SOX 404 workload 2361



  • Hi,
    I have just been hired to do SOX 404, previously I have been doing 302. My questions are:

    1. I don't really think much work has been done by my company other than preparation of some matrix and documentation which is not yet fully complete. In your experience how long will it take? I will start work from July and the deadline is Sept 08 🙂
    2. I have heard someone tell me that the company requires an in-house CPA to head this SOX Compliance. Is it correct and if yes does this in-charge have to sign off on something at the end or is it just to ensure that having a CPA is better as he/she will have the required knowledge? I am asking because I don't have a CPA but plenty of knowledge and experience to complete the task so can I also head the team?


  • Hi and welcome to the forums 🙂
    Below are some ideas that might help you get started:

    1. I don't really think much work has been done by my company other than preparation of some matrix and documentation which is not yet fully complete. In your experience how long will it take? I will start work from July and the deadline is Sept 08
      SOX 404 requirements will vary greatly by company (e.g., depending on levels and types of automation, risk factors, etc.). This can take considerable time to learn and implement, and just one quarter to build a full SOX 404 framework does not seem like enough time to me?
      A few success factors are noted below for a good SOX 404 experience:
        1. Training - As SOX 404 is nebulous and subject to interpretations, get good training so that you know what must be done (no more or no less than required)
        2. Setting up Detailed SOX 404 plan
        3. Walkthrough and approval by SOX External auditors
        4. Ensuring senior management support on resources for documentation, testing, and to make needed changes.
        5. COBIT 4.1, GAIT, and GTAG might be some good resources to read (many external auditors use COBIT checklists as key considerations to ascertain SOX 404 compliancy)
      TWO FREE RESOURCES:
      http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920
      Please copy link to browser as outside links aren’t permitted in forums
      http://msmvps.com/blogs/harrywaldron/archive/2008/03/27/sarbanes-oxley-404-requirements-iia-s-gait-and-gtag-free-resources.aspx
    2. I have heard someone tell me that the company requires an in-house CPA to head this SOX Compliance. Is it correct and if yes does this in-charge have to sign off on something at the end or is it just to ensure that having a CPA is better as he/she will have the required knowledge? I am asking because I don't have a CPA but plenty of knowledge and experience to complete the task so can I also head the team?
      There’s no requirement for a CPA to head up SOX 404 compliancy within the statutory requirements that I’m aware of. In fact, an individual with a strong audit background might do a good job as well in designing control systems, etc. I would ensure the SOX 404 leader is well trained (and even invest in some of the good offsite training available where networking with other professionals and guidelines might help one get started).
      Please copy link to browser
      http://www.google.com/search?hl=en&q=sox 404 training
      http://www.theiia.org/iia-training/


  • I think it also depends on the size of the company, number and proximity of locations that are in scope, the number of people working on the 404 project, the experience levels of those people, and whether or not all parties (process owners) are committed to making the project a success. I’m assuming that the September '08 deadline is for documentation only and that testing of key controls will then commence. In my experience, most personnel initially do not view SOX as an integrated part of their daily work routine and tend to give it a low priority, causing deadlines to be missed, which of course is detrimental to any project.
    As mentioned, set up a 404 plan, create schedules to include specific responsibilities for all personnel, time lines (be conservative), due dates, different project phases, etc. Also, read the SEC’s interpretive guidance that was issued last year, in addition to AS 5 (although AS 5 was issued by the PCAOB for EA’s). Something else, make sure there is someone on your staff who is proficient with IT controls and that the financial and IT components of SOX are working together towards a common end. Communicate frequently with all parties involved what the expectations are, and create status reports to communicate to upper management the progress of the SOX effort.
    Good luck.



  • In my experience, most personnel initially do not view SOX as an integrated part of their daily work routine and tend to give it a low priority, causing deadlines to be missed, which of course is detrimental to any project.
    This is wise advice and represents why senior management backing on meeting SOX compliancy is so important 🙂
    Also, read the SEC’s interpretive guidance that was issued last year, in addition to AS 5 (although AS 5 was issued by the PCAOB for EA’s)
    Below are some links that might help in this process:
    http://www.pcaob.org/Rules/Docket_021/2007-05-24_Release_No_2007-005.pdf
    http://www.sec.gov/rules/interp/2007/33-8810.pdf
    http://en.wikipedia.org/wiki/SOX_404_top-down_risk_assessment
    http://en.wikipedia.org/wiki/Auditing_Standards_Board
    http://www.itcinstitute.com/display.aspx?ID=3600
    http://www.google.com/search?hl=en&q=pcaob as5

