Transition Year 2028



  • My employer has a fiscal year ending in July, so for fiscal 2008 we have to issue a management report, but the auditor attestation doesn’t happen until fiscal 2009. We’re non-accelerated, so 2008 is our first reporting year.
    The CFO wants us to do the minimum required to comply with the law for 2008. And the question is, what exactly does that mean? I am preparing to do the full-scale risk assessment, process documentation, control/risk matrix, walkthrough and test plan preparation, but the CFO does not want to spend an extra minute more than we have to.
    So, if I complete a risk/control matrix and a test of design, does that sound sufficient to be called a management review of the control environment? I have been trying to find an objective source of what work has to exist behind a management report, but so far I’m lost.
    Thanks in advance.



  • We had a similar situation for 2006 year end with an exemption for auditor attestation until 2007.
    Essentially, you still have to comply with SOX in full. The only difference is that your auditor will not be testing this year, only your internal team.
    Our auditors did review all of our process narratives, controls matrices and findings, together with consideration towards whether or not we had adequate controls designed, however. It is therefore important to ensure that they are all up to date and accurate.
    The only benefit of the exemption is a saving in audit fees, although I felt that this was lost on the lack of support provided to us from our auditors as they lost interest in our project last August after the exemptions were announced, and I feel that in hindsight, there were some deficiencies which could have been avoided if we had obtained some sort of feedback at that stage of the project.

