New Year's SOX Resolutions



  • Those of us reporting on a calendar year basis have wrapped up our 2005 SOX work. It is time to reflect and take a look ahead at 2006. What are we going to do differently this year? What can we improve on?
    Let’s hear your new ideas / resolutions for 2006.
    Here are a few of mine -

    Improve communication to the process owners and test teams by providing examples of best practice process and test documentation.
    Push to complete most of our test work by the end of the third quarter so that we don’t have a big push to get it done at year end when we should be busy with other things. This will include identifying what needs to be tested close to year end versus those controls where we can test early and cover off at year end through inquiry and observation (much less formal testing).
    Look to standardize controls as much as practicable across all of our reporting locations. We are not very standardized. This will likely be a 2-3 year process as we have a lot of processes to cover.
    Continue to contribute to this forum. While it started off slow, it has grown to be a very valuable resource to me.



  • kymike shares an excellent post as SOX is all about continuous improvements anyway 🙂 I have more of an indirect involvement in SOX, but I’ll share some more ideas:
    Invest in Training - once folks know why, how, when, and what to do, things go more smoothly
    Improve your Standards - improve your existing policies, procedures, and standards to better address the new era of SOX compliance
    Develop an Intranet Web Site devoted to SOX - this is a great resource for referencing information. I’ve assisted in Project Management Methodology development and Security standards in the past. I’ve used the Intranet as a great resource for storing key non-sensitive documentation. Thus, placing SOX standards and reference information into this type of repository can help improve communications and referenceability for everyone involved.
    Work more closely with Audit as a partner - If you work in IT, the business side, or another area, work with audit so that both areas build knowledge on SOX compliance needs.
    Continuing Education - That’s why I participate here when I have a chance. It helps improve my knowledge based on real-world experiences and the good user-to-user sharing by professionals.



  • Our Controls Framework is going on a diet… We are actually a September 30 fiscal year company, so we have a quarter of '06 done already. Our big push was to eliminate redundant controls by focusing on more entity level controls. We reduced our total controls by 46% and we never even ate at Subway…



  • Would you care to share your approach with the forum?
    What types of key controls did you pare back?
    How did you analyze coverage of financial statement assertions to ensure that remaining controls addressed all of them?
    What entity-level controls did you place the most reliance on?
    My biggest obstacle in placing reliance on ELCs is the lack of a well-distributed policy manual. I believe that we have good policies in place, but not online and easily accessible. Turnover at our accounting locations (many) is a big risk as there is no easy reference to go to for financial policies. Once we have a better online policy manual, I will look to reducing some of our scope and placing more reliance on ELCs.



  • I don’t know if our situation was unique or not, but because we are a large company with 5 main business segments and various subsidiaries, we had lots of overlapping controls.
    Our auditor PwC helped us organize all of our controls into 3 categories; supporting, critical, and audit critical. The audit critical controls are the most crucial to verifying that our internal control is adequate.
    We then looked at each individual assessment, i.e. Payroll/HR for example. We went through with the process owners and discussed which controls are redundant (unfortunately, our original frameworks were written by internal and external auditors under guidance from the process owners, whereas it probably should have been the other way around). We then eliminated those.
    We also combined related controls into a ‘super’ control. We had situations where one control would say that this reconciliation has to be done, and another control saying it has to be reviewed. Very obvious example, but you see how they can be controlled and tested in one instance.
    We also did an extensive review to reevaluate what controls actually prevent material misstatements. I’ve only been with the company for about a year now, but the original frameworks created covered every control anyone could think of throughout our entire organization.
    Our chief auditor has announced recently that he and an outside consultant are currently working to eliminate more controls by instituting ‘entity level’ controls. I have heard that buzzword used by externals and some internal auditors, but as I am still new to the ‘biz’ it’s one of the many things I don’t really have a handle on. If anyone can provide more information and/or examples of entity level controls, I would really appreciate it.
    Thanks,
    Jason



  • Hi Jason:
    I did a quick google search on ‘Entity Level Controls’ and found a number of good articles, including the one noted below:
    ey.com/global/content.nsf/Belgium_E/Issues_-and-Perspectives-Sarbanes-Oxley-_Evaluating_internal_controls_at_the_entity_level
    This document is a tool to assist management in performing the third phase: evaluating internal control at the entity level.
    A logical place to begin any comprehensive evaluation of internal controls is at the top: entity-level controls that might have a pervasive effect on the organization. This includes a consideration of factors in each of the five components of internal control that can have a pervasive effect on the risk of errors or fraud. These five interrelated components are:

    1. Control Environment
    2. Risk Assessment
    3. Information and Communication
    4. Control Activities
    5. Monitoring


  • Harry,
    Thanks for your help. The article is very interesting and I will certainly pass it on to those in my dept.
    Thanks,
    Jason



  • I can’t really express in words how lucky we all are (at least I am) to have joined this discussion forum for SOX.
    Great work guys, and the ocean (of information) just keeps getting bigger.
    Thanks a lot and keep up the good work



  • Some good stuff here, a couple I would add:
    Refocusing process scoping - every SOX project I’ve witnessed has suffered from not having an audit-style discipline in its project scoping. This has resulted in financial processes being included in scope that were not required (immaterial), inconsistency between similar processes in different locations, and other such issues. This would also include properly distinguishing between controls that relate to internal control over financial reporting and those that relate to wider enterprise risks, e.g. commercial, operational risks.
    Developing efficient testing strategies - taking greater assurance from automated controls (‘test of one’ strategies), focusing on monthly rather than transactional controls.
    Spreading testing across the year - ideally making it a regular monthly/quarterly activity and helping embed internal control in the operational culture.
    Broadening business engagement - getting the message across that the whole business is responsible for internal control and not just finance.
    Implementing an automated tool - the tools available have improved dramatically and in all but the smallest projects an MS Office documentation set seems unmaintainable.
    Focus on EUC - one of the areas I think has been done less well

