Any suggestion for SOX Year 2 ? 2007



  • Hi All,
    My company has cleared its first year of SOX certification recently. After the frenzy and the huge costs incurred during our first year certification exercise, going forward into year 2 and beyond, what are essentially the possible approach and ways we can go about maintaining the SOX compliance program with our target to make it as cost efficient as possible?
    I’ve read some articles that say for SOX year 2, we are given greater flexibility in designing our own compliance programs eg. By using various tools such as Control self assessment techniques etc.
    Greatly appreciate your views on this. Thanks in advance :lol:



  • I think we will need to wait until the new guidance is officially signed off before we can be sure that a more top-down risk based approach can be taken.
    Once it is signed off, I woudl recommend sitting down with your external auditors and trying to identify what their expectations of Year 2 will be.



  • Disagree and agree.
    Disagree about the more top down risk based approach. That was already acceptable and we applied that in 2006.
    Agree that the auditors approach may well have to wait until the new audit standard is signed off.
    As for the auditors expecations, if is anything like mine it is to have their cake and eat it. Argue that they are relying on management testing, etc but keep fees at the same level (eg at more than half the cost of SOX complaince to the company.).



  • You may disagree wrightlot, but, at the end of the day, our external auditors have the right to determine that our controls are not adequate on their audit reports and this is the area that most shareholders will review within the published accounts.
    As for permission to allow the top- down risk based approach, I know that KPMG have not followed it to date (as informed by a partner in the firm) becuase the PCAOB review their workpapers and earn commission based on the number of deficiencies identified. This, at present blocks the way for them to apply a risk based approach and I do not believe they will agree to their clients applying it if it conflicts with their own approach.
    (Who are your external auditors by the way? If they ARE KPMG, I will be calling our audit manager and partner and asking questions as to why I received the above response from them).



  • KPMG…
    Happy to compare notes.



  • Very interesting.%0A I’m hoping to meet with them next week so I’ll DEFINITELY be pushing the Risk based Approach on them - regardless of what the final verison of AS5 ends up looking like.%0A Last year they insisted that a low risk small subsidiary (only 14 employees incl directors) was in full scope just because they have an intangibles balance that brought assets over 5%. The intangibles balance itself is only amortised once a year and there are NO other movements in tehe balance from year to year. This caused us a considerable amount of grief because the subsidiary has never even been subject to a statutory audit.


Log in to reply