Outlook forms for approval 1382

  • Greetings…
    I have currently undertaken a task that involves building custom Outlook forms for asset disposal - no problem with showing what user approved, when since the approval system of Outlook provides this in a handy printout (obtainable from Exchange directly too if I’m not mistaken); BUT is this printout enough for the SOX compliance?

  • You bet. It is sufficient.

  • Hi,
    Your question is quite simple on the surface, but requires further elaboration.
    When encountering a question that is not directly addressed in the generally accepted SOX guidance document developed by the governing bodies (PCAOB, SEC, etc.), it might be appropriate to consider adopting guidance and maintaining the same quality standard that is used by external auditors and is supported by SAS, AUs, and FASB pronouncements.
    This strategy establishes a parallel quality standard when planning and implementing SOX compliance initiatives and will help to ensure that your work product is accepted by the external auditor.
    The following relates to documentation requirements, albeit, in an external audit situation. However, the guidance seems well-suited to your particular requirements and should be more than adequate for compliance with SOX.
    Documentation requirements for tests of controls and substantive tests are covered in SAS-96 (AU 339) Audit Documentation. The guidance provides certain specific documentation requirements.
    For tests of controls and substantive tests of details that involve inspection of documents or confirmation, SAS-96 (AU 339.08) requires audit documentation to include identification of the items tested. This may be accomplished by indicating the source from which the items were selected and the specific selection criteria. For example, audit documentation would include:
    a. Identifying characteristics (e.g., the specific invoice numbers of the items included in the sample), when a haphazard or random sample is selected.
    b. A description of the scope and an identification of the listing (e.g., all sales invoices over USD50,000 from the October sales journal), when all items over a specified dollar amount are selected from a listing.
    c. An identification of the source of the documents and an indication of the starting point and the sampling interval (e.g., a systematic sample of shipping documents was selected from the shipping log for the period from June 1, 20X6, to October 31, 20X6, starting with report number 1234 and selecting every 50th shipping document from that point), when a systematic sample is selected from a population of documents.
    Thus, the Outlook form that you designed to track asset disposals is acceptable for SOX. Agree. However, it might be a good idea to ensure that a clear audit trail exists for all disposal activities. Since asset disposals often involve collecting cash, it might be a good idea to map the disposal tranaction to the Accounts Receivable Subsidiary Ledger to create an audit trail for the asset disposal. The Outlook printout and the clear audit trail to evidence and support asset disposals should enable you to maintain a higher documentation standard.
    SOX is not about just satisfying a documentation requirement, but in my opinion, complying with the spirit and intent of the Act.
    Hope this helps,

Log in to reply