Beginning SOX 980

  • Hi Everyone,
    I am now responsible for implementing SOX for the company I currently work for. I have done quite a few sets of documentation; however, I was never involved in the scoping process to determine which processes to document. I am not sure where to start. Can someone give me some suggestions?

  • Start from your financial statements and work backwards.
    Identify your significant accounts (generally, all FS accounts) at a high level.
    Identify the processes that feed these accounts and document those processes.
    Identify your control objectives for each process that cover your financial statement assertions (completeness, accuracy, etc.).
    Identify the risks (what could go wrong) related to the control objectives.
    Identify the controls that mitigate those risks.
    In addition, you should ensure that your general and application-specific IT controls and related processes are documented as well as entity-level controls (whistle-blower programs, anti-fraud programs, etc.)
    I hope that this helps you to get an idea as to how to proceed in identifying what you need to document and test.

  • Here is also the SEC’s recent statement on management’s report suggesting a top-down and a risk-based approach:

  • Thank you for all your help.

  • Thanks Melly
