jpskill.com
💬 コミュニケーション コミュニティ

audit-support

Support SOX 404 compliance with control testing methodology, sample selection, and documentation standards. Use when generating testing workpapers, selecting audit samples, classifying control deficiencies, or preparing for internal or external audits.

⚡ おすすめ: コマンド1行でインストール(60秒)

下記のコマンドをコピーしてターミナル(Mac/Linux)または PowerShell(Windows)に貼り付けてください。 ダウンロード → 解凍 → 配置まで全自動。

🍎 Mac / 🐧 Linux 
mkdir -p ~/.claude/skills && cd ~/.claude/skills && curl -L -o audit-support.zip https://jpskill.com/download/22614.zip && unzip -o audit-support.zip && rm audit-support.zip
🪟 Windows (PowerShell) 
$d = "$env:USERPROFILE\.claude\skills"; ni -Force -ItemType Directory $d | Out-Null; iwr https://jpskill.com/download/22614.zip -OutFile "$d\audit-support.zip"; Expand-Archive "$d\audit-support.zip" -DestinationPath $d -Force; ri "$d\audit-support.zip"

完了後、Claude Code を再起動 → 普通に「動画プロンプト作って」のように話しかけるだけで自動発動します。

💾 手動でダウンロードしたい(コマンドが難しい人向け)
  1. 1. 下の青いボタンを押して audit-support.zip をダウンロード
  2. 2. ZIPファイルをダブルクリックで解凍 → audit-support フォルダができる
  3. 3. そのフォルダを C:\Users\あなたの名前\.claude\skills\(Win)または ~/.claude/skills/(Mac)へ移動
  4. 4. Claude Code を再起動
⬇ .zip でダウンロード(推奨) ⬇ .skill 形式(上級者用) 元のソース ↗

⚠️ ダウンロード・利用は自己責任でお願いします。当サイトは内容・動作・安全性について責任を負いません。

🎯 このSkillでできること

下記の説明文を読むと、このSkillがあなたに何をしてくれるかが分かります。Claudeにこの分野の依頼をすると、自動で発動します。

📦 インストール方法 (3ステップ)

  1. 1. 上の「ダウンロード」ボタンを押して .skill ファイルを取得
  2. 2. ファイル名の拡張子を .skill から .zip に変えて展開(macは自動展開可)
  3. 3. 展開してできたフォルダを、ホームフォルダの .claude/skills/ に置く
    • · macOS / Linux: ~/.claude/skills/
    • · Windows: %USERPROFILE%\.claude\skills\

Claude Code を再起動すれば完了。「このSkillを使って…」と話しかけなくても、関連する依頼で自動的に呼び出されます。

詳しい使い方ガイドを見る →
最終更新
2026-05-18
取得日時
2026-05-18
同梱ファイル
1

📖 Skill本文(日本語訳)

※ 原文(英語/中国語)を Gemini で日本語化したものです。Claude 自身は原文を読みます。誤訳がある場合は原文をご確認ください。

監査支援

重要: このスキルは SOX コンプライアンスのワークフローを支援しますが、監査や法的なアドバイスを提供するものではありません。すべてのテスト作業書と評価は、資格のある財務専門家によってレビューされる必要があります。「重要性 (significance)」と「重大性 (materiality)」は、最終的に監査人が評価する文脈固有の概念ですが、このスキルは、監査のための効果的な内部統制と文書化の作成および評価を専門家が支援することを目的としています。

SOX 404 統制テスト方法論、サンプル選択アプローチ、テスト文書化基準、統制不備の分類、および一般的な統制タイプ。

SOX 404 統制テスト方法論

概要

SOX 第 404 条は、経営陣に財務報告に係る内部統制 (ICFR) の有効性を評価することを義務付けています。これには以下が含まれます。

  1. スコープ設定: 重要な勘定科目と関連するアサーションを特定します。
  2. リスク評価: 各重要な勘定科目における重要な虚偽表示のリスクを評価します。
  3. 統制の特定: 各リスクに対処する統制を文書化します。
  4. テスト: 主要な統制の設計と運用有効性をテストします。
  5. 評価: 不備が存在するかどうか、およびその重大性を評価します。
  6. 報告: 評価と重要な弱点を文書化します。

重要な勘定科目のスコープ設定

勘定科目は、重大な虚偽表示(個別または集計で)を含む可能性が低いとは言えない場合、重要であるとみなされます。

定量的要因:

