management is not compliant, what can I do as a tester?

  • I was told by our S.O. leads that we needed 2 people to do the testing and reporting. I told my manager (I am not management but doing all the data collection, testing and reporting) and she forbade me from asking the leads if this would put us in non-compliance. I need to know if this is an issue, and is there a segment of the law I can show her to back my statement? I am the SME (subject matter expert). How can I best protect myself? Thanks.

  • Hi and Welcome to the forums 🙂
    Yes, the risk management process and testing program for financial controls is a vital part of SOX compliance (esp. financial IT controls as specified by SOX 404). Your manager may also want to check with the SOX external auditors assigned to your company. A failure to test critical controls would lead to deficiencies and even non-certification with the SEC.
    SOX controls will result in overhead. Maybe the testing can be accomplished without significant impact on staffing, as many companies work this into existing job roles in our leaner personnel environments.
    Below are some resources that might help. You can also search the forums here with keywords like testing for more relevant information:
    Top Down Risk Assessment (TDRA) and SOX testing
    TDRA is a hierarchical framework that involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control. Both the PCAOB and SEC guidance contain similar frameworks. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX404 assessment effort and determine the evidence required. Key steps include:

    1. identifying significant financial reporting elements (accounts or disclosures)
    2. identifying material financial statement risks within these accounts or disclosures
    3. determining which entity-level controls would address these risks with sufficient precision
    4. determining which transaction-level controls would address these risks in the absence of precise entity-level controls
    5. determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls
      Management is required to document how it has interpreted and applied its TDRA to arrive at the scope of controls tested. In addition, the sufficiency of evidence required (i.e., the timing, nature, and extent of control testing) is based upon management's (and the auditor's) TDRA. As such, TDRA has significant compliance cost implications for SOX 404.
      PCAOB - More Resources
      As COBIT is used by many external SAS auditors to provide guidelines for controlling automated financial systems, this resource may be helpful to research IT needs:
      Free COBIT 4.x PDF copy by registering with ISACA
      Also, COSO provides excellent guidance in the general design of financial and workflow controls as noted here:
      COSO Guidance - Monitoring
