Posted: Fri Dec 09, 2011 3:11 pm Post subject: Multiple location considerations
Company A has three operating divisions.
Division 1 has centralized financial processing.
Division 2 has multiple locations each with similar functions and each having unique financial processing systems.
Division 3 has multiple locations each with similar functions and similar processing systems established by the HQ office of Division 3.
Division 3 is material to Company A. None of Division 3's multiple financial processing locations is individually material to Company A or to Division 3. Controls need to be tested for Division 3 for SOX purposes.
How would you approach controls testing in Division 3? If a tested key control failed at only one of Division 3's financial processing locations, would that be considered a control deficiency? What if the same control failed at 3 of 10 financial processing locations? Would that be 1 or 3 control deficiencies?
Would your answer differ if the same fact pattern was applied to Division 2?
I have my own opinion, but I want to hear your point of view before I reveal my thoughts.
Posted: Tue Jan 10, 2012 3:00 am Post subject: Multiple location considerations
Happy New Year, and I wish all the best to everyone,
If I understood well, you have 3 units of Company A with different financial processing for each, the same unit (sorry if I repeat you, just to make sure); the units themselves have different proceedings with their sub-units (corporate processing for 3, if I take Division 3 as corporate, and for Div 2, no corporate processing).
For Div 3, subject to your control, you will take your sample of controls from the sub-units of Div 3. Well, I think it depends on the topic controlled and its impact category, doesn't it? For instance, a deficiency in the reputation of the company or in regulatory matters, even in one location, may differ, in terms of impact, from other topics; also consider the materiality. For sure, if from a sample of 10 items 3 failed in control, it is significant, since 30% of the sample presents a deficiency. What do you think?
For Division 2, since there are no similar financial processing systems, I wonder how you will choose your sample? Here you don't have a "corporate" process from Div 2 that you will assess in its sub-units, but different financial controlling processes in place.
I would also be interested to hear your opinion.
Thanks for the question.
Since you say Div. 3's locations all have similar functions and processing systems, then we would consider it one cycle and they would likely have the same control activities at each location. I would pick a sample of locations to test. If a control failed at more than one location (or 3 out of 10), then we would consider it 1 deficiency (but all 3 locations would share responsibility for the remediation plan).
For Div. 2, since they have unique financial processing systems, we would likely consider each of those to be separate SOX cycles. For example, if Div. 2 had a warehouse in Texas and a warehouse in Oklahoma and they used totally different inventory management systems, then we might have a SOX cycle called "Texas Inventory" and one called "Oklahoma Inventory", and the control activities, narratives, etc. could be different. And in that case you could have deficiencies for each location. Of course, we would also do a scoping exercise, and some locations might not warrant being a SOX cycle due to immateriality.