  • 勘定残高が重要性の閾値を超える(通常、主要なベンチマークの 3-5%)。
  • 取引量が多く、誤りのリスクが増加する。
  • 勘定科目が重要な見積もりや判断の対象となる。

定性的要因:

  • 勘定科目が複雑な会計処理(収益認識、デリバティブ、年金)を伴う。
  • 勘定科目が不正(現金、収益、関連当事者取引)の影響を受けやすい。
  • 勘定科目に過去の虚偽表示や監査調整があった。
  • 勘定科目が重要な経営判断や見積もりを伴う。
  • 新規の勘定科目または大幅に変更されたプロセス。

勘定科目タイプ別の関連するアサーション

勘定科目タイプ 主要なアサーション
収益 発生、網羅性、正確性、期間帰属
売掛金 実在性、評価(引当金)、権利
棚卸資産 実在性、評価、網羅性
固定資産 実在性、評価、網羅性、権利
買掛金 網羅性、正確性、実在性
未払費用 網羅性、評価、正確性
資本 網羅性、正確性、表示
財務決算/報告 表示、正確性、網羅性

設計有効性 vs 運用有効性

設計有効性: 関連するアサーションにおける重要な虚偽表示を防止または発見するために、統制が適切に設計されているか?

  • ウォークスルー(取引をプロセス全体で最初から最後まで追跡する)を通じて評価されます。
  • 統制がプロセスの適切な時点に配置されていることを確認します。
  • 統制が特定されたリスクに対処していることを確認します。
  • 少なくとも年 1 回、またはプロセスが変更されたときに実施されます。

運用有効性: 統制はテスト期間中、設計どおりに実際に運用されたか?

  • テスト(検査、観察、再実施、質問)を通じて評価されます。
  • 結論を裏付けるのに十分なサンプルサイズが必要です。
  • 依拠する全期間をカバーする必要があります。

サンプル選択アプローチ

無作為抽出

使用する場合: 大規模な母集団を持つ取引レベルの統制に対するデフォルトの方法です。

方法:

  1. 母集団を定義する(期間中に統制の対象となるすべての取引)。
  2. 母集団内の各項目に連番を振る。
  3. 乱数ジェネレーターを使用してサンプル項目を選択する。
  4. 選択に偏りがないことを確認する(すべての項目が等しい確率を持つ)。

利点: 統計的に有効で、弁護可能であり、選択バイアスがない。 欠点: 高リスク項目を見逃す可能性があり、完全な母集団リストが必要。

ターゲット(判断)抽出

使用する場合: リスクベースのテストのための無作為抽出の補完として、または母集団が小さいか非常に多様な場合の主要な方法として使用します。

方法:

  1. 特定の危険特性を持つ項目を特定する:
    • 高額(定義された閾値を超える)
    • 異常または非標準の取引
    • 期末取引(期間帰属リスク)
    • 関連当事者取引
    • 手動または上書き取引
    • 新規ベンダー/顧客取引
  2. リスク基準に合致する項目を選択する。
  3. 各ターゲット選択の根拠を文書化する。

利点: 最もリスクの高い項目に焦点を当て、テスト作業を効率的に利用できる。 欠点: 統計的に代表的ではなく、特定のディスクを過大に表現する可能性がある。

無計画抽出

使用する場合: 無作為抽出が非現実的(連番の母集団リストがない)で、母集団が比較的均質な場合。

方法:

  1. 特定のパターンや偏りなく項目を選択する。
  2. 選択が母集団の全期間にわたって分散していることを確認する。
  3. 無意識の偏りを避ける(常に上部の項目、丸い数字などを選択しない)。

利点: シンプルで、技術は不要。 欠点: 統計的に有効ではなく、無意識の偏りの影響を受けやすい。

系統抽出

使用する場合: 母集団が連続しており、期間全体にわたって均等なカバレッジを確保したい場合。

方法:

  1. サンプリング間隔を計算する: 母集団サイズ / サンプルサイズ
  2. 最初の間隔内でランダムな開始点を選択する。
  3. 開始点から N 番目ごとの項目を選択する。

: 母集団 1,000、サンプル 25 → 間隔 40。ランダムな開始点: 項目 17。項目 17、57、97、137、... を選択。

利点: 母集団全体にわたる均等なカバレッジ、実行が簡単。 欠点: 母集団内の周期的なパターンが結果に偏りをもたらす可能性がある。

サンプルサイズガイダンス

統制頻度 想定母集団 低リスクサンプル 中リスクサンプル 高リスクサンプル
年次 1 1 1 1
四半期

(原文がここで切り詰められています)

📜 原文 SKILL.md(Claudeが読む英語/中国語)を展開

Audit Support

Important: This skill assists with SOX compliance workflows but does not provide audit or legal advice. All testing workpapers and assessments should be reviewed by qualified financial professionals. While "significance" and "materiality" are context-specific concepts that are ultimately assessed by auditors, this skill is intended to assist professionals in the creation and evaluation of effective internal controls and documentation for audits.

