New to Sox 1924

  • Hi
    Can anyone tell me the standard steps for performing a SOX audit? I know:

    1. Scope
    2. Deliverable
    3. Interim
    4. 4th quarter
    5. Remediation
      Is there anything missing? Also, what's the difference between a SOX audit and an IT audit?
      Thank you

  • Hi,
    Your question is a good one and has been asked directly/indirectly in these forums. Please search within the General Sarbanes-Oxley Discussion Forums and you will find plenty of useful information and resources.
    Good Luck,

  • Deepman,
    Yes, this is a good question and I’m sure other members share your concerns regarding compliance.
    In comparing SOX and IT audits, be sure to research the differences between COSO and COBIT. Whereas SOX audits are primarily based on the internal controls and methodology outlined in COSO, COBIT 4.0 (the IT controls framework) has increasingly become used in both SOX and IT audits.
    Check out the following link, which gives a good overview of IT’s role in SOX:

  • I took the training course for IT auditor and I still have so many questions to ask and I still don't know where to start. In the training all they talk about is high-level stuff and there's no hands-on experience. Is there any way I can get some hands-on experience?

  • There really aren’t any ‘standard steps’ available. You should read the SEC’s recently released proposed interpretive guidance. Although it won’t provide much in terms of ‘hands on experience’ as it states explicitly that it is not prescriptive in nature and that each company should develop procedures based on their unique circumstances regarding the 404 implementation.
    Frustrating as it is, it appears that the only way for some of us to get any real 404 experience is by going through it and learning from your mistakes.

  • How are you going to get a job if you don't have the experience?

  • People are keen to get team members on board. The best way to gain initial experience is to start as a tester and familiarise yourself with the processes/documentation and work your way up.
    Other medium-level positions may be available if you have any kind of previous audit experience and an understanding of risk.

  • How are you going to get a job if you don't have the experience?
    Hi and welcome 🙂
    To gain any position in a profession, the key is to differentiate yourself from others. One way to achieve this is to build up expertise, knowledge, and skillsets where an employer would elect to hire on that basis, even over an experienced candidate.
    Secondly, an employer might pay a slightly lower starting salary for a non-experienced v. experienced candidate, maybe as a team member or to save $$$. There's definitely hope. In fact, we've seen cases here where someone who was very talented got thrown right into the 'fire' with little training.
    I attend a formal monthly class on leadership training and one point recently shared is that if you spent just 1 hour per day reading or researching something, within a year you'll become an expert, e.g., I haven't even come close when it comes to SOX 😉 🙂
    Still, read through the forums thoroughly as noted by our members above and even many of the older threads as SOX hasn’t changed radically since the bill passed in 2002 and companies began implementing it more fully in 2004.
    Then with specific questions you’ll gain a lot of insight into SOX. In fact SOX audits aren’t too different from other audits. You just have to evaluate a different list of checklists, objectives, samples, documentation, etc. ensuring it’s meeting the ‘letter of the law’.
    Below are some career path threads in the Employment forums that might help also:
    Again, good luck to you

  • This might also help … In addition to the forums, these Internet SOX-related links looked promising (e.g., you must separate sales/vendor links from articles, although even some of the sales-related links have outlines and other resources to research the 5 good questions in the earlier post).
    As linking outside the forums isn't allowed, please paste into your browser and add 'www': audit steps, audit process, audit methodology

  • How are you going to get a job if you don't have the experience?
    Generally, you ‘pay your dues’ through entry-level work in public accounting or the internal audit department of a public company. To get into either of these positions, you will need to have an accounting or IT degree and the desire to obtain a CPA, CIA, CISA, etc. It used to be that the Big 4 public accounting firms hired only the best of the best. Based on what I have seen lately, they either cannot always get the best or the bar has been lowered. Either way, it makes it a bit easier for college graduates to get their foot in the door. Turnover is high in many of these positions, creating lots of opportunities for those who are really interested in making a career of it.

  • I took the training course, took the CISA test in Dec 06 and I have 3 yrs IT experience. So, what's the best approach for me?

  • Your best option would be to join your company’s internal audit group (if they have one) assuming that your 3 years experience is with the same company. Otherwise, refer to my previous reply and try to get on at a public company or one of the big 4 accounting firms in an IT audit role. That is where almost all of the SOX controls work experience is coming from. There may be a few smaller consulting companies that do SOX work, but the experience that you will get in working for a public company or big 4 auditor is hard to beat.

  • Please help… don't know whether this is the right topic.
    My boss wants to start from ID Management to increase control over people and access.

    1. Is this a correct start?
    2. What should I pay attention to?
    3. What should I do with the audit on Identity and Access Management, reports that need to be prepared?
    4. Parameter for acceptable control over Identity and Access, according to SOX?
    5. Any advice or reference material regarding this matter, based on your experience.
      Thanks guys, I really appreciate your help on this.

  • Hi and welcome 🙂 Some of the sharing in this thread might help with identifying IT needs and requirements (e.g., esp. the COBIT 4.0 and SOX 404 guidelines).
    The list you shared is indeed a good set of points to pursue. In designing access controls, some thoughts from past experience include:

    • Inventory of existing rights and controls
    • Review and updating policies, procedures, and standards (to promote the human behavioral controls that complement the technological safeguards)
    • Perform Risk Management exercises on the areas being controlled
    • Get input from the Business Professionals (a.k.a., system owners)
    • Design improved security controls
    • Gain approvals from the system owners
    • Implement improvements
    • Monitor and adjust according to changing needs.

    1. What should I do with the audit on Identity and Access Management, reports that need to be prepared?
    2. Parameter for acceptable control over Identity and Access, according to SOX?
    3. Any advice or reference material regarding this matter, based on your experience.

    ISACA has ICQs and an audit program document for Identity Management in the downloads section. You need to be a paid member to download it.
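    An added example, not from the thread or any member's post: a small user-access review that carries out the "inventory of existing rights" step above and produces the kind of findings report asked about in questions 1 and 3. It runs over a constructed account export and HR roster; the role names, the segregation-of-duties rule and the privileged-role list are assumptions chosen for illustration.

```python
import csv
import io

# Constructed sample data (not from the thread): an account export from an
# application in SOX scope and the HR roster used to confirm each account's owner.
ACCOUNT_EXPORT = """user_id,roles
alice,AP_CLERK
bob,AP_CLERK;AP_APPROVER
carol,GL_POST
dave,ADMIN
"""
HR_ROSTER = """user_id,status
alice,active
bob,active
carol,terminated
"""

# Assumed segregation-of-duties rule: role pairs one person must not hold together.
SOD_CONFLICTS = {frozenset({"AP_CLERK", "AP_APPROVER"})}
# Assumed privileged roles that require a documented owner approval.
PRIVILEGED_ROLES = {"ADMIN"}

def load_accounts(export_text):
    """Parse the account export into {user_id: set(roles)}."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["user_id"]: set(row["roles"].split(";")) for row in reader}

def load_roster(roster_text):
    """Parse the HR roster into {user_id: status}."""
    reader = csv.DictReader(io.StringIO(roster_text))
    return {row["user_id"]: row["status"] for row in reader}

def review_access(export_text, roster_text):
    """Return (user, finding) pairs a reviewer follows up before sign-off."""
    accounts = load_accounts(export_text)
    roster = load_roster(roster_text)
    findings = []
    for user, roles in sorted(accounts.items()):
        status = roster.get(user)
        if status is None:
            findings.append((user, "NO_HR_RECORD"))  # account with no known owner
        elif status != "active":
            findings.append((user, "ORPHANED"))      # leaver still holds access
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append((user, "SOD_CONFLICT:" + "+".join(sorted(pair))))
        if roles & PRIVILEGED_ROLES:
            findings.append((user, "PRIVILEGED"))    # needs owner approval evidence
    return findings

if __name__ == "__main__":
    for user, finding in review_access(ACCOUNT_EXPORT, HR_ROSTER):
        print(f"{user}: {finding}")
```

    Each finding maps to evidence the system owner signs off on (a termination ticket, an approval record, or a role change), which is what the review report documents.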

  • Thanks guys… I’ll try to do as you suggested

  • Does anyone have a standard testing template they use when testing internal controls for section 404? If so, can they provide a copy?
