AS 5 - risk based approach
foofam77 last edited by
Just want to clarify with respect to adopting a top-down risk-based approach to implement SOX.
It is more like focussing on higher-level controls such as Accounts Reconciliations, Flux Analysis, and Business System Application controls, and determining if these controls are prevalent across the entire financial records… By doing this, all aspects of the financials (regardless of whether they are material accounts or not) would be covered in this manner…
Has anyone adopted such a high-level approach before?
For such an approach, do you still do process narratives or solely rely on the Excel spreadsheet?
I am scratching my head on how such an approach can be translated into paper documentation (Excel format).
Does anyone have a sort-of template on hand?
Thank you in advance for your inputs…
John1ak last edited by
I have been involved in a couple of these transitions. What you need to do is get an ELC template - the Big 4 all have them - and test/adapt the 150-odd controls they have come up with as applicable to your business.
Then you go to the Financial Control RCMs done under AS2 and test them pretty much as you did under AS2 using test templates as applicable.
Thereafter go through the AS2 testing for the other processes and have a good hard look at each control within the process to determine its relevance as a key control in ICFR and (very importantly) Fraud Risk. We found we were able to eliminate roughly 2/3 of the AS2-based tests in these processes - depending obviously on how well the ELCs were imbedded. This area can be problematic, which may then require additional lower-level testing if Management has not bought into the ELC concept.
We have not developed any new templates except for the ELC chart.