SOX 404 control testing methodology, sample selection approaches, testing documentation standards, control deficiency classification, and common control types.

SOX 404 Control Testing Methodology

Overview

SOX Section 404 requires management to assess the effectiveness of internal controls over financial reporting (ICFR). This involves:

  1. Scoping: Identify significant accounts and relevant assertions
  2. Risk assessment: Evaluate the risk of material misstatement for each significant account
  3. Control identification: Document the controls that address each risk
  4. Testing: Test the design and operating effectiveness of key controls
  5. Evaluation: Assess whether any deficiencies exist and their severity
  6. Reporting: Document the assessment and any material weaknesses

Scoping Significant Accounts

An account is significant if there is more than a remote likelihood that it could contain a misstatement that is material (individually or in aggregate).

Quantitative factors:

  • Account balance exceeds materiality threshold (typically 3-5% of a key benchmark)
  • Transaction volume is high, increasing the risk of error
  • Account is subject to significant estimates or judgment

Qualitative factors:

  • Account involves complex accounting (revenue recognition, derivatives, pensions)
  • Account is susceptible to fraud (cash, revenue, related-party transactions)
  • Account has had prior misstatements or audit adjustments
  • Account involves significant management judgment or estimates
  • New account or significantly changed process

Relevant Assertions by Account Type

Account Type Key Assertions
Revenue Occurrence, Completeness, Accuracy, Cut-off
Accounts Receivable Existence, Valuation (allowance), Rights
Inventory Existence, Valuation, Completeness
Fixed Assets Existence, Valuation, Completeness, Rights
Accounts Payable Completeness, Accuracy, Existence
Accrued Liabilities Completeness, Valuation, Accuracy
Equity Completeness, Accuracy, Presentation
Financial Close/Reporting Presentation, Accuracy, Completeness

Design Effectiveness vs Operating Effectiveness

Design effectiveness: Is the control properly designed to prevent or detect a material misstatement in the relevant assertion?

  • Evaluated through walkthroughs (trace a transaction end-to-end through the process)
  • Confirm the control is placed at the right point in the process
  • Confirm the control addresses the identified risk
  • Performed at least annually, or when processes change

Operating effectiveness: Did the control actually operate as designed throughout the testing period?

  • Evaluated through testing (inspection, observation, re-performance, inquiry)
  • Requires sufficient sample sizes to support a conclusion
  • Must cover the full period of reliance

Sample Selection Approaches

Random Selection

When to use: Default method for transaction-level controls with large populations.

Method:

  1. Define the population (all transactions subject to the control during the period)
  2. Number each item in the population sequentially
  3. Use a random number generator to select sample items
  4. Ensure no bias in selection (all items have equal probability)

Advantages: Statistically valid, defensible, no selection bias Disadvantages: May miss high-risk items, requires complete population listing

Targeted (Judgmental) Selection

When to use: Supplement to random selection for risk-based testing; primary method when population is small or highly varied.

Method:

  1. Identify items with specific risk characteristics:
    • High dollar amount (above a defined threshold)
    • Unusual or non-standard transactions
    • Period-end transactions (cut-off risk)
    • Related-party transactions
    • Manual or override transactions
    • New vendor/customer transactions
  2. Select items matching risk criteria
  3. Document rationale for each targeted selection

Advantages: Focuses on highest-risk items, efficient use of testing effort Disadvantages: Not statistically representative, may over-represent certain risks

Haphazard Selection

When to use: When random selection is impractical (no sequential population listing) and population is relatively homogeneous.

Method:

  1. Select items without any specific pattern or bias
  2. Ensure selections are spread across the full population period
  3. Avoid unconscious bias (don't always pick items at the top, round numbers, etc.)

