CONTROL TESTING WORKPAPER
==============================
Control #: [ID]
Control Description: [Full description do control activity]
Control responsável: [Role/title — para be filled by tester]
Control Type: [manual/Automated/IT-Dependent manual]
Frequency: [How often o control operates]
Key Control: [Yes/No]
Relevant Assertion(s): [CEAVOP]
Testing Period: [Period]

TEST OBJECTIVE:
para determine whether [control description] operated effectively throughout o testing period.

TEST PROCEDURES:
1. [Step 1 — What para inspect, examine, ou re-perform]
2. [Step 2 — What evidência para obtain]
3. [Step 3 — What para comparar ou verify]
4. [Step 4 — How para evaluate completeness de performance]
5. [Step 5 — How para assess timeliness de performance]

EXPECTED EVIDENCE:
- [Document type 1 — e.g., signed aprovação form]
- [Document type 2 — e.g., system screenshot showing rever]
- [Document type 3 — e.g., reconciliation com preparer sign-off]

TEST RESULTS:

| Sample # | Ref | Procedure 1 | Procedure 2 | Procedure 3 | Result | Exception? | Notes |
|----------|-----|-------------|-------------|-------------|--------|------------|-------|
| 1 | | Pass/Fail | Pass/Fail | Pass/Fail | Pass/Fail | Y/N | |
| 2 | | Pass/Fail | Pass/Fail | Pass/Fail | Pass/Fail | Y/N | |

EXCEPTIONS NOTED:
| Sample # | Exception Description | Root Cause | Compensating Control | impacto |
|----------|----------------------|------------|---------------------|--------|
| | | | | |

CONCLUSION:
[ ] Effective — Control operated effectively com no exceptions
[ ] Effective com exceptions — Control operated effectively; exceptions are isolated
[ ] Deficiency — Control did não operate effectively
[ ] Significant Deficiency — Deficiency is more than inconsequential
[ ] material Weakness — Reasonable possibility de material misstatement não prevented/detected

Tested by: ________________ Date: ________
Reviewed by: _______________ Date: ________

5. Provide Common Control templates

Based on o control area, provide pre-built test step templates:

Revenue Recognition:

• Verify vendas order aprovação e authorization
• Confirm delivery/performance evidência
• Test revenue recognition timing against contrato terms
• Verify pricing precisão para contrato/price list
• Test credit memo aprovação e validity

Procure para Pay:

• Verify purchase order aprovação e authorization limits
• Confirm three-way match (PO, receipt, invoice)
• Test fornecedor master dados change controls
• Verify payment aprovação e segregation de duties
• Test duplicate payment prevention controls

Financial Close:

• Verify conta reconciliation completeness e timeliness
• Test journal entry aprovação e segregation de duties
• Verify management rever de financial statements
• Test consolidation e elimination entries
• Verify disclosure checklist completion

ITGC:

• Test utilizador access provisioning e de-provisioning
• Verify privileged access revê
• Test change management aprovação e testing
• Verify batch job monitoring e exception handling
• Test backup e recovery procedures

6. Document Control Assessment

Classify qualquer identified deficiencies:

Deficiency: A control does não allow management ou employees para prevent ou detetar misstatements on a timely basis. Consider:

• probabilidade de misstatement
• Magnitude de potential misstatement
• Whether compensating controls exist

Significant Deficiency: A deficiency (ou combination) that is less severe than a material weakness but important enough para merit attention by those responsible para oversight.

material Weakness: A deficiency (ou combination) such that there is a reasonable possibility that a material misstatement will não be prevented ou detected on a timely basis.

7. Output

Provide:

1. matriz de controlos para o selected area
2. Sample selections com methodology documentation
3. Testing workpaper templates com pre-populated test steps
4. Results documentation template
5. Deficiency evaluation framework (if exceptions are identified)
6. Suggested remediation ações para qualquer noted deficiencies