Posted: Tue Mar 25, 2008 4:02 pm Post subject: Entity Level Controls
AS 5 points out that management and external auditors should place more reliance on entity level controls. However, I am having trouble identifying more than two! I am referring to controls that have a direct impact on a specific financial statement risk and not the indirect controls such as an ethics policy. Has anyone identified any entity-level controls and how are you benefiting from them in your 404 work?
Here is my take on this - I think sometimes it is a matter of semantics. We have classified our controls into these buckets -
Entity-level (policies, general corporate tone of mgmt)
Company-level common controls (account reconciliations, JEs, SOD, system access, period close analytics) which are tested on a combined basis over all processes
Process-specific controls (specific reviews of judgmental reserves, spreadsheets, etc.)
I also have not found any of our ELCs that provide FS assertion coverage. We do rely on the company-level controls to cover FS assurance at a high level.
Thanks for your comments. I was hoping you could provide specifics on how you have linked the CLC account reconciliations to your processes to allow you to eliminate key controls and/or reduce testing around process-specific controls. I am interested in balance sheet reconciliation and review controls as a company-level control but am concerned with the result of "failing" the control. Balance sheet reconciliations are such an important control; what if you find exceptions in testing? Do you fail the entire control? How does that impact other exceptions that you feel are not a significant deficiency due to the compensating control "balance sheet reconciliations are performed, etc."?
There is some judgment required when looking at test exceptions as to whether or not to fail a control. When we look at reconciliations, we review to ensure that they include preparer and review signatures and dates work performed, tie back to supporting information (gl, subledger, excel control file, bank statement, etc.), schedule foots, outstanding items aged and cleared timely. If there is a lack of signatures or dates, we do not fail the control as we can generally determine that they were prepared / reviewed. Other exceptions may cause us to increase our sample size to help in our judgment as to operating effectively or deficient.
If this control fails, then other controls that failed which rely on reconciliations would also fail.
In general, we rely on (from top to bottom) -
Period/quarter reviews (very detailed)
Account-specific controls for validity of supporting balances (generally the manually-calculated support such as lease reserves, AFDA, OAL, etc.)