sox-testing

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SOX Compliance Testing

SOX合规测试

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Important: This command assists with SOX compliance workflows but does not provide audit or legal advice. All testing workpapers and assessments should be reviewed by qualified financial professionals before use in audit documentation.

Generate sample selections, create testing workpapers, document control assessments, and provide testing templates for SOX 404 internal controls over financial reporting.

若遇到不熟悉的占位符或需要查看已连接的工具，请参阅 CONNECTORS.md。

重要提示：本命令可协助完成SOX合规工作流，但不提供审计或法律建议。所有测试工作底稿和评估报告在用于审计文档前，均需由合格的财务专业人员审核。

为SOX 404财务报告内部控制生成抽样选择、创建测试工作底稿、记录控制评估结果，并提供测试模板。

Usage

使用方法

/sox <control-area> <period>

/sox <control-area> <period>

Arguments

参数

```
control-area
```
— The control area to test:
- ```
revenue-recognition
```
  — Revenue cycle controls (order-to-cash)
- ```
procure-to-pay
```
  or
```
p2p
```
  — Procurement and AP controls (purchase-to-pay)
- ```
payroll
```
  — Payroll processing and compensation controls
- ```
financial-close
```
  — Period-end close and reporting controls
- ```
treasury
```
  — Cash management and treasury controls
- ```
fixed-assets
```
  — Capital asset lifecycle controls
- ```
inventory
```
  — Inventory valuation and management controls
- ```
itgc
```
  — IT general controls (access, change management, operations)
- ```
entity-level
```
  — Entity-level and monitoring controls
- ```
journal-entries
```
  — Journal entry processing controls
- Any specific control ID or name
```
period
```
— The testing period (e.g.,
```
2024-Q4
```
,
```
2024
```
,
```
2024-H2
```
)

```
control-area
```
— 待测试的控制领域：
- ```
revenue-recognition
```
  — 收入循环控制（订单到收款）
- ```
procure-to-pay
```
  或
```
p2p
```
  — 采购与应付账款控制（采购到付款）
- ```
payroll
```
  — 薪资处理与薪酬控制
- ```
financial-close
```
  — 期末结账与报告控制
- ```
treasury
```
  — 现金管理与资金控制
- ```
fixed-assets
```
  — 固定资产全生命周期控制
- ```
inventory
```
  — 存货计价与管理控制
- ```
itgc
```
  — IT一般控制（访问权限、变更管理、运维）
- ```
entity-level
```
  — 实体层面与监控控制
- ```
journal-entries
```
  — 会计分录处理控制
- 任何特定的控制ID或名称
```
period
```
— 测试周期（例如：
```
2024-Q4
```
,
```
2024
```
,
```
2024-H2
```
）

Workflow

工作流程

1. Identify Controls to Test

1. 确定待测试的控制

Based on the control area, identify the key controls. Present the control matrix:

Control #	Control Description	Type	Frequency	Key/Non-Key	Risk	Assertion
[ID]	[Description]	Manual/Automated/IT-Dependent	Daily/Weekly/Monthly/Quarterly/Annual	Key	High/Medium/Low	[CEAVOP]

Control types:

Automated: System-enforced controls with no manual intervention
Manual: Controls performed by personnel with judgment
IT-dependent manual: Manual controls that rely on system-generated data

Assertions (CEAVOP):

Completeness — All transactions are recorded
Existence/Occurrence — Transactions actually occurred
Accuracy — Amounts are correctly recorded
Valuation — Assets/liabilities are properly valued
Obligations/Rights — Entity has rights to assets, obligations for liabilities
Presentation/Disclosure — Properly classified and disclosed

根据控制领域，识别关键控制。呈现控制矩阵：

控制编号	控制描述	类型	执行频率	关键/非关键	风险等级	认定事项
[ID]	[描述]	人工/自动化/依赖IT	每日/每周/每月/每季度/每年	关键	高/中/低	[CEAVOP]

控制类型：

自动化： 由系统执行、无需人工干预的控制
人工： 由人员凭借判断执行的控制
依赖IT的人工控制： 依赖系统生成数据的人工控制

认定事项（CEAVOP）：

C完整性 — 所有交易均已记录
E存在性/发生性 — 交易真实发生
A准确性 — 金额记录正确
V计价 — 资产/负债计价恰当
O权利与义务 — 实体拥有资产权利、承担负债义务
P列报与披露 — 分类与披露恰当

2. Determine Sample Size

2. 确定样本量

Calculate sample sizes based on control frequency and risk:

Control Frequency	Population Size (approx.)	Recommended Sample
Annual	1	1 (test the instance)
Quarterly	4	2
Monthly	12	2-4 (based on risk)
Weekly	52	5-15 (based on risk)
Daily	~250	20-40 (based on risk)
Per-transaction	Varies	25-60 (based on risk and volume)

Adjust for:

Risk level: Higher risk controls require larger samples
Prior year results: Controls with prior deficiencies need larger samples
Reliance: Controls relied upon by external auditors may need larger samples

