Another odd question 184



  • Our auditors are telling us that we need to explicitly document all management review in order for it to be considered a SOX compliant control. As an example, say a manager gets a daily report of buyer activity. He reviews it for exceptions and tosses it in the trash. The auditor is telling us these must be initialled and kept to prove review. If we as a company (1500 contributors with 7 sites in two countries) proceed down this slippery slope, we’re going to need auxiliary buildings just to house the forest we’ll be filing.
    Is anyone else in this predicament? I can’t imagine GE doing something like this.
    Thanks for your input.





  • Shelly:
    Your frustration is reasonable.
    I am an Internal Auditor with Sarbanes experience and this situation is very common in many clients.
    One thing I have always recommended - that for 404 purposes you need proof that the reviews are being done, timely, and that errors/deviations have been noticed and actions have been taken - and most importantly in the e process - documentation exists from - Policy/procedure to Audit trail.
    In your case - you may attempt this approach - but first discuss with your auditors about the ‘acceptability’

    1. Establish a procedure for a daily review of the report on buyer activity - where does it come from - who reviews it, what does the review consist of - if there is a flag/deviance - what is the escalation - and also that a weekly review log is maintained.
    2. Get management approval for the procedure first
    3. Detail in the procedure what items will be reviewed in the daily activity report
    4. As support documentation for the review of the daily reports - establish a template - say a weekly memo - that confirms that daily reviews are conducted and any findings are observed/escalated (say none - if applicable) - check-off - for each daily review completed.
    5. Also you could retain the copy of exceptional reports only - insert this in the procedure
    6. The memo that is prepared in the above fashion - once a week - can be sent to a Sr. Manager for review / can be signed and filed in a binder
    7. If you religiously follow the above routine - you would develop a documentation trail (as a follow-up to the approved procedure). This would be sufficient for 404 requirements
      Any questions, please feel free to write to me:


  • Hi mahda,
    I saw your answer regarding the audit trail and how to avoid all those piles of paper, and was wondering if you have any sort of example of that weekly memo you may have used in previous audits?
    I work in the Financial Department of an IT company and just for billing processes we have accumulated hundreds and hundreds of pages…
    Many thanks for your comments in advance.

