The appropriately named Sarbanes-Oxley Compliance Toolkit includes a whole range of materials specifically put together to both introduce, and take you through this most important of legislation.
As security is such a major theme on the Act, many organizations are using the international ISO standards. The ISO 27001 Portal outlines these. A copy of the standards, and security policies, can be obtained via the ISO 17799 Toolkit.
The SOX email storage requirements can be fulfilled using the
GFI MailArchiver
SOX Advertisers
Sarbanes What?
Our server logs indicate some interesting mis-spellings: Sarbannes Oxley, Sorbane Oxley, Sarbanne Oxley, Sarbaines Oxley, Sarbanesoxley, Sorbanes Oxley, Sabanes Oxley, Sarbane Oxley, and Sarbanes Oaxley, to name but a few!
Sarbanes-Oxley Act Forum: Forums
The Sarbanes Oxley Act :: View topic - Internal controls
Posted: Wed Jan 19, 2011 3:52 am Post subject: Internal controls
Hello,
I have two questions regarding internal controls in SOX. I am setting up the internal controm matrix for the documentation of controls in compliance with SOX.
Could anybody provide me with the template for control matrix in line with SOX requirements?
Second question, when documenting internal controls which do not directly relate to finance like "security control: provision of employees with electronic card to monitor their movement within the premises", do the IPO's and FS assertions also exist for this kind of control? Do I need to document them for this kind of control as well?
There are many formats you can use do document controls. An easy one to start with could be this (in a spreadsheet):
Down the left column you would list your controls and number them. You could also group them by Principal Business Activity (PBA).
Across the top, list your control objectives. You've now created a matrix. You can "X" the box under the objective that each control satisfies. After listing all the objectives, you could then continue with columns for Primary v. Compensating, Preventative v. Detective, Automated v. Manual, and then your six financial statement assertions. Again, this would be a very basic control list, but a starting point for you. Lots of other formats could be just as appropriate.
For your second question, I would argue that if none of the assertions apply, then it's probably not a SOX control. So yes, they should be documented.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
