Sarbanes-Oxley Section 404: Report Testing Methodology Guide

An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring the completeness and accuracy of system reports. This presentation serves as a guide to train SOX project teams on testing reports that are used during the financial reporting process.

The purpose of initially testing a report is to gain comfort that the report is both complete and accurate and to find any issues with the report that can be remediated before year-end. The second time a report is tested is to confirm that the report has been remediated correctly or if it passed initial testing to confirm that it has not changed. Sample questions to use in this assessment process include:

• What is the report used for (what is the purpose of the report)?
• How is the report/data generated or extracted (e.g., does someone go into the system at the end of every month and manually generate the report, is it automatically scheduled, etc.)?
• What is the source database from which the report is pulled?
• What is the report showing/catching, how often is the report generated, and who generates it?
• What kind of security is around the report (e.g., who has access to create/edit/delete/execute the report)?