scope of IT in SOX




  • It would be the best approach to begin by identifying the business processes which could lead to a significant financial misstatement. Let’s call this scoping. After you have done that you have to document the processes and the related controls. Knowing the controls you have to decide which one is your key control and skip all the other controls. They’re not relevant for SOX. You have to test and document the key controls. That is to be done by taking into consideration what-could-go-wrong (if the control is not functioning properly). Maybe there’s a compensation control. And so on. All has to be properly documented, so that the external auditor can come to his own conclusions by reviewing the documentation and performing some additional tests.
    Have fun…



  • Knowing the controls you have to decide which one is your key control and skip all the other controls. They’re not relevant for SOX
    I do not agree with this…
    Almost all IT matters can lead to financial misstatements… so you have to cover almost all matters…
    For instance:
    If the e-mail ain’t working there’s a financial risk in that for not being able to serve the customers…
    If your backup for documents ain’t working, there’s a financial risk of not being able to restore those contracts you might need in a lawsuit later…
    If a program for stock control isn’t working well enough or not being updated often enough you might have a risk of not being able to state the whole stock amount on your financial statements…
    Also you might not be able to foresee a lack of a certain stock whilst a customer had ordered it… risk: losing customer/lawsuit etc…
    If the computers aren’t kept ‘in shape’ you have a financial risk of losing data when this computer gives up, or the person who worked on it cannot work for a day or more whilst he was busy closing a superdeal…
    etc etc…
    Besides your accounting department, the IT department is the most SOX-related department in your business.



  • I totally agree with you as long as the systems you’re talking about are relevant in terms of SOX. If you run an ecommerce business like e.g. Amazon and your mail servers are not functioning anymore, you’ll have a big problem.
    But that’s a problem in terms of economic loss (operational risk). This is not what SOX is out for.
    SOX requires you to disclose correct financial reports like balance sheets, P&L, 20-F and so on. You are required to control and assure the correctness of these reports. No more and no less. SOX is not interested in your economic wealth. If you are bankrupt, well ok, as long as the financial statements showing this are correct.
    There’s a fine line between SOX and operational risk.
    So if you fail to establish user authorization within your SAP and you are violating general ledger entries, then you’ll have a SOX topic. But only if there are no other controls (maybe manual, in terms of reviewing lists and reports) to compensate for that.



  • Hi,
    We are a public company and we want to build a new database with some reporting tools attached for marketing, the call center and the sales force team. Do I need to be SAS70 since I won’t use this report for financial reporting?
    Thanks,
    –Michel



  • I’m a senior-level IT employee of a huge corporation. The word is that SOX has upper management browning their pants and covering all bases to the nth degree. I have a different theory. I believe that every time IT needs budget allocations they say the letters ‘SOX’ and the CEO pulls out his checkbook.
    The other day an associate of mine made a two-line code change to a payroll program. The change took him about 5 minutes to track down and complete. Our change control process required 12 hours for him to get the change into production, à la ‘SOX’. Those of you who are SOX experts might be able to set me straight, but does the government really care whether our test case template is 100 pages long or one paragraph? I can’t believe that it makes any difference to Uncle Sam.



  • Hi Bothorn,
    I can see your frustration in the example you have. A five-minute change requiring 12 hours of work is NOT what SOX is all about.
    Yes, you should go through the change management process; however, I would look at how your change process is written. It should account for small or emergency changes that do not require the full amount of documentation. You should differentiate a change that requires months of work from a 5-minute job. For my clients, I recommended that they have 4 classes of changes: A, B, C and X for emergency changes. Your change would be a class C change and all it would require is a log entry in the change log to ensure that it has been tracked and some reasonable testing occurred.
    Hope this helps; post any concerns you may have and I will try to answer them.
    Yoda404



  • Hi,
    Having just been looking at Sarbanes-Oxley from a different perspective (IT recruitment), I wondered if any of you could give some information as to the types of companies the act would affect, and am I correct in thinking that any company in the world with a US-listed parent would need to implement the correct system?
    Thanks for any info.
    Sam

