SOX Controls Testing
Legal and finance skill, available on Zeplik
SOX Controls Testing is a ready-to-run legal and finance skill on Zeplik. Generates sample selections, testing workpapers, and control assessments. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer. It returns a structured checklist you can keep and reuse: SOX testing workpaper -- status summary, sample/control steps as stateful items grouped by control, deficiencies annotated (see artifact-templates/checklist.md).
The SOX Controls Testing skill loads automatically when your request matches it, or you can invoke it directly by typing /sox-testing in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.
What the SOX Controls Testing skill can do
- Build control matrices with type, frequency, risk and CEAVOP assertions
- Calculate sample sizes based on control frequency and risk level
- Generate sample selections using random, systematic, or targeted methods
- Produce SOX testing workpapers with procedures, evidence, and results tables
Try these prompts on Zeplik
Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.
How the SOX Controls Testing skill works
SOX Compliance Testing
If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.
Important: This command assists with SOX compliance workflows but does not provide audit or legal advice. All testing workpapers and assessments should be reviewed by qualified financial professionals before use in audit documentation.
Generate sample selections, create testing workpapers, document control assessments, and provide testing templates for SOX 404 internal controls over financial reporting.
Usage
/sox <control-area> <period>
Arguments
control-area— The control area to test:revenue-recognition— Revenue cycle controls (order-to-cash)procure-to-payorp2p— Procurement and AP controls (purchase-to-pay)payroll— Payroll processing and compensation controlsfinancial-close— Period-end close and reporting controlstreasury— Cash management and treasury controlsfixed-assets— Capital asset lifecycle controlsinventory— Inventory valuation and management controlsitgc— IT general controls (access, change management, operations)entity-level— Entity-level and monitoring controlsjournal-entries— Journal entry processing controls- Any specific control ID or name
period— The testing period (e.g.,2024-Q4,2024,2024-H2)
Workflow
1. Identify Controls to Test
Based on the control area, identify the key controls. Present the control matrix:
| Control # | Control Description | Type | Frequency | Key/Non-Key | Risk | Assertion |
|---|---|---|---|---|---|---|
| [ID] | [Description] | Manual/Automated/IT-Dependent | Daily/Weekly/Monthly/Quarterly/Annual | Key | High/Medium/Low | [CEAVOP] |
Control types:
- Automated: System-enforced controls with no manual intervention
- Manual: Controls performed by personnel with judgment
- IT-dependent manual: Manual controls that rely on system-generated data
Assertions (CEAVOP):
- Completeness — All transactions are recorded
- Existence/Occurrence — Transactions actually occurred
- Accuracy — Amounts are correctly recorded
- Valuation — Assets/liabilities are properly valued
- Obligations/Rights — Entity has rights to assets, obligations for liabilities
- Presentation/Disclosure — Properly classified and disclosed
2. Determine Sample Size
Calculate sample sizes based on control frequency and risk:
| Control Frequency | Population Size (approx.) | Recommended Sample |
|---|---|---|
| Annual | 1 | 1 (test the instance) |
| Quarterly | 4 | 2 |
| Monthly | 12 | 2-4 (based on risk) |
| Weekly | 52 | 5-15 (based on risk) |
| Daily | ~250 | 20-40 (based on risk) |
| Per-transaction | Varies | 25-60 (based on risk and volume) |
Adjust for:
- Risk level: Higher risk controls require larger samples
- Prior year results: Controls with prior deficiencies need larger samples
- Reliance: Controls relied upon by external auditors may need larger samples
3. Generate Sample Selection
Select samples from the population using the appropriate method:
Random selection (default for transaction-level controls):
- Generate random numbers to select specific items from the population
- Ensure coverage across the full period
Systematic selection (for periodic controls):
- Select items at fixed intervals with a random start point
- Ensure representation across all sub-periods
Targeted selection (supplement to random, for risk-based testing):
- Select items with specific risk characteristics (high dollar, unusual, period-end)
- Document rationale for targeted selections
Present the sample:
SAMPLE SELECTION
Control: [Control ID] — [Description]
Period: [Testing period]
Population: [Count] items, $[Total value]
Sample size: [N] items
Selection method: [Random/Systematic/Targeted]
| Sample # | Transaction Date | Reference/ID | Amount | Selection Basis |
|----------|-----------------|--------------|--------|-----------------|
| 1 | [Date] | [Ref] | $X,XXX | Random |
| 2 | [Date] | [Ref] | $X,XXX | Random |
| ... | ... | ... | ... | ... |
4. Create Testing Workpaper
Generate a testing template for each control:
SOX CONTROL TESTING WORKPAPER
==============================
Control #: [ID]
Control Description: [Full description of the control activity]
Control Owner: [Role/title — to be filled by tester]
Control Type: [Manual/Automated/IT-Dependent Manual]
Frequency: [How often the control operates]
Key Control: [Yes/No]
Relevant Assertion(s): [CEAVOP]
Testing Period: [Period]
TEST OBJECTIVE:
To determine whether [control description] operated effectively throughout the testing period.
