Should SOX controls have quarterly self-assessments on top of recurring testing?
Our SOX team already does design testing early in the year, interim operating tests, and year-end roll-forward work. ERM wants all control owners to complete a quarterly self-assessment in the GRC tool anyway. I cannot tell whether that creates better assurance or just duplicates what the testers are already doing.
It depends on whether the self-assessment answers a new control question.
If your SOX testing already proves the control operated, a generic quarterly attestation can become duplicate paperwork. Where a self-assessment helps is when it surfaces change risk before formal testing catches it. For example:
- the preparer or reviewer changed
- the report source moved to a new system
- a threshold override occurred
- the control was performed late or with a workaround
Those are change signals, not replacements for operating-effectiveness testing.
For CIA-style questions, the best answer usually favors a targeted attestation over a broad yes-or-no certification. A short change questionnaire adds value. A second process that simply restates "the control worked" often does not.