根据控制执行频率和风险等级计算样本量：

控制执行频率	总体规模（约数）	推荐样本量
每年	1	1（测试该单次执行）
每季度	4	2
每月	12	2-4（根据风险调整）
每周	52	5-15（根据风险调整）
每日	~250	20-40（根据风险调整）
每笔交易	不固定	25-60（根据风险和交易量调整）

调整因素：

风险等级： 高风险控制需要更大样本量
上年测试结果： 存在过往缺陷的控制需要更大样本量
依赖程度： 被外部审计师依赖的控制可能需要更大样本量

3. Generate Sample Selection

3. 生成抽样选择

Select samples from the population using the appropriate method:

Random selection (default for transaction-level controls):

Generate random numbers to select specific items from the population
Ensure coverage across the full period

Systematic selection (for periodic controls):

Select items at fixed intervals with a random start point
Ensure representation across all sub-periods

Targeted selection (supplement to random, for risk-based testing):

Select items with specific risk characteristics (high dollar, unusual, period-end)
Document rationale for targeted selections

Present the sample:

SAMPLE SELECTION
Control: [Control ID] — [Description]
Period: [Testing period]
Population: [Count] items, $[Total value]
Sample size: [N] items
Selection method: [Random/Systematic/Targeted]

| Sample # | Transaction Date | Reference/ID | Amount | Selection Basis |
|----------|-----------------|--------------|--------|-----------------|
| 1        | [Date]          | [Ref]        | $X,XXX | Random          |
| 2        | [Date]          | [Ref]        | $X,XXX | Random          |
| ...      | ...             | ...          | ...    | ...             |

采用恰当方法从总体中选取样本：

随机抽样（交易层面控制默认方法）：

生成随机数以从总体中选取特定项目
确保覆盖整个测试周期

系统抽样（适用于周期性控制）：

从随机起点开始，按固定间隔选取项目
确保覆盖所有子周期

定向抽样（作为随机抽样的补充，适用于风险导向测试）：

选取具有特定风险特征的项目（高金额、异常、期末交易）
记录定向抽样的理由

呈现样本：

抽样选择
控制: [控制ID] — [描述]
测试期间: [测试周期]
总体: [数量] 项，总金额 $[合计值]
样本量: [N] 项
抽样方法: [随机/系统/定向]

| 样本编号 | 交易日期 | 参考编号 | 金额 | 抽样依据 |
|----------|-----------------|--------------|--------|-----------------|
| 1        | [日期]          | [参考号]        | $X,XXX | 随机          |
| 2        | [日期]          | [参考号]        | $X,XXX | 随机          |
| ...      | ...             | ...          | ...    | ...             |

4. Create Testing Workpaper

4. 创建测试工作底稿

Generate a testing template for each control:

SOX CONTROL TESTING WORKPAPER
==============================
Control #: [ID]
Control Description: [Full description of the control activity]
Control Owner: [Role/title — to be filled by tester]
Control Type: [Manual/Automated/IT-Dependent Manual]
Frequency: [How often the control operates]
Key Control: [Yes/No]
Relevant Assertion(s): [CEAVOP]
Testing Period: [Period]

TEST OBJECTIVE:
To determine whether [control description] operated effectively throughout the testing period.

TEST PROCEDURES:
1. [Step 1 — What to inspect, examine, or re-perform]
2. [Step 2 — What evidence to obtain]
3. [Step 3 — What to compare or verify]
4. [Step 4 — How to evaluate completeness of performance]
5. [Step 5 — How to assess timeliness of performance]

EXPECTED EVIDENCE:
- [Document type 1 — e.g., signed approval form]
- [Document type 2 — e.g., system screenshot showing review]
- [Document type 3 — e.g., reconciliation with preparer sign-off]

TEST RESULTS:

| Sample # | Ref | Procedure 1 | Procedure 2 | Procedure 3 | Result | Exception? | Notes |
|----------|-----|-------------|-------------|-------------|--------|------------|-------|
| 1        |     | Pass/Fail   | Pass/Fail   | Pass/Fail   | Pass/Fail | Y/N    |       |
| 2        |     | Pass/Fail   | Pass/Fail   | Pass/Fail   | Pass/Fail | Y/N    |       |

EXCEPTIONS NOTED:
| Sample # | Exception Description | Root Cause | Compensating Control | Impact |
|----------|----------------------|------------|---------------------|--------|
|          |                      |            |                     |        |

CONCLUSION:
[ ] Effective — Control operated effectively with no exceptions
[ ] Effective with exceptions — Control operated effectively; exceptions are isolated
[ ] Deficiency — Control did not operate effectively
[ ] Significant Deficiency — Deficiency is more than inconsequential
[ ] Material Weakness — Reasonable possibility of material misstatement not prevented/detected

Tested by: ________________  Date: ________
Reviewed by: _______________  Date: ________

