SOX Re-Engineering: Establishing and Testing Entity-Level Controls
By: Mitchell H. Levine, CISA - Audit Serve, Inc.
SOX Restructuring Consulting Services Based on AS 5 Guidance
2008 has been the year in which organizations have initiated projects
that use the guidance in AS5 to reduce the scope of their SOX testing by
replacing activity-level controls with linked entity-level controls.
Organizations which have never established entity-level controls are
hesitant to replace activity-level controls, because their entity-level
controls have not been tested in prior years. Since an entity-level
control must be proven effective before it can replace the activity-level
controls linked to it, consideration should be given to running the
entity-level and activity-level controls in parallel during the first year.
Before an organization proceeds down the path of eliminating the testing
of activity-level controls on the basis of established and tested linked
entity-level controls, a negotiation needs to occur with the external
auditors to ensure that they agree with the established link between the
entity-level and activity-level controls and with the method by which the
entity-level controls will be tested. Although AS5 removed the
requirement for external auditors to express an opinion on management's
SOX control design and testing, the two projects remain linked, because
in almost all cases the external auditors rely partially on management's
testing to reduce the scope of their own testing.
When establishing test plans for entity-level controls, strong
consideration should be given to designing tests that exercise the
administrative process by which the control is carried out, rather than
tests that look for isolated instances in which a control or event tied
to an entity-level control did not occur. For instance, the entity-level
control which ensures that Data Owners are defined for all sensitive
resources should be tested by confirming that (1) a data classification
standard exists which identifies sensitive resources, and (2) a
corporate-wide tracking list is maintained which identifies sensitive
resources and their respective data owners. The approach to avoid would be
to randomly select a sensitive resource and determine whether it is
included on the tracking list.
Although AS5 provides a basis for eliminating the testing of an
activity-level control where the absence of that control would not
result in a material misstatement going unprevented or undetected,
organizations have been reluctant to use this PCAOB guidance as the
basis for eliminating these activity-level controls.
The re-engineering project to reduce the testing of activity-level
controls based on AS5 requires that a document be established which
provides the rationale supporting every scope reduction measure that is
taken. In addition, the activity-level controls which are eliminated
from testing should be retained in a control inventory and reviewed in
subsequent years to ensure that the link to the entity-level controls
remains the same. Refer to Audit Serve's partial list of recommended
entity-level controls.
It is also important to test the entity-level controls as early in the
fiscal year as possible, to allow time for re-testing and for possible
control design remediation should a test fail. Alternatively, if an
entity-level test fails, testing would need to be scheduled for the
linked activity-level controls which originally were not slated to be
tested.
_________________________________________________________
Mitchell Levine is the founder of Audit Serve, Inc., whose primary
mission in 2008 has been to provide SOX scope reduction consulting
services. Audit Serve conducts Integrated & IT Audits and SOX Control
Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you
would like to discuss your organization's specific project requirements
in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved.
Reproduction, which includes links from other Web sites, is prohibited except by
permission in writing.
This article appeared in a past issue of the Audit Vision
E-Mail Newsletter.