Advantages: Simple, no technology required Disadvantages: Not statistically valid, susceptible to unconscious bias

Systematic Selection

When to use: When population is sequential and you want even coverage across the period.

Method:

  1. Calculate the sampling interval: Population size / Sample size
  2. Select a random starting point within the first interval
  3. Select every Nth item from the starting point

Example: Population of 1,000, sample of 25 → interval of 40. Random start: item 17. Select items 17, 57, 97, 137, ...

Advantages: Even coverage across population, simple to execute Disadvantages: Periodic patterns in the population could bias results

Sample Size Guidance

Control Frequency Expected Population Low Risk Sample Moderate Risk Sample High Risk Sample
Annual 1 1 1 1
Quarterly 4 2 2 3
Monthly 12 2 3 4
Weekly 52 5 8 15
Daily ~250 20 30 40
Per-transaction (small pop.) < 250 20 30 40
Per-transaction (large pop.) 250+ 25 40 60

Factors increasing sample size:

  • Higher inherent risk in the account/process
  • Control is the sole control addressing a significant risk (no redundancy)
  • Prior period control deficiency identified
  • New control (not tested in prior periods)
  • External auditor reliance on management testing

Testing Documentation Standards

Workpaper Requirements

Every control test should be documented with:

  1. Control identification:

    • Control number/ID
    • Control description (what is done, by whom, how often)
    • Control type (manual, automated, IT-dependent manual)
    • Control frequency
    • Risk and assertion addressed

  2. Test design:

    • Test objective (what you are trying to determine)
    • Test procedures (step-by-step instructions)
    • Expected evidence (what you expect to see if the control is effective)
    • Sample selection methodology and rationale

  3. Test execution:

    • Population description and size
    • Sample selection details (method, items selected)
    • Results for each sample item (pass/fail with specific evidence examined)
    • Exceptions noted with full description

  4. Conclusion:

    • Overall assessment (effective / deficiency / significant deficiency / material weakness)
    • Basis for conclusion
    • Impact assessment for any exceptions
    • Compensating controls considered (if applicable)

  5. Sign-off:

    • Tester name and date
    • Reviewer name and date

Evidence Standards

Sufficient evidence includes:

  • Screenshots showing system-enforced controls
  • Signed/initialed approval documents
  • Email approvals with identifiable approver and date
  • System audit logs showing who performed the action and when
  • Re-performed calculations with matching results
  • Observation notes (with date, location, observer)

Insufficient evidence:

  • Verbal confirmations alone (must be corroborated)
  • Undated documents
  • Evidence without identifiable performer/approver
  • Generic system reports without date/time stamps
  • "Per discussion with [name]" without corroborating documentation

Working Paper Organization

Organize testing files by control area:

SOX Testing/
├── [Year]/
│   ├── Scoping and Risk Assessment/
│   ├── Revenue Cycle/
│   │   ├── Control Matrix
│   │   ├── Walkthrough Documentation
│   │   ├── Test Workpapers (one per control)
│   │   └── Supporting Evidence
│   ├── Procure to Pay/
│   ├── Payroll/
│   ├── Financial Close/
│   ├── Treasury/
│   ├── Fixed Assets/
│   ├── IT General Controls/
│   ├── Entity Level Controls/
│   └── Summary and Conclusions/
│       ├── Deficiency Evaluation
│       └── Management Assessment

Control Deficiency Classification

Deficiency

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Evaluation factors:

  • What is the likelihood that the control failure could result in a misstatement?
  • What is the magnitude of the potential misstatement?
  • Is there a compensating control that mitigates the deficiency?

Significant Deficiency

A deficiency, or combination of deficiencies, that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

Indicators:

  • The deficiency could result in a misstatement that is more than inconsequential but less than material
  • There is more than a remote (but less than reasonably possible) likelihood of a material misstatement
  • The control is a key control and the deficiency is not fully mitigated by compensating controls
  • Combination of individually minor deficiencies that together represent a significant concern

Material Weakness

A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis.

