Project Scope for Sarbanes-Oxley Implementation
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
This article discusses the project components for Section 404
of the Sarbanes-Oxley Act, which requires a management assessment of internal controls for financial reporting.
The first project component is to identify the areas of the company which are responsible for financial reporting and the IT
systems which are used to support their processes.
The next step is to make an organizational decision on whether the systems which feed the General Ledger and other systems
which produce the financial statements will be included in the scope of the management assessment of internal controls. This is an important decision since systems which report revenue
could also include external companies, for which assurances would need to be obtained that these companies are Sarbanes-Oxley compliant. Utilizing a SAS 70 service auditor's report for the
external company may not be sufficient unless the SAS 70 report specifically included in its scope the review of the financial reporting systems. In addition, if only a Type 1 SAS 70 report
was performed, then the company's stated controls were not tested.
Another factor which impacts scope decisions is whether the system controls for the financial reporting systems will be evaluated.
Decisions on whether to exclude feeder systems to the systems which generate the financial statements should be
substantiated by business risk assessments. As is the case with most of the project tasks, the SEC does not provide directives on the scope of the systems and processes which should be included in the overall assessment.
The next step in the project is to identify all of the operational, financial and system controls which provide
assurance that accurate financial reporting is occurring. This requires the Sarbanes-Oxley project team to gather
documentation which supports process workflows and to conduct interviews to establish or validate existing workflows.
Templates should be established to identify the critical controls which support the accurate generation of financial statements,
differentiating between manual and system preventive controls. Once again, the SEC does not provide guidance on the
level of detail in which these controls need to be documented.
When defining the company's internal controls over financial reporting, the SEC ruled that evaluation criteria need to be
established to report on internal controls. The AICPA and other organizations pushed for the SEC to adopt the COSO Framework as the means by which management should evaluate a company's internal
control over financial reporting. The final SEC ruling does not mandate the use of the COSO Framework but instead leaves the decision
to each company, as long as it identifies the evaluation framework used by management to assess the effectiveness of the company's
internal controls over financial reporting.
The next step is to define the testing requirements necessary to ensure that the company's internal controls over financial
reporting are functioning as intended. Once again, the SEC offers no guidance on the sample sizes which need to be tested. It is a best practice for companies to establish a sample size which is
consistently used throughout the project. The sample size also needs to factor in the frequency with which these processes occur.
The final step in the project is to define post-implementation monitoring and subsequent assessments which need to occur once a
company has deemed itself as being Sarbanes-Oxley Section 404 compliant. The final SEC ruling provided complete flexibility on
the frequency and the methods to be used. However, the SEC was very specific in requiring companies to have detective
controls to identify changes in the company's internal controls over financial reporting. As for the frequency with which the assessment of controls needs to be performed, it is left to the
discretion of each company to design the monitoring processes which determine the overall effectiveness of internal controls over financial reporting during its fiscal year.
Copyright 2006, Audit Serve, Inc. All rights reserved.
Reproduction, which includes links from other Web sites, is prohibited except by
permission in writing.
This article appeared in a past issue of the Audit Vision
E-Mail Newsletter.