TEST PROCEDURES:
1. [Step 1 — What to inspect, examine, or re-perform]
2. [Step 2 — What evidence to obtain]
3. [Step 3 — What to compare or verify]
4. [Step 4 — How to evaluate completeness of performance]
5. [Step 5 — How to assess timeliness of performance]
EXPECTED EVIDENCE:
- [Document type 1 — e.g., signed approval form]
- [Document type 2 — e.g., system screenshot showing review]
- [Document type 3 — e.g., reconciliation with preparer sign-off]
TEST RESULTS:
| Sample # | Ref | Procedure 1 | Procedure 2 | Procedure 3 | Result | Exception? | Notes |
|----------|-----|-------------|-------------|-------------|--------|------------|-------|
| 1 | | Pass/Fail | Pass/Fail | Pass/Fail | Pass/Fail | Y/N | |
| 2 | | Pass/Fail | Pass/Fail | Pass/Fail | Pass/Fail | Y/N | |
EXCEPTIONS NOTED:
| Sample # | Exception Description | Root Cause | Compensating Control | Impact |
|----------|----------------------|------------|---------------------|--------|
| | | | | |
CONCLUSION:
[ ] Effective — Control operated effectively with no exceptions
[ ] Effective with exceptions — Control operated effectively; exceptions are isolated
[ ] Deficiency — Control did not operate effectively
[ ] Significant Deficiency — Deficiency is more than inconsequential
[ ] Material Weakness — Reasonable possibility of material misstatement not prevented/detected
Tested by: ________________ Date: ________
Reviewed by: _______________ Date: ________
5. Provide Common Control Templates
Based on the control area, provide pre-built test step templates:
Revenue Recognition:
- Verify sales order approval and authorization
- Confirm delivery/performance evidence
- Test revenue recognition timing against contract terms
- Verify pricing accuracy to contract/price list
- Test credit memo approval and validity
Procure to Pay:
- Verify purchase order approval and authorization limits
- Confirm three-way match (PO, receipt, invoice)
- Test vendor master data change controls
- Verify payment approval and segregation of duties
- Test duplicate payment prevention controls
Financial Close:
- Verify account reconciliation completeness and timeliness
- Test journal entry approval and segregation of duties
- Verify management review of financial statements
- Test consolidation and elimination entries
- Verify disclosure checklist completion
ITGC:
- Test user access provisioning and de-provisioning
- Verify privileged access reviews
- Test change management approval and testing
- Verify batch job monitoring and exception handling
- Test backup and recovery procedures
6. Document Control Assessment
Classify any identified deficiencies:
Deficiency: A control does not allow management or employees to prevent or detect misstatements on a timely basis. Consider:
- Likelihood of misstatement
- Magnitude of potential misstatement
- Whether compensating controls exist
Significant Deficiency: A deficiency (or combination) that is less severe than a material weakness but important enough to merit attention by those responsible for oversight.
