Management needs to perform its own testing and assessment of the effectiveness of internal controls over financial reporting. External auditors will then independently test the controls to ensure that they are in effect as stated by management. Testing typically includes a combination of corroborative inquiry, observation and reperformance of a selection of control procedures. It is not possible to offer specific guidance on exactly which controls will be tested; that determination should be made by management based upon their risk assessment. The question underscores the importance of communicating early and often with external auditors to ensure they will be satisfied with the extent of testing.”]
Source: https://www.csoonline.com/article/2117251/auditing-and-sox.html