The Sarbanes Oxley Act :: View topic - Turnbull and 302/404 compliance
Posted: Fri Jan 19, 2007 2:52 am Post subject: Turnbull and 302/404 compliance
Does anyone have any case study or similar examples of how they have integrated Turnbull/corporate governance signoff with 302/404 compliance?
302 overlaps with Turnbull, but Turnbull has much wider coverage and does not just focus on financial risk. The 302 sign-off, whilst not requiring auditor attestation, appears to have more rigour than Turnbull because it is underpinned by 404 testing. Clearly, having two methodologies running concurrently is not the most efficient use of resources, and I wondered if there were any lessons learned at other organisations.
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Fri Jan 19, 2007 8:27 am Post subject:
Hi - While I'm not familiar with this standard, our company (an insurance conglomerate) must also handle multiple regulatory standards. One approach that might help is to use outlines of both the Turnbull and SOX requirements, looking for the commonality. Where possible, then design and streamline workflows around common controls, so that you only do it once. The non-common tasks can then be addressed separately for each of the two compliance standards.
Some related articles might also be found here (add "www" and paste to browser)
Thanks for the steer, guys. I also think there is scope to run the two together.
What interests me is that for Turnbull there is more of an emphasis on self-certification, whilst for 404 the emphasis is more audit-based. As we all know, 404 permits self-certification for management assessment, but it is not the most effective solution when there is the risk that the external auditors may find non-compliant processes which self-certification may not pick up, coupled with the cost-effectiveness of external auditors placing more reliance on management's own work if there is more rigorous testing.
In your experience, did you make the distinction between 302 and 404? By that I am thinking the Turnbull/regulatory process could be used to cover most of the 302 elements, and you can then ask the 404 testers to add any pertinent observations. Alternatively, I suppose you could expand the 'tone at the top' COSO analysis/questionnaire of the 404 work and let that cover the Turnbull sign-off for you, but clearly by doing so you would be imposing the rigours of 404 onto the Turnbull analysis.
Just wondered which way companies swung when faced with this.
Joined: Nov 25, 2004 Posts: 787 Location: London, UK
Posted: Fri Jan 19, 2007 10:50 am Post subject:
The Financial Reporting Council issued a report on 16 December 2004 called "The Turnbull guidance as an evaluation framework for the purposes of s404(a) of the Sarbanes-Oxley Act".
"The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero
Agreed, but the report really focuses on how you can use Turnbull instead of COSO for evaluating your processes.
Denis, you are based in the UK; do you have a Turnbull requirement, or are you part of a US corp? If the former, how have you merged your 404/302/Turnbull requirements, or have you kept the Turnbull separate from SOX?