Material Weakness: A deficiency (or combination) such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.
7. Output
Provide:
- Control matrix for the selected area
- Sample selections with methodology documentation
- Testing workpaper templates with pre-populated test steps
- Results documentation template
- Deficiency evaluation framework (if exceptions are identified)
- Suggested remediation actions for any noted deficiencies
Zeplik output presentation
Present the final deliverable as a single polished artifact: clear headings, tables where the content is tabular, fenced code where it is code. Lead with the deliverable itself; keep process commentary to a single short line. If the skill produced multiple files or sections, end with a compact list of them with one-line purposes.
How to use the SOX Controls Testing skill
Sign in to Zeplik
Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the SOX Controls Testing skill right away.
Describe your legal and finance task
Ask in plain language, or type /sox-testing to invoke the skill directly. Zeplik recognizes the SOX Controls Testing skill and applies its method.
Review and refine the result
Zeplik returns a structured checklist you can edit, download, and reuse. Ask follow-ups to refine it.
Source and credit
- Author
- Anthropic
- License
- Apache-2.0
Adapted from the open-source anthropics/knowledge-work-plugins project and tuned to run natively on Zeplik. View source on GitHub.
Frequently asked questions
- What is the SOX Controls Testing skill?
- SOX Controls Testing is a ready-to-run legal and finance skill on Zeplik. Generates sample selections, testing workpapers, and control assessments. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer. It returns a structured checklist you can keep and reuse: SOX testing workpaper -- status summary, sample/control steps as stateful items grouped by control, deficiencies annotated (see artifact-templates/checklist.md).
- How do I use SOX Controls Testing on Zeplik?
- Sign in to Zeplik and ask in plain language, or type /sox-testing in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
- Which AI model does the SOX Controls Testing skill use?
- Any model you choose. Zeplik works across every model in one chat, so the SOX Controls Testing skill runs on your preferred model for the task.
- Where does the SOX Controls Testing skill come from?
- The SOX Controls Testing skill is adapted from the open-source anthropics/knowledge-work-plugins project (Apache-2.0) and tuned to run natively on Zeplik. The original source is linked on this page.
- How much does the SOX Controls Testing skill cost?
- Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.
Related legal and finance skills
- Account ReconciliationUse when the user asks to reconcile accounts -- "bank rec for June", "GL to subledger reconciliation", "intercompany rec", "find the reconciling items". Compares GL balances to subledgers, bank statements, or third-party data and categorizes differences.
- Audit SupportUse when the user is preparing for an internal or external audit -- "get ready for the auditors", "build testing workpapers", "select audit samples", "classify this control deficiency". SOX 404 control testing methodology and documentation standards. Not for running a SOX testing cycle (use sox-testing).
- Cash Flow SnapshotUse when the user asks about cash flow or runway -- "forecast my cash flow", "will I make payroll", "how long is my runway", "cash crunch coming". Builds a 30/60/90-day cash forecast with confidence bands and named risk flags from books data or CSV, plus a downloadable XLSX.
- Cash-Flow Heads UpA forward-looking 30/60-day cash outlook flagging the tightest week and two things to act on. Not for reconciling and closing the books (use close-month or month-end-prep).
- Compliance CheckUse when the user asks whether a feature, campaign, or initiative is compliant -- "compliance check this launch", "does this touch GDPR or personal data", "what approvals do we need before shipping". Surfaces applicable regulations, required approvals, jurisdictional requirements, and risk areas.
- Contract ReviewUse when the user asks to review a contract -- "review this MSA", "redline this vendor agreement", "what's risky in this contract". Clause-by-clause analysis against a negotiation playbook with redlines, business impact, and fallback positions. Not for quick NDA screening (use triage-nda).
More on Zeplik
Try SOX Controls Testing on Zeplik
Every model, one chat. Bring the SOX Controls Testing skill into your next conversation and let the assistant do the work.