What Is Roll Forward Testing? Tips to Boost SOX Program Efficiency

What Is Roll Forward Testing? Tips to Boost SOX Program Efficiency

SOX compliance teams often deal with ongoing, testing demands for critical audit matters and financial reporting. For some, testing occurs quarterly, while other teams spread testing across the year. A common method adopted by many auditors incorporates three rounds of testing — walkthrough, interim, and roll forward testing. This article explains each and highlights key differences, and provides insights into PCAOB-compliance roll-forward testing practices to help your audit team enhance SOX efficiency.

Historical Background of Roll Forward Testing in SOX Compliance

Roll-forward testing became a common practice as companies aimed to meet the rigorous requirements of SOX compliance more efficiently. Historically, businesses relied on end-of-year testing alone, but as regulatory standards evolved, especially under PCAOB guidelines, companies recognized the need to confirm the consistency of control effectiveness throughout the year. This shift toward phased testing—walkthrough, interim, and roll forward—enables compliance teams to address critical audit matters proactively and reduces the risk of last-minute deficiencies impacting the financial audit.

What Is Roll Forward Testing in SOX? How Is It Different from Other SOX Testing Phases?

Public companies are required to ensure that their control environment is effective year-round to stay in compliance with PCAOB Standards and SOX compliance. Instead of testing all SOX controls with their total required sample size, most companies have implemented three phases of testing: walkthrough, interim, and roll forward.  This strategic structure not only meets critical audit matters requirements but also supports efficient SOX program management.

Roll forward testing is not just a SOX compliance tool; it also aligns with other compliance frameworks such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), which emphasizes continuous monitoring and assessment of controls to prevent material misstatements. By aligning with COSO principles, roll-forward testing addresses SOX’s dual objectives: maintaining a reliable control environment and meeting PCAOB’s audit requirements. This approach not only meets PCAOB Standards but also strengthens the organization’s overall internal control framework, supporting financial reporting reliability year-round.

Walkthrough Testing

At the beginning of the year (typically March or April), once all entities and key controls have been identified based on the SOX risk assessment, the audit team performs process walkthroughs of key processes and performs inquiries with the control owners. During the walkthroughs, the auditor will make inquiries and inspect documents to understand the design and performance of management’s controls. As a part of the walkthrough, the auditors will request a sample of one occurrence of the control being performed so that they can validate that the control is operating as designed. 

If the auditors do not identify any deficiencies within the testing, they will proceed with testing the full sample size within the next test phase. If there are deficiencies identified within the tested sample, the SOX team will escalate the deficiency to management so that there is an opportunity to remediate the issue before the next phase of testing. 

Interim Testing

After the design walkthrough has been performed, and around mid-year (typically July/August), the audit team will plan for their interim testing phase. During the interim test phase, the audit team will test the majority of the key controls and samples required and also will test to ensure that the deficiencies identified within the walkthrough phase have now been addressed. This mid-year testing typically includes samples from the second quarter. The objective during interim testing is to ensure that all key controls that can be tested have been tested. The most common exceptions are those controls that are only performed annually during the third or fourth quarters of the fiscal year.

Roll Forward Testing

Roll forward testing bridges the timing gap between the prior testing phases, but before the conclusion of the audit for the financial year. It is based on the assumption that if you performed testing earlier in the year, you will need to perform additional testing near the end of the year (typically samples from Q4) to provide assurance that the controls tested earlier in the year are still effective. 

Typically audit teams work with their external auditors to perform a risk-based approach to determine what types of procedures need to be performed. Roll-forward tests do not necessarily need to include all test procedures that were performed during the interim test phase. Generally speaking, roll-forward testing is based on a much smaller sample than your interim sample size.