为每项控制生成测试模板：

SOX控制测试工作底稿
==============================
控制编号: [ID]
控制描述: [控制活动的完整描述]
控制责任人: [岗位/头衔 — 由测试人员填写]
控制类型: [人工/自动化/依赖IT的人工控制]
执行频率: [控制的执行频次]
关键控制: 是/否
相关认定事项: [CEAVOP]
测试期间: [周期]

测试目标:
确认[控制描述]在整个测试周期内有效执行。

测试程序:
1. [步骤1 — 检查、审查或重新执行的内容]
2. [步骤2 — 需获取的证据]
3. [步骤3 — 需比较或验证的内容]
4. [步骤4 — 如何评估执行的完整性]
5. [步骤5 — 如何评估执行的及时性]

预期证据:
- [文档类型1 — 例如：经签署的审批表单]
- [文档类型2 — 例如：显示已审核的系统截图]
- [文档类型3 — 例如：经编制人签字的调节表]

测试结果:

| 样本编号 | 参考号 | 程序1 | 程序2 | 程序3 | 结果 | 是否存在异常？ | 备注 |
|----------|-----|-------------|-------------|-------------|--------|------------|-------|
| 1        |     | 通过/不通过   | 通过/不通过   | 通过/不通过   | 通过/不通过 | 是/否    |       |
| 2        |     | 通过/不通过   | 通过/不通过   | 通过/不通过   | 通过/不通过 | 是/否    |       |

异常记录:
| 样本编号 | 异常描述 | 根本原因 | 补偿控制 | 影响 |
|----------|----------------------|------------|---------------------|--------|
|          |                      |            |                     |        |

结论:
[ ] 有效 — 控制有效执行，无异常
[ ] 存在异常但有效 — 控制有效执行；异常为孤立事件
[ ] 缺陷 — 控制未有效执行
[ ] 重大缺陷 — 缺陷的严重程度超过无关紧要的范畴
[ ] 实质性漏洞 — 存在合理可能性，导致重大错报无法被及时预防或发现

测试人: ________________  日期: ________
审核人: _______________  日期: ________

5. Provide Common Control Templates

5. 提供通用控制模板

Based on the control area, provide pre-built test step templates:

Revenue Recognition:

Verify sales order approval and authorization
Confirm delivery/performance evidence
Test revenue recognition timing against contract terms
Verify pricing accuracy to contract/price list
Test credit memo approval and validity

Procure to Pay:

Verify purchase order approval and authorization limits
Confirm three-way match (PO, receipt, invoice)
Test vendor master data change controls
Verify payment approval and segregation of duties
Test duplicate payment prevention controls

Financial Close:

Verify account reconciliation completeness and timeliness
Test journal entry approval and segregation of duties
Verify management review of financial statements
Test consolidation and elimination entries
Verify disclosure checklist completion

ITGC:

Test user access provisioning and de-provisioning
Verify privileged access reviews
Test change management approval and testing
Verify batch job monitoring and exception handling
Test backup and recovery procedures

根据控制领域提供预构建的测试步骤模板：

收入确认：

验证销售订单的审批与授权
确认交付/履约证据
根据合同条款测试收入确认时点
验证定价与合同/价目表的一致性
测试贷项通知单的审批与有效性

采购到付款：

验证采购订单的审批与授权限额
确认三方匹配（采购订单、收货单、发票）
测试供应商主数据变更控制
验证付款审批与职责分离
测试重复付款预防控制

财务结账：

验证账户调节的完整性与及时性
测试会计分录的审批与职责分离
验证管理层对财务报表的审核
测试合并与抵消分录
验证披露清单的完成情况

ITGC：

测试用户权限的授予与撤销
验证特权权限的审核
测试变更管理的审批与测试
验证批处理作业的监控与异常处理
测试备份与恢复流程

6. Document Control Assessment

6. 记录控制评估结果

Classify any identified deficiencies:

Deficiency: A control does not allow management or employees to prevent or detect misstatements on a timely basis. Consider:

Likelihood of misstatement
Magnitude of potential misstatement
Whether compensating controls exist

Significant Deficiency: A deficiency (or combination) that is less severe than a material weakness but important enough to merit attention by those responsible for oversight.

Material Weakness: A deficiency (or combination) such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.

对识别出的缺陷进行分类：

缺陷： 控制无法使管理层或员工及时预防或发现错报。需考虑：

错报发生的可能性
潜在错报的严重程度
是否存在补偿控制

重大缺陷： 一项或多项缺陷的严重程度低于实质性漏洞，但足以引起负责监督的人员关注。

实质性漏洞： 一项或多项缺陷，导致存在合理可能性，使得重大错报无法被及时预防或发现。

7. Output

7. 输出内容

Provide:

Control matrix for the selected area
Sample selections with methodology documentation
Testing workpaper templates with pre-populated test steps
Results documentation template
Deficiency evaluation framework (if exceptions are identified)
Suggested remediation actions for any noted deficiencies

提供以下内容：

所选领域的控制矩阵
包含方法说明的抽样选择结果
预填充测试步骤的测试工作底稿模板
结果记录模板
缺陷评估框架（若识别出异常）
针对已发现缺陷的建议整改措施