Audit Serve, Inc.

 


Sarbanes-Oxley 404: Finalizing the IT General Controls Portion of the Review

 (Part 2 of 2)

By: Mitchell H. Levine, CISA
Audit Serve, Inc.


                                                             


Remediation Project Prioritization and Completion Dates 

SOX remediation consists of establishing controls which never existed or enhancing controls based on testing performed. Many organizations subscribed to the approach of delaying testing until remediation was completed for the control gaps identified during the control analysis stage of the project. Some organizations chose to proceed directly to testing for control processes which were thought to be established, in order to gain credit at an early stage of the project for testing the required sample sizes advocated by the external auditors.

The overall requirement of when controls need to be remediated depends on when a company's fiscal year ends. The current SEC rules stipulate that Section 404 controls needed to be in place by 11/15/04. The interpretation of when the controls which impact the financial statements truly need to be in place could be viewed as being the start of the year, which is the reason many companies whose fiscal years end 12/31 were using 1/1/04 as the starting point for their sample period. It is understood within the industry that external auditors will not be issuing control deficiencies stating that the control was not effectively functioning since the start of the fiscal year. However, after this first year of SOX implementation, the expectation will be that the control would have been in place and functioning for the entire year.

Companies whose fiscal years ended prior to 11/15 have some latitude as to when the controls need to be in place for their 2005 fiscal year. However, to be on the “safe side” the control should be in place by 11/15, although it is known within the industry that companies have delayed these efforts until the first quarter of 2005.

The items introduced in the rest of the article assume that an organization has a fiscal year end of 12/31.

The race is on to complete the remediation projects. Due to the number of items which need to be remediated, organizations have prioritized these projects based on their risk level. It is assumed that low and medium risk IT General Control issues will not lead to the external auditors reporting a control deficiency and certainly not a material weakness.

All remediation needs to be completed within timeframes to support testing which meets the sample sizes being advocated by the external auditors. Required sample sizes are based on the frequency of the control. The external auditors of the largest accounting firms have published their required test sample sizes, which fall in the following ranges:

- Daily control: 20 to 40
- Weekly control: 5 to 15
- Monthly control: 2 to 5
- Quarterly control: 2
- Annual control: 1

It should also be noted that within the IT General Controls portion of the SOX project the frequency of many controls is intermittent. For instance, the control to identify backup failures cannot be classified as a daily or weekly control.

Based on these requirements, a daily control would need to be in place by December 3rd and it is too late for weekly, monthly and annual control frequencies. This is unfamiliar territory regarding how the external auditors will view the implementation of controls which allow only a few tests to be performed over a limited sample period.

Another major consideration, and a major resource effort, is the documentation of the remediation effort. It is expected that companies will document the remediation to include the following components within the Remediation Plan and Detailed Results documents:


- Description of the condition which led to the remediation
- Specification of how the issue will be corrected or how the new control was defined
- Date on which the remediation was performed
- Test plan of how the remediation is to be validated
- Date of test execution for remediation validation
- Document or listing which supports successful testing/validation of the remediation performed


A critical project management component of the remediation project is ensuring that there is a process in place for communicating to the external auditor when a control is functioning. This will then enable the external auditor to perform their own independent test at the proper time.

Documentation Requirements

The documentation required for testing is similar to the requirements outlined above for validating the remediation. The one area which needs to be discussed is the level of detail required in the test procedure and the organization of the workpaper cross-referencing, which should allow an individual to follow the testing from what was intended to be performed to what was actually performed.

There are two standards of documentation, which are applied differently based on whether the testing is supposed to only support management’s assertion that the control is functioning properly or to support the external auditor’s possible representation that they are relying on the internal work performed to partially support the overall testing they performed. The documentation requirements for the external auditor are defined by the PCAOB. The external auditor is required to perform their own independent test to draw their own conclusion (paragraph 111 of PCAOB Release 4/9/04 Standard 2). The documentation standard for the external auditors' testing, specified by PCAOB, is that audit documentation must contain sufficient information to enable an experienced auditor having no connection with the engagement, but with industry and audit experience, to understand it.

The only PCAOB statements regarding the documentation requirements for the internal staff supporting management’s assertions are specified in paragraphs 122-125 of PCAOB Release 4/9/04 Standard 2, which is predicated on the external auditor not relying on the internal tests to reduce their scope of testing. In summary, the documentation requirement is for the external auditor to validate the quality and effectiveness of the work performed, which includes such factors as:

- Scope of work is appropriate to meet the objectives
- Work Programs are adequate
- Work performed is adequately documented including evidence of supervision
- Conclusions are appropriate

The intent by PCAOB in Standard 3 was to provide a method for companies to reduce their external audit costs by having the external auditors partially rely on the work performed by the internal organization, but by no means does it require organizations to do this.



Copyright  2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.

 
