The Sarbanes-Oxley Act requires public company executives and auditors to certify the controls and procedures used to
generate their financial statements. The original compliance date was October 15th of this year.
The SEC has since extended the deadline for Sarbanes-Oxley compliance to fiscal years ending on or after
June 15, 2004. One of the primary components of the Act is Section 404, which requires a management
assessment of the internal controls over financial reporting.
Types of Audits
Although public companies have devoted significant resources to identifying, documenting and enhancing the controls used to
generate financial statements, many audit departments have not yet recognized the importance of this project. An audit of
an organization's Sarbanes-Oxley compliance could be approached as a project audit, similar to Y2K, in which the audit
department performs periodic audits of an area to ensure that the project is on track to be completed within the required timeframe. A
project audit should also assess whether the level of controls identified to support the integrity of the financial
statements is appropriate. An alternative would be to approach the work as a pre-implementation audit, in which an
auditor is assigned to the project and reviews the major components and tasks that comprise it. The
problem with this approach, discussed later in this article, is deciding whether the systems subject to certification
extend beyond the General Ledger systems. If the scope of systems impacted by Sarbanes-Oxley extends to all financial systems
that send sales and expense data to the General Ledger, then each of those systems would also require an audit.
With the compliance deadline extended to fiscal years ending after June 15, 2004, audit departments have a second chance to include these audits in
their schedule over the next 10 months to ensure that their companies meet the requirements of the Sarbanes-Oxley Act.
Potential Issues & Audit Areas
One potential audit issue relates to how the project is structured in your organization. The big four and mid-sized
accounting firms have made a big business of assisting companies in developing, documenting and testing the controls of
the systems that impact the financial statements. If the same firm is also responsible for auditing and certifying the
organization's financial statements, this is a conflict of interest that the auditor independence provisions of the
Sarbanes-Oxley Act do not allow.
Many organizations have been "short sighted" in their interpretation of which systems are impacted by Sarbanes-Oxley.
They review only the systems, operations and financial controls relating to the General Ledger systems that produce the
financial statements. However, the sales and expense data that originate in other systems and feed the General Ledger
should also be considered for review, since they impact the financial statements. In addition, those feeder systems may
themselves be fed by other systems, which may also need to be considered for review. It is suggested that a classification scheme be
established in one's organization to identify the primary and secondary systems that impact financial data.
When performing a review of the IT controls that impact the financial statements, there is a question as to whether these
controls pertain only to application processing. A case can be made that the operating systems and databases used by the
application would also need to be reviewed, since they affect the integrity of the data.
Some organizations have a false sense of comfort because they use off-the-shelf systems such as SAP. However, since pre-existing workflows had to be forced into the rigid SAP
structures, the overall design of the controls and the manual workarounds need to be assessed on an individual company basis.
Conclusion
Sarbanes-Oxley is the latest example of a project that impacts most companies. Y2K and the euro currency conversion
were the last two projects with similar global implications, but they carried greater exposure if they were
not completed successfully: businesses would have failed if they were not Y2K or euro compliant.
For a free proposal to perform an audit of your organization or provide
SOX support & testing services, contact Mitchell
Levine of Audit Serve at (203) 972-3567 or via e-mail at Levinemh@auditserve.com.
Copyright 2006, Audit Serve, Inc. All rights reserved.
Reproduction, which includes links from other Web sites, is prohibited except by
permission in writing.
This article appeared in a past issue of the Audit Vision
E-Mail Newsletter.