The Sarbanes Oxley Act :: View topic - How deep does quarterly testing have to be?
How deep does quarterly testing have to be?

 
Guest

Posted: Mon Apr 04, 2005 11:20 am    Post subject: How deep does quarterly testing have to be?

This is my understanding of the requirements for quarterly SOX testing. Perhaps someone can add to/correct it? I think it's light, basically asking the control owners if there have been any changes (some companies automate this via emails). I'm working with auditors that test to a level making it a 'mini-sox'. How much is needed?

The requirements for quarterly SOX testing are light. It is not a partial SOX audit; it is merely a statement about changes to the controls in place, so that management is kept informed between annual SOX testing.

After reading on the matter, I found that the requirements can be reduced to three questions, summarized as:
1. Any changes to control?
2. Any problems in the financials due to this control?
3. Does the change have a material effect?

These questions can be answered with inquiry and observation. For controls that have not changed, further testing, gathering and validating logs, sampling of file permissions, etc. are done during the annual SOX work, and not quarterly.


From the SEC (their web site, I believe):
"require a company's management, with the participation of the principal executive and financial officers, to evaluate any change in the company's internal control over financial reporting that occurred during a fiscal quarter that has materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting."

In the attached pdf, it notes:

Auditor Evaluation Responsibilities
PCAOB Auditing Standard No. 2 discusses the external auditor’s responsibilities in regards to 302. In particular, it states:

The auditor’s responsibility as it relates to management’s quarterly certifications on internal control over financial reporting is different from the auditor’s responsibility as it relates to management’s annual assessment of internal control over financial reporting. The auditor should perform limited procedures quarterly to provide a basis for determining whether he or she has become aware of any material modifications that, in the auditor’s judgment, should be made to the disclosures about changes in internal control over financial reporting in order for the certifications to be accurate and to comply with the requirements of Section 302 of the Act.

To fulfill this responsibility, the auditor should perform, on a quarterly basis, the following procedures:
• Inquire of management about significant changes in the design or operation of internal control over financial reporting as it relates to the preparation of annual as well as interim financial information that could have occurred subsequent to the preceding annual audit or prior review of interim financial information;
• Evaluate the implications of misstatements identified by the auditor as part of the auditor’s required review of interim financial information (See AU sec. 722, Interim Financial Information) as it relates to effective internal control over financial reporting; and
• Determine, through a combination of observation and inquiry, whether any change in internal control over financial reporting has materially affected, or is reasonably likely to materially affect, the company’s internal control over financial reporting.

Denis
SoxGuru
Joined: Nov 25, 2004
Posts: 787
Location: London, UK

Posted: Tue Apr 05, 2005 1:48 am

My own interpretation is that the quarterly requirement is limited. I believe it would be justified for management to look at its processes and question whether there have been any significant changes (to systems, personnel, transaction types, etc.) and whether they are satisfied that the controls continue to operate effectively and do very little testing if they are satisfied.

However, some companies are choosing to spread their 404 testing throughout the year - perhaps as part of quarter/month-end processes - in which circumstances you can, more or less, satisfy 302 at the same time.

kymike
SoxGuru
Joined: Jun 02, 2004
Posts: 637
Location: USA

Posted: Tue Apr 05, 2005 6:48 am

Unless management is testing all key controls every quarter, I don't think that the quarterly testing would satisfy the requirements of 302. 404 is a subset of 302. Management needs to have a process in place to identify any significant changes in its internal control environment for purposes of the 302 certification. Testing may be a part of that process.

Denis
SoxGuru
Joined: Nov 25, 2004
Posts: 787
Location: London, UK

Posted: Tue Apr 05, 2005 8:32 am

kymike wrote:
Management needs to have a process in place to identify any significant changes in its internal control environment for purposes of the 302 certification. Testing may be a part of that process.


Although testing need not necessarily be part of the process
All times are GMT - 6 Hours