March 1, 2009

Posted in Frameworks, SOX, tagged at 6:47 pm by Molly

SOX Compliance Roadmap

1) Plan and Scope IT Controls

Assign accountability and responsibility.
Statement on Auditing Standards (SAS) 70 reports are traditionally performed for service organisations.

2) Assess IT Risk

Assess the likelihood and impact of IT systems causing financial statement error or fraud.
Assess inherent risk rather than residual risk.
Access controls: without them, there is a risk of someone accessing the system and falsifying transactions.
Base the risk assessment on the following:-
* nature of technology
* nature of people
* nature of processes
* past experience
* significance to the financial reports

3) Document Controls

Document application controls.
Document IT general controls.
Identify IT entity-level controls.
Identify application controls – automated controls & IT-dependent manual controls.
Identify IT general controls.
Identify which controls are the relevant controls.
Consider IT-based antifraud controls.
Control documentation (document controls over financial reporting and perform an assessment of their design and operating effectiveness).

4) Evaluate Control Design & Operating Effectiveness

Confirm that all key controls are documented.
Test controls to confirm their operating effectiveness.
Consider the nature of evidence required.
Forms of evidence:-
* inquiry – seeking information from knowledgeable persons;
* inspection of documentation – inspect reports;
* observation;
* reperformance – independently run exception reports;
Consider the timing of control testing.
Roll-forward testing.

5) Prioritise and Remediate Deficiencies

Perform an impact assessment of each deficiency.
Consider whether compensating controls exist and can be relied upon.
Consider guidance from the SEC and PCAOB on:-
* application-level deficiencies;
* control environment deficiencies;
* failing to remediate a deficiency for an unreasonable period of time;
Identify and assess IT general control deficiencies:-
* design deficiencies;
* operating effectiveness deficiencies;

6) Build Sustainability

Consider automated controls.
Rationalise to eliminate redundant and duplicate controls.
