SOX and Risk assessment



  • Hi all,
    My company is planning to do a risk assessment for SOX compliance. Can someone guide me about a good risk assessment methodology?
    Is there a SOX-specific risk assessment methodology? Are there any tools through which a self-assessment can be done without involving an external consultant?
    I was also reading about OCTAVE (the SEI/CMU risk assessment methodology). It's a good self-directed assessment method, but it's not SOX compliance oriented.
    Thanks in advance
    BS



  • COSO ERM is the answer.
    The Committee of Sponsoring Organizations of the Treadway Commission
    (COSO) has issued Internal Control Integrated Framework to help entities assess and enhance their internal control systems.
    In 2001, COSO engaged PricewaterhouseCoopers to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.
    This Enterprise Risk Management Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.
    It is not intended to replace the internal control framework; rather, it incorporates the internal control framework within it.
    Highly recommended.



  • Thanks for the reply…
    I have checked the executive summary at the COSO site. Is this a self-directed kind of assessment (something our audit team can do), or is it a specialised kind of assessment method for which we need an external consultant?
    Since SOX requires risk assessment to be carried out regularly, it would be nice if we could train our people and let them do it rather than hire an external consultant. We have people with audit experience, but no one has done a risk assessment before.
    Thanks
    BS



    "Since SOX requires Risk Assessment to be carried regularly it would be nice if we can train our people and let them do it"
    I absolutely agree. You must first of all read the 'Enterprise Risk Management Integrated Framework' to have a better idea about ERM.
    cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/Enterprise Risk Management - Integrated Framework PDF.htm



  • Bhoopendra,
    You may also want to read the PCAOB’s May policy statement (in addition to their July 2004 policy statement). These statements govern how auditors are supposed to assess your internal controls.
    This new policy statement may help your employees to eliminate controls that do not specifically have an effect on your financial statements.
    Without heeding this information, you may end up including too many controls in your assessment and this will increase the time and cost of your compliance efforts.



  • Thanks George and thanks Lisa,
    I have gone through the Staff Q-and-A (May 16, 2005) at the PCAOB site, and risk assessment has emerged as something central.
    Thanks for your valuable advice.
    BS



    I have also gone through the Q-and-A, but I was just wondering how long it takes to do a risk assessment in a mid-sized company (3K-4K people in all) with the COSO ERM Framework. If anyone has used the framework in risk management, kindly throw some light on it.
    The question stems from the consideration of paying money to consultants. If it's a long drawn-out thing, then we can probably train our people and let them do it rather than hiring external consultants.
    I am also not sure whether people with diverse backgrounds like Finance and IT can be trained to do that. Since entity-level risk assessment and a top-down approach to testing are going to be central, can someone clarify these things?
    thanks
    CH