Roll forward testing can include a variety or combination of testing procedures and selecting the right testing procedures should be based on the control’s assessed risk:

  • Observation and Inquiry: These methods are effective for low-risk controls, providing assurance without consuming excessive resources.
  • Inspection of Documentation: For moderate-risk controls, inspection verifies that control activities are documented as expected.
  • Re-performance of the Control: For high-risk controls, such as those with significant impact on financial reporting, re-performance provides direct evidence that the control is operating effectively. 

For example, for lower risk and more routine controls, the SOX team can perform inquiries with process owners to provide assurance that the control is still operating effectively. Note that inquiry is unlikely to be a sufficient testing approach for a control that is more complex, higher risk, or subjective. For higher risk controls, the SOX team can perform full testing /re-performance of the control for a sample of one (i.e. monthly/quarterly controls). 

For public companies, PCAOB Standards require that auditors perform roll-forward procedures to update the results of interim testing to year-end. The amount of evidence needed from roll-forward testing procedures depends on the following factors: 

  • The risk, nature, and results during the interim testing of the control
  • The sufficiency of the evidence obtained during the interim testing
  • The length of the roll-forward period, and
  • The possibility that there may have been any significant changes in internal control over financial reporting after the interim testing took place 

When building a well-rounded testing program, the overall objective of SOX testing is threefold: 

  • Ensure the process or test procedures as outlined are an effective method for testing the control.
  • Ensure the control is being performed throughout the entire period and by the assigned process owner.
  • Ensure the control has been successful in preventing or detecting any material misstatements. In short, control testing validates the design and operating effectiveness.

The first two objectives tie directly to the roll forward testing phase, as the SOX team will want to ensure they are using an effective testing approach while still getting appropriate testing coverage of the control.

Key Point – Implementing roll-forward testing is valuable but requires attention to detail. Some frequent pitfalls include:

  • Inadequate Documentation: Failing to document each testing step properly can reduce the test’s reliability, especially if external auditors review the work.
  • Control Environment Changes: Any significant changes in processes, personnel, or systems should trigger a review of roll-forward test results to ensure these shifts haven’t impacted the control’s effectiveness.
  • Misjudging Control Risk: Treating all controls as equally effective throughout the year without considering risk levels can lead to inaccuracies. High-risk controls should be revisited with additional rigor in roll-forward tests.
The Evolution of SOX: Tech Adoption and Cost Focus Amid Business Changes, Cyber, and ESG Mandates

How Can Roll Forward Testing Help You Work More Efficiently?

As compliance demands continue to change, SOX and audit teams have faced new challenges, including adapting to remote work environments and addressing emerging risks. The pandemic’s impact on SOX has made it imperative to find ways to work more efficiently. Implementing roll-forward procedures is often the first step in an initiative to create a more efficient control environment — with benefits for multiple stakeholders. Switching to the roll-forward method has an immediate benefit to the SOX team by reducing their workload and providing additional time to focus on higher-risk areas. The time savings are also felt across the organization as the new testing cadence is applied to both business and IT control owners. Less time is spent gathering documents, testing, and reviewing, which leads to less audit fatigue for everyone involved. Additionally, having a robust testing program will alleviate the additional effort required by the external auditor. When testing has been updated to reflect the full year, the external auditor can place more reliance on the control testing performed by the SOX team.

Roll-forward testing is often part of a broader, long-term plan to increase efficiency in the overall SOX program. Once SOX testing is organized to minimize the amount of additional review during the end of the year, the next focus should be to automate all possible controls. SOX teams should assess all existing and newly in-scope controls for the option to automate testing using robotic process automation (RPA) to reduce the manual effort required in SOX testing. The efficiency gains from implementing roll-forward testing and automating controls will pay dividends by allowing your team to focus on more innovative techniques and value-added activities for your organization.

Sukriti

Sukriti Billah, CISA, is a Senior Manager of Implementation at AuditBoard. Sukriti joined AuditBoard from EY, where she provided consulting services over SOX cmpliance and performed operational-based internal audits. Connect with Sukriti on LinkedIn.