Sometimes it seems like we never stop testing SOX controls. For some SOX compliance teams, testing is repeated in full every quarter. Others have adopted a more efficient practice of spreading out the test work to cover the year. One of the more common methods uses three rounds of testing — walkthrough, interim, and roll forward testing. If you’re wondering, what is roll forward testing — this article defines the three test phases and the differences between each, and breaks down key considerations during roll forward testing to help your team work more efficiently.
What Is Roll Forward Testing in SOX? How Is It Different from Other SOX Testing Phases?
Public companies are required to ensure that their control environment is effective year-round. Instead of testing all SOX controls with their total required sample size, most companies have implemented three phases of testing: walkthrough, interim, and roll forward.
At the beginning of the year (typically March or April), once all entities and key controls have been scoped based on the risk assessment for SOX, the SOX team performs process walkthroughs with key process/control owners. During the walkthroughs, the SOX team will make inquiries and inspect documents to understand the design and performance of managements’ controls. As a part of the walkthrough, the SOX team will request a sample of one occurrence of the control being performed so that they can validate that the control is operating as designed.
If the SOX team identifies no deficiencies within the testing, they will proceed with testing the full sample size within the next test phase. If there are deficiencies identified within the sample of one testing, the SOX team will escalate the deficiency to management so that there is an opportunity for remediation prior to the next phase of testing.
After the design walkthrough has been performed, and around mid-year (typically July/August), the SOX team will plan for their interim testing phase. During the interim test phase, the SOX team will test the majority of the key controls and samples required, and also will test to ensure that the deficiencies identified within the walkthrough phase have now been addressed. This mid-year testing typically includes samples from the second quarter. The objective during interim testing is to ensure that all key controls that can be tested have been tested. The most common exceptions are those controls that are only performed annually during the third or fourth quarters of the fiscal year.
Roll Forward Testing
Roll forward testing bridges the timing gap between the prior testing phases, but before the conclusion of the audit for the financial year. It is based on the assumption that if you perform testing earlier in the year, you will need to perform additional testing near the end of the year (typically samples from Q4) to provide assurance that the controls tested earlier in the year are still effective.
Typically SOX teams work with their external auditors to perform a risk-based approach to determine what types of procedures need to be performed. Roll forward tests do not necessarily need to include all test procedures that were performed during the interim test phase. Generally speaking, roll forward testing is based on a much smaller sample than your interim sample size.
Roll forward testing can include a variety or combination of testing procedures including:
- inquiries with process owners.
- inspection of documentation.
- re-performance of the control.
For example, for lower risk and more routine controls, the SOX team can perform inquiries with process owners to provide assurance that the control is still operating effectively. Note that inquiry is unlikely to be a sufficient testing approach for a control that is more complex, higher risk, or subjective. For higher risk controls, the SOX team can perform full testing /re-performance of the control for a sample of one (i.e. monthly/quarterly controls).
For public companies, PCAOB Standards require that auditors perform roll forward procedures to update the results of interim testing to year-end. The amount of evidence needed from roll-forward testing procedures depends on the following factors:
- The risk, nature and results during the interim testing of the control
- The sufficiency of the evidence obtained during the interim testing
- The length of the roll-forward period, and
- The possibility that there may have been any significant changes in internal control over financial reporting after the interim testing took place
When building a well-rounded testing program, the overall objective to SOX testing is threefold:
- Ensure the process or test procedures as outlined are an effective method for testing the control.
- Ensure the control is being performed throughout the entire period and by the assigned process owner.
- Ensure the control has been successful in preventing or detecting any material misstatements. In short, control testing validates the design and operating effectiveness.
The first two objectives tie directly to the roll forward testing phase, as the SOX team will want to ensure they are using an effective testing approach while still getting appropriate testing coverage of the control.
How Can Roll Forward Testing Help You Work More Efficiently?
Working during and after the pandemic has pushed SOX and audit teams to expand their scope and address emerging risks. The pandemic impact on SOX has made it imperative to find ways to work more efficiently. Implementing roll forward procedures is often the first step in an initiative to create a more efficient control environment — with benefits for multiple stakeholders. Moving to the roll forward method has an immediate benefit to the SOX team since they can free up some of the testing time. The time savings are also felt across the organization as the new testing cadence is applied to both business and IT control owners. Less time is spent gathering documents, testing, and reviewing, which leads to less audit fatigue for everyone involved. Additionally, by having a robust testing program, this will alleviate the additional effort required by the external auditor. When testing has been updated to reflect the full year, the external auditor can place more reliance on the control testing performed by the SOX team.
Roll forward testing is often part of a larger maturity plan to increase efficiency in the overall SOX program. Once SOX testing is organized to minimize the amount of additional review during the end of the year, the next focus should be to automate all possible controls. SOX teams should assess all existing and newly in scope controls for the option to automate testing using robotic process automation (RPA) to reduce the manual effort required in SOX testing. The efficiency gains from implementing roll forward testing and automating controls are worth the effort and will enable your team to take on more innovative techniques and spend time in more value-added activities for your organization.
Sukriti Billah, CISA, is a Senior Manager of Implementation at AuditBoard. Sukriti joined AuditBoard from EY, where she provided consulting services over SOX cmpliance and performed operational-based internal audits. Connect with Sukriti on LinkedIn.