
Sox Testing
Draft SOX 404 sample selections, testing workpapers, and control deficiency assessments for quarterly or annual internal control testing.
Overview
Sox-testing is an agent skill for the Operate phase that generates SOX 404 sample selections, testing workpapers, and control assessments for named financial control areas.
Install
npx skills add https://github.com/anthropics/knowledge-work-plugins --skill sox-testing
What is this skill?
- Command-style entry: /sox <control-area> <period> with mapped control areas (revenue-recognition, p2p, payroll, financia
- Generates sample selections, testing workpaper templates, and control assessments for SOX 404 ICFR
- Explicit disclaimer: assists workflows—not audit or legal advice; requires qualified financial review
- References CONNECTORS.md for placeholder and tool connectivity checks
- Supports evaluating and classifying control deficiencies during testing
- Eight named control-area arguments including revenue-recognition, p2p, payroll, financial-close, treasury, fixed-assets,
Adoption & trust: 1.4k installs on skills.sh; 19.6k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You must plan SOX testing for a control area but lack a consistent sample selection and workpaper starting point for the period.
Who is it for?
Controllers and internal audit liaisons at SOX-scoped companies running recurring 404 control tests across standard cycles.
Skip if: Typical indie SaaS builders with no ICFR obligations, or anyone seeking authoritative audit or legal advice without professional review.
When should I use this skill?
Planning quarterly or annual SOX 404 testing, pulling samples, building testing workpapers, or evaluating control deficiencies; user invokes /sox with control area and period.
What do I get? / Deliverables
You receive structured testing templates, sample selection guidance, and deficiency assessment drafts ready for qualified finance review before audit documentation.
- Sample selection documentation
- SOX testing workpaper template
- Control deficiency assessment draft
Journey fit
SOX testing is recurring operational control work after the product and finance processes are live, aligned with audit cycles rather than initial build. Iterate fits ongoing control retesting, deficiency classification updates, and workpaper refinement each period.
How it compares
Use this templated compliance assistant instead of unstructured chat for SOX workpapers—it does not replace GRC platforms or auditor judgment.
Common Questions / FAQ
Who is sox-testing for?
Finance and compliance staff at companies subject to SOX 404 who need agent help drafting samples, workpapers, and control assessments.
When should I use sox-testing?
During Operate when planning quarterly or annual SOX testing, pulling samples for a control like revenue or ITGC, or building deficiency classification notes for a period.
Is sox-testing safe to install?
It may connect to internal data via configured connectors; review the Security Audits panel on this page and treat all outputs as draft until finance professionals approve them.
SKILL.md - Sox Testing
# SOX Compliance Testing

> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../../CONNECTORS.md).

**Important**: This command assists with SOX compliance workflows but does not provide audit or legal advice. All testing workpapers and assessments should be reviewed by qualified financial professionals before use in audit documentation.

Generate sample selections, create testing workpapers, document control assessments, and provide testing templates for SOX 404 internal controls over financial reporting.

## Usage

```
/sox <control-area> <period>
```

### Arguments

- `control-area` — The control area to test:
  - `revenue-recognition` — Revenue cycle controls (order-to-cash)
  - `procure-to-pay` or `p2p` — Procurement and AP controls (purchase-to-pay)
  - `payroll` — Payroll processing and compensation controls
  - `financial-close` — Period-end close and reporting controls
  - `treasury` — Cash management and treasury controls
  - `fixed-assets` — Capital asset lifecycle controls
  - `inventory` — Inventory valuation and management controls
  - `itgc` — IT general controls (access, change management, operations)
  - `entity-level` — Entity-level and monitoring controls
  - `journal-entries` — Journal entry processing controls
  - Any specific control ID or name
- `period` — The testing period (e.g., `2024-Q4`, `2024`, `2024-H2`)

## Workflow

### 1. Identify Controls to Test

Based on the control area, identify the key controls. Present the control matrix:

| Control # | Control Description | Type | Frequency | Key/Non-Key | Risk | Assertion |
|-----------|-------------------|------|-----------|-------------|------|-----------|
| [ID] | [Description] | Manual/Automated/IT-Dependent | Daily/Weekly/Monthly/Quarterly/Annual | Key | High/Medium/Low | [CEAVOP] |

**Control types:**
- **Automated:** System-enforced controls with no manual intervention
- **Manual:** Controls performed by personnel with judgment
- **IT-dependent manual:** Manual controls that rely on system-generated data

**Assertions (CEAVOP):**
- **C**ompleteness — All transactions are recorded
- **E**xistence/Occurrence — Transactions actually occurred
- **A**ccuracy — Amounts are correctly recorded
- **V**aluation — Assets/liabilities are properly valued
- **O**bligations/Rights — Entity has rights to assets, obligations for liabilities
- **P**resentation/Disclosure — Properly classified and disclosed

### 2. Determine Sample Size

Calculate sample sizes based on control frequency and risk:

| Control Frequency | Population Size (approx.) | Recommended Sample |
|------------------|--------------------------|-------------------|
| Annual | 1 | 1 (test the instance) |
| Quarterly | 4 | 2 |
| Monthly | 12 | 2-4 (based on risk) |
| Weekly | 52 | 5-15 (based on risk) |
| Daily | ~250 | 20-40 (based on risk) |
| Per-transaction | Varies | 25-60 (based on risk and volume) |

Adjust for:
- **Risk level:** Higher risk controls require larger samples
- **Prior year results:** Controls with prior deficiencies need larger samples
- **Reliance:** Controls relied upon by external auditors may need larger samples

### 3. Generate Sample Selection

Select samples from the population using the appropriate method:

**Random selection** (default for transaction-level controls):
- Generate random numbers to select specific items from the population
- Ensure coverage across the full period
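
One reproducible way to carry out the sample-size and random-selection steps, as an added example that is not part of the skill's SKILL.md. The risk-to-size mapping (low, medium, high to the bottom, midpoint and top of the table's range), the month-based spreading used for period coverage, and the names `sample_size`, `select_samples` and `constructed_population` are assumptions made for illustration.

```python
import random
from collections import defaultdict
from datetime import date

# (min, max) recommended sample per control frequency, from the table above.
SAMPLE_RANGES = {
    "annual": (1, 1), "quarterly": (2, 2), "monthly": (2, 4),
    "weekly": (5, 15), "daily": (20, 40), "per-transaction": (25, 60),
}

def sample_size(frequency, risk, population):
    # Assumption: low risk -> bottom of range, medium -> midpoint, high -> top.
    lo, hi = SAMPLE_RANGES[frequency]
    n = {"low": lo, "medium": (lo + hi) // 2, "high": hi}[risk]
    return min(n, population)  # cannot sample more items than exist

def select_samples(items, frequency, risk, seed):
    """items: list of (item_id, date). Returns the sorted sampled item_ids."""
    n = sample_size(frequency, risk, len(items))
    rng = random.Random(seed)  # record the seed in the workpaper
    by_month = defaultdict(list)
    for item_id, when in sorted(items):  # fixed input order -> reproducible
        by_month[(when.year, when.month)].append(item_id)
    order = sorted(by_month)
    rng.shuffle(order)
    for month in order:
        rng.shuffle(by_month[month])
    picked = []
    while len(picked) < n:  # round-robin over months spreads the sample
        for month in order:
            if by_month[month] and len(picked) < n:
                picked.append(by_month[month].pop())
    return sorted(picked)

def constructed_population():
    # Constructed sample data: 20 invoice IDs per month across 2024.
    return [(f"INV-{m:02d}-{i:03d}", date(2024, m, 1 + i))
            for m in range(1, 13) for i in range(20)]

if __name__ == "__main__":
    chosen = select_samples(constructed_population(), "per-transaction", "low", seed=2024)
    print(len(chosen), chosen[:5])
```

Recording the seed and the population extract alongside the selection lets a reviewer re-run the draw and obtain the same items.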