Audit Serve, Inc.

 


  
SOX Initiatives to Reduce the Overall Project Scope

By: Mitchell H. Levine, CISA - Audit Serve, Inc.

SOX Restructuring Consulting Services Based on AS 5 Guidance

Most organizations have not effectively utilized the ammunition provided by Auditing Standard 5 (AS5) to significantly reduce the scope of ITGC (IT General Controls) testing. AS5 specifically states that the top-down, risk-based approach to identifying the controls to be tested could include testing entity level controls without having to test their associated activity/process level controls.
 

This would require an organization to define the entity level controls which cover each activity/process level control.

As stated in AS5, this top-down approach should also consider the likelihood that a control which is not effective could lead to a material misstatement of the financial statements which is not disclosed. In this case, the activity/process level ITGC control would still need to be tested even if there is an entity level control which has proven effective.

The ITGC activity/process level controls which could lead to undisclosed material misstatements are limited to a few possible scenarios. However, one possible scenario is the granting of individuals direct update access to data outside the control of the application, since it would not be possible to turn on the required level of audit trails at a database level to disclose changes to the financial statements.

Alternatively, if there was not an associated entity level control for an activity/process level control, the activity/process level control could be removed from testing because it would not lead to a material misstatement of the financial statements. This was the ammunition that organizations have used in the past to distinguish between their key and non-key controls.

Organizations should establish a cross-reference table of all the activity/process level controls which tie to specific entity level controls.  

Example #1:

Activity/Process control:  All software elevations are tested prior to deployment to production

Entity Level control:  A workflow management system is deployed for all software changes 

Example #2:

Activity/Process controls:  An effective test process is used for all software deployment to production

Entity Level control:  A software development methodology is used and deployed across all organization units 

Documenting the rationale for the removal of controls to be tested is critical. With AS5 removing the external auditor's review of management's assessment of controls over financial reporting, the external auditor needs to be solicited for their concurrence on the controls which will be eliminated from testing using the top-down, risk-based approach deployed. Otherwise, these controls may still be included in the external auditor's testing, which is not disclosed by management's testing.


_____________________________________________________________________________________________

Mitchell Levine is the founder of Audit Serve, Inc., whose primary mission in 2008 has been to provide SOX scope reduction consulting services. Audit Serve conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.

Copyright  2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.

 
