Audit Serve, Inc.

The Premier Audit, Security and Sarbanes-Oxley Consulting Company

SOX 404 Year II: Lessons Learned, Initiatives to Pursue and
Interpretation of Guidance Provided by the SEC & PCAOB
(Part 1 of 2)

By: Mitchell H. Levine, CISA
Audit Serve, Inc.

                                                             

Low Cost & Highly Skilled 
IT Audit and SOX Consulting Resources Available Immediately
Call Mitch Levine at (203) 972-3567 or 
email levinemh@auditserve.com for additional information

The policy statement issued by PCAOB on May 16th also attempted to address provide additional cost savings for Year II by reaffirming that AS2 was intended to provide the external auditor with the flexibility to use the work of others. However, it was understood by most organizations that in order for the external auditor’s to use the issuer’s testing, the test documentation need to meet the “reperformance standard” which required copies of all sampled data to allow the external auditor to reperform the test.  Unfortunately, the issuer’s internal test documentation was viewed in most cases by the external auditor as being deficient to be used to reduce the scope of their testing and therefore evaluated the testing performed to ensure that it could be used to support management’s control assessment. If this approach is to be used during Year II to reduce the costs of the external audit, then as stated previously in this article, the retention periods of the data which is  not static needs to be increased based on the timeframes of the external auditor’s testing. This is needed since in many cases all the data to support the reperformance testing cannot be maintained in hardcopy binders.


Conclusion

Although this article expresses some doubt in regards to the practicality of deploying the recommendations of the 
Commission and PCAOB, there appears to sincere efforts to address the concerns over the costs of complying with SOX.  Year II will bring to bear the direct and sometime “heated” negotiation with the external in regards to level of evaluation and testing of process-level controls. The emphasis on Company-level controls specifically reinforces the need to have frameworks and standards within an organization along with a well defined process to ensure the organizational units are implement these standards.  Unfortunately, smaller issuers will find it difficult to avoid being evaluated based on their process-level controls. The use or company-level controls was a way for larger organizations to avoid being evaluated at a sub-organization and entity level since it would be too costly to perform this level of process-control evaluation.

The guidance and policies issued did not address any of the areas relating to third party controlled and outsourced processes which has been an area of concern with most of the SOX practitioners. Therefore, it seems like during Year II that issuers have been issued another “free pass” for these areas.

Based on the May 16th guidance, issuers now have a formal document which can be used to substantiate their reduction in the scope of their SOX projects. However, the possibility of the reporting of a material weakness will force most organizations to not reduce their overall project efforts until Year III when they are assured that their initial project reduction approaches have been accepted by the external auditors. 

Copyright  2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.

Technical Articles | Conferences | Audit Programs | Audit Serve Seminars | Consulting Services | Audit Vision Newsletter | What's New | Contact US

This website has been optimized for Netscape and Internet Explorer 4.0 and above.  Your comments and suggestions are always welcome, please email webmaster@auditserve.com.
Copyright © 2000  All rights reserved.  27 Pine Street, Suite 700, New Canaan, CT 06840 USA.