Indicators:

  • Identification of fraud by senior management (any magnitude)
  • Restatement of previously issued financial statements to correct a material error
  • Identification by the auditor of a material misstatement that would not have been detected by the company's controls
  • Ineffective oversight of financial reporting by the audit committee
  • Deficiency in a pervasive control (entity-level, IT general control) affecting multiple processes

Deficiency Aggregation

Individual deficiencies that are not significant individually may be significant in combination:

  1. Identify all deficiencies in the same process or affecting the same assertion
  2. Evaluate whether the combined effect could result in a material misstatement
  3. Consider whether deficiencies in compensating controls exacerbate other deficiencies
  4. Document the aggregation analysis and conclusion

Remediation

For each identified deficiency:

  1. Root cause analysis: Why did the control fail? (design gap, execution failure, staffing, training, system issue)
  2. Remediation plan: Specific actions to fix the control (redesign, additional training, system enhancement, added review)
  3. Timeline: Target date for remediation completion
  4. Owner: Person responsible for implementing the remediation
  5. Validation: How and when the remediated control will be re-tested to confirm effectiveness

Common Control Types

IT General Controls (ITGCs)

Controls over the IT environment that support the reliable functioning of application controls and automated processes.

Access Controls:

  • User access provisioning (new access requests require approval)
  • User access de-provisioning (terminated users removed timely)
  • Privileged access management (admin/superuser access restricted and monitored)
  • Periodic access reviews (user access recertified on a defined schedule)
  • Password policies (complexity, rotation, lockout)
  • Segregation of duties enforcement (conflicting access prevented)

Change Management:

  • Change requests documented and approved before implementation
  • Changes tested in a non-production environment before promotion
  • Separation of development and production environments
  • Emergency change procedures (documented, approved post-implementation)
  • Change review and post-implementation validation

IT Operations:

  • Batch job monitoring and exception handling
  • Backup and recovery procedures (regular backups, tested restores)
  • System availability and performance monitoring
  • Incident management and escalation procedures
  • Disaster recovery planning and testing

Manual Controls

Controls performed by people using judgment, typically involving review and approval.

Examples:

  • Management review of financial statements and key metrics
  • Supervisory approval of journal entries above a threshold
  • Three-way match verification (PO, receipt, invoice)
  • Account reconciliation preparation and review
  • Physical inventory observation and count
  • Vendor master data change approval
  • Customer credit approval

Key attributes to test:

  • Was the control performed by the right person (proper authority)?
  • Was it performed timely (within the required timeframe)?
  • Is there evidence of the review (signature, initials, email, system log)?
  • Did the reviewer have sufficient information to perform an effective review?
  • Were exceptions identified and appropriately addressed?

Automated Controls

Controls enforced by IT systems without human intervention.

Examples:

  • System-enforced approval workflows (cannot proceed without required approvals)
  • Three-way match automation (system blocks payment if PO/receipt/invoice don't match)
  • Duplicate payment detection (system flags or blocks duplicate invoices)
  • Credit limit enforcement (system prevents orders exceeding credit limit)
  • Automated calculations (depreciation, amortization, interest, tax)
  • System-enforced segregation of duties (conflicting roles prevented)
  • Input validation controls (required fields, format checks, range checks)
  • Automated reconciliation matching

Testing approach:

  • Test design: Confirm the system configuration enforces the control as intended
  • Test operating effectiveness: For automated controls, if the system configuration has not changed, one test of the control is typically sufficient for the period (supplemented by ITGC testing of change management)
  • Verify change management ITGCs are effective (if system changed, re-test the control)

IT-Dependent Manual Controls

Manual controls that rely on the completeness and accuracy of system-generated information.

Examples:

  • Management review of a system-generated exception report
  • Supervisor review of a system-generated aging report to assess reserves
  • Reconciliation using system-generated trial balance data
  • Approval of transactions identified by a system-generated workflow

Testing approach:

  • Test the manual control (review, approval, follow-up on exceptions)
  • AND test the completeness and accuracy of the underlying report/data (IPE — Information Produced by the Entity)
  • IPE testing confirms the data the reviewer relied on was complete and accurate

Entity-Level Controls

Broad controls that operate at the organizational level and affect multiple processes.

Examples:

  • Tone at the top / code of conduct
  • Risk assessment process
  • Audit committee oversight of financial reporting
  • Internal audit function and activities
  • Fraud risk assessment and anti-fraud programs
  • Whistleblower/ethics hotline
  • Management monitoring of control effectiveness
  • Financial reporting competence (staffing, training, qualifications)
  • Period-end financial reporting process (close procedures, GAAP compliance reviews)

Significance:

  • Entity-level controls can mitigate but typically cannot replace process-level controls
  • Ineffective entity-level controls (especially audit committee oversight and tone at the top) are strong indicators of a material weakness
  • Effective entity-level controls may reduce the extent of testing needed for process-level controls