Citing 302 as a control in 404 1792



  • Is it appropriate to identify the 302 cert letters as a control in process narratives/control matrixes? More specifically, is it appropriate to use the 302 certification as a control around ensuring whether or not liabilities are completely stated and adequately disclosed?
    From what I’ve read, it seems that the controls in the narratives/matrixes ‘may support the quarterly Section 302 certification and at a minimum the section 302 certification process should include a consideration of the status of the 404 project’.
    Thanks.



  • Hi and welcome to the forums 🙂
    SOX 302 is about senior management endorsing primary financial controls, as SOX is primarily a self regulatory program with external auditors helping in the process to approve the controls. SOX 404 is about the IT controls surrounding automated financial systems and their workflows.
    Certainly, as senior executives sign-off each reporting period with SOX 302 they are approving all aspects of SOX compliancy including SOX 404 IT guidelines. Still, companies have to perform ‘due diligence’ in meeting all security, workflow, and other best practices associated with SOX 404 controls.
    Many external auditors recommend COBIT standards for IT and COSO standards for financial controls (you can search the forums here for more info). Below is a good site to a obtain quick overview of all the various sections:
    Please add www and paste into browser
    sarbanes-oxley-101.com/



  • I think it is feasible that the process put in place to support s302 could be a control for s404 purposes … it really depends on what process you have put in place for s302 and what risks that you want it to cover for s404.
    We certainly have a quarterly process that supports inter alia the s302 requirement which meets some risks in the financial statements close process.


Log in to reply