Free SOX Control Testing Template (RCM + Test Steps) hero illustration
Compliance

Free SOX Control Testing Template (RCM + Test Steps)

A copyable risk-control matrix and control test plan you can paste into a workpaper today — with sample sizes, evidence fields, and a worked example.

·13 min read
By Audvera Team

Most SOX teams rebuild the same testing template every year in a spreadsheet, tab by tab, then spend the cycle keeping the RCM, the test plans, and the evidence in sync by hand. The template below is the version worth keeping. Paste it into a workpaper and it will hold up under an external auditor's review.

A complete SOX control testing template has two parts: a risk-control matrix (RCM) that maps each risk to the controls that mitigate it, and a control test plan that documents how each control was tested and concluded. This article gives you both as copyable tables, plus a worked example and the sample-size reference you need to fill them in.

What Goes in a SOX Control Testing Template

A complete template answers, for every in-scope control, six questions:

  1. What risk does this control mitigate?
  2. What is the control, and what are its attributes (owner, frequency, type, key/non-key, assertion)?
  3. How will we test it, and on what population?
  4. How many items, selected how?
  5. What evidence did we examine and what did we conclude?
  6. If it failed, how severe is the deficiency?

Questions 1 and 2 live in the risk-control matrix. Questions 3 through 6 live in the test plan. You need both.

The Risk-Control Matrix (Copy This)

The RCM is the scoping backbone. Each row is one control mapped to the risk it covers.

Control IDProcessRisk / what could go wrongAssertionControl descriptionControl ownerFrequencyType (P/D)Manual/AutoKey?
C-01
C-02
C-03

Attribute shorthand:

  • Assertion: Existence, Completeness, Accuracy, Valuation, Rights/Obligations, Presentation.
  • Type (P/D): Preventive stops an error before it happens; Detective catches it after.
  • Key?: Mark "Key" only for controls that, if they failed, could result in a material misstatement. Key controls get the testing focus.

The Control Test Plan (Copy This)

For each control in the RCM, one test-plan row records how it was actually tested.

FieldContent
Control IDC-01
Test objectiveConfirm the control operated over the full period
Design conclusionEffective / Not effective (from walkthrough)
PopulationSource, period, total count, how obtained
Sample sizeFrom control frequency or attribute sampling — see the linked reference
Selection methodRandom / haphazard / judgmental — and why
Attributes testedThe specific things each item must show
Pass criteriaWhat a passing item looks like
Exception criteriaWhat counts as a deviation
Evidence examinedDocuments, screenshots, system reports per item
ResultPass / Exception(s): count and detail
Operating conclusionEffective / Deficient
Preparer / date
Reviewer / date

Sample Sizes

Sample size for each control test comes from either the control's operating frequency (for manual controls) or a statistical attribute-sampling calculation. Rather than restate the numbers here, see the sample-size reference for the full frequency-based and attribute-sampling tables — they drop straight into the Sample size field of the test plan above. As a rule of thumb, the more often a control operates and the more you rely on it, the larger the sample; expecting any exceptions raises it further.

A Worked Example

Here is one control carried through both templates.

RCM row:

Control IDProcessRiskAssertionControlOwnerFrequencyTypeManual/AutoKey?
C-01RevenueRevenue recorded without valid, approved orderExistenceOrders over threshold require documented manager approval before invoicingSales Ops MgrDailyPreventiveManualKey

Test-plan row:

  • Population: All invoices over threshold, Jan 1 to Dec 31, 4,120 items, from the billing system export.
  • Sample size: 25 (daily, key, no exceptions expected).
  • Selection: Random via spreadsheet function, seed documented.
  • Attributes tested: (a) approval exists, (b) approver is authorized, (c) approval predates the invoice, (d) amount matches the approved order.
  • Pass criteria: All four attributes present for the item.
  • Exception criteria: Any attribute missing or out of sequence.
  • Result: 24 pass, 1 exception (approval dated after invoice).
  • Operating conclusion: Deficiency — evaluate severity via the deficiency process.

That single exception does not automatically fail SOX, but it does trigger a documented severity evaluation rather than a quiet pass. Getting that discipline right is the difference between a clean cycle and a restatement conversation.

Design vs. Operating Effectiveness

The template captures both because SOX 404 requires both:

  • Design effectiveness is assessed by walkthrough — would the control, operating as intended, catch a material error? Record the conclusion before you test operation.
  • Operating effectiveness is assessed by testing a sample of real instances over the period. A control that is well-designed but did not consistently operate is still a deficiency.

How Audvera Supports This

A spreadsheet template works, but it has the same failure mode every year: the RCM, the test plans, the sampling, and the evidence drift out of sync, and reconciling them at the end of the cycle eats days. Every control that changes owner or frequency has to be updated in three places by hand.

Audvera keeps the risk-control matrix, the test steps, the sampling, the evidence, and the preparer/reviewer signoff in one linked system, so a change in one place flows to the others and the audit trail is queryable rather than reconstructed. Deficiencies from control tests land in a unified register instead of a separate tab.

If you want to see it against your own controls, start with a free risk assessment — it drafts the risk-to-control skeleton you can review and take into a real testing cycle.

Frequently Asked Questions

What is a SOX control testing template?

A SOX control testing template is a structured document that captures, for each in-scope control, the risk it mitigates, the control attributes, the test procedure, the sample size, the evidence examined, and the test conclusion. It usually pairs a risk-control matrix (RCM) that maps risks to controls with a test plan that documents how each control was tested. This article gives you both, ready to copy.

What is a risk-control matrix (RCM)?

A risk-control matrix (RCM) is a table that maps each identified risk to the control(s) that mitigate it, along with control attributes such as owner, frequency, type (preventive/detective, manual/automated), whether it is a key control, and the related assertion. The RCM is the backbone of SOX scoping — it shows which risks are covered by which controls and where coverage gaps exist.

How do you write a SOX control test step?

A defensible test step states the objective, the population and how it was obtained, the sample size and selection method, the specific attributes to inspect, what constitutes a pass versus an exception, and the evidence required. Write it so another auditor could execute it and reach the same conclusion. The test-step template in this article follows exactly that structure.

How many items should I test for a SOX control?

For manual controls, a common frequency-based reference is: annual control test 1 item, quarterly 2, monthly 2 to 5, weekly 5, daily 15 to 25, and multiple-times-per-day 25 or more, assuming no exceptions are expected. Automated controls are often tested with a single benchmarked instance plus general IT controls. Always confirm against your own methodology and external auditor expectations.

What is the difference between design and operating effectiveness?

Design effectiveness asks whether the control, if operating as intended, would prevent or detect a material misstatement — you assess this by walkthrough. Operating effectiveness asks whether the control actually operated consistently over the period — you assess this by testing a sample of instances. SOX 404 requires both; a well-designed control that did not operate is still a deficiency.

How do I document a control test exception?

Record the specific item, the attribute that failed, the nature of the exception, and whether it is isolated or systemic. Evaluate severity — a single exception may still indicate a deficiency depending on the control and population. Document the root cause and the remediation, and escalate control deficiencies through your deficiency evaluation process rather than quietly passing the test.

Encrypted data in transit and at restPCAOB · IIA · SOX · GAAS · COSO workflow alignmentAI outputs include disclosure and reviewer controls

Ready to modernize your audit process?

See how Audvera supports planning through reporting in one platform.