Posted: Wed Apr 02, 2008 11:49 am Post subject: SOX 404 workload
Hi,
I have just been hired to do SOX 404; previously I have been doing 302. My questions are:
1. I don't really think much work has been done by my company other than preparation of some matrix and documentation, which is not yet fully complete. In your experience, how long will it take? I will start work from July and the deadline is Sept 08.
2. I have heard someone tell me that the company requires an in-house CPA to head this SOX compliance. Is it correct, and if yes, does this person in charge have to sign off on something at the end, or is it just to ensure that having a CPA is better as he/she will have the required knowledge? I am asking because I don't have a CPA but plenty of knowledge and experience to complete the task, so can I also head the team?
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Wed Apr 02, 2008 1:13 pm Post subject:
Hi and welcome to the forums
Below are some ideas that might help you get started:
Quote:
1. I don't really think much work has been done by my company other than preparation of some matrix and documentation, which is not yet fully complete. In your experience, how long will it take? I will start work from July and the deadline is Sept 08.
SOX 404 requirements will vary greatly by company (e.g., depending on levels and types of automation, risk factors, etc.). This can take considerable time to learn and implement, and just one quarter to build a full SOX 404 framework does not seem like enough time to me.
A few success factors are noted below for a good SOX 404 experience:
1. Training - As SOX 404 is nebulous and subject to interpretation, get good training so that you know what must be done (no more and no less than required).
2. Setting up a detailed SOX 404 plan.
3. Walkthrough and approval by SOX external auditors.
4. Ensuring senior management support on resources for documentation, testing, and to make needed changes.
5. COBIT 4.1, GAIT, and GTAG might be some good resources to read (many external auditors use COBIT checklists as key considerations to ascertain SOX 404 compliancy).
Quote:
2. I have heard someone tell me that the company requires an in-house CPA to head this SOX compliance. Is it correct, and if yes, does this person in charge have to sign off on something at the end, or is it just to ensure that having a CPA is better as he/she will have the required knowledge? I am asking because I don't have a CPA but plenty of knowledge and experience to complete the task, so can I also head the team?
There's no requirement for a CPA to head up SOX 404 compliancy within the statutory requirements that I'm aware of. In fact, an individual with a strong audit background might do a good job as well in designing control systems, etc. I would ensure the SOX 404 leader is well trained (and even invest in some of the good offsite training available where networking with other professionals and guidelines might help one get started).
I think it also depends on the size of the company, the number and proximity of locations that are in scope, the number of people working on the 404 project, the experience levels of those people, and whether or not all parties (process owners) are committed to making the project a success. I'm assuming that the September '08 deadline is for documentation only and that testing of key controls will then commence. In my experience, most personnel initially do not view SOX as an integrated part of their daily work routine and tend to give it a low priority, causing deadlines to be missed, which of course is detrimental to any project.
As mentioned, set up a 404 plan, and create schedules to include specific responsibilities for all personnel, timelines (be conservative), due dates, different project phases, etc. Also, read the SEC's interpretive guidance that was issued last year, in addition to AS 5 (although AS 5 was issued by the PCAOB for EAs). Something else: make sure there is someone on your staff who is proficient with IT controls and that the financial and IT components of SOX are working together towards a common end. Communicate frequently with all parties involved what the expectations are, and create status reports to communicate to upper management the progress of the SOX effort.
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Tue Apr 08, 2008 6:40 am Post subject:
Igor13 wrote:
In my experience, most personnel initially do not view SOX as an integrated part of their daily work routine and tend to give it a low priority, causing deadlines to be missed, which of course is detrimental to any project.
This is wise advice and represents why senior management backing on meeting SOX compliancy is so important.
Igor13 wrote:
Also, read the SEC's interpretive guidance that was issued last year, in addition to AS 5 (although AS 5 was issued by the PCAOB for EA's)
Below are some links that might help in this process:
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.